Office of the Vice Provost

NEW: Strategic Investment Plan

Oregon State University has a compelling strategic vision – to create healthy people, a healthy planet and a healthy economy through an aggressive research agenda, excellent educational programs, and community engagement. Our growing student population on and off campus, expanding research profile, and a service mission that reaches across Oregon and around the world creates a dynamic environment in which technology must play a critical and transformative role for the University to achieve its goals.

Information Services is helping to realize the University's strategic vision by:

  • Supplying instructors and students with technology tools that enhance learning and engagement in the academic community
  • Equipping the OSU community with the network and collaboration tools needed to enhance scholarship and enable collaboration between the Corvallis campus and programs and sites across the state and around the world
  • Building a strong foundation of technology infrastructure that can support advanced research in disciplines from the arts and humanities to sciences and engineering
  • Offering administrative systems that enable efficient and effective business processes

As the University is changing, Information Services is evolving as well. We have a strong record of providing reliable and secure systems, and we're building on this legacy by leveraging IT investments for a cost-effective enterprise, adopting best practices for technology and service delivery, and collaborating widely on and off campus with OSU, higher education and industry partners to find the best solutions to meet the University's challenges.

This website offers a gateway to Information Services at OSU and I invite you to explore it to learn more about the services we offer.

 

University Policies

The most important policy work that Information Services does is not internal in focus. IS plays an important role in defining and administering university policy in three key areas: information access, acceptable use of resources, and network administration. Each of these policies is designed to serve the university's interests by balancing the need to protect our data and infrastructure with the recognition of the critical role that technology plays in the achievement of the university's strategic goals.

University Data Management, Classification, and Incident Response

Network Policy

Data Management and Classification

If you work or study at Oregon State University or access any OSU data for any reason, this policy applies to you.

If you access OSU data, you MUST

  • Protect the data you access.
  • Follow OSU policy, procedures, standards and guidelines.
  • Report unauthorized access or misuse.
  • Get trained on the appropriate use and protection of university data.
  • Understand how to classify the information you handle, so you know how secure it has to be
  • Report data quality issues.

Protecting the data you access

Storing information – You are responsible for making sure the system you store information on meets OSU minimum standards. Those standards are available at http://oregonstate.edu/helpdocs/security-and-tuning/computer-tuning/baseline-standards-care.

Lost, stolen, hacked, infected – Have you lost confidential or sensitive information? Do you know or suspect that someone has stolen confidential or sensitive information from you? Do you know or suspect someone has hacked into your computer? Do you know or suspect your computer has a virus (or other malware)? If you answered yes to any of these questions, you need to report it to the Office of Information Security

Third-party services – Before using confidential data with a cloud-based (third-party) service, contact the Office of Information Security. They need to conduct a security assessment of the service before it can be used.

Three data classifications for university information.

  1. Confidential.
  2. Sensitive.
  3. Unrestricted.

⇛ Specific types of confidential and sensitive data are listed at http://is.oregonstate.edu/ispolicies/datamanagement/examples.

How secure should this data be?

We have three data classifications (categories of data) based on the level of security the information needs. Understanding the relative sensitivity of that information helps you understand which category the data fits in.

Confidential information

This is the most restrictive classification. Four types of data fall into this category.

  1. Personal information that could be used in identity theft or exposure of personal health information if it’s not secured.
  2. Research data that a funding agency or other research partner has identified as highly sensitive.
  3. Financial, legal and other data of a highly confidential nature.
  4. Specific technical information detailing how we restrict access, or otherwise secure data, in this classification.

Sensitive information

This classification covers university data that has some security risk. It is less restrictive than the confidential classification. Sensitive information is commonly used in conducting Oregon State business and may be confidential or bound by non-disclosure expectations.

Unrestricted information

This is information that carries no security risk if it’s made public. Most university data is unrestricted.

What should you do if you suspect data’s been compromised?

There are two things you need to do immediately if you suspect your data’s been compromised (the data was out of your control, someone accessed it who wasn’t supposed to, etc.).

  1. Figure out its data classification.

What type of information is it? Which of the categories above does it fit into?

  1. Report it to your IT support group (departmental computer administrator – DCA).

Give the DCA as much information as you can, including how you think the data would be classified.

Follow the directions they give you, even when that means you’ll lose changes to files.

