University of Cambridge Information Services Committee There will

University of Cambridge

Information Services Committee

There will be a meeting of the Information Services Committee at 2.15pm on Thursday 30 April 2015 in the Syndicate Room, The Old Schools.

Coffee will be available at 2.00pm.

AGENDA

Starred items: agenda items starred as straightforward will not be discussed unless the item is unstarred by a member. Requests to unstar an item should be received by the Chairman or Secretary by 9.00am on the day of the meeting. Declaration of Interests - Members are asked to declare any conflicts of interest relating to matters on the agenda.

Papers 1. Minutes

The minutes of the meeting held on 5 March 2015 are circulated. ISC 58

2. Matters arising not dealt with elsewhere on the agenda

3. Chairman’s report

The Chairman will report on any matters of interest.

4. Sub-Committees

(1) A provisional timetable of sub-committee meetings is attached.

(2) The Committee asked to receive minutes of sub-committees and is invited to receive the latest available as follows:

A. IT Purchasing Group (26 January 2015) B. Business Systems Committee (20 February 2015) C. HR Systems Committee (11 February 2015) D. Student Information System Committee (13 March 2015) E. Financial Systems Committee (3 March 2015) F. Teaching and Learning Services Steering Group (29 January 2015) G. Joint Network Management Committee (8 January 2015)

(3) Members of sub-committees are invited to report on the business of their committee.

(4) On the recommendation of the IT Purchasing Group the Committee is asked to (a) approve revised terms of reference set out in the attached paper and (b) to appoint Ian Cooper (UIS) in succession to Richard Mee as Chairman.

The Committee will note (with reference to M 78 of the last meeting) that the IT Purchasing Group has a wider remit than just IT, and although a sub-committee of the ISC has a dotted line to the Purchasing Working Group by which it is often referred to as the IT Commodity Group.

(5) The Committee is asked to approve the terms of reference of the HPCS Strategy Committee, which the Research Policy Committee approved at their meeting on 23 April 2015.

(6) The Committee is asked to approve revised constitution and terms of reference for the Joint Network Management Committee.

ISC 59

ISC 60

ISC 61

ISC 62

ISC 63

-2-

5. UIS update report

The attached paper is circulated for information and summarises progress with implementing the new UIS organisation and developing the IS strategy since the March ISC meeting. It covers:

• progress on the UIS organisational development and plans for March and April;

• updates across the strategic projects previously discussed at ISC; • an update on the progress of a pilot project to investigate research computing

from the West Cambridge Data Centre (Annex A) • an update on the progress of the pilot of a service catalogue with the School

of Arts and Humanities (Annex B)

ISC 64

6. Information security management

The Committee at the last meeting (M75) discussed a paper (ISC 50) outlining the development of a strategic Information Management and Security pathway and asked that a revised paper be brought back to this meeting.

A revised paper is circulated. The ISC is asked to note the proposed approach, which will be subject to review at the Information Security Management Steering Group (constituted as set out in Appendix III) prior to endorsement.

ISC 65

7. CUDAR: Fundraising System

The paper is commercially sensitive and circulated to members only.

The actions the ISC are invited to approve are set out in the Executive Summary on page 2.

ISC 66

8. Storage Strategy

The attached paper outlines activity UIS has undertaken to understand the storage services required by end users across the University and describes a series of pilot services that UIS will run to inform the development of a coherent architecture.

The Committee is invited to endorse UIS’ approach of developing and operating an initial set of pilot services to inform the development of a coherent architecture, defining a storage strategy and the use of the TDF to fund the initial costs.

ISC 67

9. Recommendation for the MS Enterprise Enrolment Services licence

The attached paper sets out the case for purchasing a University wide Microsoft Enterprise Enrolment Services agreement (commonly referred to as “Microsoft Campus Agreement”).

The ISC is asked to approve:

• The procurement of a Microsoft EES agreement on behalf of the University. • A strategic initiative to develop a University wide Active Directory. • Release of Office 365 ProPlus productivity software for all staff and students.

The Committee is also asked to provide a steer for the proposals for potential services outlined in section 4.3.

ISC 68

10. IT Governance: minimum standards of IT Provision and Integration

The Committee at their last meeting (M76) made a number of comments on proposals for minimum standards in ISC51 and asked for a revised paper at this meeting. A revised paper is circulated.

ISC 69

-3-

11. Incident reports, lessons learned and remedial activity

The attached paper provides a progress report on the provision of a resilient network connection, lessons learned as a result of an earlier incident at the Central Network Hub (reported at the last meeting in paper ISC52) and reports on two significant incidents that have recently occurred:

• • West Cambridge (Soulsby) power issue – 23 February 2015 • • Old Schools power outage – 24 February 2015

The Committee is asked to:

• note the progress of the provision to the University of a resilient network connection;

• note the lessons learned from the incident at the Central Network Hub and to support the UIS recommendations on addressing future risks to the network by major works;

• note the incident at the Soulsby data centre for 23 February, the success of remedial activity to date and future planned work to address the operation of air handler units;

• note the incident at the Old Schools on 24 February, remedial activity taken and proposed procurement to address identified single points of failure.

ISC 70

12. Information Services Governance - update

A note of progress on governance issues is circulated. See also item 4 above. ISC 71

13. UIS dashboard.

The updated UIS dashboard is circulated. ISC 72

14. Forward look.

The Committee has agreed that each meeting should concentrate on a key strategic theme. Members are invited to suggest themes.

25 June 2015

Pre-meeting with UIS staff over a buffet lunch at the RNB

2015-16

Meeting 1

A final-project report from the UIS Service portfolio and catalogue pilot seeking endorsement of the next steps (anticipated to include rolling out the model to other schools and institutions)

15. Meeting dates 2015-16

Members are asked to note the following dates for meetings in 2015-16:

All meetings will be at 2.15pm in the Syndicate Room, with coffee available at 2.00pm.

16. Any other business.

Routine and reported (starred) business

17. * Technology Development Fund

. Members are asked to note the projects for which funds have been allocated under the delegated authority of the Director of Information Services.

ISC 73

-4-

18. * Meetings

Meetings have been arranged as follows:

Thursday 25 June 2015 (In the Roger Needham Building – please note change of venue) preceded by a buffet lunch at 1.00 pm ………………………….

At 2.15pm in the Syndicate Room:

1 October 2015 26 November 2015 14 January 2016 3 March 2016 21 April 2016 16 June 2016

Coffee will be available fifteen minutes before each meeting.

………………………………

Information Services Committee contacts:

Martin Bellamy (Director, UIS and Executive Officer to the Committee)

[email protected] 01223 332246

Nick Wilson (Secretary) [email protected] 01223 332250

Planning and Resource Allocation Office, The Old Schools, Trinity Lane, Cambridge, CB2 1TS

April 2015


Information Services Committee

Minutes of the meeting held on Thursday 5 March 2015 in the Syndicate Room, The Old Schools.

Present: Professor Young (in the chair), Ms Allden, Mr Ball, Ms Hoogewerf-McComb, Mrs Jarvis, Dr Nicholls, Dr Padman, Professor Prager and Professor Virgo, with Dr Bellamy and Mr Wilson (Secretary).

Apologies for absence were received from: Professor Daunton, Professor Leslie, Professor Maskell, Dr Dörrzapf, Mr Jones and Mr Watmore

There were no declarations of interest.

69. Minutes

The minutes of the meeting held on 15 January 2015 (ISC 48) were approved.

70. Matters arising

M57: West Cambridge Data Centre The strategy and action plan set out in paper ISC 40 had been approved by the Committee subject to feedback from institutions. The Director reported their strong support and the Committee consequently confirmed the provisional decisions they had reached at the last meeting and approved both the charging model and the action plan.

M59: CUDAR - Fundraising systems project The Committee were informed that the contract was out to tender. Those expected to tender had expressed interest in doing so.

M61: Planning Round questions Detailed consideration of the feedback reported in ISC 44 had been deferred until the new UIS structure was in place.

71. Chairman’s report

The Chairman reported that the Resource Management Committee had matched the funding provided by the School of Biological Sciences and the School of Clinical Medicine (for the joint School bio-medical compute and data platform) with a £564.5k capital grant, the hardware to be housed in the Data Centre.

72. User Needs Committee

Dr Padman reported that she would be following up with UNC members the discussion about its role at the UNC’s first meeting. Was the UNC an oversight group? Or was it a strategic body representing users’ interests? How would user views be gathered and assessed?

User Panels would be set up for the three main client groups: researchers, students and administrators; the UNC would oversee panels’ feedback and alert the ISC if it observed service standards were not being met.

The UNC continues to support prototyping work on a user experience platform, as a potential mechanism to improve access to a wide range of services for occasional users.

njw40

Text Box

ISC 58

- 2 -

73. Business Systems Committee

The Registrary reported on the ERP (Enterprise Resource Planning) Refresh Project. The Committee had been briefed about the current market and likely future options, and was now better informed about the issues they and the ISC needed to address. The Committee aimed to produce an interim report before the end of the year.

74. UIS strategy and organisation update report

Paper ISC 49 summarised progress since the January meeting in implementing the new UIS organisation and the development of the IS strategy.

The Director said there had been a strong field of applications for the Deputy Director posts and four good appointments had been made from 1 May in addition to the three internal appointments. The ISC’s new management structure would therefore be in place towards the end of May. He thanked members for their help in the recruitment process; the Committee congratulated him on a successful outcome.

A paper on a “Dropbox” type service would be considered at the next meeting of the ISC. Members were concerned that some Colleges had not yet expressed support for the MS Campus agreement and might not intend to participate. Incomplete coverage could cause problems. The Committee asked that steps be taken to persuade the other Colleges to participate.

The pilot Service Catalogue had been received positively and there had been a further beneficial outcome of closer contact between end users and Service staff.

The Teaching and Learning Service Steering Group had been discussing the transition to Moodle and identifying the CamTools services that might not be such a good fit.

Action: Director

75. Information security management

The ISC at its meeting on 9 October 2014 (M30) had agreed to invest in an Information Management function. Paper ISC 50 outlined the future development of a strategic Information Management and Security pathway.

The Director reminded the Committee that threats were increasing and were well resourced; there were lessons to be learned from others’ experiences and a recognised model to follow. There were a number of stages which would take time to work through.

In discussion, it was noted that the aim was information security management, not information management. The Committee agreed the way security was managed should not lead to risk aversion but should be proportionate to the risk and with as light a touch as possible; sharing information should not be made more difficult than it need be. There was a balance between security and usability; the aim should be a framework to guide operations, with devolved responsibility, not regulation.

The Committee noted the post of Registrary was another which could have the Senior Information Risk Owner (SIRO) role, but after discussion agreed with the proposal that it should be undertaken by the Director of UIS and that the Registrary be asked to Chair the Steering Group. The Steering Group should also include the Data Protection Officer and internal audit would continue to focus on information security.

The Steering Group would recommend strategy, not approve it.

The Committee otherwise endorsed the approach and the governance arrangements but asked that that paper be amended, in the light of the discussion, and the revised paper be brought to the next meeting.

- 3 -

76. IT Governance: minimum standards of IT provision and integration

Clause 5(h) of the Committee’s Terms of Reference included the duty “to set, consulting the Councils of the Schools, Colleges and other institutions as necessary, minimum standards of service to be provided. Paper ISC 51 set out some of the issues and possible solutions through existing or extended governance structures.

Communities would be fostered of those engaged in similar areas. The catalogue would provide users with a range of services building on core University wide services of guaranteed standard, local services for locally determined needs, and community services at users’ risk – on an “App store” model. The last could be services used by a few, but which could be of wider interest. Widely taken up services could change category.

An additional principle should deal with the gateway to the catalogue and how planning for catalogue services should be conducted with users.

The UNC’s role was consultative and advisory, not executive. It would monitor standards, not set them and it was not the role of the UNC to approve catalogue additions.

The Committee would receive a revised paper at a later meeting.

Action: Director

77. Central network hub incident – 30 January 2015

The Director described in more detail the incident (reported in paper ISC 52)in the Central Network Hub on 30 January 2015, its consequences and the steps to avoid a recurrence during the building work. The incident had been a very near miss which nearly severed the JANET connection to the eastern region. The Director paid credit to the swift response and expert support that had maintained service and minimised damage.

Members noted the investment by UIS of up to £80,000 to provide a second (but lower capacity) backup JANET connection from the West Cambridge Data Centre.

78. Information Services Governance – update

A note of progress on governance issues was circulated as ISC 53. Following review by each committee, revised constitutions and terms of reference were attached for the IT Purchasing Group, the High Performance Computing Service Strategy Group and (subject to its chair’s approval of the proposals) the Joint Network Management Committee .

Members raised a number of questions.

It was not clear how the IT Purchasing Group related to the central purchasing group and whether it was the same or a different body to the IT Commodity Group.

The HPCS Committee seemed to be a rewrite of the user committee and included no representation from the Schools of Clinical Medicine and Biological Sciences. Its relationship with the Research Services IT Committee and reporting lines to the PRC and RPC were unclear.

The ISC should appoint the Chairman of the JNMC, after considering the JNMC’s advice.

The Committee asked to receive revised proposals at its next meeting.

Action: Director

- 4 -

79. UIS dashboard.

The Director reported on the dashboard items not indicating green in ISC 54.

Although scheduling has not been part of the original brief for a room booking system and for the consultant’s study, it might now be a desirable option and the Project Board would be invited to consider it. The project was critical to developments that involved reorganisation of teaching space and the Committee hoped it could complete its work in good time.

80. Forward look.

The Committee had agreed that each meeting should concentrate on a key strategic theme. .

30 April 2015

Data Centre strategy – update on pilot of using the West Cambridge Data Centre to deliver research computing services to the Addenbrookes SiteMS

Campus agreement paper seeking endorsement to proceed with purchase

CUDAR Fundraising Systems project – business case for release of project funding.

Storage strategy.

25 June 2015

2015-16

Meeting 1

A final-project report from the UIS Service portfolio and catalogue pilot seeking endorsement of the next steps (anticipated to include rolling out the model to other schools and institutions)

81. Technology Development Fund

Paper ISC 55 reported funding approved from the TDF under the delegated authority of the Director of Information Services.

Members noted the projects for which funds had been allocated.

82. Minutes of other bodies

Business Systems Committee (7 January 2014; ISC 56). http://www.admin.cam.ac.uk/committee/is/systemscommittees/index.html

Joint Network Management Committee (30 October 2014): http://www.admin.cam.ac.uk/cam-only/committee/jnmc/minutes/

Financial Systems Committee (19 September 2014): http://ufs.admin.cam.ac.uk/keycont/FSC/ .

HR Systems Committee (3 March 2014): http://www.admin.cam.ac.uk/cam-only/committee/hr/system/ .

Student Information Systems Committee (6 November 2014): http://www.camsis.cam.ac.uk/cam-only/boards_groups_and_sigs/sisc/ .

Teaching and Learning Services Steering Group (31 October 2015; ISC 57). http://www.admin.cam.ac.uk/offices/education/enhancement/tlssg.html

The Committee asked that in future the minutes of sub-committees be circulated and reports of their meetings be substantive items on the agenda.

Action: Secretary

- 5 -

83. Meetings

Meetings had been arranged as follows:

At 2.15pm in the Syndicate Room:

Thursday 30 April 2015 Thursday 25 June 2015

Coffee would be available fifteen minutes before each meeting.

84. Meeting dates 2015-16

The Committee agreed to meet on the following dates in 2015-16:

1 October 2015 26 November 2015 14 January 2016 3 March 2016 21 April 2016 16 June 2016

All meetings at 2.15pm in the Syndicate Room1, with coffee available at 2.00pm.

………………………………

Information Services Committee contacts:

Martin Bellamy (Director, UIS and Executive Officer to the Committee)

[email protected] 01223 332246

Nick Wilson (Secretary) [email protected] 01223 332250

Planning and Resource Allocation Office, The Old Schools, Trinity Lane, Cambridge, CB2 1TS

March 2015

1 Post-meeting note: meetings in 2015-16 may be moved to a different committee room in the Old

Schools which is currently being refurbished and will enable video conferencing.

- 6 -

ISC meeting date Papers to be received by: Minutes of meetings held on:JNMC ITPG TLSSG BSC FSC HRSC SISC

2014-1530 April 2015 21 April 2015 08 January 2015 10 April 2015 11 February 2015 13 March 201525 June 2015 16 June 2015 23 April 2015 April/May 29 May 2015 05 June 2015 01 June 2015 08 June 2015

2015-1601 October 2015 22 September 2015 10 June 2015 ? August 201526 November 2015 17 November 2015 15 October 2015 Sept/Oct 16 September 2015 ? October 2016 ? November 201514 January 2016 05 January 201603 March 2016 23 February 2016 14 January 2015 Jan/Feb ? February 201621 April 2016 12 April 2016 ? March 201616 June 2016 07 June 2016 21 April 2016 April/May

Sub-Committees JNMC Joint Network Management Committee http://www.admin.cam.ac.uk/committee/jnmc/ITPG IT Purchasing Group http://www.admin.cam.ac.uk/offices/purchasing/groups/it/index.shtml

Joint with the Education C'tee TLSSG Teaching and Learning Services Steering Group http://www.admin.cam.ac.uk/offices/education/enhancement/tlssg.htmlSystem Committees BSC Business Systems Committee

FSC Financial Systems Committee http://ufs.admin.cam.ac.uk/keycont/FSC/HRSC HR Systems Committee http://www.admin.cam.ac.uk/cam-only/committee/hr/system/SISC Student Information Systems Committee http://www.camsis.cam.ac.uk/cam-only/boards_groups_and_sigs/sisc/

njw40

Text Box

ISC 59

njw40

Text Box

ISC 59

1 of 5

IT Purchasing Group

Unconfirmed minutes of 48th meeting held at 2.15pm on Monday, 26th January 2015

The Council Room, Old Schools

Present: Richard Mee (University Information Services, Chairman), Tom Twitchett (Procurement Services, Secretary), Craig Peacock (Economics), Brian Simpson (UIS), Mike Rose (Maths), Jonathan Wilson (CIMR), Jason Randall (Clare), Jay Pema (Education), Stephen Mounsey (Engineering), Erik Timmers (Biochemistry), Jennifer Allan (CSITS),Tim Dickens (Chemistry), Graham Titmus (Computer Lab), Julian King (UIS), and Jessica O’Brien (Procurement Services, Administrator).

1. Introduction and Apologies RM welcomed Jessica O’Brien (Procurement Services) and Jennifer Allan (CSITS) to the meeting. Apologies were received from Jon Holgate (UIS), Martin Keen (CSITS), Richard Bartlett (CSITS), Michelle Finnegan (UIS), Melanie Leggatt (MML), Jen Pollard (English) and Rob Beardwell (Downing College).

2. Administrative Matters A) Membership

RM welcomed Mike Rose (representing Physical Sciences) to his first meeting and Jennifer Allan who was deputising for Richard Bartlett.

RM outlined proposals to amend the membership of the group to better align with the changes that have taken place in UIS and to increase the membership from Non-Schools Institutions (NSI)

B) Remit of the group

RM also presented changes to the remit of the group, mainly updating ISSS to Information Services Committee (ISC).

Proposed changes to the remit and membership were accepted.

3. Review of the Minutes of the 47th Meeting of the ITPG Minutes accepted.

Minutes

njw40

Text Box

ISC 60A

2 of 5

4. Matters arising from 47th Minutes

Action Point 43.1- TT will liaise with the new Head of Information Management in UIS regarding cloud computing guidance. In the meantime, he will produce guidance for undertaking competition using the G-Cloud.

Action Point 43.1- On-going

Action Point 45.7 – TT has had no expressions of interest regarding the usability of the tender documentation.

Action Point 45.7 – Closed Action Point 46.4 – TT still to arrange a Techlink seminar on Procurement.

Action Point 46.4 – Ongoing

Action Point 46.5 – RM provided feedback to the group about Microsoft discussion, which is detailed under agenda item 6. This will be a standing agenda item.

Action Point 46.5- Closed Action Point 47.1 – BS reported that he had spoken to Ginger Keogh in UIS Software Sales and the VMWare Account manager. VMWare have given up on trying to resolve the licensing issues experienced across the University, however if the University can spend £60-70,000 on licensing then it would be worth the University having an Enterprise Agreement, which would resolve a number of licensing issues. BS also met with VMWare users across the University to gather interest in an Enterprise Agreement. A TechLink Seminar has been arranged for 11th February to look at new VMWare technology.

Action Point 47.1 – Ongoing

Action Point 47.2- TT has circulated June, July and August data to the group.

Action Point 47.2- Closed

Action Point 47.3 – TT reported that he followed up guidance on coding. Guidance is given during iProcurement training but there is no other written guidance. He has identified there needs to be education around coding and Procurement Services will conduct this via their communications channels.

Action Point 47.3 –Closed

Action Point 47.4 – RM and TT reviewed Terms of Reference for ITPG.

Action Point 47.4- Closed

3 of 5

5. Commodity Update A) Review of the Desktop Agreement (UCAM 20/14) ITPG 15 (01) TT discussed spend for the first quarter of the new agreement. He noted that spend was relatively minor compared to the previous contract and that currently it is unfair to provide an average price per desktop given only one quarter of spend.

TT informed the group he has had no negative feedback regarding the review of the Desktop Agreement.

TT explained that Dell has asked for a price increase under the NDNA Framework to reflect the changes in the Dollar/Sterling exchange rate. TT noted that while the marketplace NDNA pricing will reflect this, he hopes that the MCS contract price will not change.

GT- asked whether items such as laptops were coded separately from desktops, in order to improve reporting. TT responded that this was not necessarily the case and pointed to the previous discussion on guidance for coding. A new code would make it easier, but it depends on what description is entered. CP- Asked if it is clear what a unit is in terms of the reporting. TT responded that Dell classify a unit as the whole item (base unit, monitor etc.).

B) Review of CUFS expenditure for A and K categories, Yearly and Quarter 1 ITPG 15

(02-05)

TT went through the Commodity Spend Analysis.

TT reported that AV spend is still subject to a number of high value mis-codes, which is affecting reporting. IT spend is steady across both the year and comparable quarter.

T.D- Commented that Apple seems to be getting more popular and wondered what impact this will have. TT responded that the Universities Apple Group National Framework will soon be coming to a close and a new agreement is currently being considered. TT explained that some Universities would prefer to go through resellers as they have better customer service than Apple itself and this would hopefully reduce the number of issues currently being raised about Apple within the University.

Action Point 47.5- TT to circulate a survey regarding whether the group needs to deal with Apple directly.

C) Framework Update

TT discussed the award of the new Audio Visual Framework which begins on 2nd February. He referred to the email he circulated to the group regarding early details of the framework lots and suppliers.

Action Point 47.6- TT to circulate more information regarding the Framework Update once it comes through.

