Cyber security – top table interest

October 28, 2014

The risk cyber crime presents to the higher education sector was highlighted to Vice-Chancellors at the Universities UK Conference in 2012. Since then, there have been a series of round table discussions which have looked at the ability of the UK higher education sector to respond to cyber crime attacks. I attended the most recent of these which focused on the outcomes of a self-assessment exercise UUK promoted earlier in the year.

Those institutions that had completed the exercise will receive individual reports in the near future and a briefing will be circulated to Vice-Chancellors reflecting on the exercise. The briefing will include an additional report giving details of a number of UCISA resources that support institutions in their cyber security initiatives. The detailed results of the exercise are embargoed until the institutions have received their individual reports but, although it is clear that there is work to be done, there are some encouraging signs that cyber security is being taken seriously at a senior level within many institutions.
There are a number of factors that support this assessment. Firstly over sixty institutions took part in the exercise. In addition to these institutions, I am aware of a number of others that did not take part as they had already carried out similar work either utilising already published controls (such as the CPNI’s twenty controls for cyber defence) or by engaging external consultants.

Secondly there was a good level of interest shown in security and risk related topics by delegates at the Universities UK Conference this year. UCISA exhibits at the Conference to promote our resources and activities. Two publications that drew particular interest were the revised Model Regulations for the use of institutional IT systems and the Information Security Toolkit. Effective information security is underpinned by effective regulations and the Model Regulations give institutions a template to utilise locally. The current version of the Information Security Toolkit provides specimen policies for institutions to revise. The delegates were also interested in the Major Projects Governance Assessment Toolkit – effective governance reduces the risk of projects failing to deliver their anticipated benefits, or having major cost or time overruns.

So there are positive signs that risk and cyber security are being taken seriously. Care is needed though that cyber security is not just seen as an IT problem – people and processes are also important components in implementing effective information security measures. This is something that will be highlighted in the revised Information Security Toolkit – there is a need for senior management ownership and good governance in order for information security to be successfully managed. We also need to guard against IT only featuring at the top table for ‘problem’ issues – we need to work to ensure that the role IT can play in enhancing the student experience, delivering efficiencies is also understood by senior institutional managers.

Postscript – work is currently in progress on a revision of the Information Security Toolkit. It is anticipated that the new version will be launched at the UCISA15 Conference in March 2015.

Meeting the accessibility challenge

October 1, 2014

I attended a session at the Educause conference today on accessibility. This has become more of an issue in the US as a number of universities have faced litigation because of their lack of compliance with disability discrimination legislation. The number of cases is, in the overall context of the US education industry, relatively small but the amount of the awards made against institutions has made some university executives nervous and has driven moves towards greater compliance.

Temple University was one such institution. The University Board set a project in motion to review the current level of provision and take the steps necessary to comply with disability discrimination law. The initial analysis showed that Temple were not compliant with many aspects of that legislation – essentially in the same boat as many other institutions. I suspect that this is much the case in the UK too – there is some awareness of the disability legislation but not of what is required in order to comply.

However, Temple’s Board sought to address this, recognising that they needed to tackle to problem on a number of fronts. It was necessary to define the policy for the institution but then follow it through so that considering accessibility started to become business as usual. A broad based committee was established to oversee the project. Led by the CIO, it included representatives from the service departments but also Estates and the institutional counsel. The policy the group established was clear – we will be accessible. Responsibility for accessibility was devolved to the person providing the technology or information – so faculty were responsible for ensuring their materials were accessible and heads of service were responsible to ensuring compliance in their areas. Will became the watch word – where there were items that could not be made accessible, those responsible were challenged to think of another mode of delivery or whether the items were necessary at all.

After the initial audit, Temple instigated departmental liaison officers that were responsible for promoting the accessibility message within the department, ensuring departmental accessibility initiatives were funded and evaluating accessibility during the procurement process. The group established standards for the web services, learning spaces and IT labs with each bearing in mind the principle that accessibility should be standard provision, not the exception. Checklists were prepared to assist faculty in assessing their materials. Once the preparation was complete, the CIO promoted the policy and available support to a wide range of institutional groups through a series of roadshows.

There were some quick wins once the policy began to be implemented. The largest and most used IT labs were upgraded first bringing an instant return. Web accessibility standards were introduced and processes established to ensure compliance. Control panels in smart classrooms were upgraded. However, not everything gave so rapid a return. Although the processes were in place to ensure the web sites were compliant, adoption was slow. The guidelines for instructional materials took over 12 months to complete and a larger group was established to review and amend them as required. The initiative wasn’t cheap – Temple spent over $600k in their move towards compliance.

