The document summarizes LU ITS' response to identified risks and concerns from a TSUS IT auditor. LU ITS acknowledges risks involving data center constraints and outlines steps taken to address them, such as moving some systems to offsite hosting. The response also provides clarification on delays in areas like retiring legacy systems, reducing operating environments, and establishing security policies and programs. It indicates that work is ongoing to comply with standards and remediate issues.

1. DRAFT
ADDRESSING IT SERVICES
RISKS AND RISK SYMPTOMS
LU ITS Response to TSUS IT Auditor (March 2009)

2. LU ITS Response to TSUS IT Auditor
¨ IDENTIFIED RISKS AND RISK SYMPTOMS
¨ Risk Symptoms Raising Security Concerns
¨ Risk to University Reputation

3. IDENTIFIED RISKS AND RISK SYMPTOMS
“Data Center resource constraints and critical path
requirements prevent effective management of internal
IT operations and risk management of other defined
University priorities and initiatives (such as the Banner
implementation, online curriculum, and fund-raising
efforts)* as evidenced by the following risk symptoms”
- TSUS Office of Audits and Analysis
(Required Communication with Lamar University)
*Emphasis Added

4. ITS Clarifications on Data Center
Constraints and Online Curriculum
¨ Data Center Constraints at LU are have not been a
constraint for Online Curriculum for an entire
academic year.
¤ Blackboard has been hosted offsite by Blackboard
since Summer ‘08.
¤ GoCourse is hosted in Dallas by HEH and has always
been.

5. ITS Clarifications on Data Center
Constraints and Advancement
¨ Data Center Constraints at LU will soon no longer
be a constraint for University Advancement.
¤ LU has signed a contract to host both Millennium and
MIP Accounting offsite with the software maker Sage
Software.

8. ITS Clarifications on Data Center
Constraints and Banner
¨ To Ensure Banner Success, Data Center
Consolidation and Operating Environment
Standardization Must Continue …

10. Delays In: Retiring legacy systems?
ITS Response:
¨ IBM Systems Deprecated (3 Racks of Hardware)
¨ Legacy Cisco Firewalls Deprecated and Replaced with State-of the-Art Fortinet Firewalls
¨ End-of-Life Hardware Removed and Systems Virtualized (MSS Help Desk and Three Legacy
Evisions MAPS Servers)
¨ All Remaining Legacy Systems are Slated for Virutalization With Deprecation to Follow
¨ Virtual Readiness Assessment (VRA) in Process to Identify Other Systems for Virtualization
¨ Luminis Portal, Recruitment Plus, Millienium, MIP Accounting All Moving to Off Site Hosting
(Provided by Software Manufacturers)
¨ Plus System Deprecation Scheduled EoY 2009 (Currently a Production System for Student
Records)
¨ Director, EAI Has Mapped All Application Relationships and Systems Dependencies to Reduce
Risk Related to Plus-Banner Migration

11. Enterprise Applications and Integration
First Overview of Project Inter-Relationships

12. Delays In: Engineering/reducing the
number of operating environments?
ITS Response:
¨ 2 Standard Operating Environments Selected: Red Hat Enterprise Linux
(RHEL) and MS Windows
¨ Deprecated
¤ AIX (Legacy Banner Plaform)
¤ SUSE Linux (DNS)
¨ By EoY 2009
¤ Will Deprecate VMS (Plus System)
¤ Will Virtualize Sun Systems for SACS
¤ Migrate File Services from Single Mac Server
¨ CONTINUED RISK: Number of Systems Not Managed By ITS
¤ Distance Education
¤ Library
¤ Departmental Servers

13. Delays In: Engineering a multi-tiered
Enterprise IT architecture?
ITS Response:
¨ Banner ERP: Oracle Database Clustering RAC has
been successfully implemented, along with
redundant load balancers (F5) for the application
tier
¨ New Firewalls are Redundant (Active-Active)
¨ Virtualization Accomplished via High Availability
Architecture
¨ All New Initiatives Following Zachman Architectural
Framework (Staff Training Included)