D) EES Update RM reported that he would like to share the presentation given at a recent Schools Engagement meeting on Microsoft’s Enrollment for Education Services (EES, previously Campus Agreement) with the ITPG. Richard Hey is constructing a business case for the University. There is support from the colleges and affiliates are showing strong interest in a University agreement.

4 of 5

RM reported that the next step would be on the 18th of February when the University holds open sessions with Microsoft, colleges and departments at UIS to discuss the potential benefits of EES. The colleges have raised concerns about the costs, so price point will be key. Other questions raised are which product ranges will be included. RM reported that the benefits of the EES Update would be the latest versions of Windows, Office and Office 365. Azure cloud services may also be discounted. He noted that Enterprise benefits would include improved security and could potentially buy into other benefits. University active directory would allow common email and calendaring which would be another positive. But it will come down to cost. RM believes there is a strong and compelling case, but discussions will continue. Timeline: 1) Community Engagement meetings will take place on 18th February. 2) Information Services Committee meeting in April 3) Agreement will be in place by September. E) Credit Cards update T.T reported that the introduction of a procurement card system is being discussed within Finance Division with regards to the upcoming schedule of works to be presented to UIS for completion this calendar year. Procurement Services have asked that the system is high up on the list of works, especially as it is one of the team’s objectives for the reporting year! JP- Asked about the proposed credit card limit. TT- responded that policy will need to be developed before the limit is confirmed. Action Point 47.7- TT to include Credit Cards and a standing agenda item F) AV Sub-group TT explained that Dave Amman from the Judge Business School will be the chair of the sub group. The group will be made up of two representatives per school, to reflect the current ITPG membership. Invites will be extended via the AV Supporters Email List in due course. G) Escalation of Issues TT encouraged everyone to contact Procurement Services and TT regarding any issues or concerns with suppliers that require escalation. He noted that he meets with the top 10 suppliers quarterly and feedback from departments is vital to aid those discussions. If the group has questions please contact TT. H) Software Co-ordination committee update MR reported that the scheme began 2 years ago and has central funds of around £250,000 per year to spend on teaching (including PhD) software. A list of centrally funded software provided through the committee is published on Cam.ac.uk. JK asked whether ISC should be consulted regarding the remit of the group and where it sits with ITPG.

5 of 5

I) First Steps in Procurement course and IT Purchasing Exhibition date. TT reported that the next First Steps in Procurement Course would begin in April and will be run by the Finance Division. The course is more in depth than the online Introduction to Purchasing. Those involved in purchasing on a daily basis are encouraged to attend. The date for the Purchasing Exhibition has been confirmed as April 15 2015. All are encourage to attend. More information will be sent out closer to the time. J) A.O.B JK raised the subject of Red Hat Licensing. He explained that he is trying to get a site licence for Red Hat across the University but will need £50,000-£100,000 to cover the costs. He currently anticipates that there is £30,000 from within UIS and that he is talking to Cambridge University Press and Cambridge Assessment to see whether they are interested. If anyone else would like to contribute, they should contact him directly. K) Date of next meeting Date of next meeting will be in May. Choices will be circulated. The May meeting could be moved to the Roger Needham Building and a tour of the data centre included. RM may add an agenda item for school and college reports, so each representative at the meeting can raise concerns or issues.

Summary of Action Points Section Action Who Deadline Carried Forward from previous meetings: 43.1

TT to produce guidance on the use of Cloud Computing in conjunction with Legal Services

TT On-going

46.4 TT to cover off in a Tech Link TT On-going

47.1 BS to pursue enquiries into VMWare technology

BS On-going

New Action from January 2015 Meeting 47.5 TT to circulate a survey regarding whether the

group needs to deal with Apple directly. TT On-going

47.6 TT to circulate more information regarding the Framework Update once it comes through

TT On-going

47.7 TT to include Credit Cards and a standing agenda item

TT On-going

6 of 5


Business Systems Sub-Committee

The minutes of a meeting of the Business Systems Sub-Committee of the Information Services Committee held at 11am on Friday 20th February 2015 in the Pro-Vice-Chancellors’ meeting room, the Old Schools. Present: Graham Allen [GA] (in the chair)

Chris Edwards [CE] Sheila Gupta [SG] Peter Hedges [PH]

Andrew Reid [AR] Tom Walston [TW] on behalf of Angus Stephen

In attendance: Rebecca Simmons (Secretary) [RKS] BSSC.15.12. Apologies Apologies were received from Jonathan Nicholls [JWN], Ian Leslie [IL], Angus Stephen [AS], Ian Watmore [IW], and Martin Bellamy [MB]. BSSC.15.13. Minutes The minutes of the meeting held on 7 January 2015 were approved (BSSC-01). BSSC.15.14. Matters Arising CE reported that Paul Dampier has set up a pre-meeting to establish an EDM working group. AR confirmed that the Grant Thornton report had been amended. BSSC.15.15. Review of the Performance Report

(i) UIS Dashboard (BSSC-02) The majority of projects are green. There is a new project on the graduate application form which will be the subject of a paper to the SISC. The room booking project is amber; an offer has been made to a programme manager this week. The Moodle roll-out is amber as new deployment methods are being developed. The Occupational Health Upgrade remains Red, pending the identification of staff capacity to support this project. It was agreed to put the project on hold for the moment.

(ii) HR Systems Dashboard (BSSC-03) All projects are green except for the Occupational Health (see above). There will be an upgrade for the web recruitment system. R4 is the last release for the project. The CHRIS system will be upgraded next week to take account of statutory tax changes

(iii) Student Systems Teaching and Learning (BSSC-04)

All student projects are green or blue aside from Moodle (see above).

(iv) Finance Systems (BSSC-05a and -05b) All projects are green. The technical development of the finance system and Winter patching is ongoing.

njw40

Text Box

ISC 60B

(v) Research Administration (BSSC-06) There had been significant progress on many projects and it was anticipated that many would turn from grey to green during the next few weeks. The RO database contracts work is complete.

(vi) Estate Management (BSSC-07) The BIM project is behind schedule because of shortcomings in the documentation. EC Harris will now collaborate with Turner Townsend to complete a new proposal. The Buzzsaw Drawing Management project is now complete.

(vii) Non-UAS Business Systems Report (BSSC-08) See minutes BSSC.15.16, 17 and 18 below.

BSSC.15.16. Update on Library Project Board (BSSC-09)

CE reported. The project is back on schedule, albeit with a very tight timeframe. Initial meetings with potential suppliers are in progress and three companies will be invited to tender. A work plan and key milestones have been established. GA noted that the Project Board will need to present to the PRC in June if they require further funding for the project. CE will report back to the Project Board. BSSC.15.17 Fundraising Project Board (BSSC-10) CE reported. Following further investigations of potential systems, four expressions of interest from Systems suppliers would be sought for the CUDAR Fundraising System. PH noted that one of the CRM systems they are considering in the Research Office might need to link to the CUDAR database. It was agreed that the wider implications of the choice of business system for CUDAR should be discussed with PH and Paul Dampier as the projects progresses. BSSC.15.18 Update on NWCS Accommodation Allocation System from Estate Management TW reported. The discovery phase for this project has ended. It is now clear that in order to capture efficiency savings the existing business processes used to manage the booking of all residential accommodation need to be reviewed. The scope of the project will therefore be extended to all university properties. As a result, EM and Finance will be reviewing the use of Propman used to manage rents to see if this can be retired in favour of WPM, which is the Financial Division’s e-sales application. It is not possible to scale up existing systems and there is not an economic, commercially available solution. The Project Board has received a proposal from Fluent (existing company) which the Project Board is reviewing with assistance from Legal Services. The estimated cost of Stage 1 is £70k to improve processes, tools and provide a CRM. Stage 2 is £110k for the property allocation element. Both stages would be funded by NWC. In terms of risk, due diligence has been conducted, including site visits, and the University will own the software and code produced by Fluent. The fall-back position would be for the UIS to develop a new system, although they do not have capacity at present. CE reported that JWN and MB would like to convene a meeting to consider the governance of the project. Action: RKS to organise a meeting via Alison Heyn.

BSSC.15.19. To consider and make recommendations on terms of reference for the three systems sub-committees Following discussion it was agreed that CE would propose standards for all three TORs (from a technical/governance standpoint) in consultation with the responsible officers i.e. Academic Secretary, Director of Finance, Director of HR for confirmation by the sub-committees and BSSC. Action: CE to standardise the three TORs and bring them to the next BBSC meeting. GA noted that the Committee might want to consider the library and CUDAR project board TORs. CE remarked that there was a template TOR, approved by the ISC, for a project board which needs updating. Action: CE to speak to Nick Wilson about updating the project board TOR. BSSC.15.20 Strategic Systems Renewal Project Update The education workshop run by Gartner on emerging landscapes in ERP systems went well. Gartner concluded that the University should consolidate their core business systems and move to more of a hybrid model where some systems are taken off premises during a longer time-frame e.g. moving some systems into the cloud as appropriate and making effective use of innovative technology. Thanks were recorded to CE for organising the workshop. Action: Append conclusion from the workshop to the minutes of this meeting (RKS) BSSC.15.21 Report on incident in central network hub (BSSC-14) CE confirmed that Janet have agreed to allow the UIS to implement their own piece of equipment in their back-up hub. They have out-sourced the re-direction of the links from central to West Cambridge at their own expense. Insurers have assessed the loss. Replacement equipment has been ordered. BSSC.15.22 Finance report (ex-MISD) There were no comments. BSSC.15.23. Any Other Business There was no other business. BSSC.15.24. Future meeting dates

10 April 2015 5 June 2015

HR SYSTEMS

Page: 1 of 4 Version 1.0 (Published) Copyright © 2014 University of Cambridge Last Modified: 06/06/2014

meeting minutes 11 february 2015.docx

Meeting Minutes

HR Systems Committee Meeting 19

A meeting of this committee was held on 11 February 2015 at 10 a.m. in the Old Schools Meeting Room. Present: The Pro-Vice-Chancellor (Institutional Affairs) (Chairman), Dr Bellingham, Ms Dekkers, Mr Edwards, Mr Evans, Dr Lam, Ms Pollintine, Mr Reid, Ms Stone and Mr Wilson with Mr Virr as Acting Secretary. Ms Botcherby was present. Apologies for Absence: Ms Gupta, Ms Mehrer and Mr Hawkins. 1. Membership Changes

None. 2. Declarations of Interest

None.

3. Minutes

The Committee approved the minutes of the meeting held on 31 October 2014.

4. Matters arising

Electronic Document Management (EDM) Ms Stone reported that a business case for EDM for HR had been produced in draft and work was ongoing. The Registrary had established a UAS EDM group.

5. HR Systems Development Plan

The Committee received an updated version of the HR Systems Development Plan. The Committee noted that:

• The plan had been enhanced to include the first draft of an indication of the relative resource allocation to the ESS, staff review & development and TES projects, together with maintenance activities on the RAS and Web Recruitment systems.

njw40

Text Box

ISC 60C

HR SYSTEMS



• The diagram represented volume of activity, measured by the points allocated by the development team to functional requirements.

• The diagram represented fraction of capacity for development activity; if the size of the team were increased then the total available capacity would also increase.

The Committee also noted that the resource allocation diagram could usefully be applied to other activities. The Committee welcomed the form of presentation of the information, and asked for it to be kept up to date.

6. HR Systems Consultation Group

The Committee received the minutes of the meetings of the HR Systems Consultation Group held on 19 November 2014 and 14 January 2015. Dr Bellingham reported that the Group was working well, and members were making valuable contributions on the matters under discussion. The Committee noted that the Group had:

• Discussed the Staff Review and Development Project, and had concurred with the Committee’s view that an administrative system would be a sensible first step, and that cultural change was at least as important as system development.

• Discussed reporting; a number of institutions (although by no means all) wanted more direct access to reports at the times they need them.

• Considered a pilot survey of group members to guide future HR Systems priorities. Valuable lessons had been learned from the pilot and it would be refined to provide a more rigorous way of canvassing views

7. Web Recruitment Progress Update

The Committee received a paper setting out the current position of the Web Recruitment system. The Committee noted that:

• There had been an increase in institutions using the system (so that there was nearly full coverage)

• Principal development work on release 4 of the system had been completed in January, and it would go live at the end of February. Release 4 would introduce a number of new features, principally in the area of offers of employment.

• As the most complicated release of the system so far, a heavy emphasis was being placed on testing to ensure that as many potential problems as possible were caught before go-live.

HR SYSTEMS



In discussion, the Committee noted that: • The Web Recruitment system had been overwhelmingly positively received

across the University, with members aware of only a small number of relatively minor concerns in particular areas of the University.

• The system meant that the University would be better placed to deal with any increased volume in recruitment activity.

• The development of the Web Recruitment system provided an opportunity to obtain much more management information on recruitment. The focus should be on properly digested information which indicated particular areas at which managers should direct their attention.

8. Staff Review and Development

The Committee recalled that, at their meeting on 31 October 2014, they had noted the benefits of staff review and development (sometimes referred to as appraisal), had authorised the development of the first phase of a system to increase the efficiency of the administration of staff review and development in the University, and had asked Ms Stone to bring up a paper on the approach to cultural change which would be needed to fully embed staff review and development in the University. The Committee received a paper setting out a vision for Staff Review and Development (SRD). In discussion, the Committee noted that:

• Phase 1 of the SRD system should, in time, be part of a much bigger system integrating a number of disparate processes into one. However, linkages with other processes would be some time off, and only take place after hearts and minds had been won.

• Some parts of the University already operated a practice in which staff could not be considered for contribution-related pay progression unless they had undertaken the SRD process within the last year.

• Although SRD was applicable to, and important for, all staff, different approaches might be needed for different staff groups.

• External initiatives such as Athena SWAN were increasingly looking to universities to have fully embedded SRD processes.

• Although there was a perception that SRD was not welcomed by some academic and research staff, there was some evidence that newer UTOs and post docs currently feel that there is a lack of support in this area.

• The current approach to HR training offered to potential PIs might need further consideration.

• The current name of SRD might need to change to better emphasise its benefits to the University and to individuals.

The Committee agreed to endorse the following approach:

• Proceed with the first phase of the SRD system project, as previous agreed. • Develop a detailed communications strategy.

HR SYSTEMS



• In due course, make such revisions to the current SRD policy as appeared necessary.

9. Application Manager’s Report

The Committee received the Application Manager’s regular report. The Committee noted that:

• There was likely to be a delay to the Occupational Health upgrade project, owing to staff absence.

• It was currently expected that an additional upgrade to the CHRIS system would need to be undertaken in spring 2015 to allow for statutory changes introducing shared parental leave.

10. TES Project Update

The Committee received and noted a progress report on the TES System Project. 11. ESS Project Update The Committee received and noted a progress report on the ESS System Project. 12. HR Systems Budget 2013/14 and 2014/15

The Committee received the HR Systems financial statements as at 31 December 2014.

Page 1 of 4

STUDENT INFORMATION SYSTEM COMMITTEE Unconfirmed The Committee met on Friday 13 March 2015, in the Syndicate Room, Old Schools. Present: Chair: Professor Graham Virgo (Pro-Vice Chancellor for Education) Mr Graham Allen (Academic Secretary, Head of Academic Division), Dr Max Beber (Senior Tutor, Sidney Sussex College), Dr Martin Bellamy (Director, UIS), Dr Sue Colwell (Tutor for Graduate Affairs, St John’s College), Dr Malcolm Edwards (Head of Planning and Resource Allocation Office), Mrs F Jane Fisher-Hunt (Administrative Officer, Faculty of Classics), Dr Laurie Friday (Degree Committee Administrator, School of Physical Sciences), Dr James Keeler (Senior Tutor, Selwyn College), Dr Rebecca Lingwood (Director, Institute of Continuing Education), Mr James Matheson (Head of IT Services, Department of Engineering), Dr Kate Maxwell (Head of Student Operations, Academic Division), Mrs Lesley Thompson (Bursar, Lucy Cavendish College) In attendance: Mr Andrew Cox (Head of Student Systems, UIS) Secretary: Miss Debbie Salmon (Administrative Officer, Student Systems, UIS) Apologies: Apologies for absence were received from Mr Rob Richardson (Education Officer, Cambridge University Students’ Union), and Mr Jack Wright (Welfare Officer, Cambridge University Students’ Union). No requests had been received to ‘un-star’ a starred item. Mrs Lesley Thompson and Dr Laurie Friday were welcomed as new members of the Committee, appointed by the Colleges’ Standing Committee and the General Board respectively. Dr Max Beber and Dr Sue Colwell were welcomed as continuing members of the Committee, following re-appointment by the Colleges’ Standing Committee. 1. Declaration of Interests None were declared. 2. Minutes The minutes of the meeting held on 6 November 2014 were approved. 3. Matters Arising (SISC/089/15) Student System Security Model As the functionality within the Student System evolves, roles change. The impact of access is cumulative, for example, a user who has a role in a department and a different role at a college will have cumulative access to the students of both job functions; many users wear ‘different hats’ which allow access to a large number of students.

njw40

Text Box

ISC 60D

Page 2 of 4

Audit records are available to establish which records have been accessed, by whom, and when changes have been made; the data held within the audit records can be shared with the Student Registry, as the business owner of the data, to monitor any spike in access or unusual patterns of behaviour to a particular student’s record. There have been no known incidents around data access since the inception of CamSIS, however system security will always be subject to review at any time. It was suggested that the tick box statement to abide by the terms and conditions of access could pop up as a reminder at every login, although this could become irritating to the user and a satisfactory alternative to this would be implemented. 4. Additional Benefits for Users in 2015 (SISC/090/15) There would be several developments during 2015 resulting in significant usability improvements for students, academics, and administrative staff; the Committee were asked to promote the new benefits wherever they have the opportunity to do so. 5. Student System Development Report (SISC/091/15) Development projects released on 4 December 2014, in February 2015, and to be released on 24 March 2015 were summarised. The new User Interface for Academics was made available to the pilot group on 4 December, and then rolled out to all remaining users in early February. There had been no helpdesk calls raised to date, although usage would be low during Lent Term, and feedback could be expected by the end of Easter Term following examination result activity. As part of the same project, Student Advisor Maintenance was released on 4 December with positive feedback from college offices. All development projects scheduled for release on 24 March were on target to go live as expected; an exception to this is the release of recommended improvements and system changes to the University Transcript, due to a dependency on Digitary to upgrade their system, and licensing issues. Three additional development projects would be released on 24 March, including usability enhancements to the Masters Student Self-Assessment form, an early delivery of HESA statutory changes for 2014-15, and enhancements to the graduate application functionality for 2015 entry; these projects could be achieved because of the strict technical development process that is in place, which enabled resource to focus on additional projects within the quarter. The project to enhance the interface for departmental users would remain on hold, to continue the next phase of the Cambridge Graduate Supervision Reporting System (CGSRS), and it was recommended that it remained on hold due to the impending system upgrade. The Management Information team have found the new analytic software from Oracle to be invaluable, and it was used for producing new reports for Cambridge University Development and Alumni Relations (CUDAR), a separate project which had diverted the team from their scheduled work with the Graduate Lifecycle. The work with CUDAR had proven the concept that data can be taken from other systems and reported across different platforms, a positive benefit for future reporting between the HR and Finance systems; the production of the reports had overrun, but was now complete. The Committee understood the secondary benefits to the team, but considered that it was unsatisfactory that the request from CUDAR had not followed the prioritisation process, and it should have been submitted to the Committee alongside other requests for resource.

Page 3 of 4

The CUDAR request was reported to the Reporting Working Group at its meeting on 1 December 2014, but there was no knowledge of it until that date, and then it was anticipated to have a low impact on resource and take just two weeks. Dr Bellamy defended the route that CUDAR had taken, with a request to UIS rather than to Student Systems, although the Management Information team were the only resource in UIS who were able to produce the reports. The request had started as a small piece of work, but the lesson learnt from the experience is that there needs to be a cap on projects to be completed within a specified timeframe. The outcome was not intended; there was not an appropriate check within UIS, and the control of UIS projects would be improved. 6. Development Planning (SISC/092a/15) The programme of work under each of the themes would continue into the second quarter of 2015: i) Student Operations; ii) HESA; iii) Student Information System Platform, and iv) Management Information. The User Interface programme would be integrated into the Student Information System Platform upgrade programme. Continuing projects within the Student Operations programme would include delivery of enhancements to the University Transcript in July, and the development phase of improvements to the Cambridge Graduate Supervision Reporting System. The next phase of the Graduate Admissions Process Project is to agree the solution and commence development of a new web based online application form and process outside of PeopleSoft, linked to and branded as the Student System. The new technology would allow increased flexibility with the form and process and will, in time, benefit all admissions processes. Two Java developers would be recruited, causing the development fund budget to be maximised in the current financial year, and to be overspent by approximately £43k in 2015-16. A request would be made to fund the Java development from alternative options. The forthcoming, and as yet unknown, challenges affecting undergraduate admissions were noted; a number of change requests had been submitted by the Cambridge Admissions Office, and they were keen to be involved with the new admissions processes and functionality. Three of the change requests had been prioritised and would be developed for release in July 2015. Six of the change requests had been placed on hold as they would provide only a short term fix pending the upgrade of the System, or were not possible to develop with the current technology. The Committee strongly affirmed its approval to continue the development of new admissions functionality for graduate admissions as a high priority. A substantial level of resource had been invested in the two years of work already completed, and there was strong support internally, from the Cambridge Trusts, and to the external reputation of the University. A Project Board was in the process of being established; it would be chaired by Professor Virgo and report to the SISC. Dr Keeler expressed disappointment that, especially in respect of CUDAR having secured resource, that the importance of undergraduate admissions requirements was not being treated appropriately, and he encouraged the Committee carefully to consider the significance and strategic importance of the undergraduate admissions process, bearing in mind that some change requests were years old, but he also understood that the impending upgrade dictated the viability of any new developments. The Student Systems team were in discussion with Miss Reed, Cambridge Admissions Office, who had possible scenarios for the 2016-17 admissions round, and they were in the process of producing a business case in respect of the removal of UMS scores; forthcoming changes to A Levels were subject to Government policy and unknown.

Page 4 of 4

Mission critical developments would still be possible during the period of the upgrade, but workaround solutions were likely for practical reasons. As new functionality becomes available during the upgrade, the Student Systems team would be engaging with each business area to discuss needs, and to configure and test the system. The Committee were clear that, as part of the upgrade programme, the undergraduate admissions process should be given priority as soon as that functionality becomes available. Dr Keeler would report the Committee’s decision to the Undergraduate Admissions Special Interest Group. A change request submitted by CUDAR was rejected. In addition to there being insufficient resource to complete the project, it was anticipated that any development would require considerable testing of Student Self Service, and there were other issues to consider such as the disruption of address types in the System. Although CUDAR could explore the possibility of funding contract resource, the Student Systems team would still be impacted. The proposed projects within the HESA Programme and the Student Information System Platform Programme would continue. The upgrade of the System would have an impact on the work of the Management Information team, and the lifespan of any reports produced would be limited. Discussions within the Reporting Working Group were ongoing, with Mr Jon Beard exploring the availability of his team for the next phase; subject to the outcome of this and due to the timing of the upgrade, it was recommended that the ring-fenced resource be reduced from four to two so that they could be reallocated to the upgrade programme. 7. Student System Upgrade to Oracle PeopleSoft version 9.2 (SISC/093/15) The Committee were content with the technical terminologies within the progress report, and with the detail provided. It is expected that, following the release of the new version in the autumn of 2015, a demonstration of the fundamental changes would be provided at a later meeting. It was assumed that a simplified Student Loan Company configuration to one business unit would not be appropriate due to a significant change required by the colleges. 8. Any Other Business There was no other business. Date of Next Meeting The Easter Term meeting of the SISC will take place at 2pm on Monday 8 June 2015, in the Council Room.