Not all institutions in the US had followed the same road – some opted to steer clear from even establishing an accessibility policy as they felt that doing so would put them at greater risk of litigation. I suspect the reverse is true – if you have a policy in place and plans to implement it then I believe you are less prone to litigation as you have recognised that you have a problem (in not being compliant) and are taking steps to address it. I wonder how compliant UK institutions are with the Disability Discrimination Act. My gut feel is that there probably aren’t that many. Will it take litigation in the UK to change that?

Sharing across borders

September 30, 2014

UCISA is a member of the Coalition of Higher Education IT Associations (CHEITA). Many of the issues we face in the UK are the same in other countries – it is hoped that the existence of CHEITA will encourage international collaboration to address those issues. The following is a report on the Spring meeting of CHEITA.

The Spring CHEITA meeting took place ahead of the UCISA14 Conference in Brighton, UK in March. The meeting looked at the four main issues that were identified at the CHEITA meeting at EDUCAUSE in Anaheim in October 2013 and sought to identify resources that member associations were willing to share to assist others in addressing those issues. In addition, there was a brief update on the benchmarking activities since Anaheim. The afternoon session was dedicated to the support of research and included a number of presentations. The meeting was attended by representatives from France, Italy, Sweden, EUNIS (the Europe wide association), Hong Kong, South Africa, the USA and the UK.

Benchmarking

Susan Grajek gave a brief update on the work of the CHEITA Benchmarking Group and the work EDUCAUSE have carried out. Susan highlighted the Top Ten IT Issues and the Top Ten Strategic Technologies for 2014. The discussion in Anaheim had focused on the need to develop maturity indices for technologies in higher education institutions (HEIs). Susan noted three areas where EDUCAUSE had developed indices:

• Research computing (see http://www.surveygizmo.com/s3/1125699/Research-Computing-Maturity-Index);
• Analytics (see http://www.educause.edu/ecar/research-publications/ecar-analytics-maturity-index-higher-education);
• E-learning (see https://www.surveygizmo.com/s3/1298256/E-Learning-Maturity-Index).

In addition SURF have developed a maturity index for Green IT (see http://www.surf.nl/en/knowledge-and-innovation/knowledge-base/2014/surf-green-ict-maturity-model.html).

A meeting of the EUNIS Benchmarking Group was held in December with Leah Lang attending from EDUCAUSE. The group had identified five elements that could be established as international IT benchmarks. It was noted that there were particular challenges in measuring spend and the quality of service delivered. It was also noted that it was difficult to compare institutions internationally because of the different educational systems in each country and different institutional missions within it. The CAUDIT Complexity index may provide a mechanism for facilitating international comparison. It was noted that the index worked well in South Africa and initial results in applying the index to US institutions was encouraging.

Jisc have developed a Financial X-Ray to establish the cost of IT in institutions. This work has identified a taxonomy for IT Services in institutions and looks through financial and staffing information to identify full costs for each element of the IT service provision. This is available as a service from Jisc. It was noted that a substantial amount of effort was required to establish full and accurate costs. A group looking at benchmarking of all university services is considering using the X-Ray method across all service departments for facilitate nationwide benchmarking.

There was a brief discussion on the role of benchmarking in driving improvements and efficiencies in institutions. There is a need to link cost with the quality of the service provided, both in terms of the service itself and customer satisfaction. Without an understanding of the quality of service and its relationship with cost, there is a risk that institution management may jeopardise quality services if they compare on cost alone. The UCISA approach has been to encourage benchsharing – institutions looking at the outputs from statistics exercises should compare all aspects of that service with their peers.

In addition to core data surveys, UCISA has carried out a benchmarking study on university service desks in the UK (report launched at the UCISA14 Conference) and Technology Enhanced Learning (report published in September 2014). UCISA is also planning to carry out a survey on Digital Capabilities and will look to see how these surveys can be shared effectively across the CHEITA members.

Information Security

A number of associations were carrying out work to improve information security in institutions in their countries. Cineca have developed systems to provide services on demand. These include virtual machines, disaster recovery and a remote systems management service. Cineca are storing and maintaining scientific data sets, backing them up and managing access to them through various clients. It was noted that institutions in Italy are mandated to have business continuity plans in place; the Cineca system assists in those plans.

