2019 CISOA Brain Dump

15 min readMay 12, 2019

What Every California Community College CISOA/CIO/CTO Should Know

I participated in a year-long California Community College Chief Information Officer’s Certification Training in Sacramento in 2016–2017. The program was developed to train IT professionals in the art of leading and managing technology organizations in the California Community Colleges. It was an incredible opportunity to work with a cohort of Community College technology leadership and to be mentored by CIO/CTO’s across the state. The series of intensive weekends covered the expectations and skills required to become a Chief Information Systems Officers (CISO).

I compiled my notes and added additional information from the recent CISOA 2019 conference as well as relevant Educause articles to make a comprehensive reference for myself and other CISOA participants. The following is a list of responsibilities expected of a California Community College CIO/CTO/CISO. The list is daunting, and in colleges with limited financial resources, you may be wearing multiple hats. If you have a larger team, you may be overseeing the work of staff responsible for these areas. Regardless of your resources, in order to be effective in your position, you will need familiarization with everything listed below.

Accreditation

Standard IIIC — Every California Community College goes through an extensive accreditation processed. You will be involved in assisting them with Standard IIIC. Ensure you familiarize yourself with that standard and that your IT department has all the processes in place to ensure you are meeting those expectations requested by the Accrediting teams.
Technology Strategic Plan — You should always have a current plan spanning 3–5 years about the technology strategy and how it aligns with the college strategic plans.

Administrative Systems (ERP)

The ERP system stores all student, employee and financial data. It typically runs on one of the four most popular systems. A portion of your IT team will be supporting Administrative Systems which includes your ERP and everything that integrates, reports or needs access to the data.

Ellucian Banner
Ellucian Colleague
PeopleSoft
Workday

Backups

Server Backups
Backup & Recovery Process
Physical Location & Security of Backups
Backup Retention Policy
Quality Control with Backup (dealing with corruption)
Employee Backups
Encryption
Cloud or External Drives?
Ensuring you have all Employee data & backups when they leave

Board of Trustees

You should always read the board packet & minutes
Always know what the board priorities and keep track of new contracts and initiatives. Almost everything indirectly impacts ITS because technology has become central to most business practices.
Check the Board Agenda to ensure nothing is being discussed that requires IT involvement
Items being added to the Board Packet typically need to be on the agenda almost two weeks prior
Familiarize yourself with the Brown Act

Budget

Familiarize yourself with your college annual budget report
IT Budget
Understand the different types of funds, one-time monies, bond, innovation, etc…
If you are overseeing a District, understand how shared software and technology are budgeted

Business Continuity & Disaster Recovery

Business continuity is ensuring essentials systems are running regardless of catastrophic technology issues.

Perform a risk assessment to identify weaknesses
Hardware & Network Redundancy
DR failover strategy, plans, workflow, drill, post-mortem and plan revisions
Who should be involved in ensuring business continuity and in what role?
Who needs to be informed when we experience issues and what is the best way to communicate with them?
Considerations
Physical locations on or off campus.
Virtual locations (address security and privacy concerns)
Cloud resources (address security and privacy concerns)
Availability for sufficient communications excellent/redundant/multi-vendor cell capacity, landlines, internet bandwidth from more than one vendor and physical supply (not all coming through the same conduit, following the same path), and satellite access.
Availability for alternative power sources — generators with adequate fuel supply and delivery. (Natural gas is ideal, if available, as long as the location is not prone to flooding, hurricanes, tornadoes, or earthquakes. It minimizes delivery issues.) Multiple suppliers should be contracted for other types of fuel supply. Remember that generators need routine maintenance and testing.
Sufficient physical access during emergency situations (not located along a major evacuation route, yet highly accessible).
Proximity to locations that contain hazardous material, or are near river banks/flood plains, avalanche zones, mudslide zones, frequent forest fires, or earthquake-prone locations.

