Yearly Archives: 2015

Review of UCISA activity in 2015

2015 continued to see institutions focus on improving the student experience, enhancing facilities and delivering efficiencies. With IT at the heart of the institution, our members are under increasing pressure to deliver more services to their institutions with budgets often decreasing in real terms. UCISA, through the work of its Executive, its Groups and the UCISA Office, has sought to address the needs of our community in these difficult times. Brief highlights of this work are given below.

The work to move UCISA from being a charitable trust to a charitable company limited by guarantee will be complete early in the New Year. Although this work has taken longer than anticipated, we are already seeing the benefits with UCISA reaching agreement with LEO for the provision of information security training for our members. We are expecting this to be available in the first quarter of 2016.

In 2015, we have promoted the sharing of good practice through:

  • Running a total of 17 events including three webinars and five multi-day conferences with exhibitions. Four of these events were fully booked. 2015 saw the inaugural Spotlight on Digital Capabilities event and the first event run by the Project and Change Management Group;
  • Providing bursaries for individuals within the UCISA membership to attend a wide range of conferences and update the community on the practices highlighted;
  • Recognising the excellent work that takes place in our institutions by the UCISA Award for Excellence, won this year by the University of Edinburgh, and the Amber Miro Memorial Award for innovation which was won by the University of Aberdeen;
  • Publishing a set of case studies on technology enhanced learning (TEL) to complement the TEL survey published in 2014.

We have represented our members’ interests and views by:

  • Responding to consultations on the Prevent duty monitoring framework, the draft Investigatory Powers Bill, the HESA Data Futures programme and the HEFCE consultation on changes to the National Student Survey, Unistats and information provided by institutions.
  • Continuing to work with Jisc on a broad scope of initiatives, contributing to the three consultative panels, and helping shape the Research at risk and the Electronic Management of Assessment strands of activity. The Spotlight on Digital Capabilities event demonstrated the effectiveness of our collaboration with Jisc, highlighting Jisc activity that addresses recommendations in the original survey report;
  • Membership of advisory and user groups including the UCAS Council, the HEDIIP Advisory Panel and the HESA User Group.

We have, in 2015, published a range of resources to assist our members in addressing key business issues and to help formulate policy and strategy. These included:

  • The Information Security Management Toolkit, authored by a number of member institutions under the guidance of Bridget Kenyon of UCL, to assist institutions at all levels of maturity in their implementation of an information security management system through practical guidance, case studies and templates;
  • Secure Network Management, the successor to the Exploiting and Protecting the Network Best Practice Guide;
  • Establishing a Project Management Office in an HE environment, which provides advice on designing your PMO and on implementation and a set of example artefacts;
  • The Social Media Toolkit: a practical guide to achieving benefits and managing risks contains short case studies from across the higher education sector, good practice tips and templates.

We have conducted a number of surveys to allow our members to benchmark themselves against their peers, and to establish the level of maturity of activity within the sector. In addition to the annual HEITS and CISG systems survey, this year we:

  • Published the results of the inaugural survey on Digital capabilities. The report from this survey informed the Spotlight on Digital Capabilities event;
  • Published a survey on Out of hours support which highlighted a number of issues which were raised with our HR sister organisation.

UCISA continues to work with suppliers to the sector. In 2015 we have:

  • Continued to grow our corporate membership;
  • Promoted a workshop for student records systems suppliers to inform them of HESA and HEDIIP developments;
  • Helped promote a greater understanding of the sector through the Selling IT to universities event, briefings for exhibitors at the UCISA15 and CISG15 conferences, and by meeting corporate members on a one to one basis.

Finally, we have continued to work with our sister organisations, both at home and abroad, to ensure that our members’ issues are understood across the sector and to collaborate on joint issues. This has included working with the Leadership Foundation for Higher Education and a number of professional associations to reshape the popular Future Leaders Programme into a new programme, Future Professional Directors.

    The list above highlights just some of the work that our Committees and the UCISA Office have carried out on behalf of our members. A more formal annual report will be published in the New Year and presented at the Association’s AGM at the UCISA16 Conference in Manchester on 17 March.

    I should like to take this opportunity to remind you that bookings are open for the UCISA16 Conference in March. Bookings are also open for three other events taking place in the first half of the year. We will be inviting entries for the UCISA Award for Excellence early in the New Year – always an opportunity for our members to showcase the excellent work that takes place in IT departments across the country.

    Finally, thank you for your support in 2015. I wish you, on behalf of the UCISA team, all the best for Christmas and the New Year.

    Peter Tinson
    Executive Director
    22 December 2015

    Identity and access management – a project from the US



    Michelle Griffiths
    ITS Project Manager
    IT Services
    University of Oxford
    Member of UCISA-PCMG

    Looking at TIER

    This Educause session, Trust and Identity in Education and Research: Identity for Everyone, was run by Ron Kraemer (Vice President and Chief Information and Digital Officer, University of Notre Dame), Kevin Morooney (Vice Provost for Information Technology-CIO, The Pennsylvania State University), Ann West (AVP, Trust and Identity, Internet2) and Steven Zoppi (Vice President, Internet2). Internet2’s Trust and Identity in Education and Research (TIER) initiative will provide a common framework for campus identity and access management (IAM) components.

    An overview of the TIER project

    • TIER will provide a set of integrated components that address IAM as a whole.
    • 500 US HE institutions are involved.
    • Primary users: medical students, researchers, faculty staff and students.
    • TIER will address community requirements across components, and sustain components that were developed together.
    • During the next few years the project will focus on maturity and sustainability models for workforce and funding.

    The TIER vision was outlined for the Educause audience:

    • “We believe identity will be a service.”
    • “We believe in a cloud service with campus localization.”
    • “We believe that if we don’t develop it, then we will have to accept that someone else has (social identities).”
    • “Effective collaboration with partners will be key (includes federated agencies).”
    • “We know we are at least three to five years from achieving this vision.”
    • “We will build frameworks and tools to make it simpler for ourselves.”

    Components of TIER

    • Secure directories
    • Identity and metadata services
    • Single sign-on and identity components
    • Registry services
    • Workflow services
    • AuthN (who) & AuthZ (what)
    • Federated registry (Directory Search/lookup)
    • Persistence and reputation

    The TIER project is moving from investor to sustainable models (financials and governance) via the TCIC – TIER Community Investor Council. Fifty campuses invested $75,000 each over three years ($4 million in total, which includes funding provided by TIER themselves). There is also programme support for community – Ann West (AUP Trust and Identity), technology – Steve Zoppi (AUP services integration and architecture) and sustainability (community engagement and membership).

    The first integrated release is scheduled for 2016. There will be minimal installation/configuration of user interfaces, and the preliminary requirements will be set for scalable content. The objective is point-in-time consistency.

    Partners involved: Shibboleth, Grouper and COmanage 

    The primary focus for the first release is: container/packaging, APIs, continuous update cycles every eight months, 250 user stories driving requirements, documentation and the initial deployment.


    • MOU management community forum
    • Financial timetabling and reporting
    • Technical requirements revision
    • Working groups
    • First two corporate partners – Unicon (for Shibboleth and Grouper) and Spherical Cow Group (for COmanage)

    The work is sponsored by the community, who are responsible for the HE standards, and by Internet2, which is responsible for industry approaches.


    • Several key working groups are formed or are forming including 3M (monitoring, measuring & managing)
    • Continuous meaningful feedback (how the community is utilising the components everywhere)
    • Community adoption – working group needed
    • Emerging community contributors

    Building curiosity



    Michelle Griffiths
    ITS Project Manager
    IT Services
    University of Oxford
    Member of UCISA-PCMG


    If you build it: The power of design to change the world

    Emily Pilloton began her keynote session by talking about her book, ‘Design Revolution: 100 Products That Empower’, which was published in October 2009. She then went on to say that her presentation would be based around a couple of stories that she would like to share with us.

    Emily runs a non-profit company named Project H Design, which practices design and architecture in a more meaningful way. Project H has been involved in various projects, including the re-design of playgrounds, computer labs, and a gym for a local football team. Emily started up the company after finishing her Master’s degree, because she felt that, during the course, she hadn’t learned enough about areas that provided any real value.

    Emily then went on to talk about the people and experiences that influenced her through her life and career, including TV secret agent MacGyver.

    'MacGyver's Multitool', via Charles Williams, shared via Creative Commons licence

    MacGyver focused on solving problems in unconventional ways, thinking ‘outside of the box’ and using whatever objects that he had to hand.

    Other major influences in her life came from her grandmothers, who were both very strong-willed and passionate people. They were both librarians; one was a calligrapher, and the other was a cross-stitch artist and part-time musician.

    The teachers at Emily’s school were also very supportive, and made her feel cool to be a nerd! Being a nerd is useful in architecture school, along with building knowledge in the following areas: maths, science, community, and social sciences. It is also useful for obtaining an understanding of and user knowledge about local areas, and the social landscape of the community that you will be developing or building in.

    Experience is more important than content
    Emily argued that experiences matter more than content; students remember experiences better if they have to work through a series of problem solving activities. She gave the following example:

    First Project (Farmers’ Market public space) – Project H were invited to go along to a high school in eastern North Carolina, to design a public space in the format of a farmers’ market for the town of Windsor. The town has an agricultural background, high obesity rates, a poor public health record, and a stagnant economy. The students built the first set of models, which they took along to present to stakeholders. There were a number of constraints that the project had to work with, which included the following:

    • A $50,000 budget
    • A short time period (three months)
    • The local area being on a flood plain, so the building had to be above a certain height off the ground
    • They could only use construction students who were all under 18, apart from one student who became 18 during the project. Only people of 18 years and above were allowed to legally use power tools, so this one student became the go-to power tool guy!

    The construction was made on the ground using manual tools such as mallets, and then the frame was raised up into position. The design of the farmers’ market building came entirely from the teenagers, who expressed the desire for it to be a “bold façade”. The next challenge was to find suppliers to sell their wares at the market. The students set out to find people to sell products such as kale.

    The launch of the farmers’ market created four new businesses and fifteen new jobs. Emily mentioned that she asked one of the students involved in the project to provide feedback, and the following quote was given: “I want to come back someday with my kids, and tell them I built this”.

    Seeking is more important than knowing
    Emily suggested that asking questions, such as how and why, is more important than knowing the answers. Being in a constant state of enquiry is the best position.

    Second Project (Middle school library) – Emily went on to discuss her next project at the charter school in Berkeley, California, which was a useful exercise to demonstrate that Project H can work at both ends of the spectrum. The principal of the school wanted middle school kids (8th graders) to be involved in the project. The group of kids provided extra sets of challenges, including not being able to speak English, autism, and disciplinary problems.

    The kids wanted to build a library for their school as a class gift, to give back to the school community. There had been a space earmarked for a library that was never built due to lack of funding. Emily decided as part of the initial planning process that the kids should visit a library; the feedback from the trip was that libraries are super boring! The following conclusions were reached:

    • The kids wanted the library to be a place of discovery and invention, not reference
    • The library would be designed to accommodate 108 8th graders

    The group began to design a bookcase that could be put together in 108 different ways. The design that was chosen involved convex/concave shelves with a wavy design, which could be interlocked together in various ways to keep it as flexible as possible. The project felt unfinished and chaotic, but it was what the students wanted: “In Algebra, X is the unknown; the X-space is where we go to discover the things we don’t know”

    Third Project (two individual homes built for the homeless) – Emily told us that Project H knew that, as a team, they could get this done no matter what happened. They did not have planning permission to begin with, and were in full view of the principal’s office, so they were expecting a visit to stop their work; fortunately, this didn’t happen.

    When the big day arrived to raise the walls, Project H had up to 25 teenagers all working together, using geometry and trigonometry as core subjects that were applied to the project. Pallet wood was the material of choice for the side walls, which posed problems as the wood was of different colours, and often had odd staples and nails sticking out of it. One of the students related to the pallet wood by saying “It’s all different, just like us, like a tapestry.”

    Important design decisions were made as a group, such as the decision that, although this was a home for a homeless person, it would not contain running water, a toilet or a kitchen. The group needed to address the issue that although it was a public space, it also needed to provide a level of privacy.

    The initial design the kids came up with was that of a traditional house, and the two halves that were built, once placed together, resembled the original pencil drawing. A student who had worked on the project gave the following feedback: “I gave someone a place to live. Oh, and I got an A in this class, and I know how to build a house!”

    Fourth Project (to create a space for young girls that celebrated curiosity) – This space was based around ideas to do with curiosity: “Curiosity breeds confidence.”

    Project H wanted to create a space for young girls who were part of the Camp H after school summer programme for girls aged nine to twelve.

    The first step was for the girls to build a bird house as a confidence builder, to get them used to working with the materials and some basic tools. The second step was to open up their curiosity and develop what they mean personally, in order to express their identity as a person.

    One of the favourite lessons was to learn arc welding, which really develops the girls’ confidence to move on to bigger welding projects. The task set was to weld a symbol using four pieces of steel that represents both your first name and your last name. Emily talked through an example of a student with the first name “Ultraviolet” and a last name involving the word “Taylor” and a synonym for dark. The student created a symbol that featured a light and dark side, representing ultraviolet and darkness, which were stitched together to bring in the reference to “Taylor/tailor”.

    Fifth Project (creating items to be used in a domestic abuse centre) – The project focused on creating a number of items that improved the experiences of the people living at the domestic abuse shelter. These included the following: a coffee table, a play house, shelving units, and a metre square garden.


    • “Curiosity takes you to a place where you can help others.”
    • “Curiosity is incremental, curiosity helps others.”
    • A student involved in the project was quoted as saying “I am a ten year old girl and I know how to weld: what can’t I do?”

    Emily went on to discuss the badge system that Project H has created. This is similar to the badge system of the Boy Scouts, but the badges are a little different; they include badges for welding, using power tools, carpentry, electronics and architecture.

    She closed the session by advising the audience to think of themselves as learners, and to nurture their own creativity; that way you can nurture and mentor others.

    A recording of the presentation will be publicly available 90 days after the conference ends.



    Educause – the final day



    Simon Geller
    Senior Project Manager
    University of Sheffield
    Member of UCISA-PCMG




    The final session I attended was on preparing your organisation for the Cloud. It was noted that most organisations were already in the Cloud to some extent. A question was raised – ‘what does an IT Director actually do?’ – something I’m sure we’ve all asked ourselves.

    The last general session was an inspirational talk from Emily Pilloton of Project H Design, who has found some exciting new ways of teaching kids how to build things. It was a great way to remind ourselves of what the business we’re in is all about – sometimes, as we plough away in our chosen furrows, this can be forgotten.

    All in all, a very interesting conference; thanks to UCISA for making it possible for me to attend.

    Performance management and assessing capacity

    Giuseppe Sollazzo
    Senior Systems Analyst
    St George’s, University of London






    Velocity day three – the final one – has been another mind-boggling combination of technical talks and masterful storytelling about performance improvement in a disparate set of systems. The general lesson of the day is: know your user, know your organization, know your workflows – only then will you be able to adequately plan your performance management and assess your capability.

    This was the message from the opening keynote by Eleanor Saitta. She spoke about how to design for ‘security outcomes’, or, in other words, ‘security for humans’: there is no threat management system that works if isolated from an understanding of the human system where the threats emerge. We have some great examples of this in academia, and at St George’s one of the major challenges we face is securing systems and data in a context of academic sharing of knowledge. Being a medical school, the human aspect of security – and how this can affect performance – is something we have to face on a daily basis.

    One of the best presentations, however, was by David Booker of IBM, who gave a live demo of the Watson system, an Artificial Intelligence framework which is able to understand informal (up to a point) questions and answer them in speech. As with every live demo, this encountered some issues. Curiously, Watson wasn’t able to understand David’s pronunciation of the simple word “yes”. “She doesn’t get when I say ‘yes’ because I’m from Brooklyn,” David said, triggering laughter in the audience.

    Continuous delivery
    Courtney Nash of O’Reilly spoke at length about how we should be thinking when we build IT services, with a focus on the popular strategy of continuous delivery. Continuous delivery is the idea that a system should transition from development to production very often, and this idea is gaining traction in both industry and academia. However, this requires trust: trusting your tools, your infrastructure, your code, and most importantly, the people who power the whole organization. Once again, then, we see the emergence of a human factor when planning for the delivery of IT services.

    The importance of 2G
    In another keynote with a lot of applicable ideas for academic websites, Bruce Lawson of Opera ASA focused on the ‘next billion’ users from developing countries who are starting to use internet services. Access to digital is spreading, especially in developing areas of Asia, where four billion people live. India had 190 million internet users in 2014, and this is poised to grow to 400 million by 2018.

    The best piece of information in this talk was the realisation that if you take the US, India and Nigeria, the top 10 visited websites are the same: Facebook, Gmail, Twitter, and so on. Conversely, the top 10 devices give a very different picture: iPhones dominate in the US, cheap Androids in India, and Nokia or other regional feature phones in Nigeria. This teaches us an important lesson: regardless of hardware, people worldwide want to consume the same goods and services. This should tell us to build our services in a 2G-compatible way if we want to reach the next billion users (91.7% of people in the world live within reach of a 2G network). This is of great importance to academia in terms of international student recruitment.

    Performance optimisation
    The afternoon sessions were an intense whistle-stop tour of experiences of performance optimisation. Alex Schoof of Fugue, for example, gave an intensely technical session about secret management in large scale systems, something that definitely applies to our context: how do we distribute keys and passwords in a secure way that allows secrets to be changed whenever required? With security issues going mainstream, like the infamous Heartbleed bug, this is something of increasing importance. Adam Onishi of London-based dxw, a darling of public sector website development, gave an interesting talk on how performance, accessibility and technological progress in web design are interlinked, something academic website managers have too often failed to consider with websites that are published and then forgotten for years.

    As someone who has developed mobile applications, I really enjoyed AT&T’s Doug Sillars’ session about ‘bad implementation of good ideas’, showing that lack of attention to the system as a whole has often killed otherwise excellent apps, which are too focused on local aspects of design.

    Velocity has been a great event. I was worried it would be too ‘corporate’ or sponsor-oriented, but it has been incredibly rich, with good practical ideas that I could apply to my work immediately. It has also offered some good reflection on ‘running your systems in house’: we often perceive this dualism between the Cloud and in-house services. This is a technology that can be run in-house with no need to outsource. As IT professionals we should appreciate it, and make the case for adopting technologies that improve performance and compliance in a financially sound way. This often requires abandoning outsourcing and investing in internal resources: a good capital investment that will allow continuous improvement of the infrastructure.


    From IT Support to CIO



    Michelle Griffiths
    ITS Project Manager
    IT Services
    University of Oxford
    Member of UCISA-PCMG


    A journey of three women

    This session was a panel discussion where each of the panel members gave their views to the audience in response to a number of questions. The session started with a poll to establish how many of the audience had career aspirations to become a Chief Information Officer (CIO).

    The panel consisted of: Melody Childs (Associate Provost and CIO, University of Alabama in Huntsville), Cathy O’Bryan (Director, Client Support, Indiana University Bloomington), Wendy Woodward (Chief Information Officer, Wheaton College) and Sue B. Workman (Vice President for Information Technology Services, Case Western Reserve University).

    Why in the world would anyone hire you as a CIO?

    • Those of you who are in support probably feel undervalued, although you are one of the main communication links that bring the institution closer to the staff, students, parents, etc.
    • You will probably have a holistic view of people’s needs and infrastructure, and where to go for resources.
    • Study the organisational chart so that you know all the sections and departments, and all your staff names.
    • Seize on trends before they actually become trends.
    • Ensure you gather and have to hand the best data and analytics available.
    • You will be seen as the front door to the centre of IT.
    • You will probably be one of the only non-technical staff members in IT.
    • You have to think on your feet during technical meetings; if you don’t know a technical phrase, just Google it.
    • The CIO is often there to bridge the gap between the CIP and the technical staff, although they don’t need to be technical themselves.

    What skills have you developed that have helped you bridge that gap (from IT support to CIO)?

    • You really have to know the business of the University to be the CIO.
    • You need to fully understand changes and how to manage them, and how they will impact every part of the business.
    • You need to be able to build strong relationships, which you may need to call on in time.
    • The breadth and depth of knowledge you acquire in support puts you in a good position to become a CIO.
    • Many CIOs don’t have an IT background.
    • The CIO manages all interactions between IT and its internal and external support elements.

    What are some examples of major initiatives that you have started as a CIO where you directly leveraged your experience in the support organisation?

    • Change management – you have to have the correct mind set to crack this area of expertise.
    • Understand and support what is being done at a technical level to ensure business continuity.
    • Supports skills between service providers either inside or outside of IT.
    • The building of relationships is difficult and sometimes requires difficult conversations to take place.

    Tips on becoming a CIO

    • Undertake a listening tour when you first arrive, so that you can listen to people’s views on problems and improvements. Take time to have a coffee with staff members.
    • It’s very important to keep talking to people, and to take care of the little things.
    • Collaboratively building technology with your people in order to ensure that innovation and creativity are nurtured.
    • Don’t be the first person to talk in a meeting; listen and let others have their say.
    • If you want to become a CIO, employ a mentor and have regular meetings with them to track your progress and to offer support.

    Developing metrics and measures for IT

    Tim Banks
    Faculty IT Manager
    University of Leeds

    This morning I attended a session run by Martin Klubeck from the Consortium for the Establishment of Information Technology Performance Standards (CEITPS).

    This group is working to establish a common set of measures and metrics across education IT. CEITPS volunteers have spent some time over the EDUCAUSE 2015 conference writing the first 21 metrics, in between attending sessions.

    CEITPS have a refreshingly common sense approach to developing standards, as follows:

    • Get some interested and enthusiastic people in a room
    • Write some standards, plagiarising as much as possible from other sources
    • Review within the group and amend as necessary
    • Don’t worry if you don’t get everything perfect first time
    • Send out to the wider CEITPS group for comment, but give them a limited time to respond (e.g. seven days). If you give them six weeks, they will take that long.

    What is the difference between a measure and a metric?

    This was a question asked by a member of the audience. Martin answered in the form of a tree analogy:

    1. The leaves are like data – there are a lot of them and a lot can be thrown away. Data are typically just raw numbers.
      1. NB: Never give data to a manager! Business Intelligence (BI) tools are particularly bad because not only do they give data to managers but they also make it look pretty…
    2. The twigs can be thought of as measures (e.g. ‘50%’ or ‘20 out of 30’), which have some context.
    3. The branches are like information, which has more context around it.
    4. The trunk of the tree is your metrics, which have sufficient contextual and trend-over-time information to make them suitable for presentation to senior managers.
    5. It is vital to find out the root (i.e. underlying) question that the person asking wants answering before you provide any metrics.

    Martin gave us an example of one of the metrics that they have developed this week:

    Description: Rework [re-opening] service desk incidents.
    Definition: Each and every time any incident requires more effort after it was incorrectly or not fully resolved but was considered to be resolved.
    Presentation: Usually presented as a percentage of total incidents re-worked [re-opened] in a given timeframe.
    Note: Need to cover the use case where a member of IT staff opens a new incident rather than reopening the old one.

    Other examples of metrics which the group have developed this week are as follows:

    • Defects found during development
    • Defects found during testing
    • Top 10 categories for incidents over given time period
    • Mean time to resolve (MTTR)
    • MTTR minus customer wait time
    • Adoption Rate
    • Call Abandon rate
    • On-time delivery

    In total they have developed 21 of a total of 42 IT service management metrics. 37 of these came from the ITIL framework and a further five were added by the group.

    The USA Core Data Survey was mentioned several times by both Martin and those attending the session. The Educause Core Data Service carries out surveys of standard benchmark data across all US institutions, and there has been much discussion about making sure that the CEITPS metrics could be combined with the CDS information to provide an even richer information source.

    The CEITPS has several member institutions from outside the USA, and they are keen to get some more involvement from UK Universities, especially those who are currently implementing the ITIL framework and/or developing service metrics and measures.

    Additional resource:

    The University of North Carolina Greensboro metrics page

    PaaS, bots, alerts and using analytics to improve web performance

    Giuseppe Sollazzo
    Senior Systems Analyst
    St George’s, University of London



    Storytelling at Velocity

    The second day of O’Reilly Velocity conference was definitely about storytelling: keynotes and sessions were both descriptions of performance-enhancement projects or accounts of particular experiences in the realm of systems management, and in all honesty, many of these stories resonate with our daily experience running IT Services in an academic environment. I will give a general summary, but also mention the names of the speakers I’ve found most useful.

    Evolution in the Internet of Things age
    The first session, an attention-catching keynote by Scott Jenson, Google’s Physical Web project lead, centred on a curious observation: most attention on web performance has traditionally been focused on the “body”, the page itself, while the most interesting and performance-challenged part is actually the address bar.

    Starting from this point, Scott has illustrated how the web is evolving and what its characteristics will be especially in the Internet of Things age. He advocated for this to be an “open” project, rather than Google’s.

    Another excellent point he made is that control should be given back to the users. This was illustrated by a comparison between a QR code and an iBeacon: the former requires the user to take action; the latter is proactive towards a passive user. Although we like to think of proactive applications, it only takes walking into a room full of them to understand that being in control can be a good thing.

    PaaS for Government as a Platform
    Most of the conference talks have centred on monitoring and analytics as a way to manage performance. Among the most interesting talks, Anna Shipman of the UK Government Digital Service (GDS) illustrated how they are choosing a Platform-as-a-Service supplier in order to implement their “Government-as-a-Platform” vision.

    I’ve argued a lot in the past that UK Academia will need, sooner or later, to go through a “GDS moment” to get back to innovation in a way it can control – as opposed to outsource in bulk – and this talk was definitely a reminder of that.

    Rise of the bot
    As with yesterday’s Velocity sessions, some truly mind-boggling statistics have been released today. One example is that many servers are overwhelmed by web crawlers or “bots” – the automated software agents that index websites for search engines. In his presentation From RUM to robot crawl experience!, Klaus Enzenhofer of Dynatrace told the audience that he spoke to several companies for which two thirds of all traffic they receive is Google Bots. “We need a data centre only for Google”, they say.

    Analytics for web performance
    There has been quite a lot of discussion around monitoring vs. analysis. In his presentation Analytics is the new monitoring: Anomaly detection applied to web performance Bart De Vylder of CoScale argued for the adoption of data science techniques in order to build automatic analysis procedures for smart, adaptive alerting of anomalies. This requires an understanding of the domain of the anomalies in order to plan how to evolve the monitoring, considering for example seasonal variations in web access.

    Using alerts
    On a similar note was the most oversubscribed talk of the day, a 40 minute session by Sarah Wells of the Financial Times which saw over 200 attendees (with many trying to get a glimpse from outside the doors). Sarah told the audience about how it is very easy to be overwhelmed by alerts: in the FT’s case, they perform 1.5M checks per day generating over 400 alerts per day. She gave an account of their experience trimming down these figures. Very interestingly, the FT has adopted the cloud as a technology, but they haven’t bought it from an external supplier: they’ve built it themselves, with great attention to performance, cost, and compliance, surely a strategy that I subscribe to.

    Conference creation
    I also attended an interesting non-technical session by another Financial Times employee, Mark Barnes, who explained how they conceived the idea of an internal tech conference and how they effectively run it.

    Hailed an internal success and attended by their international crowd, the conference idea came from an office party and reportedly has helped improve internal communications at all levels. As a conference/unconference organiser myself (OpenDataCamp, UkHealthCamp, WhereCampEU, UKGovCamp, and more), having this insight from the Financial Times will be invaluable for future events.

    I’m continuing to fill in this Google doc with technical information and links from the sessions I attend, so have a look if you’re interested.

    Looking to the future: sustainable IT and HE web presence


    Simon Geller
    Senior Project Manager
    University of Sheffield
    Member of UCISA-PCMG

    Day Two at Educause

    I started the day at 8am – the Yanks get up early! – with a session on Google Apps. Sheffield was an early adopter of Google so I had an in on this but the session got a bit bogged down in questions about account creation and deletion rather than the potential for collaboration.

    Sustainable IT
    Then I moved on to a discussion session about sustainable IT. This doesn’t get talked about so much these days – I think one of the reasons for this is that the movement into cloud services means that institutions aren’t quite so conscious of their energy footprint. Also, IT shouldn’t beat itself up too much about how green it is – we enable so much green activity in other areas, from maps and journey planners on smartphones that make people feel more comfortable about walking and using public transport rather than driving, pool bike schemes that you register for online, to smart energy management systems and systems that make industrial processes much more efficient. The future is Green IT that you don’t even notice.

    A presentation from the University of Edinburgh on helping non-project managers to deliver success
    In the afternoon, I thought I’d better support our Edinburgh colleagues and went to their presentation on how they provide support for non-vocational project managers. Although the AV wasn’t being helpful, the level of resource they had brought to the issue was impressive.

    Then I continued on my quest to discover where the web would take us in the next 10 years. The key message from What Will Your .Edu Site Look Like in 10 Years? is that your web presence will be going out and looking for your customers rather than waiting for them to come to you.

    Later I found myself in a compliance session I hadn’t really intended to go to, but thought I’d take a risk and stick with it. The message I took away from that is that there are two types of institutions – those that have been hacked, and those that have been hacked and don’t know about it. Scary!

    The final session I attended that day was a trend analysis run by journalists from the Chronicle of Higher Education, and the takeaway from that was that we used to talk about the for-profit sector; now, in the US at least, the whole area is for-profit. Plus two questions to ask suppliers: “What research is (that assertion) based on?” and “What’s the upgrade cycle?” – cutting edge tech doesn’t stay there for long.


    A practical approach to risk management – two perspectives

    Tim Banks
    Faculty IT Manager
    University of Leeds


    This is a write-up of a session I attended on Wednesday at Educause 2015 which was delivered by Bill Arnold, Information Security Analyst at the University of Tampa, and Dr Lawrence Dobranski, ICT Security Access & Compliance, University of Saskatchewan (Canada).


    The University of Tampa, Florida, is a liberal arts institution and has a student population of around 8,000 students, 65% of whom live on campus. There are 1,200 staff and the annual turnover is c. $235m with an estimated annual economic impact of around $850 million. They formally launched their Information Security Program 3 years ago with the appointment of a Chief Information Security Officer, who reports directly to the President (Vice-Chancellor). Their stated aim is to build a culture of risk management, security awareness and data protection, and as part of this, they have created a cyber-security lab. They achieved ISO/IEC 27001:2013 accreditation in July 2015.

    The (often misspelt) University of Saskatchewan is one of the top 15 research universities in Canada with 22,500 students from over 100 countries. They have a 16:1 student:staff ratio and an annual budget in excess of $1bn which includes $9.2m of scholarships and bursaries. They have 120 Graduate Degree Programs (taught postgraduate) and over 200 undergraduate degree programs. It snows regularly and can get very cold! They formally launched their information security program in June 2012, which is centred around the following three areas:

    • IT Security
    • IT Compliance
    • IT Access

    It is a risk based program, meaning that priorities for investment and action are based around a risk score. Bill observed that in 2014, cybersecurity criminals were making more money than drug cartels.

    A number of barriers to progress were noted which included:

    • Lack of executive support
    • Inadequate investment
    • Ineffective information security leadership
    • Information security ‘unaware’ community
    • Information security gaps especially with respect to 3rd party service providers

    Practical steps

    • Ask the right questions to the right people
    • Don’t adopt every aspect of a rigorous standard (like ISO27001), use common sense
    • Focus on information lifecycle
    • Insights will come quickly once you start working with your stakeholders. These will inform your future strategy.
    • Advance planning and effective communication are absolutely essential
    • Don’t use mass surveys (if you actually want people to provide useful information)
    • Decide how you will engage – either in person or through focused surveys
    • Keep the process simple
    • Focus on business processes and impacts on information (e.g. loss / unauthorised access) rather than using technical jargon

    The University of Tampa developed a very simple spreadsheet that included each major business unit on campus, each major process within the units and the process owner. The process owner was asked to rank each of their processes on a scale of 1-5 in three areas:

    • Degree of sensitivity of the data
    • Impact of loss of integrity
    • Impact of loss of availability

    The average was taken of each of the three scores for each process to arrive at a risk score for the process. A discussion was held with the process owner about the information handling lifecycle involved with each process which covered:

    • Accessing the data
    • Processing the data
    • Transmitting the data
    • Sharing the data
    • Storing the data (in both paper and electronic forms)

    They also looked into whether there were any compliance requirements associated with the type of information that was being stored, and determined whether the University IT department or a third party provided the service.
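
    The scoring step described above can be sketched as follows. This is an added example, not the University of Tampa's spreadsheet: the column names, the sample rows, the 4.0 threshold and the rule that pulls third-party services with compliance requirements into the review queue are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample register (not Tampa's data). Column names are assumptions;
# the three ranks are the 1-5 scores each process owner supplies.
SAMPLE_REGISTER = """\
unit,process,owner,sensitivity,integrity,availability,provider,compliance
Registry,Student records,Registrar,5,5,4,IT department,yes
Finance,Payroll,Payroll manager,4,4,3,third party,yes
Library,Room booking,Library services lead,1,2,2,IT department,no
Research,Lab instrument data,Lab manager,3,5,4,third party,no
"""

SCORE_FIELDS = ("sensitivity", "integrity", "availability")
VALID_RANKS = {"1", "2", "3", "4", "5"}


def load_register(text):
    """Parse the register, reject ranks outside 1-5, and add the risk score."""
    rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        for field in SCORE_FIELDS:
            raw = (row.get(field) or "").strip()
            if raw not in VALID_RANKS:
                raise ValueError(f"line {line_no}: {field} must be 1-5, got {raw!r}")
            row[field] = int(raw)
        # Risk score = average of the three ranks, as described in the session.
        row["risk_score"] = round(sum(row[f] for f in SCORE_FIELDS) / len(SCORE_FIELDS), 2)
        row["third_party"] = row["provider"].strip().lower() == "third party"
        row["compliance"] = row["compliance"].strip().lower() == "yes"
        rows.append(row)
    return rows


def prioritise(rows):
    """Highest risk score first; ties keep register order (sorted is stable)."""
    return sorted(rows, key=lambda r: r["risk_score"], reverse=True)


def review_queue(rows, threshold=4.0):
    """Processes to discuss first: a high score, or a third-party service that
    carries compliance requirements (both rules are assumptions of this example)."""
    return [r["process"] for r in prioritise(rows)
            if r["risk_score"] >= threshold or (r["third_party"] and r["compliance"])]


if __name__ == "__main__":
    for r in prioritise(load_register(SAMPLE_REGISTER)):
        print(f'{r["risk_score"]:>4}  {r["unit"]:<9} {r["process"]:<20} '
              f'third-party={r["third_party"]} compliance={r["compliance"]}')
```

    Rejecting ranks outside 1-5 at load time matters because a single mistyped cell would otherwise skew the average and move a process up or down the priority list unnoticed.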

    Summary (University of Tampa)
    Bill provided the following summary of the University of Tampa’s risk based approach to managing information security.

    • Data Discovery – find out where your confidential data resides
    • Opening the Doors to positive change in University departments. You should be seen not as people who stop departments from doing things, but the people who help them to do it securely.
    • Re-engineering information handling, which will require a change in mindset from both IT and the business
    • Getting everyone to participate
    • Security Awareness (education is key)
    • Once they trust you, they will come (bringing information about risks right to your door)
    • Rinse, wash, repeat (continual process)
    • Collaborate to reduce risks

    Always remember there are a lot of things we don’t know that we don’t know, as demonstrated by this slide.





    Summary (University of Saskatchewan)
    Lawrence focussed mainly on the best way to present information security risks to University senior management. This is done most effectively when the senior officers of the University understand and accept the cyber-risk. In addition:

    • The information presented must be in a familiar format, as we cannot afford for the busy people we are trying to communicate with to waste time trying to understand the presentation format.
    • We need to focus on risk information and focus on the high risk areas when talking to the University executive group.
    • Don’t make the visuals too complicated or people will stop listening to you and start focussing all their attention on trying to understand the graphics.
    • Read the IEEE publication (Slide Rules)

    During their audit, they discovered an internet-accessible incubator control unit with a built-in web server. On further investigation, if this had been hacked and the incubators shut down, then thousands of cute little chicks would have died (and research would be put back two to three years). They also found a robot roaming the hall talking to patients which the department was trying to control remotely by adding it to the wireless network. This robot was big enough to cause serious injury to somebody if an unauthorised person managed to take control of it.

    The key stakeholders that Lawrence identified were cyber security professionals (never be afraid to ask for help) and the staff and students at the University. It is vital that those closest to the business processes are closely involved in the threat and risk/privacy impact assessment process. The world of cyber security is a fast changing one, so dedicated cyber security professionals, either internal or external, are vital in order to keep abreast of emerging threats and techniques to combat them. As an institution, we need to own risk and manage it.

    Some particular suggestions for ways in which to present the information security risks included using a Gartner-style quadrant with likelihood on one axis and impact on the other. Then encourage your senior team to only focus on the top-right quadrant, whilst being able to see at a glance the entire risk landscape.


    An alternative is to use a radar plot to display how well the University is doing with multiple aspects of a particular IT security concern.

    Overall this was a very informative session with some practical takeaways on how to both manage information security risks and communicate this to senior managers.