Once the initial risk has been eliminated, there are two more things you need to do.

  1. Report it to your supervisor.
  2. Report it to the Chief Information Security Officer.

The CISO will decide what needs to happen next. The Office of Information Security will lead the investigation of the possible breach and will let the appropriate data custodians know what’s happened.

Use the webform, or call x.7-9800 (541-737-9800).

The less activity that occurs on your computer after you realize information may have been compromised, the more likely it is that the security team will be able to tell whether or not it actually was compromised and what data was accessed.

Purpose of this policy

This policy is designed to help us comply with state and federal laws that require us to protect the confidentiality, integrity and availability of university data.

Data Classification Examples

Data classification by type of data

Information Security Policies and Procedures Manual
Data Classification by Data Element
Effective: 02/20/2014
Revised: 04/11/2014

Confidential information

Sensitive Information:

Network Policy

 ⇛ This policy outlines

  • Responsibility for maintaining the security and integrity of the university network.
  • Behaviors that are barred or expected of anyone connecting to the network.

Information Services is responsible for the university network.

If you connect to the university network, you MUST

Authenticate or register your device. This can be done by logging in through an official OSU account (such as your student or staff account), by registering your device directly with Information Services or by having a recognized representative of the university register your device.

If you connect to the university network, you MUST NOT

Disrupt or degrade the university network.

The Oregon State University network connects people within the university and with the rest of the world. The university network includes all networks, except the Guest network, at all Oregon State locations.

Only Information Services and those it authorizes may

Install, configure and maintain network hardware and software.

Systems and devices on the university network

  • Systems connected to the wired network must be authorized.
  • Systems connected to the wired network must meet configuration standards.
  • Hardware and software must meet defined standards.
  • Wi-Fi infrastructure on the university network must be installed and maintained by Information Services
  • Where Wi-Fi managed by Information Services is available, access points managed locally must be removed.

Information Services will

  • Appoint, and maintain a list of, network administrators.
  • Maintain a record of all devices registered or authorized to use the network.
  • Monitor performance and security of the network.
  • Notify users of any interfering devices that might impact the network.
  • Install and maintain Wi-Fi.
  • Disable network access to a device if we determine the device is misconfigured or compromised.
  • Disable network access to an individual if we determine they are acting in ways that violate university policy.

Exceptions

The Vice Provost of Information Services may grant exceptions to the requirements in this policy. If you would like to request an exception, please begin by contacting the Office of Information Security.

Purpose of this policy

This policy identifies which university roles are responsible for the wired and wireless networks at Oregon State. It also specifies certain behavioral expectations for anyone who connects to the OSU network.

Read the full policy here.

Defined Standards for Network Policy

Configuration standards for network equipment attached to the OSU Network (routers and switches):

  1. Routers and switches must use TACACS+ for all user authentication. Local accounts are allowed only for console serial port logins; these must be configured to not allow SSH or other remote access protocols.
  2. The enable password on the router or switch must be kept in a secure encrypted form. The router or switch must have the enable password set to the current production router/switch password from the device’s support organization.
  3. The following services or features must be disabled:
    1. IP directed broadcasts
    2. Incoming packets at the router/switch sourced with invalid addresses such as RFC1918 addresses, except where such addresses are intentionally routed internally.
    3. TCP small services
    4. UDP small services
    5. All source routing and switching
    6. All unencrypted web services running on router
    7. Cisco discovery protocol on Internet connected (border) interfaces
    8. Telnet, FTP, and HTTP services
    9. Auto-configuration
  4. The following services should be disabled unless a business justification is provided:
    1. Cisco discovery protocol and other discovery protocols
    2. Dynamic trunking
    3. Scripting environments, such as the TCL shell. Exception is granted for scripts for automated failover.
  5. The following services must be configured:
    1. Password-encryption
    2. NTP configured to a corporate standard source
  6. All routing updates for secured network areas shall be done using secure routing updates.
  7. Use corporate standardized SNMP community strings.  Default strings, such as public or private must be removed.  SNMP must be configured to use the most secure version of the protocol allowed for by the combination of the device and management systems.
  8. Access control lists must be used to limit the source and type of traffic that can terminate on the device itself.
  9. Access control lists for transiting the device are to be added as business needs arise.
  10. The router must be included in the corporate enterprise management system with a designated point of contact.
  11. Each router must have the following statement presented for all forms of login whether remote or local:

    "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device. Use of this system shall constitute consent to monitoring."