CISOA and attend 3CBG/CISOA Conference

Get on the email distribution lists
Familiarize yourself with what is offered by the State Chancellor’s Office and how it impacts us

Colleges

Familiarize yourself with colleges strategic goals and ensure your technology strategic plans are in alignment.
Understanding all the services and support that the IT department provides the colleges
Participating in College Committees
Find out the expectations of ITS from the Colleges
Importance of understanding and supporting college initiatives but allowing items to be properly vetted through the college administration.
Familiarize yourself with College business processes for purchasing technology
In a College district, the importance of trying to get consensus from multiple colleges to avoid redundant work
Understanding the big picture and college dependencies (example: knowing that if A&R makes a change it will break something in Financial Aid )
Consistently managing college technology expectations, negotiate priorities based on existing project lists and do not make uninformed promises.
Respecting the hierarchy, never overstep your administration. Offer suggestions or solutions and provide consultations.
Respecting the faculty, staff, and students. You are part of an ecosystem reliant on each other for the success of the organization
Familiarize yourself with Title V & Ed Code to ensure compliance when implementing technology solutions.

Compliance

Have an awareness of relevant regulations/laws.
Awareness of relevant policies, review the board policies and procedures, take note of the items that apply to technology or information.

Citation: Compliance Management | EDUCAUSE. https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/compliance-management

Awareness of relevant contractual agreements. (Do you know what agreements your institution has made that impose conditions on the use of data?)
Knowledge of relevant standards or best practices. (Do you know what standards or best practices your institution chooses to follow with respect to information use?)
Data Retention Policies and management of institutional records (Do you know what you need to keep and for how long?)
Awareness of how records are managed by your institution.
Approach to complying with each item. (Do you know what your organization is doing to follow the law?)
Awareness of internal and/or external audit activities. (Do you know what internal/external audits exist and what is required to meet or pass these reviews?)
Awareness of Federal Laws on Data Security
Family Educational Rights and Privacy Act (FERPA)
Payment Card Industry Data Security Standards (PCI DSS)
Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act; GLB Act; GLBA) Safeguards Rule
Fair and Accurate Credit Transactions Act of 2003 (FACT Act; FACTA) which amended the Fair Credit Reporting Act (FCRA), and amendments thereof, including Red Flags Rule (Identity Theft Prevention Program)
Standard Confidentiality Agreement or Statement
Higher Education Opportunities Act of 2008 (HEOA) Technology Mandates (Including illegal peer-to-peer file sharing, emergency notification, and distance education student verification.)
International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) (e.g., Baylor University’s Export Compliance Policy and Purdue University’s Export Control Regulations)
Digital Millennium Copyright Act (DMCA)
Awareness of Federal Laws on Privacy

Citation: Privacy | EDUCAUSE. https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/privacy

The Family Educational Rights and Privacy Act of 1974 (FERPA): Designed to protect students and their families by ensuring the privacy of student educational records.
Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
The Gramm Leach Bliley Act of 1999 (GLBA): Imposes privacy and information security provisions on financial institutions; designed to protect consumer financial data.
Federal Policy for the Protection of Human Subjects (“Common Rule”): Published in 1991 and codified in separate regulations by 15 federal departments and agencies, outlines the basic ethical principles (including privacy and confidentiality) in research involving human subjects.
The Children’s Online Privacy Protection Act (COPPA): Governs the online collection of personal information from children under the age of 13.
The Fair and Accurate Credit Transaction Act of 2003 (FACTA, or “Red Flags Rule”): Requires entities engaged in certain kinds of consumer financial transactions (predominantly credit transactions) to be aware of the warning signs of identity theft and to take steps to respond to suspected incidents of identity theft.
The Privacy Act of 1974: Specifies the rules that a federal agency must follow to collect, use, transfer, and disclose an individual’s personally identifiable information (PII).

Curriculum

Curriculum Workflow
Catalog Rights
Counseling
Degree Audit

Citation: Asset and Data Management | EDUCAUSE. https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/asset-and-data-management

Data Management

Sensitivity Level — An institution should be classifying data as to sensitivity to assure that proper security protection is in place appropriate with the given data set. EDUCAUSE has excellent materials, including the Data Classification Toolkit.
Retention Period — Consistent with records management practices, an institution needs to be aware of the period in which data is to be retained, to ensure that data’s availability and integrity for that retention period.
Data Utilization — In every part of an institution that controls a given data set, appropriate procedures for how that data is utilized must be established. This includes access restrictions, proper handling, logging, and auditing.
Data Backup — How an institution creates backup copies of data and software is a critical element. Procedures need be in place that memorializes and verify the implementation and inventory of back-up copies.
Management of Storage Media — Processes to ensure proper control of storage media, including restrictions of types of media, audit trails for movement of media, secure disposal of media no longer in use, and redundant storage.
Electronic Data Transfers
Disposal of Media
Ferpa — Are we compliant? Who has access to what? Why do they have access? What is the workflow to remove access?
Databases — Oracle, Microsoft SQL Service, MySQL, etc…

