Present: William Dougherty, NI&S, chair and scribe; Richard Quintin-DBAA; Mike Moyer-Data Center Program; Dave Hawes-SIS-Middleware; Steve Cox-CCS; Lucas Sullivan-ITEE; Matt Serr-NI&S Network Infrastructure Installation; Phil Norman-NI&S PR; Brian Jones-NI&S Monitoring, Performance, & Analytics team; Laurie Zirkle-NI&S DCP and Application Management; Lee Doughty-TLOS; Wanda Baber-NI&S DCP; Tim Rhodes-Ops DCP; Brad Tilley-ITSO
TLOS:
TLOS will be doing NAS maintenance Friday, October 13th (Fall Break day) through Saturday, October 14th (time frame still not determined). During this time, the following services may become unavailable for long periods.
The following services will be impacted:
* Echo360 (echo360.tlos.vt.edu and "EchoCenter" links in Canvas)
* NLI Class registration / tracking application (app.nli.tlos.vt.edu)
* LED & Assistive Technologies website (led.tlos.vt.edu and assist.vt.edu)
* Vital / 4VA (vital.tlos.vt.edu)
* Canvas +Guest Button
* UDOIT (accessibility verification) canvas plugin
* Canvas user & course enrollment syncing
* Some legacy/archived sites
We expect Banner uploads to us to fail for the Canvas/user syncing, and we're fine with those failures, and don't think there need to be any special scheduling adjustments.
Question about placing this on the IT Status page; if this is on SAMS calendar it will show as a planned maintenance activity. Should it also show as an "outage"? Concern over placing planned outages on the page to avoid undue traffic.
NI&S NeO:
Lots of maintenance activity on the network planned during regular maintenance windows (Tues & Thurs, 5am-7am). Resnet will have IP addresses changed next Tuesday.
DCP Ops:
Question about patching and how quickly important/critical patches are to be applied? Brad will inform Tim on what the ITSO has promulgated as this will impact many hundreds of systems.
CCS:
Patches will be applied this weekend.
DBAA:
November 4th Banner fall upgrades are scheduled. This is on the calendar. CCS and DBAA will be migrating TimeClock Plus to the VME environment. Short duration outage.
ITSO:
Response re: Patching question
During SAMS this morning, Tim Rhodes said that he was under the impression that the ITSO required critical/security patches to be applied within 7 to 10 days. I told him I was unaware of this and that we do publish a 90 day max on patching in the 20 Critical Controls Methodology in section 2.3:
---
Implementing The 20 Critical Security Controls - Jan 9th, 2016
Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
* Responsibility - University departments and the IT Security Office
* Methods
1. Departments should run security configuration assessment tools on departmental computing devices at least once a year and use the resulting reports to further secure the systems.
2. Departments should restrict logical administrative access to key departmental employees who have been trained to administer systems.
3. Departments should install and monitor file integrity checking software on all critical systems.
4. Departments should use centralized endpoint management software, such as BigFix, Group Policy, and Ansible to ensure that departmental computing devices are securely and consistently configured.
5. Departments should apply critical security patches as soon as practical or within 90 days of release.
Updated after meeting: From Amy Kobezak:
Tim is correct in his understanding. The minimum security standards published earlier this year require critical and high security patches be applied within 7-10 days, otherwise 90. This is for servers and applications. End point is 90 days. http://it.vt.edu/content/dam/it_vt_edu/policies/Minimum-Security-Standards.pdf