14. COMPLETED: Architecture SGHE Unified
Digital Campus (UDC - Production)

15. COMPLETED: Architecture SGHE
Unified Digital Campus (UDC - Test)

16. Zachman Architectural Framework

17. Delays In: Engineering an IT Security architecture accommodating
the re- engineered architecture mentioned above (Firewalls, DMZ,
DNS, DHCP, Active Directory, WSUS, etc.)?
ITS Response:
¨ New Firewalls (Active-Active) Established Allowing Full Network
Segmentation (DMZ + LAN Segmentation)
¨ DNS Migrated From Single Point of Failure on Non-Standard IBM
SuSE Linux to Fully Redundant Standard RHEL Servers
¨ DHCP Consolidation Underway
¨ New Active Directory Established Following MS Best Practices
(College of Business Migration to New Domain Architecture
Underway)
¨ WSUS Server Established.
¨ Microsoft Premier Support Contract Established.

18. Re-Designed Network Segmentation

19. Delays In: Establishing a security policy and
functioning security program?
ITS Response:
¨ ITS Participation in Bi-Weekly President’s Security
Meeting to Brief Campus Leadership on Current Security
Issues
¨ Organizing IT Security Analysts into Best Practices-Driven
Security Operations Center (SOC)
¨ Staff currently updating security policy based on SANS
Institute Guidelines and verifying compliance with TAC 202
¨ End User Licensing Agreement for Wireless Networking
¨ Revised AUP under development

20. Delays In: Updating system documentation
including policy/procedure
ITS Response:
¨ Need Further Clarification, As Systems
Documentation Exists on ITS Departmental Fileshares
¨ Numerous Procedures Exist for Various IT Processes.
Need Further Clarification as to Deficiencies.

21. Change Management Process

22. Delays In: Re-designing comprehensive
Disaster Recovery IT procedures
ITS Response:
¨ Disaster Recovery Plans are Interative in Nature, Requiring Constant
Refining as They are Exercised
¨ Disaster Recovery Plan Coordinator Appointed (John Genuardi)
¨ DRP Coordinator Currently Documenting Procedures in Anticipation
of Next Hurricane Season
¨ Duplicate of Critical Systems (Servers, Networking and Firewalls) in
Place in San Marcos Data Center to Support ERP and Reporting
Environment
¨ ITS to Present Proposal for Automation of Systems Replication in
Early April 2009 (Significant Cost Item: Approximately $500,000)

23. Delays In: Designing comprehensive
Business Continuity (non-IT) procedures
ITS Response:
¨ Beyond Scope of ITS

24. Delays In: TAC 202 compliance
ITS Response:
¨ Need Further Clarification. TAC 202 is Large.

25. Delays In: Resolving staffing concerns
and competencies
ITS Response:
¨ ITS is Realigning Resources to Address Staff
Competency Issues, Though Additional Clarity on
Auditor’s Concerns Could Be Helpful
¨ Additional Resources From SGHE Retained to
Augment Critical Areas With Major Deficiencies,
Espcially in Banner Area

26. Next Steps in Enterprise Applications
(Organizational Changes)

27. Power consumption not being monitored to assist in
critical mass bottleneck decision-making processes
ITS Response:
¨ In the Process of Collecting Bids for Complete Data
Center Re-Engineering Project (Significant Expenditure
Anticipated: $500,000)
¨ End-to-End Power Generation and Provision System
Tested on a Quarterly Basis
¨ Fail-Over Simulation During Winter Break: Yielded
Confirmation of Successful Outcome
¨ Substantial Decrease in Load on Data Center Power As
a Result of Current Deprecation, Virtualization, and Off
Site Hosting Efforts

28. Self-identified (QAT) and reported concerns that:
Network bandwidth may not be sufficient to support
Banner resource requirements
ITS Response:
¨ LEARN Connectivity Project (Network, Firewalls and
Packet Shapers) Addresses Connectivity Issues

29. Self-identified (QAT) and reported concerns that: Data
base capacity may not be sufficient for student
conversion
ITS Response:
¨ Student Conversion Underway With No Data Base
Capacity Issues
¨ Additional Capacity to Be Added to SAN to
Address Future Growth – to Include HEH Programs
and Centralized Enterprise-wide Scanning via
Banner XTender (Moderate Cost Item: $200,000)

30. Self-identified (QAT) and reported concerns that: Engineered
reporting infrastructure does not meet LU’s needs
ITS Response:
¨ SGHE working with LU to Implement Operational
Data Store (ODS) in 2009.