Disaster Preparedness

Ensure you have a radio linked to Public Safet
Find out evacuation procedures, drills and how to ensure the safety of your staff
Location of First Aid, AED, Fire Extinguisher
Nims/Sims/ICS training for Disaster Preparedness
Emergency Alert & Emergency Response System
Digital Signage
Panic Buttons

Educause

College .edu domains provided by Educause
An excellent resource for Listservs, Conferences and User Groups

Evidence Discovery

Understand approvals & workflow for evidence collection
Working with your County Council (legal counsel) on all evidence requests
Validating Subpoenas
Forensics
You may be called to testify in the trial on how the data was collected. From the moment the request is made you need to follow a formalized process and assume every move you make may be scrutinized.

Funding

Understand the college funding formulas
Understand State Apportionment vs. Basic Aid and where your college stands
Grants
Bond Measures

Helpcenter & Support Services

Helpdesk Ticketing System
Helpdesk Inventory
Helpdesk Knowledgebase
Equipment Replacement Schedule
Technology Standards
Technology Planning in Construction Projects
Technology Advisory Committees
Computers, Laptop & Tablets
Media Services
Phones
Digital Signage
Smart Classrooms
Printers
Projectors
All Electronics (tvs, external hard drives, microphones, mice, keyboard, headsets, etc..)

Identity Management

Account Provisioning Processes
LDAP/Active Directory
Syncing Directories with your ERP system
Single-sign-on (SSO)
State Chancellor’s Office SSO Proxy
2-Factor Authentication
Practices for disabling accounts

Incident Management and Response

Monitoring your systems
System outage notifications
Response workflows
Proactive notifications
Notification fatigue, reducing false positives

Management (General)

Personnel Action Forms (PAFs)
Time-entry approval
Leave Requests
Overtime & Comp-time process
Mileage
Conference Expenses
Staff Development
Staff Evaluations
Discipline Procedures
ADA/Worker’s Comp
Liability
CSEA Contract — Need to understand the union rules and ensure you stay in alignment with their contract to avoid grievances.
Hiring Orientation, ensure IT is included in new hire orientations
Understand AB 806 and the 50% Law — and how it impacts college hiring
New Employee IT Requests (workflow for setting up accounts, email, phone, etc..)
Exit Process (ensuring you get college-owned property, disable access and change passwords)

Network

Cenic provides internet — https://cenic.org/
Hubs, Switches, Routers
Segmenting Networks
Wireless
Firewall
Network Security — External, Internal & Lateral

Policy & Processes

Rules & Regulations
Understand your college purchasing procedures
Procard Policies
RFP
When do you need to get approval from the Board of Trustees
Acceptable Use Policy — AP 3720 (these are existing standards you can use that automatically update for you)
Creating policies in a shared governance environment. The proper channels and approvals.
Familiarize yourself with AB 1725

10+1 — Faculty must have involvement in these 11 areas

Curriculum, including establishing prerequisites and placing courses within disciplines
Degree and certificate requirements
Grading policies
Educational program development
Standards or policies regarding student preparation and success
District and college governance structures, as related to faculty roles
Faculty roles and involvement in accreditation processes, including self-study and annual reports
policies for faculty professional development activities
Processes for program review
Processes for institutional planning and budget development
Other academic and professional matters as are mutually agreed upon between the governing board and the academic senate
Understand the difference between a policy, standard, procedure, and guideline.

Citation: Security Policies | EDUCAUSE. https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/security-policies

Policies: The highest level of a governance document. Policies typically have general applicability and they rarely change (or are hard to change). They are leadership’s high-level statement of information security goals and expectations.
Standards: Standards state the actions needed to meet policy goals. They are more specific than policies and easier to update in response to changing circumstances. Often standards set the minimum level of action needed to comply with a policy.
Procedures: Procedures are often step-by-step checklists that are particular to a task, technology, or department. They are easily updated in response to changing technology or business influences.
Guidelines: Guidelines are documents that specify recommended actions and advice. Institutional employees may not be required to follow guidelines as part of their jobs, but the guidelines are shared in order to promote good information security hygiene practices. Guidelines are flexible and easily updated.