Page 1 of 4


Minutes of the 62nd meeting of the Financial System Committee (FSC) 2.00pm, Tuesday 3rd March 2015

Room GS15, William Gates Building

Present: Paul Dampier, UAS (Acting Chair); Andrew Reid, Finance Division; Peter Hedges, Research Office; Chris Edwards, University Information Services; Dr Howard Jones, School of the Physical Sciences; Claire Cahill, Arts and Humanities; In attendance: Adam Durrant, School of Biological Sciences; Jo Hall, Finance Division; Chris Patten, Finance Division. 1. Apologies for absence Apologies were received from: Professor Ian Leslie (Chair); Laura Cousens, School of Humanities and Social Sciences; Kate Carreno, Non-Schools Institutions; Karl Wilson, School of Biological Sciences; Steve Hutson, Assistant Director of Finance; 2. Minutes of previous meeting The minutes of the 61st FSC meeting held on 10th December 2014 were approved. 3. Matters arising Action point 3.1: The Project Assurance Management response was submitted to the BSSC. The BSSC suggested an amendment to the management responses. Action point 5.1: the Committee’s Annual Report was amended as agreed and circulated with the minutes of the meeting. Action point 5.2: the final version of the Annual Report was submitted to the Finance Committee and the Business Systems Sub-Committee. The Finance Committee noted that the report was suitably comprehensive and informative Action point 8.1: Chris Edwards to send Jo Hall the ToR for the ERP Systems Strategy. Completed. Action point 8.2: Jo Hall to circulate ERP System Strategy ToR with the minutes of the meeting. Completed. Action point 8.3: Jo Hall to add “UIS Update” to the agenda as a standing item. Completed. PRINCIPAL BUSINESS 4. ERP Systems Strategy Update Chris Edwards provided a summary of progress to date for the ERP Refresh Strategy Review:

• ERP stands for “Enterprise Resource Planning” systems: CHRIS, CAMSiS and CUFS • Supplier provision was changing. ISC/BSSC on advice from UIS wishes to produce new

long-term strategy for ERP systems.

njw40

Text Box

ISC 60E

Page 2 of 4

• This resulted in a project expected to last 2 months with the first phase ”Educate” which involves stakeholders’ views about where we are now and what is needed going forward. This involved meetings with UAS directors and Registrary. Professor Ian Leslie is involved

• Result of initial meetings: the University should not try to build everything in one system. Core functionality will be held in the ERP systems but be prepared to build differentiation systems as alternative systems on premise or externally (SaaS or Cloud).

• There are opportunities for doing some things differently whilst delivering a sound finance system that meets current needs.

• The strategy will not lead to discarding CUFS but will look at alternatives to the parts of CUFS outside its core.

• The industry move is a general trend to Cloud and / or SaaS. Gartner state that 10% of organisations are hosted in the cloud now and they expect this to flip to 90% in the future (approx. 10 years).

• Cloud / SaaS - System provided externally – risk managed elsewhere (outsourced). Hosted by provider (SaaS) or via cloud e.g. Amazon cloud.

• The next stage is Discovery: due to be shared in next few weeks with those involved in 1st stage.

Dr. Jones asked about Security which is traditionally a concern with cloud services. Chris Edwards confirmed that it would be up to the University to stipulate and to take back control if necessary. Most credible suppliers have accreditation in place to confirm security of data. Some say data held off site is more secure. Contracts can stipulate terms for security and control. Claire Cahill asked about the restrictions on bespoking under such arrangements. Chris Edwards noted that some providers provide dedicated service which allows some bespoking but there is an associated cost for this. Alternatively we would share servers with others and no bespoking would be allowed and this would be cheaper. Claire Cahill asked how this fitted with the previous system review carried out. Chris Edwards confirmed that an outcome of the previous review was to revisit the strategy following the R12 Upgrade. Paul Dampier confirmed that no decision made and that it was recognised that any move from Oracle would have a significant cost of change and that it would be better to look at focused areas.

Adam Durrant asked about possible changes to the chart of accounts hierarchy. Discussion took place and comments and suggestions should be referred to the Finance Division. 5. FSC Terms of Reference

The BSSC had received ToR from three big systems (CHRIS/CAMSIS/CUFS) and want to harmonise these. The FSC ToR was last revised 6 yrs. ago in part to make it explicit that the FSC was the project board for major finance system projects. The following points were made:

• Acronyms need updating. • Only refers to CUFS. What about Cognos and other outputs / reporting? • Currently “System” committee. Should the FSC be the Finance “Systems” Committee? • There is no mention of user community? Is it just Finance users? • What is the role of the Finance System? To produce the accounts? • Other ToR’s take account of wider stakeholder needs. • Membership does not reflect the current attendance. It was confirmed that School

representation was preferred. • Should there be something about ensuring the consistency with the ERP Strategy and

architecture?

Page 3 of 4

Peter Hedges commented to Research Systems: There is currently no Research System Committee and should this be reconsidered? Following discussion it was agreed that Peter Hedges will draft a ToR for this to be discussed with the Registrary before consideration by the BSSC. Action point 5.1: Peter Hedges to draft a ToR for a Research Systems Committee. Action point 5.2: Andrew Reid to review the ToR with the aim of harmonising with the CHRIS and CAMSiS ToR and feedback received to provide a final draft for review.

6. Information Delivery Framework Jo Hall provided a brief overview of the paper. Claire Cahill expressed user frustration at the de-scoping of reporting during the R12 upgrade and that 10 months on there was no evidence of material progress despite extensive Reporting Strategy work, surveys etc. Claire asked where the resource and budget for this work and recommended quick tangible outputs. Chris Patten stated that there had been a good meeting in October 2014 to discuss the workstreams required. Point 1 in section 4.4 of this document is the outcome of this? The fact finding stage of this work has been done and the exercise now needs to deliver. Chris Edwards was unclear as to why this work was not progressing as desired since the UIS has resource allocated. Professor Ian Leslie had written with the view that this work must tie in to the ERP Refresh Strategy Review. Some in the meeting expressed concern that this would just delay progress further. Chris Edwards noted that the Programme Manager for the ERP Refresh Strategy Review (Mike Quinn) would recognise the dependencies of this project. Following further discussion the committee agreed that work should progress with the identification of project resources and a PID requesting the budget for this work to be presented to FSC. It would be submitted to the BSSC for funding. There was a desire for this to happen quickly. Action point 6.1: Jo Hall to present a PID and request for funding to the next FSC. OTHER BUSINESS 7. Operational update Jo Hall reported on work since the last meeting. The focus was on the Winter Patching and Database Upgrade project which is on target with the User Acceptance Test build nearing completion and user testing due to start on Monday 16th March. Go live is still planned for over the first May bank holiday. Cheque printing from CUFS has been completed and is now in testing as a dual running process to ensure the complexities in producing a correctly formatted cheque output are addressed before the old functionality is decommissioned. The requested Expenses interface with CUFS (from the Computing Laboratory) has not progressed since the last report.

Page 4 of 4

8. Technical Update

Chris Edwards reported that a CHRIS upgrade was nearing completion. UIS are also working with NW Cambridge on an Accommodation Booking System and development work is in progress. He also noted that the move of UIS hardware from Greenwich House is now complete. 9. Any other business Peter Hedges noted that a project had been launched to replace the Research Contracts Database, assuming that the cost of doing so falls within the budget available. He also noted that there was an upgrade to X5 in progress which is due to go live June / July 2015. It will primarily affect the user interface and provide improvements in this area. Future meeting dates were confirmed. Future Meeting Dates (Room GS15, William Gates Building) 2015 Mon 1st June: 10:00 - 12:00 Weds 16th September: 09:00 - 11:00

TLSSG January 2015 – unconfirmed Page 1 of 4

Teaching and Learning Services Steering Group

MINUTES A meeting of the Steering Group was held at 2.00pm on Thursday, 29 January 2015

in the Meeting Room at 17 Mill Lane Present: Professor Graham Virgo (Chair), Dr Rachael Padman, Dr Martin Bellamy, Mr John Norman, Mr Rob Richardson

In attendance: Mr Andrew Cox, Mrs Melissa Rielly (minutes)

Apologies: Professor Steven Connor, Dr David Good, Dr Paul Chirico, Ms Ann Jarvis

1. Declarations of interest None

2. Minutes

Minutes of the meeting held on 31 Oct 2014 (TLSSG47) were approved. Professor Virgo reported that Dr Siklos had come to the end of his term of membership and had declined to continue; Dr James Keeler has been nominated in his place and has accepted the nomination.

3. Matters arising from the Minutes and for report (not mentioned elsewhere on the agenda)

None

4. Teaching and Learning Innovation Fund, 2013-14

Following discussions at the 22 May 2014 meeting (item 4), a final draft of the report form for 2013-14 TLIF bids was discussed (TLSSG48). Members approved the new draft subject to amendments to the fourth question about achievement of project goals. Reports will be requested for review at the May meeting.

5. Teaching and Learning Innovation Fund, 2014-15

The Fund received 19 bids for 2014-15, totalling over £360,000; a summary sheet (TLSSG49) and all application forms were circulated (TLSSG50). Officers in ESP carried out a preliminary ranking into groups, taking into consideration the scope of the fund and grants awarded in previous years. Maximum available funding for 2014-15 is £99,000; any amount not awarded in this round will be carried forward to 2015-16.

The Group agreed that the focus of the awards should be on supporting innovation, whether this be local (new to Cambridge) or global (new to the sector). In future it may be worthwhile considering the involvement of external assessors in bids, to better assess global impact.

njw40

Text Box

ISC 60F


Members agreed that bids in rank 4 should not be funded, and that all bids in rank 1 should be funded in principle but with some reductions in cost. The Group discussed bids in ranks 2 and 3 and agreed to make the following awards:

Brearley, Jackie

Veterinary Medicine

Development of online teaching material for Veterinary Clinical Skills 12,136.42

Hubbard, Katharine

Plant Sciences

Bridging the Gap: Augmenting student skills for Biological Sciences practical classes 9,753.84

Jena, Raj

Medicine (Oncology clinical teaching)

ZEIT-GEIST: a new hybrid virtual reality environment for medical student teaching in Radiation Oncology 19,964

Kabla, Alexandre Engineering OpenLabTools.org 10,000

Ludlow, Amy Law Learning Together: a prison-based criminal justice educational programme 13,550.25

Moore, Andrew

Computer Lab

Practical Network Education: An aid to computer networking learning experience 15000

Oppenheimer, Clive Geography

Understanding volcanoes through data analysis and modelling 15000

Total £95,404.51

The Group further agreed the following:

a. That the Faculty of Divinity should be encouraged to discuss their potential project with UIS’ learning technologists, to determine whether there is scope for utilising any tools already developed; the Group agreed it would be willing to consider a revised funding bid from this project in light of these discussions.

b. That the Oncology bid may also benefit from discussion with UIS, to assist in ensuring future sustainability.

c. That the award for the Plant Sciences bid should be reduced so as to focus only on one of the two projects (the online practical materials), but that if this project was successful, the second project could be applied for in a future bidding round.

The Group agreed that all projects should be encouraged to consider, in reporting on progress, elements of sustainability.

ACTION: Mrs Rielly to write to all bidders to notify them of outcome, and will follow up with Divinity should a further bid be received.

6. Moodle

An updated Moodle progress report was received (TLSSG51). Mr Cox noted that, following the last meeting, detailed discussions had been held with Departments giving mixed feedback about the Moodle experience. As a result, several changes had been made in the January release, one of which was adopted globally into the core Moodle code for all Moodle users. Departments raising issues had reported that they were now satisfied with the progress and felt that Moodle was “back on track”.


Also, as a result of the feedback meetings, a new deployment method had been developed so that the team would now build a prototype for all Departments with 1-2 courses before rollout, so that key users could see in advance how the site would look and be maintained to inform the transfer from CamTools. This method was positively received by Departments, but at this early stage there is no concrete feedback on the new rollout experience; more will be discussed at the next meeting.

Several Colleges had expressed an interest in using Moodle for both supervision and administration; administrative use was being closely monitored as there is concern that use as an alternative intranet could put unnecessary and inappropriate drain on future resourcing. At this point in time there was no immediate concern, but this should be monitored and discussed in light of progress on electronic storage. Colleges had also expressed an interest in using Moodle for circulation of recruitment documentation; the Group expressed concern as to whether the security was sufficient for such use of personal data and this will be reviewed.

Resourcing was now in place with two learning technologists; one Department, Engineering, had valued the role so much they have now employed their own technologist. The Group noted that there were several models of learning technologist now in use within the University, and that there was merit in keeping this under review so as to ensure the community could be supported as it developed.

The schedule for implementation had been revised so as to aim for no new CamTools sites by Christmas 2015; this will be reviewed by the Group at its Michaelmas 2015 meeting.

The Group indicated that it would like more regular reports on the project, as well as inclusion of evidence base in future reports. Mr Bellamy and Mr Cox confirmed that internal reporting on the project could be repurposed to provide these updates, and they would discuss to bring a solution back to the Group. Future reports would include more evidentiary detail, and this would also be covered in the interim reports as they develop.

Mr Richardson noted that there had been a system downtime the previous weekend which affected CamTools, and that it was important during the transition period to ensure students still using CamTools are fully supported and receive communications.

ACTIONS:

1. Implementation schedule to be reviewed at Michaelmas 2015 meeting.

2. Mr Bellamy and Mr Cox to develop a method of interim reporting between meetings.

7. Teaching and Learning Services 5-year Strategy

The Chair updated members on potential development of a five-year strategy of IT support for teaching and learning. Discussions had progressed and the higher-level elements of the strategy were on the agenda for the next Directors of Teaching meeting in February. This is an important opportunity for feedback from academics. The administrative parts of the policy were being reviewed by the Student Operations team in parallel.


8. Any Other Business

8.1 Membership and terms of reference for the Group were discussed. The

Group reports to both the General Board’s Education Committee and the Information Services Committee, as a result of a previous review identifying a need for teaching support which sat between the two groups’ responsibilities. However, the Group is not formally constituted in Statutes and Ordinances and given the new structure of ISC it may be worthwhile reviewing membership alongside GBEC’s and ISC’s view of the remit of the Group, as well as Terms of Reference. Draft Terms of Reference will be brought to the next meeting for review, and highlighted to both GBEC and ISC. Frequency of meeting should be reviewed as well, in light of the agreed purpose.

ACTION: Mrs Rielly to notify GBEC and ISC of the review and to bring draft Terms of Reference to the next meeting.

8.2 The Group discussed the exam paper repository trialled some years ago and

whether there was merit in principle in following up the test version with a more sustainable service. Mr Norman reported that the yearly input was a very manual process, which could be reviewed in light of changes to examination paper production. Professor Virgo will highlight this as part of the examination review currently taking place.

ACTION: The Chair to raise as part of the Examination Review.

9. Date of next meeting

Friday 29 May 2015, at 10.00am in the Meeting Room, 17 Mill Lane.

1

JOINT NETWORK MANAGEMENT COMMITTEE (JNMC)

Minutes for the meeting held on 8 January 2015 in The Thetford Room, Roger Needham Building. Present: Dr. R Walker (RDHW) in the chair, Mr C Lawrence (CL) & Prof. R Glen (RCG). In attendance: Dr M Bellamy (MB), Dr M Johnson (MAJ), Mr A Culver (AEC), Mr R Carter (RPC), Mr G Ross (GR), Mr E Koht (EHK), & Mrs J Wilson (JMW). Apologies: Mrs L Thompson (LT), Mr J Holgate (JH), Mr R Franklin (RCF), Mr C Edwards (CE) & Prof. J Sinclair (JS). 1. Minutes

The minutes of the meeting held on 30 October 2015 were approved.

2. Matters Arising

a) Call Manager licencing proposal

The Chairman referred to the above proposal commenting that he understood that the call manager system had been updated with the licence, enabling Jabber to be available in principle for people to use. He asked about time scale and GR reported that he and JH were going to liaise with CO’s and come up with a plan. He has also created the relevant accounts required to enable members to access the system. b) Voice network/GBN tariffing

The Chairman pointed out that tariffing hadn’t been considered for a long time, but suggested that this action be carried forward as there was no proposal at present. All agreed that this was exactly the sort of thing the committee might consider useful. Action: JH c) O2 coverage

The Chairman asked if there were any updates on the O2 coverage at the Mill Pond. GR reported that he hadn’t had a confirmed date for this and the Chairman suggested that an email to them, after the meeting, would be fine. Action: GR

njw40

Text Box

ISC 60G

2

d) JNMC terms of reference The chairman suggested that as there hadn’t been any movement on this, it should be carried forward to the next meeting. MB to progress with this and liaise with JH. Action: MB e) Council representation

The Chairman requested that it be recorded that Stephen Cowley has stood down from the committee and that perhaps someone should contact the University Council who nominated him, asking what they propose to do about replacing him. MB mentioned that an alternative solution and probably the first step to take, would be to raise this at the next ISC meeting and establish if any one of the council representatives there would be interested in taking up this role. Action: MB The committee also wished to extend their thanks to Stephen Cowley for his very incisive contributions during his reign.

3) Service Review

A paper was presented to the Committee (no. ISC(JNMC)(2014)105) entitled Network and Telecomms Operations Report. The following points were discussed: a) Wireless

The Chairman asked if there was any hope of extending the public wireless network into collegiate wireless. AEC reported that this would be possible using The Cloud but that our initial contract with them was for 12 months. It is uncertain what would happen after this period as, should we wish to renew with them, they would then require a three year contract. The Chairman recommended a review of this, to be done soon enough such that a different provided could be chosen. b) UIS managed wireless service The Chairman asked that given the success of the managed wireless service access point scheme, whether the size of the scheme is now such that a revision of the tariffs might be in order and if it was covering its costs. AEC pointed out that the costs to us of the access points hasn’t changed a great deal since the beginning of the project and that the price was based on a five year term.

3

c) Telecomms The Committee referred to the Cisco telephone handset replacement paper (presented as Appendix A) showing detailed schematics of the scheme being carried out next year. GR explained that the old phones will still work, but that Cisco will not maintain any support (additional software, enhancements or bug fixes). The Chairman thanked GR for the table, which he said brought more clarity to the previously unclear item of business and commented that he didn’t see any difficulty in drawing down on the reserves that we have accumulated for this purpose. d) Network Traffic Stats.

The usual traffic stats were presented to the Committee (as paper no. ISC(JMNC)(2015)106). GR asked if the committee found these useful and if they should carry on presenting them. The committee agreed that this information was helpful but perhaps they didn’t need to be presented at every meeting. e) CUDN Network stats

The Committee was presented with some additional CUDN network stats (paper no. ISC(JNMC)(2015)108) showing infrastructure and bandwidth information, as requested at the previous meeting. The chairman asked if the committee were content to see figures on averages or did they want to look at peaks. The committee agreed that the information supplied was very informative and the Chairman commented that we should perhaps let AEC have the freedom to choose the parameters required to produce these stats.

4) Any Other Business

a) Addenbrooke’s second GBN link

A paper (no. ISC(JNMC)(2014)104) was previously circulated to the committee. The Chairman explained that this proposal was for our own GBN duct, with our fibre in it, rather than it being a CUDN connection over alternative providers. It has transpired due to the fact that we have now built up a 6 month relationship with the County Council, who are allowing us to use their infrastructure which lies beneath the guided busway. RPC asked about funding this and confirmed that the GBN had a sinking fund which has accrued £500,000 over the last 25 years. The committee agreed that the GBN reserves could sensibly fund this project. b) Second University Janet link Paper ISC(JNMC)(2014)107 was previously circulated to the committee. AEC mentioned that this was just an exploration at this stage after an initial meeting with Janet, to explore our options. AEC referred the committee to the connectivity table

4

showing our current links in the William Gates and ARUP buildings, emphasising the lack of failover with our connectivity to Janet. AEC believed the cost for this may be around £50,000 but that Janet will provide actual costs later on this year. The Chairman commented that the paper was very constructive and was a sensible contribution towards the Cambridge IT structure overall. c) Future JNMC Meetings

Meetings have now been arranged until the end of the next academic year, as follows: Thursday 9 April 2015 at 11.15 am in the Thetford Room, RNB. Thursday 18 June 2015 at 11.15 am in the Thetford Room, RNB. Thursday 15 October 2015 at 2.15 pm in the Thetford Room, RNB Thursday 14 January 2016 at 2.15 pm in the Thetford Room, RNB Thursday 21 April 2016 at 2.15 pm in the Thetford Room, RNB Thursday 16 June 2016 at 2.15 pm in the Thetford Room, RNB These dates have been entered in the JNMC calendar (see link below). https://www.google.com/calendar/embed?src=cam.ac.uk_v5dpb0qlrbm14mprfm8t4uavb4@group.calendar.google.com&ctz=Europe/London

Date of next meeting: 9th April 2015 at 11:15am in the Thetford Room, Roger Needham Building.

ITPG January 2015

IT Purchasing Group Remit

The role of the Group is to promote best practice and best value for money in the procurement and maintenance of Information Technology (IT) related products across the University. The main functions of the group include: 1. To build on the expertise in product selection, assessment and support provided by

University Information Services (UIS), by augmenting it with the experience of Departments and Colleges throughout the University, thus establishing a forum where the issues surrounding IT purchasing can be discussed and recommendations made.

2. To act as a central repository for IT purchasing information and experience, to be shared amongst the Group members and disseminated throughout the wider University IT support community.

3. To establish, manage and promote framework contracts/preferred supplier lists, drawing upon the experience of the whole University to create a directory of suppliers that reflect and can satisfy its unique range of requirements.

4. To provide a forum for Departments and Colleges to raise issues surrounding the purchasing of IT, and communicate these, where appropriate, to the relevant suppliers, carrying the authority of a representative University-wide body.

5. To act as a link between the IT support community in the University and the various national and regional IT consortia active within the sphere of higher education, ensuring that the University makes best use of its influence in any contracts and agreements negotiated by them.

6. To assist Procurement Services in ensuring that IT-related purchasing in the University complies with national and European legislation, thereby reducing the risk of legal challenge and associated expense.