31. Necessity to allow and rely on non-centralized
custodianship and administration of distributed satellite
data centers and servers across campus
ITS Response:
¨ Three racks have been removed and a fourth is in the process
of removal.
¨ Further consolidation of data centers is now subject to political
and not a physical constraints.
¨ Progress to date includes work with College of Business in
which critical systems have been relocated to the Data Center
(only systems remaining in CoB are there for performance
reasons – need for physical proximity)

32. Unsecured satellite network closet
doubling as general storage room
ITS Response:
¨ Need further clarification as to location of this
network closet
¨ Continued Risk: Some Data Closets are outside
the control of ITS, and administered by various
Information Technology Specialists (unclear as to
the scope of their functions)

33. Risk Symptoms Raising Security Concerns
“Current operational transition activities and lack of
unified approach will continue to prevent Lamar
University from addressing long-standing and immediate
security concerns as evidenced by the following risk
symptoms”

34. Disrupted, dismantled, or otherwise inadequate internal
control framework (which must be addressed before
any outsourcing strategy can be successful)
ITS Response:
¨ Initial Change Management Procedures in Place for the First
Time in IT Services
¨ Estabished Regular Maintenance Window
¨ Established Enterprise Maintenance Calendar, Coordinated
With Academic and Administrative Calendars
¨ Established Enterprise Service Desk
¨ Beginning to Adopt ITIL Model
¨ Security Staff Has Been Introduced to COBIT
¨ ITS to Recommend New Service Desk Software ($35K)

35. Unreliability and instability of “My.Lamar” portal, in addition to
significant modifications (known and unknown) regarding
security and access authentication processes
ITS Response:
¨ Moving to Hosted Solution for Portal
¨ LDAP Implementation in 2009 to Address
Authentication

36. No standardized change control
process or methodology
ITS Response:
¨ Initial Change Management Procedures in Place for the
First Time in IT Services
¨ Estabished Regular Maintenance Window
¨ Established Enterprise Maintenance Calendar,
Coordinated With Academic and Administrative
Calendars
¨ Established Enterprise Service Desk
¨ Beginning to Adopt ITIL Model
¨ ITS to Recommend New Service Desk Software

37. No security policy or established
security program
ITS Response:
¨ Inaccurate, as there is a fledgling IT security
program anchored in the President’s Bi-Weekly
Security Meeting

38. No security awareness training for
campus constituents
ITS Response:
¨ Further Clarification Needed

39. Lack of standardized computer “image” and
specifications for desktop/server purchases and
deployments
ITS Response:
¨ Currently Being Address Through Vendor Premier
Desktop Program
¨ Computer Lifecycle to Be Determined by Executive
Leadership
¨ Exploring “Thin Client” Technology (Citrix?)

40. ITS Believes TSUS IT Auditor’s Calls for the
Following Violate Academic Freedom
¨ “Approved Software” Policy
¨ “Audit” of software residing on users’ computers
¨ “Audit” of administrative privileges on users’
computers
¨ “File-Sharing” Software Policy

41. Lack of “approved software” policy
ITS Response:
¨ Considerations of Academic Freedom Prohibit This

42. Inability to “audit” software residing
on users’ computers
ITS Response:
¨ Considerations of Academic Freedom Prohibit This

43. Inability to “audit” administrative
privileges on users’ computers
ITS Response:
¨ Considerations of Academic Freedom Prohibit This

44. Lack of “file-sharing” software policy
ITS Response:
¨ Considerations of Academic Freedom Prohibit This

45. Recent EDI server compromise during
Admissions implementation
ITS Response:
¨ IT Services for this functional area have been moved
to a secure hosted solution
¨ Existing staff member transitioning to role more
appropriate to IT skill level