Program Review

Accreditation requirement
Each college does it differently
Colleges need to have self-assessment
Needed for budget and planning
Research & Institutional Effectiveness
Colleges need quality data to make informed decisions
Chancellor’s Office has a Data Mart of all MIS submitted data
Familiarize yourself with the tools your college use to run reports (Hyperion, Tableau)

Security & Risk Management

Citation:

Chief Information Security Officer (CISO) — InfoSec Resources. https://resources.infosecinstitute.com/job-titles/chief-information-security-officer-ciso/

Direct and approve the design of security systems
Ensure that disaster recovery and business continuity plans are in place and tested
Review and approve security policies, controls, and cyber incident response planning
Approve identity and access policies
Review investigations after breaches or incidents, including impact analysis and recommendations for avoiding similar vulnerabilities
Maintain a current understanding of the IT threat landscape for the industry
Ensure compliance with the changing laws and applicable regulations
Schedule periodic security audits
Oversee identity and access management
Make sure that cybersecurity policies and procedures are communicated to all personnel and that compliance is enforced
Brief the executive team on status and risks, including taking the role of champion for the overall strategy and necessary budget
Communicate best practices and risks to all parts of the colleges. The State Chancellor’s Office offer training — Securing the human
Application Vulnerabilities
Web Application Scanners (static and dynamic), Web Application Firewalls
Network Layer Vulnerabilities — Network Vulnerability Scanners, Port Scanners, Traffic Profilers
Host/System Layer Vulnerabilities — Authenticated Vulnerability Scans, Asset and Patch Management Tools, Host Assessment and Scoring Tools
Virus & Malware Protection
Handling Data Breaches
Data Breach Insurance Policy
Senate Bill 1386 (Breach notification law)
Regular Firewall policy review (every two years)

Server Room

Security/Access Control
Generator/UPS
Fire Suppression
Cooling/Humidity

State Chancellor’s Office Tech Center

The California Community Colleges Chancellor’s Office (CCCCO) and the California Community Colleges Technology Center (CCCTC) have teamed up to provide California Community Colleges (CCC) with a suite of no-cost software solutions geared toward improving student outcomes, increasing college efficiency, and strengthening the CCC as a whole. Your college is assigned a College Relationship Manager (CRM) to help you be successful in all the services below.

Accessibility Center: Technical assistance, training, and resources specific to assistive technology, alternate media, and web accessibility topics to help colleges identify and improve access for individuals with disabilities .
Career Coach: Provides students with career, salary, and employment data, and recommends college programs for careers. Requires: SSO Proxy, CCC MyPath
CCCApply Standard Application: Application for non-international students to apply for California Community Colleges. Requires: SSO Proxy, OpenCCC
CCCApply California College Promise Grant: Digital version of the California College Promise Grant (formerly BOG Fee Waiver). Includes assistance for the purchase of books and supplies. Requires: CCCApply
CCCApply International Application: Application for international students to apply for California Community Colleges using CCCApply. Requires: CCCApply
CCC MyPath: Customizable Guided Pathways onboarding system which provides dynamic onboarding and guidance experience based on student-provided information. Provides various student services, such as Financial Aid and Online Orientation, and access to placement data, and will become the launching pad for most CCCTC products. Requires: SSO Proxy
eTranscript California: Supports the requesting and delivery of electronic transcripts across all of California’s postsecondary systems. Visit https://cccedplan.org/etranscripts/edexchange. Requires: EdExchange(pesc.org), SuperGlue
InCommon Federation: Provides a trust fabric for higher education, their vendors, and partners to facilitate single sign-on from local campus accounts. Chancellor’s Office and the CCCTC have facilitated InCommon memberships for all California community colleges to be paid centrally. Requires: SSO Proxy
Library Services Platform: Working with the Council of Chief Librarians, California Community Colleges (CCL), this is a new cloud-based library management system for use by all CCC libraries, and replaces existing college/district stand-alone systems.
Multiple Measures Placement Service (MMPS): Facilitates collection of high school transcript data and delivery of AB 705 compliant placement recommendation (self reported data from CCCApply, verified data from CCGI or CALPASS). Requires: SuperGlue, College Adapter, CCCApply, CCCMyPath
OpenCCC: Student account system which provides administrative access for OpenCCC student applications, and streamlines the admissions process. Requires: SSO Proxy
Information Security Center: The Information Security Center proactively assesses the information security needs of the community colleges , and offers services to CCC campuses designed to maintain the integrity of information systems, including vulnerability assessment scanning, server monitoring and security awareness training.
SSO Proxy “Authentication”: California Community Colleges Single Sign-on Federation (SSO) “Authentication” is the process of verifying a student or staff member at a college using the SSO Proxy. Provides users single sign-on convenience and privacy protection. Configuring SSO Proxy with Canvas and SuperGlue further expand efficiency and user experience. Requires: District level IdP for staff and student accounts
Starfish Enterprise Success Platform — by Hobsons: Hobsons Starfish combines Degree Planner and Early Alert retention tools . Degree Planner builds a multi-year plan based on college/district information; Early Alert/Connect allows faculty and staff to track students, engage students, and assists with appointment scheduling and wait-room kiosk. Requires: CCCID, SSO Proxy
SuperGlue (formerly “Project Glue”): Provides a secure, robust framework for data exchange between Chancellor’s office products and colleges. The College Adapter is installed locally behind a college’s firewall to facilitate data exchange between CCCTC products and college’s Student Information Systems (SIS). SuperGlue enables disparate SISs to communicate in a standardized way through a cloud service, and provides a single point of reference for which systems are considered “systems of record” for specified data elements and data exchange interactions. Keeps college data synced with CCCTC centralized applications like CCCApply, and OpenCCC, etc. Required: SSO Proxy supplied CCCID as required by product
Unlimited SSL Certificates: Secure Socket Layer Certificates. Available for no charge as part of InCommon Membership.Requires: InCommon Federation