7. To identify areas of IT expenditure where central contracts and agreements will be most beneficial to the University, and to assist in the negotiation and operation of such arrangements.

The membership of the IT Purchasing Group has been set by the Information Services Committee (ISC) to create a representative view of the way in which IT equipment, software and services are purchased within all the institutions of the University. The membership structure of the ITPG is as follows, with sub-groups being established to manage individual studies, chosen by or drawn from the Group as required: ▪ Chairman: Appointed by the ISC ▪ Secretariat: Procurement Services ▪ Membership:

a 2 IT support staff from each school (Arts and Humanities, Biological Sciences, Clinical Medicine, Humanities and Social Sciences, Physical Sciences, Technology)

b 2 IT support staff from the Colleges c 4 members of UIS staff d 2 IT support staff from non-School institutions

Each member of the ITPG is selected by the body that he or she represents and is responsible for disseminating information from the ITPG back into that institution.

njw40

Text Box

ISC 61

Page 1 of 2

RESEARCH POLICY COMMITTEE 23 April 2015

Terms of Reference for HPCS Strategy Group: Update

Purpose of this paper The RPC approved the outline terms of reference and initial membership of the High Performance Computing Service (HPCS) Strategy Group on 22 January 2015 (RPC 726). The Information Services Committee (ISC) has requested an extension to these terms of reference, and for additional members representing the life sciences to be identified. This paper presents proposals to address the ISC’s recommendations. Action requested of RPC To approve or amend the updated terms of reference and membership of the HPCS Strategy Group. NOTE: This paper is being distributed in hard copy at the RPC meeting on 23 April 2015. Once approved, a final version will formally be circulated for information with the papers for the next RPC meeting.

DRAFT

Terms of Reference for HPCS Strategy Group (new items in red) The role of the HPCS-SG is to provide management oversight of the HPCS, to represent the interest of users and to advise the RPC and ISC on the strategic development and delivery of high performance/high volume computing in the University. 1 The HPCS-SG should monitor charging models and seek opportunities for meeting the capital and running costs of high performance computing across the University, both within and outside the UIS. This should take account of energy costs and energy charging. 2 The HPCS-SG should ensure that the provision of high performance computing is informed by user needs. In the first instance this might be via setting up a user group, as recommended by the Review Group, but this should be left to the HPCS-SG. 3 The HPSC-SG should monitor the opportunities and risks associated with hosting national facilities and/or on-demand academic “cloud-like” facilities. 4 The HPSC-SG should monitor and assess the opportunities and risks associated with providing services to industry. 5 The HPSC-SG should comment on any provision in the Planning Round for high performance computing, such comment to be provided to the RPC and ISC. 6 The HPSC-SG should ensure that the UIS maintains an active horizon scanning activity for new developments related to high performance computing.

njw40

Text Box

ISC 62

Page 2 of 2

7 The HPSC-SG should consider “high volume” as well as “high performance” computation. For example, the provision, at University level, of large-scale cloud facilities with flexible access control ranging from machines dedicated to individuals, hosted departmental clusters, through to on-demand computation, and the requisite storage facilities. 8 The HPCS-SG should provide advice to both the RPC and ISC on the requirements, provision and auditing of arrangements which ensure that data is held and processed on facilities that are appropriate in security and privacy terms to meet the needs of legislation, sponsor requirements, and University policies. 9 The utility of the HPSC-SG should be reviewed every two years. It may well be that the HPSC-SG should be absorbed by, or morphed into, a general research subcommittee reporting to the RPC and the ISC. 10 The membership of the HPCS-SG will be reviewed at the end of the first 12-month period and at least biannually thereafter. Membership of HPCS Strategy Group Professor Ian Leslie (Chair) Dr Ralph Ecclestone (Secretary) Dr Anne Alexander, CRASSH and Digital Humanities Network Professor Paul Alexander, Big Data SRI Dr Paul Calleja, UIS Professor Stewart Cant, Department of Engineering Professor George Efstathiou, Institute of Astronomy Professor Anne Ferguson Smith, Department of Genetics Ms Sandra McLaughlin, AstraZeneca Dr Gos Micklem, Department of Genetics Professor Willem Ouwehand, Department of Haematology Professor Mike Payne, Department of Physics Professor Steve Russell, Systems Biology/Department of Biochemistry Dr Debora Sijacki, Institute of Astronomy 1Professor Simon Tavaré, DAMTP and Department of Oncology 2Professor John Todd, Department of Clinical Genetics Dr Matt Wingate, DAMTP Notes: 1 Professor Simon Tavaré: to be asked if he has time to do this; if not, to nominate a representative. 2 Professor John Todd: not yet responded to invitation. Lynn Gladden 22 April 2015

ISC(JNMC)(2015)113

1

Joint Network Management Committee Draft Composition and Remit for the Joint Network Management Committee 1. The Joint Network Management Committee shall be answerable to the Information Services Committee (ISC) and the Bursars' Committee and shall consist of: (a) three persons appointed by the ISC, two on the nomination of the Finance Committee, one on the nomination of the General Board; (b) three persons appointed by the ISC, on the nomination of the Bursars' Committee; (c) the Head of the Networking Division of the University Information Service, ex officio; (d) not more than three persons co-opted by the Committee, provided that it shall not be obligatory for the Committee to co-opt any person or persons. Members in classes (a) and (b) shall be appointed in the Michaelmas Term to serve for four years from 1 January following their appointment. Members in class (d) shall serve until 31 December of the year in which they are co-opted or the following year, as the Committee shall determine at the time of their co-optation. 2. The Director of the University Information Service and the Chairman of the Bursars' Committee shall have the right to attend all meetings of the Committee. 3. The GBN Manager, the Telecoms Manager and the Network Systems Manager of the University Information Services shall have the right to attend all meetings of the Committee. 4. The Chairman should be appointed by the ISC, taking into account advice from the JNMC. The Head of the Networking Division of the University Information Service shall act as Secretary of the Committee. 5. The duties of the Committee shall be as follows: (a) to oversee the University and Colleges joint telephone system established by the University and participating Colleges; (b) to oversee the maintenance and development of the physical network comprising ducts and cables, established by the University and the Colleges and known as the Granta Backbone Network; (c) to oversee the maintenance and development of the Cambridge University Data Network, including the University Wireless service; (d) to act on behalf of the University and the participating Colleges in authorising charges applied and the apportionment of outgoings incurred by the combined networks, to determine the apportionment of the capital and running costs of the system between the University and the participating Colleges for network services and their development; (e) to prepare annual estimates and accounts for submission to the ISC; (f) to make recommendations to the ISC concerning the development of the combined networks; (g) to report annually to the ISC on the operation of the combined networks.

njw40

Text Box

ISC 63

ISC(JNMC)(2015)113

2

Appendix 1 -Prior Ordinances for JTMC and GBNMC JOINT TELECOMMUNICATIONS MANAGEMENT COMMITTEE 1. The Joint Telecommunications Management Committee shall be a joint Committee of the Council and the Bursars' Committee and shall consist of: (a) four persons appointed by the Council, two on the nomination of the Finance Committee, one on the nomination of the General Board, and one on the nomination of the Information Technology Syndicate; (b) three persons appointed by the Bursars' Committee; (c) the University Telecommunications Manager, ex officio; (d) not more than three persons co-opted by the Committee, provided that it shall not be obligatory for the Committee to co-opt any person or persons. Members in classes (a) and (b) shall be appointed in the Michaelmas Term to serve for four years from 1 January following their appointment. Members in class (d) shall serve until 31 December of the year in which they are co-opted or the following year, as the Committee shall determine at the time of their co- optation. 2. The Director of the University Computing Service and the Chairman of the Bursars' Committee or their deputies shall have the right to attend all meetings of the Committee. 3. The Committee shall elect annually one of their members as Chairman. The University Telecommunications Manager shall act as Secretary of the Committee. 4. The duties of the Committee shall be as follows: (a) to administer the University and Colleges joint telephone system established by the University and participating Colleges, under such conditions as the Finance Committee and the Bursars' Committee shall determine from time to time; (b) subject to the provisions of Regulation 3 of the regulations for the University Telecommunications Manager, to supervise the work of that officer; (c) to act on behalf of the University and the participating Colleges in authorizing outgoings incurred by the joint telephone system, to determine the apportionment of the capital and running costs of the system between the University and the participating Colleges for telephone services and their development; (d) to prepare annual estimates and accounts for submission to the Council and the Bursars' Committee; (e) to make recommendations to the Finance Committee and the Bursars' Committee concerning the development of the joint telephone system; (j) to report annually to the Finance Committee and the Bursars' Committee on the operation of the joint telephone system.

ISC(JNMC)(2015)113

3

GRANTA BACKBONE NETWORK MANAGEMENT COMMITTEE 1. The Granta Backbone Network Management Committee shall be a joint Committee of the University and the Colleges and shall consist of: (a) two persons appointed by the Information Technology Syndicate, one appointed after consultation with the Council, who shall be Chairman, and one appointed after consultation with the General Board; (b) one person appointed by the Council on the nomination of the Finance Committee; (c) two persons appointed by the Bursars' Committee, one of whom shall be appointed after consultation with the Senior Tutors' Committee. Members in classes (a), (b), and (c) shall be appointed in the Michaelmas Term to serve for four years from 1 January next following their appointment. 2. The Director of the University Computing Service, or a deputy appointed by the Director, shall act as Secretary of the Committee. 3. The duties of the Committee shall be: (a) to oversee the maintenance and development of the physical network comprising ducts and cables, established by the University and the Colleges and known as the Granta Backbone Network, under such conditions as the Finance Committee and the Bursars' Committee shall determine from time to time; (b) to act on behalf of the University and the participating Colleges in setting charges for the use of the Granta Backbone Network, to determine the apportionment of the capital and recurrent costs of the network between the University, the Colleges, and other relevant bodies; (c) to make recommendations to the Finance Committee and the Bursars' Committee concerning the development of the Granta Backbone Network; (d) to report annually to the Finance Committee and the Bursars' Committee on the operation of the Granta Backbone Network.

ISC(JNMC)(2015)113

4

UIS Update

Purpose of this paper This paper summarises progress with implementing the new UIS organisation and developing the IS strategy since the March ISC meeting. It covers: • progress on the UIS organisational development; • updates across the strategic projects previously discussed at ISC; • an update on the progress of the pilot of a service catalogue with the School of Arts and

Humanities (Annex A) • an update on the progress of a pilot project to investigate research computing from the West

Cambridge Data Centre (Annex B)

Action requested This paper is for information only.

1 Organisational Development Recruitment update 1.1

1.1.1 HR change management team The HR change management team is now fully resourced, with the HR Project Officer having joined on 16 March 2015. 1.1.2 Leadership team recruitment Since the ISC’s March meeting we have been able to secure the Appointment Committee’s preferred candidates for each of the new Deputy Director roles. The Deputy Directors will take up their new roles on 28 April 2015.

UIS Leadership team composition 1.2

The new leadership team comprises: Deputy Director role Individual Build/Development Mr Chris Edwards Chief Architect Dr Mark Ferrar1 Departmental Operations Dr Steve Kearsey Education, Administration & Student Services Mr Richard Young2 Information Management Ms Michelle Finnegan Research & Institutional Services Dr Paul Calleja3 Service Operations Mr Steve Riley OBE4

1 formerly National Technology Officer, Microsoft UK 2 formerly IT Director Bupa Care Services & Bupa Health Clinics 3 formerly Director High Performance Computing Service in University of Cambridge 4 formerly the Interim Director General for IT at the Department of Work and Pensions

1 of 17

njw40

Text Box

ISC 64

In addition, and subject to consultation and a Report to the General Board on the future of CARET, John Norman will be a direct report to the Director of UIS in the role of Head of Digital Transformation Consultancy.

Full staff briefings 1.3

Full staff briefings continue to take place on a monthly basis and are the mainstay for supporting the ongoing dialogue around the change programme in UIS. Attendance, either in person or via the live stream, remains strong; topics covered in the last two meetings have included: • Process for the recruitment of Deputy Directors • Preparation for the move to the new divisional structure on the target date of 18 May • Career Development • Changes to space allocation in the Roger Needham building • Updates on the future of CARET Reported measures of understanding of the process remain high, although there is a degree of disquiet being expressed as some of the more practical changes in the building are made.

Next steps 1.4

The following table shows the strands of activity have been initiated, with their expected end dates:

Activity Planned Date Status Relocation of HPCS staff to Roger Needham building 17/04/2015 Complete Preparation for transition to divisional structure:

Assurance activities for services 24/04/2015 On Track Assurance activities for interim management arrangements (Build and Service Operations Divisions)

24/04/2015 On Track

Assurance activities for internal processes 24/04/2015 On Track Checkpoint meeting 27/04/2015 On Track Move to new divisional structure 18/05/2015 On Track Division-by-division detailed design 12/06/2015 On Track Staff consultation relating to CARET (formal and informal for CARET and UIS staff) ends

19/06/2015 On Track

UIS Divisional Change Plans Developed 31/07/2015 On Track Staff Consultation (Phase 2) commences 01/09/2015 Deployment of Organisational Change Completed 15/12/2015 On Track Post Evaluation Review 18/12/2015 On Track Working group activity on the career development approaches for UIS and IT professionals across the University started on 16 March 2015.

Strategy Development 1.5

It is anticipated that with the move to the new divisional structure – which enables closer working with the University by means of the Research & Institutional Services, and the Education Administration & Student Services divisions, and delivers enhanced capability across the other divisions – that during Michaelmas term 2015 UIS will be able to start work on the development of a

2 of 17

University-wide digital/IS strategy through to 2020. This will be informed further by the findings from the strategic initiatives/pilots outlined below.

2 Strategic initiatives Activity is under way in a number of key areas in the form of investigatory work and pilot projects. The following table provides a synopsis of the progress against each of these areas. Area Progress Value starts delivering

Storage services

The introduction of a range of University storage services.

A paper presenting a strategy for storage services is tabled for this meeting of the ISC.

It is anticipated that a platform to provide a shared storage infrastructure, and ‘dropbox-like’ service, will be in place in Autumn 2015.

Research Computing

The definition and pilot of a range of research computing services that can be provided from the West Cambridge Data Centre.

Annex B provides an update on recent project activity.

Project outputs will deliver in December 2015.

End User Computing

A review of the end-user computing strategy, including a review of software, managed desktop, office/administrative applications and helpdesk systems, including:

User experience portal

The pilot of a ‘user experience platform’ to investigate whether portal-like technology can be used to improve the experience of infrequent users of core University systems.

A three-month ‘wayfinder’ pilot has concluded and the User Needs Committee has been consulted on proposed next-steps. There is support for a second phase activity to be conducted with a focus on perceived pain points for students.

To be confirmed.

MS Campus agreement

Evaluating the potential benefits of a Microsoft Education Enrolment Services agreement to the University.

A paper with the UIS recommendation is tabled for this meeting of the ISC.

End of calendar year 2015 for initial benefits, with most being realised in the longer term.

3 of 17

Area Progress Value starts delivering

Enterprise systems (ERP5) systems refresh (CUFS, CamSIS, CHRIS)

To establish an Enterprise Systems architecture for the next 2-10 years.

The project is in the discovery phase, investigating what other organisations are doing and establishing working groups within the University.

High level design is anticipated in November 2015.

Service catalogue

A pilot of a new engagement model with the School of Arts and Humanities, including development of a service catalogue to highlight UIS, local and third party IT services.

A mid-project review meeting was held on 27 March. Annex A provides an update on recent project activity.

A UIS portfolio and first iteration of a catalogue of services for the School of Arts and Humanities will be provided mid-2015.

Cyber Security

Implementing recommendations from the Deloitte internal cyber security audit.

Recruitment for backfill of staff working on the Research Computing initiative is under way.

Managed firewall service and end user computing strategy are expected in early 2016.

Martin Bellamy Ed Webster Ian Cooper 21 April 2015

5 Enterprise Resource Planning (ERP)

4 of 17

Annex A: Service Portfolio and Catalogue Pilot Project with the School of Arts and Humanities

Purpose This paper provides an update on progress with the Service Portfolio and Catalogue Pilot project between UIS and the School of Arts and Humanities.

Action requested The ISC is asked to note the positive progress to date, and to provide direction on future activity in the area as outlined in section 2.

1 Project progress

All project tasks are to plan. Meetings with the School’s Computer Officers, to capture all services that are offered within each department, are complete. Meetings with the UIS management team, to review and define the service categories for the Portfolio, are complete; this work is now enabling technical development of the prototype Portfolio and Catalogues, to progress with the population of the identified service categories. A fit-gap exercise of the information collected about the School’s own services, and work to refine and define the UIS service categories, was presented for ratification by the UIS management team; this work is also complete. The User Experience Specialist has completed initial user research interviews with the School representative groups (Academics, Researchers, Students, Administrators, and Computer Officers) as part of the first testing phase, and she has also interviewed several non-School contacts to gain feedback on the prototype. Preparation work has included user stories and mind-mapping of the five main groups of user personas, and their interaction with IT. User research will continue during the second phase of project, and will include librarians, and an ‘all staff’ user group. The project website (http://www.catalogue-project.uis.cam.ac.uk/) provides an update on progress, an opportunity to test the on-line catalogue prototype, with the ability to provide on-line feedback, and access to project documentation and meeting notes. Feedback from meetings with Computer Officers and School staff indicates that the catalogue provision will be a valuable asset for the UIS, schools, faculties, and departments. We have identified significant areas of duplication of service and requirements for enhanced and new services. We expect that as the project communicates with the rest of the University that there will be general agreement that the direction that UIS is taking with this project is aligned with user expectations. A discussion on “Community Engagement” has taken place, and will be taken forward in the post-pilot phase, to ensure that the wider user community will be able to engage both with the UIS and the wider IT community, to share knowledge, advice, and support. There is strong support from the School’s Computer Officers for creating this community. At a meeting of the Project Board Checkpoint Review on 26 March 2015, the Board “commended the project team for their work and for their refreshing and enthusiastic engagement with users” and they “approved the continuation of the project to the second phase”.

5 of 17

The pilot project’s timeline diagram shows the progress and planned activities, with the forthcoming ISC meetings identified:

2 Post-project activity At this stage, the ISC may wish to consider the continuity of the catalogue development for the University at the end of the pilot stage on 1 July 2015. The project team’s preferred option is:

i) To continue with the implementation of a catalogue to the remaining schools and then to colleges, and to create a full catalogue of services for the Unified Administrative Service.

Other options considered:

ii) To wait and evaluate the success of the pilot before considering further development and deployment of the Portfolio and Catalogue; and

iii) To create a full catalogue of services that is of interest to the colleges.

3 Role of School Information Services Catalogue Coordinator/Manager The UIS secondment role has proven to be useful to the School of Arts and Humanities in the service discovery and categorisation process. IT provision within the School has been focussed at the Faculty level and, until recently, there has been little appetite to consider or coordinate IT provision across the School. The cataloguing of services at the School has revealed that many UIS services are already being taken up within faculties, providing a level of standardisation in some areas, but it has highlighted significant areas of duplication of effort and resource. There is a clear need for more resource, specifically IT officer support time, to be focussed on teaching and research activities across the School.

Produce Communications Plan

Development

Design and Document SCM Process

Portfolio Portfolio

CurrentDate

Key: On TrackAt Risk ISC Meeting ISC MeetingStopped

Project Management

Communications

Process Documentation

As Is Definition

Management Information

Design and Document Service Portfolio Managment Process

Programme/Project Management

January 2015 February 2015 March 2015 April 2015 May and June 2015

Define Change Strategy

Prepare Service Portfolio & Catalogue

Produce the School of Arts and Humanities Servic Catalogue

Design and Document Service Catalogue Managment Process

Hold Project Planning Workshops

Portfolio & Catalogue Design and Development

Produce Deployment Strategy and Plan

Produce Communications Plan Deliver Communications

Checkpoint Review

6 of 17

A number of core recommendations for the rationalisation of IT services and provision at School level have been presented to, and accepted by, the School as part of the pilot project Checkpoint Review. The full benefit of the catalogue process is in identifying areas of duplication, and providing recommendations for improvements and efficiencies, at a School level. Such recommendations need to be implemented to provide the efficiencies required to support teaching and research, without adding more staff. Subsequent to the pilot project, identified recommendations and benefits would be gained by appointing a permanent School IT Manager, having the remit and the authority to make changes, by removing duplication of effort and fully coordinating all available staff and resources. The value of this role having joint sponsorship by both the School and UIS should not be underestimated, both in optimising the uptake of relevant centrally-provided services, and providing access to the wider pool of IT skills available within UIS. By working with the UIS Institution Support Service (ISS) an IT management role could also provide a gateway for IT staff in terms of career progression, training, and mobility. It is clear that most schools within the University, whilst unique in their own way, operate in a similar devolved manner to The School of Arts and Humanities and could potentially experience similar benefits by undertaking a service catalogue process, and subsequent implementation of any recommendations. It is important to achieve the right balance between technical, managerial, and liaison, in relation to the outcome sought by the School.

4 Conclusion The project is progressing well and is proving to be a valuable asset for UIS in creating a “shop window” of services provided primarily by UIS, with the objective to include a comprehensive University-wide catalogue of services with clear service ownership, cost analysis, usage, management information, and service performance indicators. The ISC is asked to note the plans to complete the pilot with the School of Arts and Humanities, and then to proceed with extending the Service Catalogue to other parts of the collegiate University. Andrew Cox 22 April 2015

7 of 17

Annex B: Update on a pilot project to investigate research computing from the West Cambridge Data Centre

1 Background Context 1.1

Growth in demand for research computing services encapsulated by a broad range and scale of compute and data services at the Cambridge Biomedical Campus (CBC) is leading to an increase in demand for computing infrastructure to support research. A sustainable, efficient & effective strategy for the delivery of these vital services is needed if the research community, consisting of groups based in University departments and at affiliated institutions sited at the CBC, is to grow and compete on the world stage.

UIS research computing services based approach 1.2

The University’s Information Services Committee have asked the UIS to pursue options which consolidate computing services at the West Cambridge Data Centre (WCDC) maximising efficiency in terms of operational costs and space utilisation with focus on a services orientated approach. A significant element of these services relate to research computing services currently delivered by the UIS HPC Service especially within the realm of large scale research data and HPC resources. Although in addition to typical HPC services are a broader range of research computing & data services such as virtualised research computing platforms and research databases /web server service.

CBC Pilot Project 1.3

This CBC Pilot Project sets out a framework where the UIS and the School of Clinical Medicine (SCM) will work together to develop strategy for provision of research computing services at CBC. The principle is to locate as much of the research computing infrastructure as possible at the WCDC, producing a minimised and sustainable footprint of computing and networking infrastructure at CBC. The CBC Pilot Project will act as a proof of concept for the SCM research computing service strategy, where both cost and risks associated with current unknowns are minimised. Key elements of the pilot study are detailed below:- 1 The UIS will carry out a detailed review of the research service platforms listed in section 2.3.