The regulations institutions have in place underpin good information security. UCISA was launching the latest edition of its Model Regulations at the Conference; these are designed for institutions to take and adapt as they require. In addition, UCISA was revising the Information Security Toolkit. This is a substantial piece of work and the expected publication date is March 2015. The current version is available online.

In the UK, the operations of universities are overseen by governing boards that include members with no higher education background or involvement. UCISA has worked with the Leadership Foundation for Higher Education in the UK to produce a guide for institutional governors to help them understand the application of IT in universities and the related issues that institutions might face.

Efficiencies and modernisation/cloud and shared services

It was noted that all associations seek to drive efficiencies and modernisation in their membership by promoting best practice and sharing knowledge. Those that are consortia will help their members achieve efficiencies by developing new (and potentially shared) services for their members. The challenge within individual institutions is demonstrating that initiatives are delivering the efficiencies expected.

There were a number of developments taking place in Italy. Cineca were looking at providing facilities for a use on demand service for MOOCs. The prospect of developing a system based on the complete student lifecycle was being investigated. Cineca were developing a number of cloud solutions. EUDAT is a collaborative data infrastructure which will allow research data to be shared between communities and fortissimo provides services running on a cloud based high performance computing (HPC) infrastructure. In the UK, the possibility of a data centre being shared between a number of research focussed institutions to facilitate the sharing of research data was also being investigated. The University of Aberdeen and Robert Gordon University have refurbished a data centre and are now sharing it with another institution in the North East of Scotland. The initiative won the UCISA Award for Excellence this year.

EDUCAUSE have established a working group looking at the total cost of ownership of cloud computing and are starting work to establish if Cloud is cost effective. The Financial X-ray work from Jisc started as an initiative to ensure that institutions understood their full internal costs and so were able to compare their internal provision with cloud offerings. UCISA has produced a briefing paper on Cloud Computing targeted at senior management within institutions.

There is an initiative in Europe that is looking at the area of learning analytics. The LACE project is funded by the European Union and is considering the ethical aspects of learning analytics as well as looking to share best practice.

Support of research

The afternoon part of the meeting focused on the support of research and CHEITA delegates were joined by representatives from universities and a number of other organisations. It was recognised that, with increasing international collaboration, standards played a key part in sharing information. The session opened with two presentations looking at standards.

EuroCRIS is the European organisation for international research information. Although primarily Europe based it has members worldwide, including Australia, Canada and the USA. EuroCRIS promotes sharing through CERIF, the Common European Research Information Framework. CERIF supports a range of data objects, including publication, person and funding. It is intended that Research Information Systems (RIS) will hold information or be able to import/export information in the CERIF format. In the UK, the framework has been used to track publications and harmonise reporting. Germany is following the UK model. EuroCRIS are linking with CASRAI and ORCID.

A working party formed by Jisc and including representation from UK universities, research organisations and UCISA, recommended that the ORCID was adopted as a standard identifier for researchers. Following on from that recommendation, Jisc have established a number of pilot projects to streamline the ORCID implementation process at universities and to develop the best value approach for a potential UK wide adoption of ORCID in higher education. The pilots were due to begin in April 2014 and mirror similar projects taking place in the US.

Open access to research outputs, including data, is proving a challenge to CHEITA members. The pressures to develop an infrastructure to facilitate open access come from both governments who are seeking to maximise the investment they make in research by making the outputs more publicly available, and from the researchers themselves (particularly younger researchers) who seek to build their reputations through publications. The difficulty for publications is balancing the timeliness of public access against the desire for research outputs to be peer reviewed and the commercial aspects of publishing against the open movement. Open access to research data presents a further set of problems – the data need to be made available in such a way that they are discoverable and reusable and its curation and preservation need to be well managed. Both data and publications need to be discoverable. In Italy, Cineca have produced a number of resources to assist Italian universities. These include a directory of open access repositories, a registry of archiving policies where open access has been mandated, a directory of open access journals and a portal to provide a central point of access to publications archived in Italian open access repositories and journals. In addition, they have been participating in cross-Europe initiatives such as OpenAire to support the discovery, sharing and reuse of research outputs.

The meeting moved on to discuss institutional responses to the challenge of supporting research. In both instances it was clear that institutions need to invest heavily in supporting research if they are to maintain and/or enhance their research standing. The University of Cape Town (UCT) have established an eResearch Centre. The University recognised that leading research universities have a strategy that ensures that their researchers are equipped with the latest tools and techniques to raise their profile and improve collaboration. Consequently UCT planned to build an eResearch Centre to support their strategic mission to raise the quality of research within the institution and its profile globally. The first phase is to establish the core IT infrastructure to support research – HPC, storage and on demand (cloud) services were key to the initial phase but they must also be supported by dedicated IT and Library staff with a strong understanding of research. Thereafter the infrastructure can be built on by identifying discipline focussed pilot projects to develop institutional capabilities. Interdisciplinary projects can then follow before finally moving to international collaboration.