  12. Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH version 2 is the preferred management protocol.

 

Governance & Advisory Groups

Executive Governance

  • IT Security Governance Committee
  • Data Governance Council
  • Instructional Technology Governance Council

Advisory Groups

  • Learn@OregonState
  • Canvas
  • Web Services
  • Mobile Services
  • IT Coordinating Council
  • IAM (soon to be formed)
  • Box (soon to be formed)

IT Security Governance Committee

Purpose

The purpose of the IT Security Governance Committee is to help the university effectively manage risk.

Scope

The committee has three major functions: Oversight, Strategy, and Expert Counsel. These functions are broken thusly:

1. Oversight

  • Annual audit plan
  • Annual security report
  • Annual policy review
  • Annual report to the University

2. Strategy

  • Advise on the development and evolution of an overarching information security strategy that responds to threats and legal mandates while allowing academic progress.
  • Oversee the development and evolution of an institutional security plan.
  • Advise on priorities Advise on appropriate university engagement

3. Expert counsel

  • Provide expert counsel on how to navigate risk levels as they relate to our complex environment of regulation, academic freedom, and threat.
  • Advise on implementation and accountability structures with respect to information security
  • Advise on formal, ongoing processes to examine policy and practices
  • Potential: architecture review

Members & Structure

Instructional Technology Governance Council

Purpose

The Instructional Technology Governance Council is a senior level governance committee that guides the directions and investments for technology to support the learning enterprise at OSU. It is not intended to be representational of university units. Rather, it is comprised of university leaders who bring broad thinking and represent university interests, guiding investments and future directions.

Scope

The work of the committee is currently focused on Learn@OregonState, the ecosystem encompassing learning management, educational content, metrics, and emerging educational technologies. Its purview includes a wider perspective on educational technology, however; and the council may at times consider investments in physical spaces, faculty support and analytics. It also oversees the Learning Technology Innovation Grants. The committee typically meets 1-2 times per quarter.

Members & Structure

The Counsel is advisory to Lois Brooks, Vice Provost of Information Services, and through her to Dr. Randhawa.

  • Dave King, Chair
  • David Barber
  • Faye Chadwell
  • Susie Brubaker-Cole
  • Susana Rivera-Mills
  • Cheryl Middleton
  • John Greydanus
  • Robin Pappas

 

Staff Directory

We're sorry but there currently are no results for your selection. Please try filtering on a different value.

Strategic Investment Plan

Technology and information, if used strategically and effectively, can amplify and accelerate OSU’s progress toward Strategic Plan 3.0.

The Strategic Investment Plan for the Information Technology Enterprise

  • identifies the core themes to the investment strategy,
  • describes the evolving information landscape, and
  • shows how our key initiatives serve the University’s strategy for meeting the goals identified in Strategic Plan 3.0.

Continue ReadingDownload the Report

Introduction - Strategic Investment Plan

There are two core themes to the investment strategy, achieving scale and enabling transformational experiences.

Oregon State University has embraced contemporary approaches for technology; mobile computing and cloud-based services are the norm. This serves OSU’s goals particularly well. Mobile enhancements untether faculty from the teaching podium to engage more directly with learners. Our learners, researchers, instructors, and workers not only gather and share data from our fields, forests, rivers, oceans and atmosphere, we collaborate with our colleagues in real time, be they on or off campus. Cloud services also enable anywhere, any time collaboration and work, providing useful and modern services that enable the learning, research and outreach activities of the OSU community.

As we enter 2016, we must build upon this momentum by creating an environment where each person can assemble a personalized learning and research experience from a well- selected set of tools and services. We will transform the university through a scaled and comprehensive approach that quickens the pace toward success, reducing overall expense and redundant effort even while allowing each person the flexibility to learn, teach, research and engage.

Technology and information occupy a critical role in a 21st century university and are an essential part of developing greater efficiencies in institutional and administrative functions. Greater accountability, enhanced expectations of a current generation, and growth in the development, management, and delivery of digital resources point to the expanding role that big data, analytics, and information technologies provide as a strategic and enabling asset.
- OSU Strategic Plan 3.0, 2015

 

« Back

 

Evolving Information Landscape

The top trends shaping OSU’s IT investments and priorities are:

Intense scrutiny on learner success

We must enable the necessary curricular and co-curricular approaches that allow learners to thrive, learn and graduate. New demographics of learners need more flexibility in pacing and credentialing. Across all forms of learning, data is essential to understand what works, measure progress and improve outcomes.