This will include current working practices, projected demand, and UIS/WCDC capabilities in providing scientific computing infrastructure services for the research community at CBC, to deliver by end Q1 2015. This review will enable a strategy to be developed identifying services which can be offered from the WCDC and services that need to be hosted at CBC.

2 The UIS and SCM will carry out a 12-month pilot of the identified scientific computing services

to be run from the WCDC and local CBC data centres. Test-bed platforms supporting these services are to be instigated at the WCDC and pre-existing CBC data centres and users will be invited to test the services for suitability.

3 The Capella project will inform the architects to design a building with space for 15 racks

(approximately 100-150kW, 70 m2) and a physical design which would allow two extra 15-rack rooms to be added at the expense of office or laboratory space if required by future needs (to a max of 300kW, 210 m2). In this way the data centre requirement at the Capella has been set at

8 of 17

a small and minimal foot print. The UIS HPC team will help with the specification of the Capella Data centre design and be involved in the design sign off.

4 A decision on whether to complete the 15-rack, 30-rack, or 45-rack options will be made based

on the results of the pilot by the end of Q4 2015, as agreed by the Director of the UIS and the Secretary of the School of Clinical Medicine.

At the end of this process the CBC and the UIS will have developed an optimised medical research computing collaborative provision model in which appropriately resilient services with no single point of failure are established with an appropriate footprint of infrastructure at the CBC.

2 Project Objectives

The objective of the CBC pilot project is to determine via research computing platform classification, prototyping and remote service provision testing which classes of CBC research compute platform can be successfully hosted out of the remote WCDC and which classes are best hosted locally. This classification and evidenced based remote hosting suitability can then be used determined how much of the Capella building research computing requirement can be hosted remotely from WCDC and how much needs to be hosted locally within the new build Capella Data Centre. The CBC pilot project will deliver by the end of 2015 a complete description of the Capella building occupant’s research computing requirement projected to 2020 and an evidenced based analysis as the suitability of the WCDC to host the equipment. This analysis will be used to make a decision between the large or small Capella building data centre design options before the lock in design time point at the end of 2015. These outputs will also inform the wider Cambridge research computing community as to the suitability of the WCDC for remote research computing service provision and help drive research computing service development and uptake across the whole of the University and affiliated institutions thus leveraging the CBC pilot project outputs. It is also expected that one of the outputs will be formative work to provide a hosted VM service to the research community.

Phase of project Measure Discovery Phase Start 12/14 - end 16/2/15 • Carry out a detailed review of the research

service platforms listed in section 2.3 and classify them according to functional and operational features.

• Identify a number of CBC stakeholders willing to join the pilot and generate proof of concept (POC) systems to host out of the WCDC in a prototyping and or production test study.

• An initial POC Detailed Description document will be produced for each POC listed in section 2.3, including functional and operational behaviour needed for success.

• Initial PID with a number of well-defined

POC platforms to be taken forward into the run phase.

• All POCs have individual POC Detailed Description Document

• Platforms designed and resources required identified and put in place

• Success criteria defined • Time line mapped out • PID signed off by CBC project board • Project governance agreed

This Phase of the Project is Complete

9 of 17

Phase of project Measure Service Run and Tune Phase (1,2 & 3) Start 16/2/15 – end 1/11/15 • The UIS will install, configure and run each

of the POC platforms from the WCDC to the system design and operational requirement specification as outlined within the POC project plan document

• The run phase for each POC will be split into a number of phases (minimum 2 months) where the system is run and monitored then at the end of the phase assessed for fitness and tuned if needed.

• There are no dependencies between POCs and the POC will not have the same start point so the phases will not be in sync. Some POCs will have 3 phases others will have 2.

• Collate all Capella occupants research computing 5 year needs into a single Capella research computing needs document

• The POC Detailed Description documents for all POCs listed in 2.3 will be complete

• POCs Physically built out in WCDC • Service provision started & operational &

functional behaviour measured • After a 2-3 month period each POC will be

assessed relative to required behaviour and tuned if needed

• Run phase report produced at the end of each run phase.

• Capella 5 year research computing needs document

• All POC Detailed Description documents to be complete by the end of April

This Phase of the Project is In Progress and On Target

Analysis phase Start - 1/11/15 end – 7/12/15 • Collate all POC run phase reports into a

final single document outlining the suitability of each POC and its general classification for remote service provision from WCDC

• Undertake Capella hosting plan based on the WCDC POC suitability evidence and the Capella research computing needs study

• POC suitability will be determined by analysing if run phase results meet the success criteria as outlined in POC project plan document.

• POC service provision final report – high

level overview of all reports with individual reports for deep dive.

o Outcome is POC suitable for WCDC remote service provision? Did the POC meet success criteria?

• Capella hosting plan stating the planned Capella research computing platforms and where they will be hosted

• Capella data centre size recommendation – i.e. the large or small option

This Phase of the Project is In Progress and on Target

Project Closure 14/12/15 • Final project board meeting • Discus final report and sign off

recommendations • Decide which POC’s stay in service which

are wound down • Project formally closed

• Project recommendations signed off • Capella DC size determined and signed off • Individual POCs assigned as keep running

as production or wind down • Project closed

10 of 17

3 Project Scope

The full scope of the project will be determined by carrying out an appropriate survey in the Discovery Phase. A number of meetings have already taken place, so far generating a number of proof-of-concept (POC) platforms to be included in the project. These POCs have been chosen to represent a cross section of research computing requirements and are listed below: POC / Study Name Department Academic

Lead Contact Categories

1 MRC BioStatistics MRC Biostatistics Unit (Institute of Public Health)

Lorenz Wernisch

Lorenz Wernisch

Standalone HPC & Storage

2 Cardiovascular Epidemiology Unit

Department of Public Health and Primary Care

Joanna Howson (Prof J Danesh)

Joanna Howson

Standalone HPC & Storage

3 UK 10k Project Department of Haematology

Chris Penkett (Prof W.H. Ouwehand)

Chris Penkett Central HPC & standalone Storage

4 HPHI WBIC Wolfson Brain Imaging Centre (Department of Clinical Neuroscience)

Guy Williams, Adrian Carpenter.

Guy Williams, Dave Berry

Shared facility Dynamic VMs Security

5 HPHI CR-UK CRUK-CI James Brenton, represented by Peter McCallum

Peter McCallum

Shared facility Dynamic VMs Security

6 Ken Smith’s Group (in collaboration with CRUK)

CIMR Richard Coulson/Paul Lyons

Vin Evertt Experimental device + analysis

7 Diabetes Inflammation Laboratory (DIL) \ Todd Group

CIMR John Todd Vin Everett/ Oliver Burren

Virtualisation persistent RC services /database / web server

8a. Centre for Stem Cell Research scale out HPC

Centre for Stem Cell Research (CSCR)

Bertie Gottens, Paul Bertone

Paul Sumption

HPC, Storage

8b. Cambridge Systems Biology Centre virtualisation of services

Cambridge Systems Biology Centre (CSBC)

Gos Micklem Paul Sumption

Virtualisation – persistent RC services

9 Offsite Data Backup – Wellcome Trust-MRC Institute of Metabolic Science, CBC.

Institute of Metabolic Science

Brian Lam Brian Lam Storage

11 of 17

10 NIHR Bioresource The Cambridge BioResource

Jyoti Khadrake

Jyoti Khadrake

HPC, Storage + Virtualisation – persistent RC services - secure

11 CRUK, Backup Consolidation\Science Storage Virtualisation

CRUK-CI Peter McCallum

Peter McCallum

Backup

12 CRUK HPC Cluster CRUK-CI Peter McCallum

Peter McCallum

Department hosted / run HPC & storage support

Not all servers and not all services will necessarily be moved to WCDC; part of the scope of the pilot is to determine which servers and services are suitable candidates for housing in WCDC.

4 Project Status This section shows the status of the individual Proof of Concepts (POC’s) as reported to the last Project Board which was held on 27 March.

Some POC’s have completed the installation phase and all others are currently reported as on target. One possible issue has been reported:

ISSUE To accommodate sensitive (patient identifiable) data systems will be required to be regulatory compliant. ISO27001 compliance will likely be a lengthy and costly process. It is required for several of the POCs, including the high profile HPHI project. WBIC do NOT require ISO27001, they require the NHS IG Toolkit. Current Mitigation Paul Calleja to form working group to look at compliance needs. The time line for implementation is likely to be Q2 2016.

Summary & Context for each Proof of Concept 4.1

1. MRC Bio Statistics - Scale out and relocation of HPC and Storage to WCDC 2. Cardiovascular Epidemiology Unit (PHPC) - Scale out and relocation of HPC and Storage to

WCDC 3. UK 10k Project (Haematology) - Scale out of HPC and storage 4. HPHI WBIC - Infrastructure build out to enable research & clinical imaging 5. HPHI CR-UK - Shared service with virtual machines and security 6. Ken Smith’s Group - HPC + Virtual machines to extend out from local service. 7. DIL \ Todd Group - HPC + Virtual machines to extend out from local service. 8. Centre for Stem Cell Research –

(a) Further HPC scale out (b) Cambridge System Biology Centre – Virtualisation of Services

9. Institute of Metabolic Science Off - site Data Backup 10. Research Campus Services. Medical Genetics – Scale out HPC Storage & Virtualisation. 11. Cancer Research UK - Backup Consolidation \ Science Storage Virtualisation 12. Cancer Research UK - HPC Cluster

12 of 17

Proof of Concept

Name Contact

(PI) Owner Current Status Summary RAG Status

1 MRC BioStatistics Lorenz

Wernisch Wojciech T. Running • Service operational in WCDC. COMPLETE

2 Cardiovascular Epidemiology Unit (PHPC)

Joanna Howson (Prof

J Danesh) Wojciech T. Running • Service now operational in WCDC. COMPLETE

3 UK 10k Project (Haematology)

Chris Penkett (Prof W.H.

Ouwehand) Wojciech T. Running • Service now operational in WCDC. COMPLETE

4 HPHI WBIC Guy Williams,

Adrian Carpenter

Paul C. Design &

Implementation

• A cross-school system has been proposed incorporating resources from WBIB, CR-UK and the SBS.

• A High level design by the end of April • Mid-level design by the end of May • Detailed design and procurement process ready end of June • Start Procurement July • Purchase order October • Equipment arrive • ISO27001 not required at start of project but we should be

working towards it • Working group being set up to look into security compliance

ON TARGET

5 HPHI CR-UK James

Brenton Paul C.

Design & Implementation

• Same time line as POC 4 • IOS 27001 requirements for sensitive data – working towards • Form working group to look at security • Cross-over with POC 12, CR-UK Cluster.

ON TARGET

13 of 17

Proof of Concept Name

Contact (PI) Owner Current

Status Summary RAG Status

6 Ken Smith’s Group Richard

Coulson, Paul Lyons

Ashley C. Dureid E.

Design & Implementation • Dureid E to write detailed POC description. ON TARGET

7 DIL \ Todd Group Vin Everett,

Oliver Burren Ashley C, Dureid

E. Design &

Implementation

• POC design document complete. • Virtual service POC designed – on track for testing at end

of May

ON TARGET

8(a) Centre for Stem Cell Research, HPC scale out

Paul Sumption Ashley C. Dureid

E. Design &

Implementation

• POC design document complete. • Further clarification regarding VMs required. • Virtual service POC designed – on track for testing at end

of May

ON TARGET

8(b) Cambridge Systems Biology Centre, virtualisation of services

Paul Browne Ashley C. Dureid

E. Design &

Implementation

• POC document complete. • Virtual service POC designed – on track for testing at end

of May

ON TARGET

9 Institute of Metabolic Science

Brian Lam Ashley C. Dureid

E. Design &

implementation

• Infrastructure installed. • Wojciech to finalise configuration details with Brian Lam. • Service start imminent

ON TARGET

10 Research Campus Services. Medical Genetics

Jyoti Khadrake Ashley C. Dureid

E. Design &

Implementation

• Patient data concerns. • Unclear what regulatory requirements are needed - ISO

27001, NHS IG Toolkit, other (Amber status)? • POC document might need revision? • Wojciech to check with Jakub about possible requirement

for hosting a server in the WCDC.

POSSIBLE ISSUES

Page 14 of 17

Proof of Concept Name

Contact (PI) Owner Current


11 CRUK, Backup Consolidation \ Science Storage Virtualisation

Peter McCallum

Ashley C. Dureid E.


• POC document complete. • CRUK have sent across the tape library proposal. This has

raised questions on the WCDC rack rental service – currently with Mike Quinn.

• Peter M to send tape library rack requirements by end of February.

• PO for tape library to be placed by end of March. • Peter M to write a proposal for a CR-UK to HPC secure

gateway (May).

ON TARGET

12 CRUK, HPC Cluster. Peter

McCallum Ashley C. Dureid

E. Design &

Implementation

• Continuing work done by Dureid E with CR-UK over the last few months.

• Clarifications required on system design and management.

ON TARGET

Work Stream Name

Related POCs CBC Owner Current


1 Network resilience and performance

All Ashley C. Design &

Implementation

• Work stream document complete. • Project plan completed. • Work due to start 1st April.

ON TARGET

Page 15 of 17

Work Stream Name



2 Virtual Server Service 4, 7, 8, 10 Wojciech Design &

Implementation

• Service CBC Pilot Project template complete. • Aims & deliverables of service to be completed. • Wojciech designing infrastructure based on Dell / Redhat

Openstack reference architecture • POC 4 (WBIC) has identified additional VSS requirements. • POC Hardware definition by 3/3/2015 • POC Purchase order by 24/4/1025 • Equipment delivered by 15/5/2015 • POC ready for testing by 30/5/2015

ON TARGET

3 Communication & Engagement

All Ashley C. Dureid

E. Design &

Implementation

• Confluence platform installed. • Migrate DIL content. • Upload finalised PID and detailed POC descriptions

Monday 23rd. Other documents will not be uploaded at this time.

• Ashley to send Richard Bartlett a link to the PID for inclusion in a Clinical School news email.

• Tony S. to discuss with Steve Smith regarding user accounts and authentication. This is a prerequisite for releasing the PID.

• Ashley to provide an initial design of the site. Once in place, Neil Matin will be approached to offer his opinion on the layout.

• Content for Wiki: o Stuart R to provide some photos. o Gavin M to approach Vin E for a short article. o Establish a project FAQ page. o Establish a Project Blog. o Dureid to ask Nachos for a ‘Getting started in

Bioinformatics’ article. o Project Current Status page.

ON TARGET

Page 16 of 17

Work Stream Name



4 WCDC Services 7, 11 Ashley\Dureid to liaise with Mike

Quinn


• Ashley to provide a work stream document detailing requirements to Mike Quinn.

• Ashley has emailed CR-UK questions to MQ, awaiting a response.

• The requirement for detailed (hosting\rack rental) services required.

ON TARGET

5 Regulatory Compliance (ISO 27001, NHS IG Toolkit)

4, 5, 10 Michelle Finnegan


• To accommodate sensitive (patient identifiable) data systems will be required to be regulatory compliant.

• ISO 27001 • NHS IG Toolkit • ISO27001 compliance will likely be a lengthy and costly

process. It is required for several of the POCs, including the high profile HPHI project.

• WBIC do NOT require ISO27001, they require the NHS IG Toolkit.

• Ashley C to examine NHS IG Tool Kit. • Paul Calleja to form working group to look at compliance

needs. The time line for implementation is likely to be Q2 2016.

POSSIBLE ISSUE

6 Capella Data Centre Design

CBC Richard Bartlett Design &

Implementation • Ashley to arrange an initial work stream meeting to bring

interested parties together. ON TARGET

Page 17 of 17

Information Security Management

Introduction The University has no formal central function for Information Management (IM) although it is recognised that legal and regulatory requirements are fully met and there are pockets of good practice around the organisation. There are some overarching policies and procedures in place but it is not known how completely these are applied across the University. There is no formal requirement to include information management or security issues in risk registers and therefore it is not known what the overall level of risk to the university is in this area. The focus on this area is increasing in a number of ways:

• Highly publicised global events, ongoing (see appendix I). • Threats are evolving; information is being published on a daily basis on the latest new

threats identified. • Potential consequences are increasing as we become more reliant on information

systems. • Expectations of government and research funding bodies are increasing • Information Management workstrand August 2014, as part of the UIS organisational

design work. This produced a set of recommended tasks that the University should undertake in order to improve risk management in this area.

• ISC approval October 2014, to form an Information Management division as part of the new UIS and agreement to funding for 2 additional posts on top of one current, and one additional fixed term post to assist with implementation.

• The Cyber Security Audit January 2015, conducted by our internal auditors Deloitte which ran concurrently with the above (see appendix II for the Executive summary from the audit and the current status of actions).

Overall, organisations are as vulnerable as the ‘weakest link’, be that people, process or technology.

Purpose of this paper The ISC made a commitment at its meeting in October 2014 to invest in establishing an Information Management function. This paper outlines how UIS will begin to address the challenge ahead and lays the foundation for the future development of a strategic Information Management and Security pathway.

1 University priorities Our strategic priority areas for Information Management and Security can be summarised as follows:

• Complying with University Statutes and Ordinances, legal and regulatory requirements • Protecting, promoting and extending our research • Protecting and preserving our student, alumni and teaching data • Preserving academic freedom • Preventing security breaches • Contributing to RPC's goal of ‘enabling excellent research, underpinned by renewed

infrastructure that will comprise “the best research environment for the next 50+ years” ’

1 of 15

njw40

Text Box

ISC 65

2 Approach We are proposing to develop an approach that blends direct accountability for university owned information assets and the provision of guidance to institutions on implementing local approaches that are proportional to the threats and risks involved. Internal audit will be asked to oversee progress with implementing the arrangements. It is standard practice to use a maturity model for benchmarking purposes. UIS has selected the Information Assurance Maturity Model (IAMM) from Communication-Electronics Security Group (CESG)1 which will help us set expectations and provide us with goals for the coming years. At this stage, as we have not yet begun to build an organisation wide Information Management function, we are not on the scale below. This is not to say that we are devoid of all capability in this area just that we have not yet assessed ourselves against this model. The model depicts various levels and clearly represents a multi-year journey. As Information assurance maturity increases so does risk resilience. 1 Initial 2 Established 3 Business

Enabling 4 Quantitatively Managed

5 Optimised

Awareness of the criticality of IA to the business and legal requirements

IA processes are institutionalised

IA processes are implemented in critical areas

Number of corporate exceptions to implementing IA processes is known and reported

Responsive IA processes are integrated as part of normal business

The approach we are proposing follows the outline below:

1 http://www.cesg.gov.uk/Pages/homepage.aspx

Assign who is responsible

Assess risk and impact

Determine risk appetite

Design protection guidance

Ensure guidance is applied

Respond to incidents

2 of 15

2.1 Assign – Governance arrangements The University Council, as part of its general responsibility for the administration of the university has ultimate accountability for information management and compliance with external regulations. In the absence of formal recognition of delegated responsibility we would recommend adopting a similar approach to other Universities where the Council has formally delegated operational responsibility to the Vice Chancellor for information assets where the university is the data controller. UIS proposes nominating a university officer (the Director of UIS) as Senior Information Risk Owner (SIRO), to help clarify accountability for risk management of information assets where the university is the data controller. The role initially applies to information that is owned by the university for the purposes of administration, planning and managing resources. The responsibility of the SIRO will be to ensure that, for such services, there is consideration of threats, risk exposures and appropriate mitigation measures. A Steering Group is also proposed to ensure:

1. University wide responsibility for developing guidance and an information management framework/toolkit, and for providing support for implementation.

2. Direct accountability for implementation of the policy for information assets where the University (in the main UAS) is the data controller (e.g. student records, staff records financial records).

Where centrally owned data assets are being shared with other institutions and colleges, the steering group would have a role in guiding and (via audit) verifying that institution is taking appropriate measures to protect such "University owned" information. This can be formalised through "information sharing agreements" set out the responsibility of recipient institutions. This will involve ensuring the heads of institutions are aware of their broader information management responsibilities. Further detail on Governance proposals can be found in Appendix III 2.2 Assess The cyber audit touched on a small portion of the university and therefore further assessment of the overall position is required in order to formulate a full list of priorities. Assessment will take the form of a web tool that can be used on both local and university wide levels and can be re-used and enhanced to provide us with the means of monitoring progress against targets. The chosen tool will incorporate risk, impact and resource assessments in order to determine priorities and ensure proportionality. The tool should be simple and quick to use. Current tools evaluated are complicated, lengthy, open to interpretation and liable to give inconsistent results that are not comparable to other organisations and not able to be collated to give an overall view. We will engage with other universities who may already have faced this challenge to learn from their experiences. We propose to create our own tool to capture a key set of data; initially this will be a simple tool to make it easy to use, simple to understand and quick to complete. It will be developed as we

3 of 15

progress to widen the capture of detail. The outputs of this tool will enable us to set priorities, start a risk register and begin work on cataloguing assets. The tool will provide scoring based on the IAMM table shown above. 2.3 Determine Using the information gathered as part of the Assessment process we will produce an action plan prioritised by risk. The level of effort to be applied in order to mitigate the identified risks can then be assessed. This may involve additional costs; the plan can then be re-evaluated and re-prioritised to ensure it is proportionate. 2.4 Design and implement We will create an information management and security strategy and framework to describe what the University needs to do in respect of all IM factors. The framework will include examples of best practice and contain resources and toolkits to help organisations attain the standards described therein. There are standard frameworks and toolkits available for use e.g. ISO27001, NHS Information Governance Toolkit2, IAMM toolkit; we will evaluate these for suitability to our needs. We will consult; a panel of interested parties across the university will be setup to provide input into the framework to ensure it covers all aspects of the university’s work and is applicable in all institutions. It will provide clear guidance on what should be done, from which local implementation plans can be established. The framework must consider academic freedom and allow for such, this may be as simple as being clear what information can be held outside of protected environments. Academic input will be required during the consultation process to ensure that due consideration is given to this and requirements are understood. Online access will be provided to training and awareness materials. 2.5 Ensure As previously stated our assessment tool will be reusable to allow us to monitor progress on a periodic basis. In addition we intend to provide training and assistance with the application of the IM Framework. A two year fixed term post has been authorised in order to do this. We will create a single website to publish all IM documents including the strategy, framework and policies and procedures. We will host workshops, forums, training sessions and the like to ensure that the policies are understood and access to support is provided. A programme of audit will be developed in collaboration with our internal auditors. 2.6 Respond We currently provide a university Computer Emergency Response Team (CamCERT) as part of the UIS service. This team is well established and well known in the university although not as formally established as is ideal.