The University of Bristol was also contemplating setting up an eResearch centre which would bring two strands of activity together. The first of these was to develop a research data service which would assist researchers to develop data management plans, provide training and assist archiving data. The other strand was to develop an effective IT infrastructure to support the diverse requirements of researchers at the University. Bristol already provide 5Tb of storage to their researchers but need to build the support and tools to further assist their research faculty.

There were a number of common themes from the two presentations. The first was that IT departments are poor at communicating with researchers – this has led to frustration and the trend for researchers to do their own thing and build their own research infrastructure and support. A possible solution to this was to create a new role of Research analyst with IT or the eResearch Centre. This would be someone with a research background who would be better placed to understand researchers’ needs and both help them to use the tools available and communicate what was required of IT. This would go some way to making things as easy as possible for researchers – the institution needs to provide tools and support to its research community.
The meeting concluded with a discussion on research infrastructure models. These varied between highly centralised and government sponsored services (such as in Finland), services developed by consortia (such as in Italy) and services developed collaboratively between institutions (a growing model in the UK). In South Africa, one institution (UCT) appears to be taking the lead. The conclusion was that there was no one size fits all solution. There are perhaps efficiencies to be gained from a coordinated national approach which may require direction from government to be achieved.

Mission impossible

June 17, 2014

I attended a session at the EUNIS conference on internet security given by Leif Nixon from the Swedish National Supercomputer Centre. The first two words of the presentation title were “Mission impossible” so it seemed unlikely that there would be many answers to the challenge of securing the internet. And so it proved. Although, as Leif pointed out, people will “hook up all sorts of crap to the internet” (his words), the problem is with how that crap is configured, allied with individuals or groups that take advantage of vulnerabilities to attack systems. A great deal of what is connected to the internet is insecure by default.

Leif highlighted a range of devices that were insecure when purchased. These included routers for which the default password for the admin username was ‘admin’. He had found how to reset the password but the chances of an ordinary member of the public resetting the password were practically nil. It was much the same story with patching firmware – even if end users received a patch to update firmware to correct a vulnerability, few would have the expertise to apply it. It wasn’t just routers that were the problem – webcams, access control systems and printers all had vulnerabilities of various forms. These included open root access, poorly configured firmware (support for which was often deprecated) and automated responses to polling on given communications ports. Such devices are not just home owned – the chances are that there will be unsecured devices in practically every organisation (Leif illustrated the point by identifying devices in a number of organisations).

Why is this a problem? In short, it is these devices that are used as the source of a range of internet attacks such as denial of service. Those that are so minded can gain control of the device or can utilise its configuration to generate targeted traffic. The consumerisation of IT means that there is pressure on low end manufacturers to produce devices at as low a cost as possible and as a consequence there is little or no effort put into ensuring that the devices are secure at sale or providing ongoing support for the firmware. There is no financial incentive for them to do so. As a result there will continue to be insecure devices connected to the internet for those who want to do harm to exploit, making securing the internet truly “mission impossible”.

Getting past “the computer says no”

April 16, 2014

Linda Davidson highlighted in her presentation at UCISA14 that IT continues to have a very negative image. There are many reasons for this but we have all had the “The computer says no” experience where IT is blamed for a lack of information or for the inability to respond to a question. It is a response borne of poor processes and is symptomatic of an uninterested and disengaged support service. The impact of the negative image is such that the services’ customers are also disengaged – they don’t even bother to ask the question as they expect a negative answer – but also it is often applied to all IT services.

Confidence in the reliability of the service underpins any efforts to build good customer relations. It is vital, therefore, to get the core services right to ensure that the service is regarded as a trusted partner and in order to be in a position of influence with key stakeholders and decision makers. All members of staff have a role to play – it is important for staff to be consistent in delivering the services message, becoming respected within their spheres of influence and to engage with the department’s customers.

The Service Desk is often the first port of call. It was encouraging, therefore, to hear Sally Bogg quote from the HE Service Desk Benchmarking report that professional standards are being adopted widely for service desk operation. As one delegate pointed out, “Service operation where is users get value from IT – get it wrong, people will think IT is rubbish”. However, many institutions are at the start of the journey; the absence of formal service catalogues and service level agreements are key indicators that the processes that underpin those standards are some way from maturity. Continued investment and continual improvement is needed to ensure that the people and processes continue to deliver quality service.