46. The lack of itemized detailed costs related to the Banner implementation
Excerpt from QAT report submitted to state as of August 31, 2008
Project Item Report to Date
Initial $4,105,900.00
Estimated Project Cost
Last Reported $4,105,900.00
Estimated Project Cost
Current $4,805,900.00
Estimated Project Cost Notes: Includes all funding sources
Includes optional consulting fees to be used as needed
Explanation of Variance • Contract for additional SunGard resources: Student Lead and remote
between Last Reported and programming support
Current Project Cost
• Creation of Business Analyst Positions
Cost Expenditures to Date $1,394,186.00
(Fiscal Year) (Project-To-Date: $2,840,361.00)
Description of Expenditures will be posted to the SunGard Banner Finance system used by Lamar
Cost Tracking Mechanism University. These expenditures will be extracted and monitored using MS Excel.
Expenditures will be verified against vendor invoices and project estimates.

47. Expenditures, Encumbrances, and Budget
Adjustments (Since August 2008)
¨ Expenditures Sept1, 2008 – Mar 17, 2009: $1,277,578.30
¨ Outstanding Encumbrances: $ 374,797.04
¨ Budget Adjustments after September 1, 2008:
¤ BossCars Software $ 92,074.00
(included in ots enc)
¤ Oracle License True-Up (increase in headcount) $ 188,551.00
(included in expend.)

48. Incomplete or inadequate Disaster Recovery (IT) and
Business Continuity (non-IT) documentation and processes
during/after the transition period
ITS Response:
¨ Staff members responsible for this item no longer
work for University
¨ New staff member has this as Priority Issue
¨ ITS addressing disaster recovery for computing
services within context of university business
continuity planning

49. Risk to University Reputation
“In the event of another security breach or incident, the
risk of public criticism and potential liability for Lamar
University will significantly increase because there is a
4-year public record of identified, documented, and
unresolved consultant and audit findings to date:”

50. IT Response: Bottom Line Up Front
18 Months of Consistent Progress
Bottom Line: We Are Implementing Best Practices for
Infrastructure and Security. These Practices Include, But Are
Not Limited to:
¨ Standardized, Redundant and High Availibilty Systems
¨ Multi-Tiered Security Architecture
¨ New Firewalls – Dorms, Datacenter, Perimeter (Allowing Network
Segmentation and Demilitarized Zone)
¨ Antivirus – Clients and Servers (Identifying Unprotected Systems)
¨ Data Center Improvements Within Fiscal Limitations
¨ Integrated End-To-End Power System Fail-Over Testing
¨ Virtualizing Operating Environments
¨ Adoption of Software as a Service (SaaS) Model Where
Appropriate To Improve Service and Reduce Risk

51. Audit Documents Referenced
(Welcoming a New CIO: July 2005 – September 2007)
¨ Information Technology Consultant’s Report (July
2005)
¨ Report to Management on Review of Information
Technology – Lamar University (August 2007)
¨ Network Security Controlled Penetration Test Report
(August 2007)
¨ Internal Correspondence: Office of the Director of
Network Services and IT Strategic Planning; subject:
Findings from DIR Penetration Test (September
2007)

52. Audit Documents Referenced
(ITS Transformations: April – November 2008)
¨ TSUS Management Advisory Letter dated April 14,
2008
¨ TSUS Management Advisory Letter dated July 18,
2008
¨ The July 2008 letter to Lamar State College-Port Arthur
outlining a breach of Lamar University’s system
¨ Report to Management on Audit of Research Time and
Effort Reporting – Lamar University (August 2008)
¨ Texas Project Delivery Framework Monitoring Report
[LEAP System Upgrade for ERP] (November 17, 2008)

53. Audit Documents Referenced
(Today’s Challenge: Banner Student Jeopardy 2009)
¨ Email dated January 12, 2009 citing the failure to
process Fall 2009 admissions applications in Banner
and 10 MONTH DELAY in implementation
¨ SunGard Higher Education Draft Executive
Summary: Lamar University – Programming Team
and Banner Technical Support Assessment (January
21, 2009)