2 We already have requirements for ISO27001 and NHS IG Toolkit compliance from some Research Councils for certain projects where patient data is held

4 of 15

We intend to develop a proposal to establish CamCERT as a formal service, establish the full requirement, the resources needed to meet that requirement and a roadmap to bridge the gap. An information incident management process will be created to formalise the policies and procedures that the team will work to, set standards for those processes and implement regular reporting of incidents, losses and risks to the SIRO and Responsible Officers. Incident management procedures will need escalating plans for handling different types of incident from minor through to major. The management of major incidents will require invoking departmental emergency management plans and could extend further and require Silver team, or similar, intervention. Clear guidelines will be provided to determine the level of incident based on impact and at what point an emergency management team, and which team should be assembled. We provide other services currently that are not well known e.g. the friendly probing service; this service is not well utilised or publicised at a Responsible Officer level. We will be incorporating reporting on this and other services as part of a portfolio of security reports to responsible officers at a Head of Institution level. The ISC is asked to note the proposed approach, which will be subject to review at the IM Steering Group prior to endorsement.

3 Operational principles In addition to the approach proposed above we have established some provisional operational principles. We acknowledge that an organisation wide approach to this subject will naturally create questions with regard to boundaries which are not addressed by the over-arching nature of the approach set out above. It is hoped that the inclusion of these principles will give greater clarity to those who are closer to the subject matter. A clear message was received during several of the engagement events, that help and assistance is welcomed but interference in local practice is not. As local knowledge is key to setting goals that are achievable and practicable it is important that the IM function works with those who understand the detail. The principles set out below are intended to reflect this approach.

• Define ‘what’ not ‘how’. The IM function will clarify what needs to be done to meet all the requirements of law, regulation, statutes and ordinances and good practice. It will not dictate local practice but will offer guidance, assistance, clarification and advice for proportionate local implementation.

• Encourage local ownership. By raising awareness of responsibilities at institutional level and providing tools and resources we can encourage propagation of best practice at source and embed practices.

• Agree proportionate targets. It is recognised that not all organisations are resourced equally; expectations need to be based on ability to react as well as the risk exposure.

• Use a whole organisation approach to allow transferability of local methodology, modelling and lessons learnt.

• Enable different working practices and approaches to preserve academic freedom and sharing of information.

4 Outline communications plan One of the biggest challenges we face is building awareness, support and interest in the IM function. To a certain extent it is human nature to think ‘it won’t happen to me’. There may also be a misconception that it is an IT issue when in reality we all responsible in some way, for example,

5 of 15

we use, have access to, update, retain and archive information on a daily basis in our email inboxes. Therefore the challenge is ultimately to reach everyone to raise awareness and build support. Our ability to do that on a face to face basis is limited by the people we have available and the urgency of the requirement. We plan to use several different methods to tackle this challenge, some of which have already been described in the Approach section:

• Face to face at Head of institution level to enable cascade throughout the organisation. • Forums and groups that are already in existence e.g. TechLinks, the Schools engagement

group etc. • A web presence to provide a single source for all IM materials: policies, guidance, links to

Law and Regulatory materials etc. • Roadshows and events to update staff and students on the work of IM • Consultation Groups involving a wide range of staff throughout the University to inform the

creation of a University framework and guidance. • Survey tools to gather information which can then be reported back in a useful format. • Providing regular reports to Heads of institution that give access to information they were

previously unaware of. • Newsletters, pamphlets and posters to raise awareness. • Online training in detail or as snippets to allow ease of access and ensure those that need

detail get it whilst those who don’t are not put off by irrelevant detail. • Use of a Communications specialist to assist in the creation of materials.

By utilising many different forms of communication we intend to reach as many people as possible.

5 Timeline The timeline shown in the following table represents a high level plan for the first two years of operation. Michelle Finnegan 23 April 2015

6 of 15

Calendar year

2015 2016

Governance

Steering Group meets







Assign accountability: who is responsible?

Setup governance

groups

Promote awareness

and responsibility

Assess: identify sensitive assets, threat profiles and consequences

Develop assessment

tool

Pilot and test the tool

Gather assessment

data, report and feedback for

inclusion in PR

Review and enhance the tool

Test any changes

Re-assess and report in

preparation for PR

Review and enhance the tool

Determine information risk appetite

Create prioritised plan based on

assessment results

Implement plans

Update plans based on the latest

assessment and report on progress

Design and Implement protections policies

Create Information

Management Framework

Consult with Engagement

groups

Pilot in a volunteer area

and create local guidance

Review pilot, update

framework and add any local

templates developed during

the pilot

Promote and implement the framework

Review and update policies contained

within the Framework taking

note of outputs from the re-assessment

work

7 of 15

Ensure policies are applied as intended

Create Information

Management Website

Populate IM website with

current Policies and Procedures

Update website to include IM Framework. Provide consultancy for the pilot implementation

Review the results of the

assessment and create metrics for

monitoring progress

Provide training and awareness on policies and procedures, accountability and responsibility contained in the IM

Framework. Provide consultancy on implementing the framework

Be prepared to manage incidents

Review current

CamCERT Provision and

create a requirements

proposal

Create policies and procedures,

set standards and reporting

metrics

Implement reporting

Review feedback from reporting, adjust where necessary

Outline communications plan

Face to face discussion with Heads of institution, TechLinks

etc. based on the approach detailed above

Prepare and run security

campaign as per Cyber Audit

Develop training materials,

newsletters etc.

Setup and run Roadshows and other

awareness events

Review of Roadshows and

events for lessons learnt

User policy awareness campaign

as per the Cyber Audit

Planning round

Planning round

Key Governance

Normal operation

Preparation

Review

Pilot/testing Implementation

denotes an activity from the Communications plan

8 of 15

Appendix I – Recent Cyber Events – excerpt from the Cyber Audit presentation

Risks Examples Consequences

Confidentiality 2014 Sony Pictures[1]

Loss of various personal and commercially sensitive data

2014 Queen Mary, London[2]

Operation PhDPounds, MoD funding, attack within hours of announcement

Loss of students’ personal details Loss of sensitive network information

2013 University of Cambridge ICO Case reference ENF0476417

2009 UEA Loss of climate research data; £112,870 spent on PR

[3]

Integrity 2013 MIT website defacement[4]

Aaron Swartz “revenge”

Reputational damage

2010 Stuxnet[5]

Indirect attack on connected infrastructure

Reportedly ruined 1/5 Iran’s nuclear centrifuges

Availability 2014 xbox/Playstation network[6]

No customer access/loss of revenue

2013 RBS Group[7]

No online banking, reputational damage

9 of 15

University of Cambridge – Cyber Security Assessment ©2015 Deloitte LLP. Private & Confidential

Appendix II

University of Cambridge Cyber Security Assessment Final Report

January 2015 Distribution list: Martin Bellamy – Director, University Information Services

Bob Dowling - Head of Online Services, University Information Services

Michelle Finnegan – Assistant Director University Information Service

Steve Kearsey - Assistant Director University Information Service

Andrew Reid, Director of Finance Jonathan Nicholls,

Registrary (Final report only) Audit Committee (Final report only)

Key dates:

Date of fieldwork: August – September 2014

Date of draft report: 25 September 2014

Receipt of responses: 21 October 2014 – 12 January 2015 Date of final report: 12 January 2015

This report has been prepared on the basis of the limitations set out in Appendix D.

This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 7 April 2010 between the University of Cambridge and Deloitte LLP. The report is produced solely for the use of the University of Cambridge for the purposes of delivering the internal audit plan. Its contents should not be quoted or referred to in whole or in part without our prior written consent except as required by law. Deloitte LLP accepts no responsibility to any third party, as the report has not been prepared, and is not intended for any other purpose.

10 of 15


1. Executive summary

1.1. Background The University of Cambridge (UoC) is a global brand, encompassing diverse academic populations, many of whom also undertake valuable research with commercial and charitable entities. Criminal and social activists are known to target organisations with high public profiles or valuable information. There is a risk that those threat actors may conduct cyber-attacks, and the compromise of information will lead to damage to the UoC brand, negative publicity and financial losses.

In 2012, the UK Government launched its “10 Steps to Cyber Security” guidance to encourage organisations to consider whether they were managing their cyber risks. In 2014 the Government is encouraging the adoption of a standard for organisations, and is currently developing the “Cyber Essentials Scheme” (hereafter referred to as “the Scheme”) to become that standard. The Scheme requirements focus on Internet-based attacks, and the five basic controls to manage the associated risks.

Government is expected to heavily encourage the certification of organisations against the final Scheme. One aspect of the audit work has included consideration of the current practices which the University can use to plan future certification activities.

It is acknowledged by management in the University Information Services (UIS) that work is required in the area of cyber security to help manage risks in this area to an acceptable level for the University. The Director of the UIS confirmed that since finalisation of the fieldwork for this assessment, the Information Services Committee has approved the creation of four staff posts to establish an Information management Division, and additionally to appoint a Security Architect. These roles have not existed previously within the UIS and are to be put in place shortly.

1.2. Objectives and Scope The UIS and the Schools hold valuable data and intellectual property belonging to both the UoC, and third parties. The objective of the cyber audit has been to understand how the risk of a cyber-attack is mitigated. The audit assessed a representative system (Raven) managed by UIS, and representative departments within the Schools of Clinical Medicine and the School of Arts and Humanities.

Raven is a central system hosted and managed by UIS and provides a common service used by other computer services. It authenticates users through a web page. A single common authentication system like Raven means that users only have to remember one username and password for multiple computer services.

The controls were assessed against the current draft “Cyber Essentials Scheme” framework. The framework assesses five basic categories of control, which if implemented in full, are capable of preventing or reducing the majority of potential or identifiable cyber-attacks. The categories are:

1. Boundary firewalls and internet gateways;

2. Secure configuration;

3. Access control;

4. Malware protection; and

5. Patch management.

The scope excludes non-technical controls such as governance or policy, and areas such as the operating model or skills and capability. The assessment of risk and controls in place within

11 of 15


UIS was also out of scope of this audit, as is proposed to be considered as part of the Cyber internal audit to be undertaken during 2014/15.

Further detail on the scope of the cyber audit is provided in Section 2 of the report.

1.3. Summary assessment

Based on the work undertaken as detailed in the ‘Scope of Assignment’, we are able to provide Limited Assurance in respect of the adequacy and effectiveness of the selected controls within the in-scope areas at the time of our fieldwork.

Full Substantial Limited None

Limited assurance is defined as, ‘Weaknesses in the system of internal controls are such as to put the University’s objectives at risk. The level of non-compliance puts the University’s objectives at risk.”

Management should be aware that our cyber audit work was performed according to UK BIS Cyber Essentials framework which are different from audits performed in accordance with International ISO27002:2013 controls. Similarly, the assurance gradings provided in our cyber audit report are not comparable with the ISO27002:2013 controls issued by the International Audit and Assurance Standards Board.

Our cyber audit testing was performed on a judgemental sample basis and focussed on the key controls mitigating risks. Cyber audit testing is designed to assess the adequacy and effectiveness of key controls in operation at the time of a cyber audit. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. The classifications of our cyber audit assessment framework and priority ratings definitions for our recommendations are set out in more detail in the Appendices A and B.

12 of 15

13 of 15

Cyber security audit status Responsibility Action Status Raven: Online Services, August 2015

• Continue the plan to upgrade Raven. [Rec. 1] • Consider moving Raven behind UIS Business

Systems firewall. [Rec. 2]

Complete

Policy review: Information Management, January 2016

• End-user policy requires user to keep client system up-to-date for software and end-point-protection. [Rec. 1][Rec. 8]

• Institutional policy (currently non-existent) needs to put an equivalent security obligation on the institutions and carry a compliance statement. [Rec. 2]

To be assessed for impact and included in the Information Management Framework

Managed firewall service: Networks, March 2016 (resource availability has impacted our ability to deliver to the original date of December 2015)

• Firewall service to support stateful firewalls. [Rec. 2]

• Support for whitelists. [Rec. 2] • Rule timeouts/alerts. [Rec. 2] • Blocks for C&C protocols. [Rec. 8] • Intrusion detection/prevention. [Rec. 9]

In progress

Security campaign: Information Management, October 2015

• Promulgate good practice. [Rec. 3] • End-point-protection [Rec. 8] • Promote use of malware settings in browsers.

[Rec. 9]

To be included in the IM Framework and training and awareness of responsibilities

Points of Presence: Networks, October 2015

• Development of a core, basic blacklist for all points of presence. [Rec. 3]

To be confirmed

Two-factor authentication: Architecture, January 2016

• Review of whether a University service would be worthwhile. [Rec. 4]

To be confirmed

End user compute strategy: Service operations, January 2016

• Encourage users to move to managed desktops. [Rec. 6]

In progress

Identity management strategy: Architecture, January 2016

• To continue adding UIS services to the common password scheme. [Rec. 5]

• Consider support for managed administrative accounts. [Rec. 7]

In progress

Server network: Service Operations, October 2015

• Consider moving to a whitelist for core server network boundary with CUDN. [Rec. 3]

In progress

Logging service: Architecture, December 2015

• Consider provision of a central system log aggregation service. [Rec. 7]

To be confirmed

APPENDIX III Draft terms of reference - 17 April 2015 Information Security Management Steering Group Purpose To develop and implement a delegated framework for the management of information security throughout the University To ensure the framework is fully implemented for centrally managed information assets (i.e. those where the University is the data controller) To ensure appropriate guidance and support to institutions for implementation of the appropriate level of information security required for the assets being handled. Responsibilities

• Ensure information assets in all their forms (electronic or paper) are understood and that information risk appetite has been considered.

• Ensure an information security management framework is in place, and implemented. • Ensure an information risk register is in place, that this is regularly reviewed and appropriate

actions are initiated. • Ensure information loss reporting procedure is in place, and that it complies with external

reporting requirements. • Promote a culture of awareness, with annual training made available to all staff. • Ensure appropriate technical controls are in place, with system accreditations being

periodically reconfirmed. • Approving exceptions to agreed policy. • Establishing an information incident management capability. • Engage with Colleges to establish a collaborative approach to information management and

security.

Membership

• The Registrary (Chair) • Director of Information Services (Executive Officer of the Committee) • The Librarian • University Data Protection Officer • Head of Research • Academic Representation • Representatives from three Schools, SAH, SPS and SCM (each to represent the views of 2

schools) • SIROs from Cambridge University Press and Cambridge Assessment • Two representatives from other University institutions • Student representation • Deputy Director UIS (Secretary)

14 of 15

15 of 15

Frequency of meetings The IMSG will meet quarterly. Initial work programme:

• Agree the Strategy for Information Security Management • Set priorities for Information Management • Monitor progress against initiatives and report to ISC • Recommend information management policy to ISC • Review information losses and risks • Agree implementation plans • Prepare business cases for approval at ISC • Promote good practice in Information Management • Convene project/working groups and set membership where warranted • Engage both internally and externally to share knowledge, experience, and promote the

University’s work in the field. • Make recommendations of areas for audit as part of the annual audit planning process.

Implementation accountability The ISC has agreed to nominate a university officer (the Director of UIS) as Senior Information Risk Owner (SIRO) both to oversee implementation of the policy for centrally managed information assets, and to promote good practice across the University. The SIRO will be responsible for ensuring that the agreed policies are implemented for centrally owned information assets and for systems implemented by UIS;- this includes ensuring regular consideration of threats, risk exposures and appropriate mitigation measures.

Development and Alumni Relations Fundraising Systems Project This paper is commercially sensitive and is circulated to members of the Committee only.

njw40

Text Box

ISC 66

- 2 -

Storage strategy

Purpose of this paper This paper outlines activity UIS has undertaken to understand the storage services required by end users across the University and describes a series of pilot services that UIS will run to inform the development of a coherent architecture.

Action requested ISC members are asked to endorse UIS’ approach of developing and operating an initial set of pilot services to inform the development of a coherent architecture, defining a storage strategy and the use of the TDF to fund the initial costs.

1 Requirements The IT Review commented that the University would benefit from a central storage service1. In response to this the UIS ran a requirements capture project2 which identified specific services that were needed and a currently declared requirement for storage of 15 petabytes. The recently initiated project to provide computing from the West Cambridge Data Centre to the Biomedical Campus has also generated an overlapping set of storage requirements. The UIS has also discussed storage needs for the University’s administrative databases and applications. While there is some commonality in requirements, the various investigations indicate that detailed strategy will need to be tripartite to properly support the three domains of Research, Administration, and Education. The preliminary investigations also indicate that the projects are certain to evolve their requirements and technologies as experience with large scale storage develops.

2 Pilot services The requirements capture projects identified desired services rather than core infrastructure. In order to start delivering value to the University before the full requirements of the core infrastructure are designed UIS plans to develop a series of services, initially run as pilots. The three principal outputs of these pilots will be:

1. inputs to the design of the core infrastructure (introduced in high level detail below). 2. business models for the costing and staffing of the services, and 3. refinements of the services themselves.

We anticipate the pilots each running one academic year. This document does not provide detailed designs for the pilots; the proposed initial set of pilots is outlined in the following subsections. 2.1 File sharing and folder synchronisation (“Dropbox-like”) Colloquially identified as “Dropbox-like” access, this is the University’s preferred mechanism for sharing data. The requirements capture data identified that nearly all interviewed staff were using Dropbox to share data, even when they knew it was inappropriate to store the data outside of the

1 http://www.admin.cam.ac.uk/reporter/2012-13/weekly/6302/Revised-IT-Review-Report.pdf, ¶55, ¶112 2 http://www.uis.cam.ac.uk/reports/shared-storage-requirements-project

1 of 4

http://www.admin.cam.ac.uk/reporter/2012-13/weekly/6302/Revised-IT-Review-Report.pdf

http://www.uis.cam.ac.uk/reports/shared-storage-requirements-project

njw40

Text Box

ISC 67

University. This is the most urgent of the services identified by the requirements capture exercise. We anticipate a free quota for each user and a charged service beyond that for users and groups. A small overhead on the charged element will fund the free quota. The exact size of the free quota will be determined as part of the pilot’s business analysis. 2.2 High performance computing scratch space As the size of datasets used for HPC jobs increases, the size of the storage directly attached to the processing nodes also grows. We will grow the directly attached storage using hardware aligned as closely as possible with that providing the core storage infrastructure, to benefit from any financial benefits from the large-scale purchase and to reduce the administrative overhead of managing the hardware. The HPC pipeline requires an additional 10PB of local storage over the next 12 months. 2.3 File system as a service This service will provide file systems (probably over NFS or CIFS) to groups in the university, allowing them to purchase storage by the (tens of) terabyte without having to worry about managing or housing it. Features such as checkpointing and frequency of backups will be selectable by the commissioning end user and the configuration of these features will modify the price according to the additional raw storage required to provide them. 2.4 Research data services As data management grows in complexity as well as size there is a need for a human service to offer technical and academic support for data handling (efficient layout, visualization, consultancy, etc.) and also advice on policy and procedure (archiving requirements, personal data handling, etc.). 2.5 Administrative computing The University’s administrative systems are primarily based on Oracle databases. These have specific storage system requirements and further investigative work is required to determine whether the core storage hardware can provide the necessary functionality. If they can then there are further potential benefits from reduced hardware and system administration costs. The IBM SAN currently in use comes to its end of life at the end of CY2015.

3 High-level architecture & staffing We have investigated various options and among the plausible candidates for an architecture there is strong commonality around a layered model that has:

• core, raw storage provided by as small a number of types of hardware as practical, to push down the unit costs as far as possible,

• an “orchestration” layer above that combines the raw storage into usable, resilient blocks (a.k.a. “software defined storage”), and

• a set of peripheral services which export that storage in various ways. This will all be maintained in the West Cambridge Data Centre (WCDC) and designed to ISO27001 levels of security. It is impossible to give specifics of the technologies involved in the three layers at this point. We will use the experience of the initial pilots to drive the selection and configuration of the technology. This development will rest within the new Architecture Division of the UIS. To support this infrastructure and the storage-related services the UIS will form a cross-divisional virtual team involving staff from Architecture, Build, Research & Institutional Services, and Service

2 of 4

Operations. This team will take the lead on the ongoing development of the core facilities. Some additional staffing (of the order of 1FTE) will be needed to support the storage systems and this will have to be factored into the recharged costs. The development of this architecture will be service-led and we can start the services for less than £500,000. It is recommended that the TDF funds are used to fund this initial activity.

4 Backup As the University moves to a central storage service, the onus falls on that service to provide reliable disaster recovery assurance. Given the very large quantities of data involved, backup and recovery is a very large undertaking. 4.1 Backups in Cambridge We can store the data in Cambridge. We could implement a disc or tape robot system to keep copies of our core storage. This has to be outside the WCDC itself, obviously, but all our other UIS machines rooms are either also on the West Cambridge Site (Roger Needham Building, Soulsby Building) or regarded as “high risk” (Central Network Hub3). For any scenario where we run our own backups (either this model or the hosted model below) we have to purchase and maintain/replace the hardware. 4.2 Backups elsewhere in the UK We can implement the same backup systems and house them outside Cambridge. There are two primary options for this. A critical factor for this service will be the network connectivity to Cambridge. Facilities connected to the Janet network have a great advantage. Third party commercial machine rooms offer no advantages over the Jisc shared data centre. We can rent space in the Jisc shared data centre4 at a price of a few tens of thousands of pounds per year. This cost is dominated by the power charges and will be a function of the technology used and how much we use it. A usage of 10kW will cost us of order of £35,000/year. Alternatively, a reciprocal agreement with another University could be implemented. This has opportunity costs for us since it eats into our pool of space in the WCDC but has the advantage of a flexible and cooperative partner. Power costs would have to be negotiated. 4.3 Backups in the public cloud There exist services for storing backups in the public cloud. The cheapest of these, for our likely use cases is to use Amazon Glacier. This service is Amazon’s cheapest for upload and storage but is expensive for downloads. Costs would be in the order of US$14,000 per petabyte backed up per year (assuming no restorations) inclusive of VAT but roughly US$60,000 per petabyte should we ever need to manage such a complete restoration. Sensitive backups must not be put in the public cloud without some additional security and we would develop a cryptographic gateway to this end. Backups would be made to local storage, encrypted in Cambridge with keys held locally, and the encrypted images would be uploaded to the cloud.

3 Currently under the Arup building works and recently the victim of water damage 4 http://www.jisc.ac.uk/shared-data-centre

3 of 4

http://www.jisc.ac.uk/shared-data-centre

This is likely to be the fastest to implement. We propose to start with this service and to investigate the UK-based hosting of our equipment. If we persist with this model we will investigate options for an insurance policy to cover the large download costs should be need to recover from a disaster. Bob Dowling Paul Calleja 23 April 2015

4 of 4

Microsoft Enterprise Enrolment Services

Purpose of this paper This paper sets out the case for purchasing a University wide Microsoft Enterprise Enrolment Services agreement (commonly referred to as “Microsoft Campus Agreement”).

Action requested The ISC is asked to approve:

• The procurement of a Microsoft EES agreement on behalf of the University. • A strategic initiative to develop a University wide Active Directory. • Release of Office 365 ProPlus productivity software for all staff and students.

