Monthly Archives: May 2013

Securing card payments

Peter Tinson, UCISA’s Executive Secretary, attended the PCI DSS SIG conference this week to find out more about the standard which is intended to protect payment card data and processes. The PCI (Payment Card Industry) Data Security Standard is a global standard; compliance with the standard reduces the risk of credit card fraud and the resultant cost (both financial and reputational) to the organisation.

The scale of the problem cannot be underestimated. A Government report on the results of a survey on information security breaches revealed that over 90% of large organisations (those employing over 250 people) were affected by security breaches with an average of 113 breaches per organisation in 2012. This is perhaps indicative of the growth in cyber crime which can range from the sale of credit card numbers through to sophisticated schemes to steal on a large scale.

There was great mention of risk throughout the day. Clearly a starting point has to be that the institution needs to know where payments (or card details) are being taken and whether or not the information is stored. Once the location of information is known, an assessment can then be made of the risk (and impact) of its loss and proportional measures introduced to protect and secure it. There was general agreement that the potential loss of payment card data should be included in the institution’s risk register and so be clearly visible to the governing body.

Implementing technical measures to protect data is only part of the solution. The report on information security breaches notes that over a third of breaches were the result of inadvertent staff error. Training of staff is critical to ensure that staff are aware of their responsibilities; this needs to take place at the start of employment (including when there has been a role change within the institution) and at regular points thereafter (the suggestion was at least annually).

Whilst poorly trained staff present a risk to security breaches, so too do poor processes. One of the recommendations made at the conference was to review business processes to see whether they could be re-engineered so that it was not necessary to use card data. Obviously if card data is not being used in a process, then the risk of its loss disappears and so too does the need to comply with the DSS.

This summary only gives a brief snapshot of some of the issues being faced by institutions seeking to implement the standard. It was clear that institutions are at different stages in their adoption of the standard and that the barriers to adoption are not always technical. UCISA is looking to work with the PCI DSS SIG and with our sister organisation for Finance Directors, BUFDG, to promote best practice in this area and so reduce the risk of our institutions falling victim to fraud.

Leading the governing body

The need for effective governance for ICT within our institutions has long been recognised. This extends beyond the senior management executive as decisions on spend and projects affecting the IT department are sometimes made at the Board level. However, not all governors will have expertise of ICT and the role that ICT plays in delivering institutional business. ICT is no exception; it is clearly unrealistic to expect members of the governing body to be expert in every aspect of an institution’s business.

This is something that has been recognised by the Leadership Foundation for Higher Education and they have sought to address this by producing the Getting to grips range of guides for governors. Each volume in the series deals with a specific aspect of business such as Academic Standards and Quality, Research and Knowledge Transfer, Finance and Human Resource Management. The guides look to provide core information on the specified topic and include a number of dilemmas typical of the issues that might be raised during board meetings.

Given that IT now underpins the strategies and operations of all universities, it is essential that governors understand the contribution ICT can make to their institution. As Steve Williams, Director of Information Systems and Services and Newcastle University noted

For members of governing bodies, familiarity with the use of technology is increasingly important. In the same way as governors both challenge and support on financial matters, or major building projects, the challenge and support needs to be applied to IT. Designing the IT into the operations of the university is essential.

UCISA and the Leadership Foundation have collaborated on the tenth volume in the series – Getting to grips with Information and Communications Technology. The guide, which has recently been published by the Leadership Foundation, contains chapters on the role ICT plays in teaching and learning, research and administration, the strategic role of the governing body with regard to ICT, compliance and legislation, and costs and value for money. The guide will be published on the Leadership Foundation website in due course but in the meantime, complimentary copies have been sent to the lead representatives of each full UCISA member institution.

The guide illustrates some of the work UCISA carries out on behalf of our members and we hope that the latest edition to the Getting to grips series will become as valued as its sibling volumes. Getting to grips with ICT contains contributions from a number of individuals within the UCISA membership, namely Adrian Ellison (University of West London), Jim Nottingham (Regents University), Luke Taylor (University of Bristol), Sue White (University of Huddersfield) and Steve Williams (Newcastle University), plus Anna Mathews and Peter Tinson from the UCISA office.


UCISA Enterprise Architecture Community of Practice Start Up Meeting

(& as a prelude, just to say this is my first blog on the UCISA site, hence the following is also repreated on my usual personal blog)

2nd May 2013: a group convened at Liverpool John Moores University to discuss the setting up of a UCISA Enterprise Architecture Community of Practice (EACP).

Following work by Luke Taylor & the UCISA-CISG, & commissioned by the UCISA Executive, the objective of the meeting: to baseline where we were up to with EA, and work out how this Community of Practice thing was going to operate, as it’s a bit of a new departure for UCISA & those previously involved in the JISC EA Practice Group. Representatives from 8 institutions, JISC InfoNet & the Open Group, and facilitated by Richard Chapman, of Richard Chapman Consulting.

This is a picture of where we started:


I’m not going to do a blow by blow account of the day, as that will come out in due course, but just wanted to highlight a few things that were key or of interest for me.