It isn’t just about changing one aspect of a service – the whole department needs to reflect the service and have a strong customer ethos. This may require a shift in attitude amongst some staff who may be set in their ways and views. Changing culture, as Chris Day observed, is never an easy journey but is necessarily the first step to improving customer service. All members of the department need to be able to engage with your customers – particularly as they may offer less formal routes to key stakeholders.

Where there is more formal contact, it is important to ensure that the individuals involved understand the needs of the customers they are talking to. That way, trust and credibility will be built. This was seen as a particular issue when talking to researchers and some have sought to address this by employing staff with a research background specifically to talk to researchers. There were, however, few examples of such a specialist role – in many instances account management is tacked on to some jobs as an afterthought or in some cases is not acknowledged at all.

It is important to remember that all staff in IT service departments are essentially account managers. They each have their own sphere of influence, through formal and informal contacts and so all have the potential to influence customers and key stakeholders in the university. They need to deliver the services message and there needs to be consistency across the piece. The difficult part is getting them all to recognise their account management role and so play their part in IT services being a valued and trusted partner so that the computer says “yes”.

 

Current challenges in the sector

March 19, 2014

I circulate a briefing to exhibitors ahead of each of UCISA’s main conferences. As we are approaching UCISA14, here’s my take on the current state of the nation…

Current challenges for IT departments

1. Efficiencies and modernisation

The continued uncertainty within the sector has prompted increased focus on efficiencies and modernisation. CIOs and IT Directors continue to look at different ways of providing services and at streamlining operations. Many IT departments now deliver services by blending outsourced provision with internally provided services. The sector has been slow to adopt new shared services but there is growing evidence that institutions are looking to collaborate to share data centres and infrastructure. One such example is the North East Scotland Shared Data Centre which won the UCISA Award for Excellence and is featured in the University Showcase sessions on Wednesday afternoon.

Work on delivering efficiencies is not restricted to outsourcing alone. Many IT departments have responsibility for process improvement and for working with other departments within the institution to make more effective use of IT systems. The IT department will play a critical role in assisting the institution in identifying the benefits of new systems, prioritising those developments and demonstrating those benefits post implementation.

2. Student services and engagement

The advent of higher fees has seen a shift in attitude towards the student body in institutions. Students are now seen as partners helping shape decisions in their institutions and there is ongoing investment in understanding students’ expectations in order to build responsive services. In addition to the improvements in student engagement, institutions are looking at how they can make better use of the data they hold in order to both improve retention and improve student satisfaction. The aim of many of the efficiencies initiatives taking place in institutions is to improve the service for students, either by providing access to resources that could not be accommodated in house, or by improving system resilience. Additionally institutions are investigating ways of providing access to institutional resources from off campus.

3. Research data management

Whilst the changes in the fees regime are driving efficiencies and student related initiatives, a drive from Government and the Research Councils has made managing research data is a particular challenge to CIOs and IT Directors. There is a need to store large volumes of data generated as part of academics’ research but also to provide and manage wider access to that data for an extended period once the research has been completed. However, not all data should be openly available. Institutions carry out research that is commercially sensitive or contains personal (particularly medical) data; clearly such data needs a different level of protection to ensure that the information remains secure.

The current environment

A year ago the sector was managing the impact of the change in fees regimes in each of the four home countries. Although there was an overall fall in student numbers, the impact varied from country to country with the drop in undergraduate numbers not unexpectedly most pronounced in England. The different fees strategies saw an increase in EU enrolments offset a fall in UK domiciled undergraduates in Scotland but elsewhere EU student numbers also declined. There were, however, signs of recovery with undergraduate applications for courses for the current academic year increasing.

The optimism that undergraduate student numbers would bounce back was not misplaced – there were a record number of students placed into higher education through UCAS for the 2013/14 academic year. However, that does not give the complete picture. There were a number of institutions that failed to fill their undergraduate places despite the record numbers of acceptances UK wide. The sector has not seen a similar recovery in postgraduate and part time enrolments and there is evidence that the number of international (non-EU) students wanting to study in the UK is decreasing. This has led to a wide variation in the financial performance of individual institutions across the sector, and some institutions will face challenges if they experience repeated falls in student recruitment.