The ISC is asked to provide a steer for the proposals for potential services outlined in section 4.3

1 The Agreement The proposal is to license the Education Desktop product through a Microsoft EES. This product is comprised of:

• Windows Enterprise Upgrade1 • Microsoft Office Professional Plus (for Windows) and Office for Mac • Microsoft Enterprise CAL2 Suite.

Additionally, we would benefit from access to Office 365 ProPlus for all staff and students at no additional cost3.

2 The case for proceeding (executive summary) For an estimated increase in current expenditure of approximately £50,000 per annum (ex VAT) all staff and students can be provided with Microsoft Office 365 ProPlus and 1 Terabyte of cloud based storage. Additionally, the University can use the latest Windows Desktop and Microsoft Office software and have an extensive set of CALs to support both centrally and locally provisioned services. Improved security, licencing compliance and reduced administration are indirect benefits, as is the ability to use the licence to introduce additional services over time (e.g. calendaring and document collaboration).

1 Windows Enterprise Upgrade - enables the latest version of Windows to be used where a qualifying base licence exists (typically the base licence will be the OEM licence shipped with the PC at purchase or an existing full product licence) 2 CAL - Client Access License, required to legally connect client devices to Microsoft server products including but not limited to Fileservers, Exchange and SharePoint. The Enterprise suite enables additional technologies with increased capability and configurability for the relevant products. A list of CALs included in this licence is included as Appendix 1. 3 Office 365 ProPlus - provides access to the desktop software productivity suite for education related work on non-University equipment.

1 of 9

njw40

Text Box

ISC 68

3 Cost The exact cost to the University will be dependent upon commercial negotiation and the selected procurement process. The principal variables in determining cost are:

• reseller cost price (dictated by Microsoft) • reseller margins (dictated by the reseller) • number of qualifying FTEs (dictated by the size of the University and any participating

Institutions) We are aiming to achieve a price of around £30 per annum (ex VAT) per qualifying FTE, assuming the Colleges agree to join the agreement. This price is believed to be ambitious but achievable and is over 20% less than the education list price of £39 per annum (ex VAT) per qualifying FTE. The most recent staff headcount (July 2014) records the University as having 10,345 staff, of which approximately 9,900 are believed to count as qualifying FTEs for this agreement. In order to reach the desired price point a headcount of over 10,000 FTE is required, necessitating College participation to reach the appropriate price break point. Based on the above assumptions, the cost to the University (excluding colleges) would be around £300,000 per annum (ex VAT) offset by a saving of approximately £250,000 per annum of current expenditure that would be no longer required. Colleges and any affiliate institutions who wish to participate will be expected to pay their share of the overall cost. This will not apply for college members who are already licensed through the University.

4 Services Enabled by Microsoft EES A Microsoft EES agreement will enable UIS to deliver immediate benefit to the participating institutions within the University and to additionally develop new services or extend current services in a cost-effective way. 4.1 Day one services Access to Windows Enterprise Upgrade and Microsoft Office Professional Plus and Office for Mac would be made available via the soon-to-be-released UIS online software sales/deployment service to all qualifying individuals. Additionally, institutional IT staff would have access to this software in a fashion that is suitable for deploying/managing the software within their local environment. 4.2 Year one services The following services should be developed and made available within the first year of the agreement:

1. A University wide Active Directory should be architected and built as an enabling service. This would enhance current authentication and authorisation services and facilitate the management of University wide IT services. It is envisioned that this would be an extension or modification of the exiting ad.cam.ac.uk Active Directory run by UIS on behalf of the University. A centralised Active Directory is a required pre-requisite for the delivery of University wide services based on Microsoft technology, including the proposed deployment of Microsoft Office 365 Pro Plus described below.

2 of 9

2. The productivity software (Word, Excel, PowerPoint etc.) and cloud-based storage (Microsoft OneDrive) included within Office 365 ProPlus should be made available to all staff and students via self-service provision. This may be by an in house developed system or by outsourcing the management to a third party such as KIVUTO4. (This offering does not include email or calendaring. Whilst a Microsoft EES agreement provides the most cost-effective way of delivering an Exchange based email and calendaring solution, be that on premise or in the cloud, a separate piece of work is required in order to make recommendations to the ISC as to if and how we move forward with these technologies.)

3. The development of the UIS End User Computing (Desktop) platform should continue in a

manner that utilises the benefits of the Microsoft EES. The lack of a Microsoft EES agreement has prevented the development of cost-effective University wide Microsoft-based services in the past and is considered a de facto requirement for innovation in this area.

4.3 Potential services (to be investigated) There is the potential opportunity to introduce a range of new services and or replace current services in order to utilise the full benefits of a Microsoft EES. It is suggested that the following work is undertaken during the first year of the agreement:

1. Investigate the options for replacing Hermes email and Google calendar with a University wide service combining email, calendaring and instant messaging into a single platform. This work should look at both on premise hosting, cloud-based provision or a hybrid of both. The proposal should include a review of alternate approaches including but not limited to the potential use of Microsoft Exchange, Office 365 and Google Apps.

2. Develop a proposal for a University wide federated SharePoint5 service.

5 Strategic Drivers The following points are considered to be the key strategic drivers and justification for adopting a Microsoft EES agreement: 5.1 Student Experience It will enable the University to deliver (as a minimum) the same level of IT provision to Cambridge students as that delivered by other Higher Education establishments. As the only UK University without a Microsoft EES agreement we are not currently able to uniformly provide all our students with many of the resources that other universities provide, including externally hosted services such as Office 365 for all students (21 Russell Group Universities have or are in the process of adopting this service as their main productivity environment for staff and students). 5.2 Staff Benefits All staff will be able to utilise the latest version (or previous version if preferred) of Windows and Microsoft Office on a University owned device assuming a qualifying licence (typically a machine based OEM6 licence) is already in place. Additionally, staff can be provided with the latest (or previous version if preferred) of Windows and Office for use on a personally owned computer for

4 KIVUTO – A company specialising in software distribution http://kivuto.com/ 5 SharePoint is a web application framework and platform that integrates intranet, content management, and document management. 6 OEM - Original Equipment Manufacturer

3 of 9

work-related purposes and have access to externally hosted services such as Office 365 ProPlus at no extra cost. 5.3 Improved security A Microsoft EES agreement will stop institutions using budgetary arguments as a rationale for not keeping Windows Desktops up to date thus reducing the risk associated with out of date and insecure Desktop Operating Systems. Currently, some institutions are reluctant to upgrade aging systems (such Windows XP), which increases their exposure to security vulnerabilities and malicious attack whilst indirectly increasing reputational risk for the wider University should a major security related incident occur. 5.4 Support for Research The use of Microsoft developer tools, platforms, and servers is included within a Microsoft EES agreement for use in laboratories, classrooms and on student computers where used for research and instructional purposes. Additionally, institutions will be able to utilise (at a considerable discount) externally hosted services such as the Azure Cloud (the only service of this type ranked by Gartner as an industry leader) to provide compute and storage for relevant research. 5.5 End User Computing A Microsoft EES agreement is a de facto requirement if UIS is to maximise the benefits offered by modern Microsoft technology as part of our End User Computing (Desktop) strategy. 5.6 Improved compliance A Microsoft EES agreement will ensure that the University is correctly licensed for the areas covered by the agreement. It is likely that some institutions are currently under licensed, although this is hard to quantify due to the devolved structure of the University. 5.7 Easier licence administration Administration of Microsoft Licensing will become significantly easier and less time consuming for all participating institutions. This will save staff time across the participating institutions leading to an indirect cost saving. 5.8 Upgrade rights A Microsoft EES agreement includes upgrade rights for the included licences thus allowing the University to upgrade systems and software when desired and facilitating the early adoption of new features of benefit. 5.9 Leverage HE sector benefits Sector wide negotiations with Microsoft, including those concerning university shared services (such as those offered by Jisc7), have assumed that a Microsoft EES agreement is in place (Cambridge is the ONLY UK University currently without such an agreement). For us to leverage any benefit from such arrangements a Microsoft EES agreement is required.

7 Jisc – a charity which champions the use of digital technologies in UK education and research.

4 of 9

6 Engagement & Support The UIS has undertaken a number of engagement activities with constituent parts of the University and received considerable (often unanimous) support for the proposal. Principal channels of engagement have been with:

• School IT committees. • Departmental IT leads and staff • Colleges bursars committee • Colleges IT management group • Affiliated organisations

7 Alternative Options A number of alternative options have been considered both in the sphere of desktop operating system/productivity software and in the realm of cloud-based IT services. 7.1 Alternatives to Microsoft Windows and Office The worldwide prevalence of Microsoft software (particularly Windows and Office) has led us to conclude that there is no viable case to suggest a complete move away from Microsoft technology. 7.2 Alternative Microsoft licensing models There are two viable models to consider in relation to how we licence our Microsoft software:

1. The proposed Microsoft EES route, where some software is licensed on an annual basis. 2. Microsoft Select (predominantly the University’s current approach), where software is

licensed in perpetuity. A like-for-like8 comparison clearly demonstrates the Microsoft EES route is cheaper for the products under consideration if licensed for the entire University over a three year timeframe.

The intention is that the current Microsoft Select agreement is retained for the purpose of licencing products that are not covered by the Microsoft Select agreement (e.g. Server products, Visio and MS Project). 7.3 Alternative to Microsoft Office 365 (i.e. other cloud-based productivity solutions) The principal alternative to Microsoft Office 365 is Google Apps. We have experience of this platform as the UIS currently runs a Google Calendar service (a component of Google Apps) across the University. This is not a widely used service and was problematic to introduce due to data protection and contractual concerns. Additionally, each component within Google Apps is subject to individual terms and conditions and require individual negotiation.

8 Financial Considerations The cost associated with a Microsoft EES agreement would be offset by savings made across the entire University as individual institutions would no longer be responsible for the direct purchase of their own Microsoft licences. The profile of the current spend is also known to contain large peaks (of £100,000 or more) every few years as a particular technology is upgraded or replaced. This variable cost profile would be replaced with a predictable and uniform annual spend. Additionally, the introduction of cloud-based services such as Microsoft Office 365 reduces the overhead cost

8 “like-for-like” - comparing the components included within the proposed Microsoft EES with licensing these components through Microsoft Select for an equivalent user base.

5 of 9

(power and cooling) associated with on premise provision. Gartner9 advice has been supportive of the proposal for adopting Microsoft EES with the chosen product set. 8.1 Current costs The following is intended to provide the ISC with indicative costs only (quoted figures are inclusive of VAT where applicable). The current qualifying spend made by Institutions (including Colleges) via the UIS managed Microsoft Select Agreement has been not less than £175,000 per annum for the last three years. The overall qualifying spend made across the University is higher but difficult to ascertain due to the devolved nature of the University, the large number of resellers involved, the complexity and variety of licencing models in use and the lack of granularity found in readily available historical data. Based on text filtering of Purchase Order line item descriptions a conservative estimate is that this additional expenditure has been at least £25,000 per annum for the last 3 years and probably considerably more. Taking into account peaks in spending, it is estimated that average expenditure over the last 5 years has been in the order of £250,000 per annum 8.2 Future costs The aspirational cost of circa £30 per annum (ex VAT) per qualifying FTE will be fixed for the first three years. Historically the cost of MS EES agreements has tended to rise with inflation and has not been subject to one-off large increases. By entering into a Microsoft EES agreement we would find ourselves in the same position as all other UK universities and could potentially benefit from future collective negotiations. 8.3 Cost Recovery It is recommended that the Microsoft EES agreement is funded centrally without directly recharging Schools or non-School Institutions, so as to avoid unnecessary administrative overhead. Colleges and other Institutions (e.g. Cambridge Assessment and The Theological Federation) would be expected to pay their respective share based on their own qualifying FTE count (excluding staff already counted as part of the University’s qualifying FTE count). Should the University wish to recover any of the cost from Schools or non-School institutions then it is recommended that this should be undertaken indirectly via the annual planning round. 8.4 FTE Count The most recent staff headcount (July 2014) records the University as having 10,345 staff, of which approximately 9,900 are estimated to be qualifying FTEs. Qualifying staff include all Faculty10 and Staff11 that work for more than 200 hours per annum and use an Institution Qualified Desktop. Microsoft have a price break point set at 10,000 FTE. Historically, the number of FTEs within the University has tended to rise over time (see table below).

9 Gartner - a leading information technology research and advisory consultancy. 10 Faculty – “any employee, contractor or volunteer who teaches or performs research for the Institution”. 11 Staff – “any non-Faculty employee, contractor or volunteer who performs work for the institution”.

6 of 9

Headcount of staff (taken from University of Cambridge Facts and Figures – January 2015): July 2012 July 2013 July 2014 Academic 1,596 1,616 1,649 Academic related 1,409 1,559 1,695 Contract Research 3,118 3,470 3,707 Technical 1,090 1,149 1,171 Clerical and Secretarial 1,535 1,601 1,680 Manual and Domestic12 414 428 443

Total staff 9,162 9,823 10,345

9 Security, Privacy and Data Protection Microsoft Office 365 is verified to meet requirements specified in ISO 27001, ISO/IEC 27018, SSAE16, FERPA, HIPAA, FISMA & EU Model clauses. Data is replicated in geo-redundant EU based datacentres (in Ireland and the Netherlands) to protect against datacentre wide failures. A 99.9% financially backed Service Level Agreement is provided and the terms have been verified by Jisc.

10 Termination of Agreement Should the University decide to discontinue the Microsoft EES in the future there would be three options available in relation to continued use of the licensed products and CALs:

1. Purchase perpetual licenses using the Buy-out Option13. 2. Remove the software. 3. Choose a combination of the above.

11 Timeline The work associated with the proposal for the University to adopt a Microsoft EES agreement has been split into 4 phases:

• phase 1 - pre-negotiation (complete) • phase 2 - formal negotiation with Microsoft (pending ISC approval) • phase 3 - architectural development for enabling services • phase 4 - service development and deployment

12 Manual and Domestic staff are not qualifying FTEs for the purpose of this agreement. 13 After three years or more it is possible to purchase perpetual licenses for the desired products and quantities by acquiring discounted “buy-out” licenses offered under the programme.

7 of 9

Richard Hey 22 April 2015

01/01/2015 30/09/201601/04/2015 01/07/2015 01/10/2015 01/01/2016 01/04/2016 01/07/2016

Pre-negotiation (phase 1) Formal negotiation (phase2)

30/09/2015MS EES agreement in place

Service development & deployment (phase 4)

Architectural development (phase 3)

30/04/2015ISC approval soughtCommunity

Engagement

8 of 9

Appendix 1 - Microsoft Enterprise CAL Suite The Microsoft Enterprise CAL Suite is equivalent to the following licenses:

• All of the components of the Core CAL Suite: o Windows Server CAL, o Microsoft SharePoint Server Standard CAL, o Microsoft Exchange Server Standard CAL, o Microsoft System Center Configuration Manager Client Management License, o System Center Endpoint Protection (antivirus client and subscription service) o Microsoft Lync Server Standard CAL

• Exchange Server Enterprise CAL with Services* • Exchange Online with Archiving for Exchange Server • SharePoint Server Enterprise CAL • Lync Server Enterprise CAL • Windows Server Active Directory Rights Management Services CAL • System Center Client Management Suite

o System Center Operations Manager Client Management License o System Center Service Manager Client Management License o System Center Data Protection Manager Client Management License o System Center Orchestrator (formerly Opalis) Client Management License

*Includes Data Loss Prevention and Exchange Online Protection

9 of 9

1 of 2

IT Governance Minimum Standards of IT Provision and Integration

1 ISC Terms of Reference The Terms of Reference for the Information Services Committee, as set out in Ordinances, specify that one of its duties is:

“5(h) to set, consulting the Councils of the Schools, Colleges and other institutions as necessary,

minimum standards of service to be provided;”

The Committee has established the following governance processes to enable it to carry out this remit.

2 IT Service Catalogue The introduction of a university-wide IT Service Catalogue will foster more structured ways of allowing for the discovery of services available to end user communities, be it staff members, students or visitors. Sections within the catalogue will be used to identify the different classes of service: core versus local versus experimental; school, departmental or college-based; or particular constituency targets such as staff or students.

Different policies and standards will apply to how services and offerings gain entry into the different sections of the catalogue, and depending on their status, different governance procedures may be necessary to regulate what is and is not included in each. The assurance of minimum standards of functionality and quality will be indicated by the service’s position in the Catalogue. Entry into the Catalogue will act as a level of approval, a kind of ‘kite-mark’ showing adherence to a particular

standard.

Core services, available to all, will typically be provided by the UIS or other major IT service providers across the University, and will represent a minimum guarantee of reliability and service level delivery. Such services will guarantee a level of commitment, management, design quality and secured funding to a specified minimum standard.

Local services may be available to a more restricted community, such as within a College, department or for a particular course. Service levels for these offerings will be appropriate for the context within which they are provided, but may not be supported for more widespread usage.

Community offerings, representing experimental, pilot or casual offerings might be listed in a ‘pot

luck’ section of the Catalogue, where service levels and quality may be ad hoc. Whilst some control over what is listed here may need to be exercised, offerings here would be used at the users own risk. However, this could be an ideal place for sharing developing and innovative ideas with the community, and might foster collaborative development of new facilities and tools which might be worked up into core or local services in time.

Information Services

njw40

Text Box

ISC 69

2 of 2

Early plans for new services should be shared through the IT Service Catalogue to enable institutions to comment at an early stage of design, and the ability for users to ‘rate’ existing services, similar to many consumer websites, would be a useful feedback mechanism.

3 Governance As part of its engagement with the IT, academic and administrative communities across the Schools and Colleges, the UIS will establish and hold regular Engagement Meetings with representative groups across these communities to engender consultation, collaboration, and consensus on IT issues and future developments within the IT sphere. The Engagement Meetings will be run on formal lines, with structured agendas and formal published minutes. Copies of the minutes of all such meetings will be submitted to the ISC for its review.

The UIS IT Service Catalogue will be used as an instrument to promulgate and guarantee minimum standards for the IT services available throughout the University. Sections for at least the following will be included:

Core Services – available university-wide, with guaranteed minimum standards

Local Services – available to local communities or specific constituencies, with specified local standards. Institutions would be able to substitute core University-wide services with local services provided these at least meet the minimum standards

Community Offerings – available university-wide, but used at the user’s own risk

The User Needs Committee of the ISC, under its delegated authority, will be responsible for recommending minimum standards of service for IT provision to the ISC, based on advice provided by User Panels established for the purpose by the UIS. Day-to-day operation of its policies will be delegated to the Director of UIS, who will consult with the Schools’ and Colleges’ Engagement Groups to ensure the priorities of institutions are taken into account.

S. Kearsey April 2015

Incident reports, lessons learned and remedial activity

Purpose of this paper This paper provices a progress report on the provision of a resilient network connection, lessons learned as a result of an earlier incident at the Central Network Hub (ISC52) and reports on two significant incidents that have recently occurred:

• West Cambridge (Soulsby) power issue – 23 February 2015 • Old Schools power outage – 24 February 2015

Actions requested ISC members are asked to:

• note the progress of the provision to the University of a resilient network connection; note the lessons learned from the incident at the Central Network Hub and to support the UIS recommendations on addressing future risks to the network by major works;

• note the incident at the Soulsby data centre for 23 February, the success of remedial activity to date and future planned work to address the operation of air handler units;

• note the incident at the Old Schools on 24 February, remedial activity taken and proposed procurement to address identified single points of failure.

1 Progress on the provision of a resilient network connection Our network provider, Janet, have provisioned a second fibre to the University via the William Gates building to operate as a short-term backup for the existing connection. External to the University the fibre does not have a diverse route but once on the University estate it is extended via the GBN to the West Cambridge Data Centre (WCDC), where a temporary router terminates the connection to provide the University with a high capacity active/passive backup connection. Procurement of a new gateway router (at a cost of £23,1001) has taken place and we are waiting on delivery. As part of work to reprocure their regional fibre connectivity, Janet had already committed to replacing the University’s external fibre circuits. As part of this work Janet will provide the University with diversely routed 40 GB connections to the WCDC and William Gates building. Delivery dates have yet to be finalised but Virgin Media have been asked to prioritise this work and it is anticipated that it will be carried out during the summer of 2015 Following delivery of the fibres, Janet will provide – at the University’s cost (of ~£36,0001) – a second Janet regional PoP router. This will provide a second regional presence and enable the University to eventually connect to Janet in a resilient active/active manner. Full details on this work can be found in Annex A.

1 Prices exclusive of VAT, funded from the network sinking fund

1 of 13

njw40

Text Box

ISC 70

2 Lessons learned following the incident at the Central Network Hub At its 5 March 2015 meeting the ISC requested that lessons learned from the incident at the Central Network Hub on 30 January (reported in ISC52) were reviewed. A detailed report is provided in Annex B. The ‘near miss’ on at the CNH highlights the critical dependency of the University and its affiliated institutions on a reliable network and Internet connection. As a result, the work to deliver a resilient network connection to the University has been accelerated and an interim backup solution has been deployed. The risk of of siting the Janet regional PoP and the University’s gateway router at the CNH, beneath the building work at the New Museums site, had been balanced against the the risk of delaying a major construction project. At the time the risk of damage to the network was identified as less significant and a more tolerable risk. 2.1 UIS Recommendations UIS continues to address operational issues relating to the provision of a stable connection to the Internet, including reducing single points of failure within the network architecture. Operating in a highly complex organisation such as the University will always create competing demands and conflicting risks, however we recommend that:

1. future risks to the network and Internet connectivity should not ordinarily be tolerated and if apparent should be escalated to the most senior decision makers;

2. to ensure that appropriate consideration is given to the effect of future building works that UIS is added to the Estates Management ‘sign-off’ process for major works.

3 Incident reports Two significant incidents occurred on 23 and 24 February 2015, both as a result of mains power disruptions. 3.1 West Cambridge (Soulsby) power issue – 23 February 2015 The West Cambridge site experienced a mains power event on the evening of Monday 23 February which ultimately caused the Soulsby data centre to shut down. As a result of an interruption to power to the air handling units they did not re-start correctly and the facility was shut down by the building management system when the temperature rose to a critical level. As a result of work in January to replace circuit breakers no breakers tripped, which is a positive outcome on this long-standing issue. Subsequent work to complete activity on the UPS system and generator was completed on 14-15 March but would have had no effect on this incident as the air handlers would still have failed to restart correctly. Remedial action to reprogram the building management system, to force a shutdown and restart of the air handlers in the event of a rising room temperature, has been scheduled for May. Tests completed during work on 14-15 March have demonstrated that the data centre can switch between mains power and generator-supported UPS at load. UIS has deployed temperature probes and set up independent alerts as an interim and additional measure to ensure that appropriate staff are alerted in the event of the facility’s temperature exceeding the defined threshold.