  • Baselining EA. Various people were not surprisingly at various stages, although there were common themes: how to keep up momentum, how to convince the business, how to get resources. Participants were asked to come up with ‘twEAts’ (140 characters about EA on a postit – thank you David Rose of the Open Group for that one, bit close to our great Prime Minister’s comments about what too many tweets make…). These got quite zen-like in parts – particularly this offering from Patrick O’Reilly/Bolton: ‘the curate has a fresh egg, but no eggcup, spoon and is waiting for a chance to eat’. I thought we might have invented Zen EA – but then discovered this: ‘Zen and The Art of Enterprise Architecture (Open Group Conference Newport Beach 2013)’ – although I may be being a little unfair, having not viewed it in detail, at 83 slides, some of dazzling complexity, I’m not sure this is in the spirit of Zen, or even EA…
  • Building a Community of Practice. Lots of interesting discussion on this, which will be rolled up in a wiki & considered further – but for me, the main issue was around leadership. The key objective of the EACP is to become self-sustaining – to not need a leader, or a Chair, or single person or even small group who keep it all going – leading to the usual leaders/followers scenario. Seems like a kind of variation on situational leadership – the idea that there is no one best leadership style, but that leadership is adaptive to the situation – which in some situations may mean following. So perhaps we have situational leadership & followership as well. For the EACP I would envisage a scenario where individuals would either lead or follow depending on the situation – which I think is what I’ve just said. Or to sum up, ‘We are all leaders now’.

Which is about all for the moment – the EACP is a work in progress & progress on this first day was excellent, we have actions, ideas for how to work, deadlines & all manner of good stuff, including the all important hash tag (#UCISA_EA) – so thanks to all the participants & also Richard Chapman for his great facilitation, kept us almost both on time & under control!

Also worth a look at Dave Berry from Edinburgh’s post on the same event.

& here’s a picture of where we finished:



The Support Service Group’s (SSG) remit is to help UCISA members get the most from information, technology enhanced learning, and computer mediated communication systems


The Project and Change Management Group (PCMG) provides a forum for the discussion, development and dissemination of information on best practice approaches to project management, change management and related activities within UK higher and further education institutions


The Digital Skills and Development Group exists for the purpose of enhancing the skills within universities and colleges so that staff and students can make effective and efficient use of ICT, including the support and integration of new technologies in teaching and learning.


The Networking Group’s purpose is to raise awareness of networking, telephony and IT security developments; to share examples of good practice; to act as a voice on the networking field within the UCISA community.

Support Services Group Meeting

We met today at Liverpool John Moores University and had another productive meeting. Attendance was good and I’m pleased that we now have a vice chair in Mandy Phillips, from Liverpool John Moores University, our host for today, as James (chair) is a busy man and can’t always get to meetings. SSG had mistakenly believed that UCISA had a policy that deputies are not allowed to attend UCISA Executive meetings if their chairs cannot attend.  This has turned out not to be the case, which is great  as chairs are normally busy people with busy jobs and busy lives, often with children to look after particularly in school holidays.  Mandy will be able to go to Exec meetings if James is unavailable.

We had a good look at the SSG engagement plan and did some tweaking of it as well as assigning tasks to individual committee members or groups of committee members. The principal aims of the engagement plan are to create physical and virtual communities of networking and collaboration, to organise events to encourage networking across member institutions and companies, to showcase and integrate the use of technologies including social media for better communications and networking and to stimulate the whole UCISA community to think about and respond to shared issues in a participative way. We considered lots of practical ways in which we would do that, and I was charged with having a look at the SSG web pages on the UCISA site with a small group to see how they could be improved and I will also take on responsibility for a new SSG blog on the UCISA site as well as forming a rota of SSG members to contribute to it so we have weekly posts about items of interest. That’s the hope, anyway!

After this we had a good look through the upcoming Support Services Conference which is taking place this year in Edinburgh under the capable chairmanship of my friend and colleague Steve Gough, Assistant Director (Customer Services) at the University of Reading. The conference is shaping up to be another excellent UCISA event with some great speakers lined up and plenty of opportunities for delegates to network with like-minded colleagues from other UK Universities and to contribute to the conference themselves. If you’ve not been before I’ll really encourage you to give it a try. It’s great value at £395 for two night’s accommodation, one full and two half days of networking and learning that could really change the way you work, increase your value to your University and do wonders for your own personal development. There is lots more about the conference, including booking information, on the UCISA website.

Learning and Resource CentreAfter a lovely cold buffet lunch (thanks Liverpool JMU!) we had a tour of some facilities at this University. I was impressed by the Aldham Roberts Learning and Resource Centre – particularly the displays of how many student PCs are available at any given time, the self-service laptop loan scheme and the hours of availability of that (9am-10.45pm Mon-Fri and 10am-7.45pm at the weekend).

In the afternoon we talked more about the upcoming conference making sure roles were filled and that we knew how organisation would happen. It promises to be an exciting event although I’m afraid I probably won’t be able to attend as it is just before our Oxford ICT Forum Conference and I’ve already been to the UCISA management conference this year. It seems only fair to step aside so one or more others from our Customer Services Group can attend the conference.
We had a brief update from the Executive committee and then set the date of our next meeting as 5th September 2013 when we will meet in Leeds.