There are 30,000 additional places available at English higher education institutions for 2014/15 and the student number cap will be removed altogether from 2015/16. The removal of the cap will create both opportunities and risks, and increasing levels of uncertainty over student recruitment. This could lead to greater volatility in financial forecasting and even greater variations in individual institutional financial performance.

One impact of the increased competition has been greater emphasis on infrastructure and systems relating to all aspects of the student experience. Many institutions invested in their infrastructure ahead of the increase in fees but institutions continue to make capital investments in infrastructure, particularly where there has been historic underinvestment. There is concern, however, that the current growth in capital investment is not sustainable, with accounting changings requiring institutions to carry pension scheme liabilities on their balance sheet impacting available reserves and uncertainty over future student recruitment.

It is clear that the future higher education environment will be characterised by increased competition and as a consequence, institutions will need to be more agile in order to stay ahead of or respond to the competition. IT is critical to higher education institutions with IT embedded in every aspect of an institution’s operation. This will require a highly skilled IT department which, from the top down, has a good understanding of the institution’s business and aims.

The Conference website gives details of the programme and will include the presentations. I am looking forward to many good conversations with delegates and exhibitors alike.

Shout it from the rooftops!

November 27, 2013

One of the messages from the Universities UK conference in September was that universities need to do far more to promote themselves. There continues to be scepticism about the value of universities and the introduction of the new fees regime has fuelled that scepticism further. In addition, there is a belief by some in Whitehall that the sector is “feather bedded” and inefficient. In his address to the conference, the Universities UK President, Christopher Snowden highlighted two risks identified in a report from 2011 by the National Coordinating Centre for Public Engagement – that

“public support for investment in the sector could be damaged because society does not fully appreciate the value of higher education”

and that

“without better insight into how universities generate value, we miss an important opportunity to achieve more with limited resources, and will struggle to engage in purposeful debate with wider society about the future direction of the sector”

He noted that “We need to pull together and communicate the value of higher education using real examples that mean something to the public, business and politicians”. It was a theme Toni Pearce, President of the National Union of Students, revisited in her address at the same conference. Universities need to go out and promote both themselves and the sector.

Although the focus of both addresses was at the institutional and sector level, there are some clear parallels for IT service departments within institutions. They are facing similar challenges internally – the value of what they deliver is not understood. All too often IT is seen not as a strategic contributor to the success of the institution but as a utility and a cost. To paraphrase Christopher Snowden, we need to communicate the value of IT using real examples that mean something to institutional management.

Delivering that message isn’t just restricted to the IT Director or the CIO. Everyone in IT Services has a role to play, to be on message, to listen to the customer, understand what they are trying to achieve and to promote what IT services does. There needs to be an efficient mechanism within the department to harvest all this information and to act appropriately on it in order to ensure that IT services can improve the service and anticipate demands. Providing a quality service, listening to customers and responding to their needs will go some way to IT services becoming a trusted partner in delivering their institution’s strategic aims.

There are, of course, other opportunities to demonstrate the excellent work that IT services perform – awards. UCISA has invited entries for both the Award for Excellence and the Amber Miro Memorial Award for innovation. Success gains recognition from the Vice Chancellor of the winning institutions and provides the opportunity to promote the institution more widely in the sector. However, institutional IT service departments face a wide range of challenges with demanding customers in a complex environment. They are delivering quality services comparable to commercial companies. So it is all the more pleasing to see two universities beating large commercial organisations to win awards at the UK IT Industry Awards. Congratulations to the University of Aberdeen (and their partners Robert Gordon University and North East Scotland College) for taking the Data centre project of the year category and to the University of Derby for winning the Network/infrastructure project of the year. I hope that the PR departments of the two universities promote their success beyond the institutions. We need to take every opportunity to demonstrate that universities are efficient and effective in delivering quality services, to promote not just IT services within institutions or even within the sector, but the sector as a whole.

Challenges for heads of Corporate Systems departments

November 20, 2013

I write a briefing for the Exhibitors at the UCISA CISG Conference which focuses on the challenges the Conference delegates are facing and highlights the current issues in the sector. The briefing is below….