2 of 13

Further information relating to the incident is included in Annex C. 3.2 Old Schools power outage – 24 February 2015 On Tuesday 24 February a power event was experienced at the Old Schools site, which caused desktop, telephony and desktop network infrastructure to go offline. One of the University’s core network switches is hosted at the Old Schools site and was protected by a small UPS with approximately one hour capacity. Reviewing the limited capacity of the UPS and concerns about the time necessary to mobilise staff to provide emergency generator power has resulted in UIS reviewing single points of failure across its IT estate. A small portable generator has already been located at the Old Schools (£1,200) and local facilities management staff have been instructed on its operation. Further work to remove a single point of failure in the network (£10,000 switch, £1,700p/a network) and to procure a UPS with sufficient capacity for two core network switches (£5,000) has been initiated, with capital costs being met from the sinking fund. It is anticipated that this work will be complete by 1 August 2015. Further information relating to the incident is included in Annex D. Ian Cooper Jon Holgate Mark Ansell 21 April 2015

3 of 13

Annex A: Progress report on the provision of a second connection to Janet

Purpose of this paper To provide an update on the establishment of a second connection to the Janet network, providing the University of Cambridge a fully resilient Internet connection.

1 Actions required to enable resilient connectivity The following subsections represent the key steps required to deliver the University with a resilient connection to the nework, outlined in three key stages. Whilst the need for a fully diverse second link to the internet was understood and has been agreed, the recent water leak issues in the Central Network Hub (CNH) have expedited the need for its delivery. As such, the first action is to remove the CNH as a single point of failure. Subsequent deliverables are to implement a fully resilient Janet connection, and finally to re-evaluate the use of both the CNH and the William Gates Building (WGB) for network hosting.

2 Stage 1: Short term CNH dependant networking Presently the Janet Point of Presence (PoP) router is hosted in the CNH basement, along with the University’s Core Router, as well as both of the Network Address Translation (NAT) devices. The existing network backup link is also presented within the CNH, and as such the University is wholly dependant on this facility for all of its internet connectivity. 2.1 Provision of a backup fibre connection to a second location Janet have already provided an additional fibre to the William Gates Building (the location Janet’s regional network arrives on the University estate). Beyond the University estate this fibre does not provide any additional resilience (it uses the same physical infrastructure to connect from Nottingham to the William Gates Building); diverse GBN fibres extend this circuit to the WCDC which has enabled a backup connection which can be supported without the use of the CNH. Complete 2.2 Procurement of an additional core router The 10GB backup connection via the William Gates Building is presented in the WCDC without the need for a Janet PoP (the active routing is being handled from Nottingham). On behalf of the University UIS must procure and configure a local router to connect to this presentation. When stage two of the project is complete, this router can be re-purposed as the long-term replacement. A router has been ordered but will take a further four weeks to be delivered, and subsequently a month to configure and install in active/passive mode. In progress

3 Stage 2: Fully resilient second Janet connection The final proposition is to run a fully active/active Janet connection, providing improved resilience and additional bandwidth capacity.

4 of 13

3.1 Provision of a fully diversely routed fibre from the WCDC to London Janet have already committed to replacing the University’s existing external fibre circuits as part of a wider project to re-procure all of their fibre connectivity. This work is scheduled to complete in summer 2015, although Virgin Media (the fibre provider) have not committed to firm dates at present. The final solution for this iteration of Janet is diversely routed 40 GB connections presented to the WCDC and the WGB. In progress 3.2 Provision of an additional Janet router Once the diverse fibres have been installed, Janet will provide (at the University’s cost) a second regional PoP router at the WCDC. It is anticipated that this will be completed shortly after the installation of the diverse Virgin Media fibres. Awaiting commencement. 3.3 Implementation of active/active networking This will require a significant amount of routing changes to the University’s core network, to allow the NAT infrastructure to be physically separate. Additionally, in line with the netflow monitors of the network, some investigation and a significant amount of work will be required to monitor both internet connections simultaneously (to provide sufficient logs to CERT and ensure compliance). Finally, some thought will also be required to address the Janet traffic charging. Presently the UIS recoups the Janet connection charge by charging each of the ~180 connected institutions on a pro-rata basis dependant on internet traffic. Either we will need to monitor both connections and compile the significant logs on a regular basis, or use this change as an opportunity to review whether this is the best mechanism to recover the annual cost of ~£300,000 charge. Awaiting commencement.

4 Stage 3: Long-term use of the CNH and WGB The CNH is presently in the sub-basement of a major building project, and upon completion will continue to be vulnerable from flooding from the Kings ditch which flows beneath the Arup Building. The WGB is not a UIS controlled location, and the use of it as a Janet presentation location was only ever discussed as a temporary solution. 4.1 Review of the current network locations Some analysis needs to be undertaken to enable an informed decision on long-term suitable locations. Awaiting commencement 4.2 Potential relocation of Janet and UoC equipment If relocating from the WGB and the CNH is deemed desirable and a more suitable location (not the WCDC) is identified, then a subsequent amount of work will be required to move the active and passive connections. This should represent a logically simpler part of the project (as the routing and active/active issues should have already been resolved), and as we will have an active/active network at this point, the risk should be fairly minimal. Awaiting commencement Jon Holgate 23 March 2015

5 of 13

Annex B: Report on lessons learned from the CNH incident

Purpose of this paper This paper provides a summation of lessons learned from the recent incident in the Central Network Hub, during which scheduled building work accidently damaged a mains pressure water feed, resulting in significant amounts of water ingress into the CNH.

1 Introduction and context In the context of the enablement requirements for the redevelopment of the Arup Building on the New Museums Site (NMS), it was understood that the then University Computing Service (UCS) would need to relocate the Site and Core routing equipment that was based within server room A301 to an alternative location. In addition to the site networking requirement there was a requirement to relocate the University’s Janet connection, along with providing an alternative site for Janet’s EastERN2 equipment, which is hosted by the University. The original plan would have seen the Janet and EastERN equipment relocated to the new West Cambridge Data Centre (WCDC). However, due to the fact that the Arup Building project had been brought forward a year, and the completion of the WCDC had been pushed back a year, this was no longer a viable proposal. The acceleration of the Arup project had a further significant impact on flexibility of options. The entire IT enablement project for moving out of the Arup Building was less than 11 months. The aggressive timeline, coupled with the complexity of the relocation (several thousand copper and fibre connections needed to be relocated for the University alone), prompted pragmatic decisions to be taken. It quickly became clear that the timescales available meant that the Janet equipment and the core and site routers would have to be continued to be hosted on the NMS. The Central Network Hub (CNH, formerly the University’s telephone PABX) in the sub-basement of the Arup building had been used for many years by the UCS and with the added complexity of the several hundred BT copper phone connections still managed from this location a decision was made to re-fit this room and move the Janet and University network equipment to this locale. It should be noted that: 1. It was known from the outset that the room was liable to flood from below (the Kings ditch runs

beneath the Arup) 2. There was explicit acknowledgement by Estates Management, and the Arup contractors, that

the Janet equipment and associated fibre were of the highest importance to the University, and that both the room and the fibre routes to and from the room were to be provided with the highest level of protection

3. The risk of damage to the CNH by the construction project was acknowledged in the project risk registers and escalated to the project oversight committee, along with the JNMC

4. The specific risk of water ingress was identified prior to the re-fit of the PABX/CNH, was acknowledged by EM, the contractors and the project oversight committee and was deemed to be a low and tolerable risk

2 The Janet regional network service the east of England area

6 of 13

5. There was a balance of risk consideration explicitly made at the point of identifying the CNH as the new location for the Janet and University network, and this weighed the risk of delaying the commencement of the Arup Building project (identified as a high risk), against the risk of damage to the University and Janet connectivity (which was identified as a less significant and tolerable risk)

2 Lessons learned The possibility for accidental water damage to the CNH and some of the equipment within it was identified before the CNH was built and communicated throughout the organisation. As such, it would be incorrect to state that the events of 30 January 2015 were wholly unexpected, merely that this was deemed as a low risk. Whether the original risk analysis was correct is a judgement call, maybe the real risk of water based damage was much higher, or maybe the University was unlucky on this project. When considering an asset/utility as important as the local and internet connection, this ‘near-miss’ to the loss of the network identifies key issues for future decision making: 6. The University and its affiliated Institutions are now wholly dependent on a reliable network and

Internet connection. As such, it would be prudent to recommend that the University moves away from any single point of failure to the Janet Internet connection as soon as possible; this explicitly includes cable routes, networking equipment operating in an active/active environment, power supplies etc.

7. Whilst the nature of working in a highly complex organisation such as the University will always create competing demands and conflicting risks, future risks to the Janet and internet connectivity should not ordinarily be tolerated, and their consideration should be escalated to the most senior decision makers. It is recommended that this includes threats to the resilient network, where risk includes the loss of active-active connectivity, rather than risk to the primary connection.

3 Additional considerations The following additional considerations should be noted: 8. Some further work regarding the location of Janet’s EastERN equipment needs to be

undertaken. During Janet’s continued regional delivery to higher and further education institutions in the East of Englenad, via the CNH, there is a residual and significant risk of reputational damage to the University in the event of damage to or failure of the CNH.

9. It is requested that there is endorsement to the request to have the UIS added to the Estate Management ‘sign-off’ process for any major works.

Jon Holgate 25 March 2015

7 of 13

Annex C: Incident Report: West Cambridge Power Issue 23/02/2015

1 Background On Monday 23rd February at approximately 20:17, a power event was experienced at the West Cambridge site. The UPS-protected services at the West Cambridge Data Centre and Roger Needham Building detected the event and kept the facilities online via their battery backups. The power system within the Soulsby facility detected the power event and switched the server room to the UPS power feed. Unlike previous power event, no breakers tripped at the Soulsby site (a significant step forward). It is currently the belief of the Estates Management team that a second power outage (less than a second) was experienced after the first, which caused the air handling units to go offline. After running for 30 minutes without air conditioning the room temperature exceed the defined threshold and an automated thermal shutdown was initiated by the building management system. The site was visited by members of UIS and the Estates Management team to bring the facility back online. Outages to a number of key UIS, Library and Astronomy systems were experienced as a result of the power loss.

8 of 13

2 Timeline of Events TIME INFORMATION Monday 23rd February

20:17:33 Power event experienced at the West Cambridge site 20:17:33 Power distribution systems detect mains power issue and supplies power from UPS

batteries. Air handling units not on UPS went offline, room temperature begins to rise Mains power state restored to the West Cambridge site Air handling units come online Second power event / brown-out experienced Air handling units go offline Mains power state restored to the West Cambridge site Air handling units remain offline 20:49 Critical temperate alerts received from a number of systems 21:02:26 BMS initiates UPS thermal shutdown and all systems go offline 21:50 Call from Security reporting power event 22:20 Roger Needham Building (MER) checked and unaffected. 22:30 – 23:00 Attempts made to contact UIS staff and inform them of the situation. 22:55 Central Network Hub (new museum site) checked and unaffected. 23:05 Some phones re-routed to BT hard line. 23:40 Soulsby site attended and determined to be offline. 23:56 Security asked to contact Estates Management duty tech. UPS manually started Air handling units online Power distribution units back online Tuesday 24th February

00:30 Systems restart commenced 00:30 – 02:00 UIS infrastructure brought back online. Estates Management duty tech visited the Soulsby. 00:38 Communication sent to Library and Astronomy 00:53 Email communication sent to UIS staff mail list informing them of power outage and

requesting owners to check systems. 01:16 Message sent to Database team lead making him aware of outage. 07:30 - Investigation and resolution of individual system issues as and when reported system

owners.

9 of 13

3 Impact A number of UIS, Astronomy and Library systems were affected by the power issue at the Soulsby facility, these included: EDM Application offline until 07:45 (24/2/15) Apex Application offline until 01:00 (24/2/15) Digitary Application offline until 01:00 (24/2/15) CamCORS Application offline until 01:00 (24/2/15) CARD Application offline until 01:00 (24/2/15) Pensions Application offline until 01:00 (24/2/15) CHRIS Application offline until 01:00 (24/2/15) UFS Available via WCDC (one app server plus dev environment offline until 08:30) CamTools Application offline until 01:00 (24/2/15) Moodle Available via WCDC (one app server offline until 01:00) CamSIS Application offline until 07:45 (24/2/15) ICE Website Application offline until 09:20 (24/2/15) UAS Email Application offline until 00:38 (24/2/15) By-the-rack hosting Service restored at 00:35 (24/2/15) Falcon Interruption to 46 of 228 live and 18 dev site until 22:35 (23/2/15) CamSIS and the EDM system were unavailable until approximately 07.45 on Tuesday when the required storage resources were re-mounted and applications restarted. There was some disruption to telephony services delivered over the ACN network due to part of the resilient infrastructure being relocated.

Astronomy also reported that two systems were unable to boot following the power event and one drive failure. The Library reported one drive failure and a small number of systems which needed manual intervention.

4 Investigation Following the main power event a second power event occurred (lasting less than one second). This second power event caused the air handling units to go offline, which was not detected by the Aircon controller unit (which has its own UPS). Once the room reached a pre-defined critical temperature, the building management system switched off the power, causing the service outage.

10 of 13

5 Recommended Action 1. Reconfigured BMS to send a stop / start to the air handling units when a new critical

temperature level is reached. Recommended workaround to ensure air handling units are online.

2. Document process for manually restarting UPS following a thermal shutdown. 3. Configure BMS to alert UIS prior to thermal shutdown. 4. Investigate automated alerting (SMS messages to UIS). 5. Investigate moving one or more of the air handling units onto UPS. 6. Deploy IP-temperature probe and configure alerting based on defined threshold. 7. Investigate the deployment equipment to route critical telephone lines over via PSTN / ISDN

in the event of an IP failure. 8. Review requirement for out of hours support / on-call.

Mark Ansell 11 March 2015

11 of 13

Annex D: Old Schools Power Issue 24/02/2015

1 Background On Tuesday 24th February at approximately 15:17, a power event was experienced at the Old Schools site. The desktop, telephony and network infrastructure providing services to the desktop environment went offline as a result of the power outage. The Old Schools hosts a core network switch which a number of sites used to route traffic to and from the UIS datacentres and outside world. This key piece of network infrastructure is protected by a small UPS that kept the switch up during the power outage. The site was visited by members of Estates Management team to bring the facility back online. Alternate network scenarios were considered by the UIS Operations team in the event that the power event continued past the capacity of the UPS. The Old Schools is fed by two diverse mains power supply’s (via Market Hill & St Michaels Court), with a single supply then being presented to a 400Amp circuit breaker. It was this circuit breaker that tripped and caused the power outage. Power was restored to the facility at approximately 16:15.

12 of 13

2 Timeline of Events TIME INFORMATION Monday 23rd February

15:35 Power event experienced at the Old Schools Site attended by Estates Management team Portable generator prepared for dispatch 16:15 Power restored to the Old Schools Desktop, telephony and network infrastructure back online.

3 Impact Desktop, telephony and network infrastructure supporting the desktop environment went offline. Had the power not been restored within an hour then the core network switch located in the Old Schools would have gone offline, taking with it network connectivity to a number of sites. There are currently 263 active ports located within the Old Schools itself. The failure of the central router would have had a limited further impact on these users (failure of UPS protected IP phones) as it is presumed that the power to their desktops would already have failed. A far larger impact would have been noticed for sites that have a single network link originating in the Old Schools. There are currently 504 active network points across 23 sites that depend on network infrastructure within the Old Schools.

4 Investigation The cause of the outage is currently being investigated by the Estates Management team.

5 Recommended Action 1. Review UPS capacity and investigate options increase duration of power protection. 2. Add secondary network links to all sites that depend on the Old Schools core switch for their

network connectivity. 3. Review process for requesting mobile generator deployment.

Mark Ansell 11 March 2015

13 of 13

Information Services Governance Update Information Services Committee

Established and operational

Business Systems Subcommittee

Established and operational

Research IT Services Subcommittee

Professor Leslie looking at digital Humanities Research Computing and its relationship to this committee.

HPC Strategy Group Further talks with Professors Leslie and Gladden on finalising the membership for this Group.

Teaching and Learning IT Services Subcommittee

Established and Operational.

User Needs Committee Established and Operational

Student and HR Systems Committees

HR and Student Systems Committees revised and approved.

Finance Systems Committee

Finance Committee still to review ToRs.

Joint Network Management Committee

ToRs to be amended to have ISC appoint the Chairman after considering the JNMC’s advice. ISC to appoint a category 1a member on the nomination of the General Board.

IT Purchasing Group ToRs Revised and Agreed. New Chairman to be appointed by ISC.

Dr S. Kearsey April 2015

njw40

Text Box

ISC 71

UIS Performance Dashboard* – Mar 2015 Overall RAG rating Previous month

Service Delivery - top 12 Overall service RAG GREEN Unplanned downtime Helpdesk calls

Service Month YTD Month YTD RAG Hermes 0 3.3hr N/A N/A GREEN Web Hosting 0 1hr N/A N/A GREEN Managed Cluster 0 1.3hr N/A N/A GREEN CUDN/GBN 0 0 N/A N/A GREEN Wireless 0 11.25hr N/A N/A GREEN Telephone System 0 2.5hr N/A N/A GREEN Research Systems 0 0 N/A N/A GREEN Cambridge Website 0 0 N/A N/A GREEN Finance Systems 0 17hr 1,218 7,514 GREEN HR Systems 0 10hr 480 2,578 GREEN Student Systems 0 50.2hr 366 2,800 GREEN HPCS 0 23.93hr 141 1,599 GREEN

Project Delivery - top 12 Overall projects RAG GREEN Deployment date Budget

Project Plan Forecast Plan Forecast RAG Uni Moodle 01/07/15 01/07/15 £228k £240k AMBER Janet/EastRN 2nd 31/12/14 31/07/15 £80k £80k GREEN PandIS Reloc 30/04/15 15/06/15 £30k £110k GREEN Sales Delivery 01/12/14 15/05/15 £5k £5k GREEN DC UIS Migrn (RedC.) 01/01/15 01/06/15 £0k £10k GREEN EDM 28/02/15 31/07/15 £200k £200k GREEN HR TES System R1 30/06/15 30/06/15 £65k £65k GREEN X5 Upgrade 30/06/15 30/06/15 £75k £75k GREEN CUFS Winter Patch 05/05/15 05/05/15 £0 £0 AMBER NWC Accom. System 30/06/15 30/06/15 £300k £300k GREEN UFS Datamart Reorg. 31/07/15 31/07/15 £0 £0 GREEN 2nd GBN Addenbrks 31/12/15 31/12/15 £150k £150k GREEN

HR and Finance Overall RAG GREEN CS MI HPCS UIS Total RAG

Headcount 118 114 9 249 GREEN New joiners 0 3 1 7 GREEN Resignations 1 0 0 1 GREEN Retirements 0 0 0 0 GREEN

Annual Budget Chest funding £7,310k £6,706k £0k £14,017k GREEN Recharges £4,989k £517k £1,489k £6,995k GREEN Total budget £12,299k £7,223k £1,489k £21,012k GREEN Forecast spend £11,722k £7,223k £1,077k £20,022k GREEN Budget - forecast £577k £0k £413k £990k GREEN Change vs previous Month -£37k £0k £0k -£37k GREEN

New initiatives Overall RAG GREEN Project Status Delivery Budget RAG A. End User Compute Review Pre-initiation 05/15 TBD GREEN B. Storage Review Proj. Initiation 02/15 £50k GREEN C. Room Booking System Pre Tender tbd £40k AMBER D. Voyager Replacement Pre Tender 08/16 £2m GREEN E. CUDAR System Tender 12/14 £2m GREEN F. CBC Research Computing Pilot Initiation 12/15 £50k GREEN G. UXP Prototype Project Stage2 09/15 £30k GREEN H. A&H School Project Proj. Initiation 07/15 £139k GREEN I. ERP Systems Strategy Discovery 11/15 £150k GREEN J. Researcher Time Sheets Project Definition K. CamSIS Upgrade Project Definition L. Finance Reporting Framewrk Project Definition M. PostDoc Research & Dev Project Definition

* Changes highlighted

njw40

Text Box

ISC 72

njw40

Text Box

ISC 72

Annex: UIS Initiatives at AMBER or RED status

Project Delivery Overall projects RAG

Deployment date Budget

Project Plan Forecast Plan Forecast RAG

Uni Moodle 01/07/15 01/07/15 £228k £240k AMBER

ICE Saturn 2 31/12/15 31/12/15 £70k £70k AMBER

Room Booking System Pre-Tender tbc £40k £40k AMBER

MWS 3.0 Implmnt 01/04/15 tbc £0k £0k AMBER

Student Timetabling 28/02/15 30/06/15 tbc tbc AMBER

MML Exam Marking 28/02/15 30/06/15 tbc tbc AMBER

Open Access Support 28/02/15 30/06/15 tbc tbc AMBER

CUFS Winter Patch 05/05/15 05/05/15 £0k £0k AMBER

Project Notes Uni Moodle Status change awaiting next Project Board ICE Saturn 2 Developer has resigned

Room Booking System Programme Manager re-planning project

MWS 3.0 Implmnt Staff resourcing problems

Student Timetabling UIS picking up from CARET

MML Exam Marking UIS picking up from CARET

Open Access Support UIS picking up from CARET

CUFS Winter Patch Testing revealed Oracle bugs

Projects Exited Status Budget

HR Recruitment R4 Completed £0k Student Systems Q1 Completed £0 Phone Sys. Upgrade Completed £266k HPCS DC Move Completed £10k DC UIS Fit-out Completed £400k Greenwich House Move Completed £42k Falcon Upgrade Completed £12k COGNOS Upgrade Completed £0 Contracts Bs Prc Rev Completed £0 CHRIS Upgrade (TAX) Completed £0 NWC Website Completed £50k UAS Websites Completed £0 Emergency Plng App Completed £0 Autism Research Db Completed £0 Lucy Cav Review Completed £0

Update on the approval of expenditure from the TDF

Purpose of this paper This paper provides a highlight of funding approved from the TDF under the delegated authority of the Director of Information Services.

Action requested Members are asked to note the projects for which funds have been allocated.

1. Background TDF funds are awarded for small to medium sized IT projects and feasibility studies, where funding is not otherwise available. It is not to be used as a source of funds for recurring costs, including licence purchase.

2. Approved expenditure The following outlines expenditure approved between 26 February 2014 and 15 April 2015. TDFR11 CERT Systems Development

Description A nine-month project to develop new security monitoring and incident handling procedures and systems, including engagement with Janet CSIRT and other national bodies.

Funding profile 2014/15 2015/16 2016/17 Total 60,000 60,000

Participants UIS

Anticipated outcomes

Development of internal reporting tools and incident reporting procedures for the University; testing of new tools and development of tools and scripts.

Ian Cooper 15 April 2015

1 This is an allocation against the TDF reserve funds

1 of 1

njw40

Text Box

ISC 73

Documents

University of Cambridge Information Services Committee There will