State Reporting

320 Reports — CCFS-320 Attendance Report Program is used to create attendance reports, and the data is used to determine state categorical funding. https://misweb.cccco.edu/cccfs320/login.aspx
Management Information Systems (MIS) — is the system used by the State Chancellor’s Office to collect data about the community colleges. This data is used to determine funding as well as provide a data mart to help us better understand the populations of students we are serving.
Integrated Postsecondary Education Data System (IPEDS) — It is a system of interrelated surveys conducted annually by the U.S. Department of Education’s National Center for Education Statistics (NCES). IPEDS gathers information from every college, university, and technical and vocational institution that participates in Title IV federal student financial aid programs.

State Chancellor’s Office Resources & Initiatives

https://ca.college.technology/

Accessibility: A listing of state-provided accessibility tools & sites
.EDU Email Perks: A listing of discounts available to students, faculty & staff with .edu email addresses
Instructional Technology: A listing of technology resources focused on teaching and learning.
State-Created Services: The State Chancellor’s Office is sometimes faced with initiatives or unique challenges that require the development of new and innovative solutions to be developed from scratch.
State Discounted Tools: Listing of solutions vetted by the State Chancellor’s Office who provide discounts to California Community Colleges based on state negotiated pricing.
State License Software: Software purchased by the state and made available to you for free or subsidized.
Support Resources: Documentation, Training, and Communities for Higher Education Solutions.
News: Parsed feeds of TechEdge and Chancellor’s Office Newsletters
College Technology Plans: A listing of all 114 California Community Colleges and their technology plans (for the ones that I could find). Each plan is indexed using Natural Language Processing APIs, that allow you to automatically and intelligently parse chunks of text into groups. It can extract names, organizations, products, etc… into individual “entities” and then you can link the “entities” to Google’s knowledge graph to quickly pull description data and even trends. At a glance, you can quickly see which colleges tech plans are updated, what the overlapping themes are and find out which technologies each college is using.

Vendor, Contractor & 3rd Party Management

Contracts, District Terms, Purchasing Guidelines
Insurance requirements for on-site
Approved Vendors
Taxes
Sole Source Provider
Access to Data
Access to Network (VPN)

Virtualization

Servers
Backup
Data Recovery
Student Labs
Workstations
Imaging

Web & Mobile Services

Everything related to online applications for students and staff
Accessibility and meeting WCAG 2.0 and 508 Compliance
Analytics
College Websites
Content Management System
CRM — constituent/customer relationship management
Digital Signatures
Email (Typically cloud hosted by google apps of Microsoft 0365)
Faculty Websites
Learning Management System (Canvas is funded by the State Chancellor’s Office)
Online Employee Evaluations
Online Forms & Surveys
Online Portals
Online Orientation
Responsive Web Design (Mobile Friendly)
Self-Service
SSO
SSL & Encryption