Challenges for CISG delegates
1. A blended approach to service delivery

IT service departments have long been in the position where they have had to support an increasing number of systems and services without a commensurate increase in resources. This has led to increased adoption of outsourced services for some aspects of the service whilst retaining a core of services in house. It is rare that the reason for outsourcing a service is to reduce costs. More often it is to improve the service offered, to free up resource within the IT department so that it can be redeployed on projects more closely aligned with the institutional mission, or to address skills shortages. The move to a blended delivery model has its challenges; integrating services from a range of providers is not cost free and institutions have to ensure that any outsourced service has at least comparable resilience to those provided in house. There is still some uncertainty amongst senior university management about the role cloud services may have in providing IT services and storage, particularly with regard to managing research data. This uncertainty is reflected in a continued trend to build data centres rather than procure cloud services.

2. Business intelligence, analytics and data/information governance

The volatility in student numbers over the past two years has resulted in increased use of business intelligence and analytics to model potential scenarios to assist planning. Analytics are also being used to improve retention by using data from a variety of sources to identify those students at risk of dropping out and we are starting to see more attention being paid to the potential for learning analytics to assist students in making their module and course choices. This has, along with the implementation of the Key Information Set (KIS), highlighted the variable quality of data within institutions and has brought greater focus on information and data governance. The need for strong information governance has been highlighted by the Department of Business, Innovation and Skills in its briefings on cyber security. Although primarily focused on ensuring that sensitive research is adequately protected, they have resulted in a greater attention being paid to managing information, securing data and ensuring compliance with legislation within an environment where open access, particularly to publicly funded research, is encouraged. The growth in the use of portable devices such as laptops, tablets and smartphones both on and off campus to access corporate information and to possibly store personal information and university records presents a new challenge in preventing data protection breaches and ensuring an institution’s data are not compromised. CISG are running an event on information management and governance in January which may be of interest.

3. Skills shortages

One of the reasons institutions have cited for moving to a managed service has been to address skills shortages. A number of institutions are facing skills shortages in key areas. This is partly as a result of year on year budget and staffing cuts which have meant that there is no flexibility in managing staff resource, and partly because internal role evaluation exercises have led to the salaries for technically focused posts being unattractive for suitably qualified personnel. This may see an increase in the use of external agencies to deliver projects and an increase in the use of managed services, either for service provision or for specialist IT support.

The current HE landscape

The 2013 admissions cycle closed with a more positive outlook for the sector as a whole. The number of undergraduate admissions returned close to the 2011 levels after the expected dip in numbers in 2012 and many universities achieved their target numbers. However, there remain concerns about the drop in postgraduate, part-time and mature student numbers and the impact of the Home Office rhetoric on immigration continues to be felt with international students proving harder to attract.

Although many universities budgeted for a drop in student numbers in 2012, few anticipated how far short of achieving their targets they would fall. This has resulted in institutions cutting budgets further whilst still looking to continue to invest in improving the student experience. The recovery in student numbers, whilst welcome, does not signal a significant improvement in the ongoing financial position for institutions. There are growing pressures on research funding and with requirements for open access to resources and long term storage of data, institutions are having to do more with, at best, the same but in many instances, less. The same is true of fee income. Undergraduate student fees are not increasing with inflation and so are falling in real terms, whilst the costs of teaching continue to rise. Consequently the focus on efficiencies and modernisation remains. Institutional initiatives are supported by national programmes to improve efficiency, notably by driving savings through better procurement. There will be many institutions that will look to modernise their processes by implementing new IT systems. However, IT is only part of the solution; the introduction of a new IT system needs to be supported by process improvement and, in many instances, a change in culture. The recent UCISA publication Strategic challenges for IT departments highlights the complexities of successfully embedding IT systems and services to deliver successful business goals.

The White Paper Students at the heart of the system, published in 2011, recognised the need for reducing the reporting burden on universities. The HEDIIP programme has been instigated to attempt to reduce this burden and looks to enhance the arrangements for the collection, sharing and dissemination of data and information about the UK higher education system. The Director of HEDIIP, Andy Youell, spoke about the Programme on Wednesday afternoon.

You can view the presentations from the conference from the link on the conference web page.

Starting point for rationalisation

August 28, 2013

Last week the Higher Education Data & Information Improvement Programme (HEDIIP) published an inventory of data collections made by higher education institutions (HEIs). The inventory verifies the results from a survey carried out in 2010 by the Higher Education Better Regulation Group (HEBRG) – there are over 500 different data collections required of the sector.

Although each HEI will only be returning a subset of the data collections listed (in some cases a fairly substantial subset) the inventory clearly illustrates the high demand, and hence burden, placed on the sector for its data. It was created to both allow HEIs to better understand the collections they are submitting and to give data collectors sight of the other collections being undertaken. The former may appear a surprising objective but the primary contacts for many of the collections required by the NHS and professional bodies are at departmental level. Consequently, although there is a clear understanding at institutional level of the major reporting requirements and their links to risk and audit, few have a complete overview of all reporting.