Big data and the Internet of things

Past practices for IT services must evolve toward contemporary approaches that support computing on massive and personalized scales. Vast arrays of increasingly smart instrumentation underpin OSU’s natural resources, engineering, science, and human- focused research enterprise, enabling cutting edge research while creating data in massive streams that require ever-increasing computational, storage and network capacities.

Speed and flexibility

Through the private sector, academic partnerships, and university resources, these solutions support new forms of work, research and learning. Regular change and improvement is a hallmark of this new paradigm, enabling (and requiring) that our community quickly and regularly adopt new tools and services.

Cyberthreats to information and systems

Cyberthreats are pervasive, threatening the reliability of our systems and data, and posing the risk of harm and loss for the university and the members of our community. It is essential that we remain current with security tools and practices to prevent attacks and loss of data, and the OSU community must be knowledgeable and diligent in protecting their personal and shared resources.

Investment Principles

New investments in technology must meet at least one of these criteria:

  • Enable substantial and measurable progress toward Strategic Plan 3.0
  • Provide a positive measurable return on investment
  • Reduce risk by an amount that justifies the investment
students using survey tool

 

« Back

 

Key Initiatives

Each of the following initiatives serve the University’s strategy for meeting the goals identified in Strategic Plan 3.0, and to develop greater accountability and greater efficiencies in institutional and administrative functions. The benefits gained from these initiatives depend on the University’s ability to invest, the capacity to absorb new initiatives, and our community’s willingness to act collectively and purposefully toward common solutions.

  1. Transformative learning experience
    • Empower learners and teachers by extending the Learn@OregonState ecosystem of learning tools and analytical capability. Leverage our investment in Unizin to accelerate progress toward a transformative experience for all learners.
    • Embrace open content and new forms of course materials, substantially lowering the cost for learners and guaranteeing access from the first day of the course.
    • Develop next generation approaches for informal learning spaces, creating technology-enhanced digital maker and visualization learning spaces that support learner engagement with the tools and approaches of the 21st century.
  2. 21st century work experience
    • Fully embrace contemporary solutions for productivity, supporting communication and collaboration activities that are fully device and location independent, supporting the complex work styles of our community members.
    • Invest in technology-enhanced administrative services when accompanied by business process improvements to create true efficiency in the work experience.
    • Invest in training to assure that OSU’s technology investments are fully utilized by our faculty, staff and learners.
  3. Research growth
    • Move to a university-scale approach to cyber-infrastructure with a comprehensive data center and research computing strategy.
    • Create a center of excellence for research computing, offering programs and expertise that help OSU researchers most effectively move toward big data-scale solutions.
    • Bring research administrative functions into the 21st century through technology enabled, efficient business processes. This improves researcher efficiency, improves the university’s compliance profile, and enables a deeper and more accurate understanding of progress and gaps.
three image collage: graduate taking a selfie, researcher with equipment, helicopter flying in sky

 

« Back

 

University Scaled Approaches

  1. Communication, publication, notification
    • Create a digital concierge experience for learners and employees, making it easier to find information and resources, and use university systems.
    • Enable excellent web publishing, and assure our ability to communicate with parents and the community in the event of a catastrophic event.
    • Embrace modern approaches and create rich engagement with learners and community members through personalized notifications, easy access to resources, and just-in-time information.
  2. Become a data driven university
    • Create actionable information and analysis through a comprehensive approach to data and information, extending the work done through CORE and Institutional Research to move to the next level of realization.
  3. University-wide customer relationship management (CRM)
    • Understand the full lifecycle of engagement with OSU, from childhood programs, through recruitment, learning career, industry partner, donor, parent and fan. Leveraging work successfully done in several colleges, move to a comprehensive and standard approach in managing the university’s varied systems.
  4. Cyber security
    • Use security measures and design principles that protect OSU’s information and systems.
    • Raise and sustain cybersecurity awareness and education throughout the OSU community.
two students collaborating at a computer

 

« Back