The report accompanying the inventory also picks up a number of issues. The HEBRG report identified that the NHS and its associated organisations accounted for around 10% of the data collections carried out by the sector. This 10% is made up of collections from a wide range of organisations with disparate requirements. This variation is exacerbated by some of the Strategic Health Authorities varied the standard NHS dataset to meet their own requirements – clearly any variation from a standard results in an additional reporting burden.

There are a large number of professional, statutory and regulatory bodies (PSRBs) collecting data for the sector accounting for just under 30% of returns. The development of the Key Information Set has clarified those PSRBs that accredit courses in the sector but there are a number that have some form of engagement with the institutions that do not appear to have a formal accreditation role (as identified by the KIS). However, institutions (perhaps at a departmental level) identify benefits of PSRB engagement. Whilst the volume and variety of PSRB collections is one challenge, a further issue is that institutions cannot easily use data from corporate systems because of the particular requirements of the collectors. This in itself leads to bespoke data collection and reporting with its incumbent cost.

There is some cause for optimism though. The establishment of Health Education England will provide some focus for the whole healthcare education and training system (at least in England) and it is hoped that the body will play a key role in rationalising institutional reporting to NHS bodies. Similarly the Medical Schools Council has been working with a broad group of bodies to streamline other health related data collections. The report notes that Contact with a number of PSRBs has identified attempts at reducing the load on institutions by setting common standards within a group of PSRBs, using available institutional data, collecting data with regard to internal business cycles and using, or encouraging the use of, HESA data. So it is hoped that this core set of PSRBs can achieve some streamlining and that they may act as champions to bring others on board.

The inventory marks a starting point for rationalising the number of data collections required of the sector. It is encouraging that some data collectors are at least starting on this path. But consolidating the number of data collections is only half the story. It is hoped that institutions will take the opportunity to use the inventory to get a better understanding of how others use their data and where data is processed within the institution. Improvements in the data quality and collection and processing of data may then follow. If both these objectives are achieved then HEDIIP will have delivered some major benefits to the sector.

Within these walls…

July 22, 2013

A recent article in the New York Times highlighted the growing number of cyber attacks on US universities. The situation is likely to be much the same this side of the pond. Universities host significant research which would be of interest to commercial organisations and certain overseas governments and are something of a honey pot for cyber criminals.

The Centre for the Protection of National Infrastructure (CPNI) has been aware of the risk that cyber crime presents to the UK’s intellectual property and, after focussing on the commercial sector, highlighted those risks to Vice-Chancellors at their conference in 2012. The advice that was given concentrated on the twenty controls for cyber defence – it was suggested that universities should adopt these in order to protect the research information and intellectual property within their institutions. However the controls are something of a blanket approach; they fit well for a commercial organisation where a breach of rules is likely to result in dismissal and they fit well for government departments where strict rules can be enforced relatively easily. Universities on the other hand are encouraged to be open. There is a requirement not just to share the results from research openly but also to make the data on which that research was based available so that it can be re-used. Collaborative research, with institutions across the world and with industry, is encouraged. There is a desire for universities to be a focal point in their local community, to foster greater engagement with members of the public and to play a role in regional development. Then there is the university membership –employees, students and visitors connecting their own devices onto the campus network. All in all, not the type of environment that lends itself to the rigid, blanket application of security controls.

The need for effective cyber security in the sector is being discussed by a working party convened by Universities UK. There is, I believe, understanding that the controls need not be applied to the whole of the university estate – most of the data held within an institution is not sensitive so doesn’t need that level of protection. However, whilst the locations of corporate data such as student or personnel records are largely known, the same is not necessarily true for research data. It has long been recognised that a significant body of research data is held on individual academics’ PCs and laptops and that this data is not always backed up, let alone secured. Similarly, whilst an administrator is likely to have an understanding of how personal data should be handled, is the same true of the researcher and sensitive data?

What is needed, as Brian Gilmore pointed out at a recent UCISA event, is a risk based approach – data needs a level of protection commensurate to its sensitivity. But in order to appropriately protect data, the institution needs to know where it is and understand its value and sensitivity. Educating research staff and changing their behaviours is critical to this and is probably the biggest challenge to effectively protecting the UK’s intellectual property held in our institutions. Once that has been addressed, institutions will have better control of the critical data within their walls.


Follow

Get every new post delivered to your Inbox.