University of Minnesota

STANDARDS & GUIDELINES



     

GUIDELINE—Information Technology Support Guideline (Appendix M)


Responsible Office: Office of Information Technology
Responsible Officer: Chief Information Officer

EFFECTIVE DATE: April 2004
RELATED POLICY/PROCEDURE:
Acceptable Use of Information Technology Resources
Information Technology Support Staffing Standard

GUIDELINE
A guideline is highly recommended.


Introduction

The secure operation of much of the computing infrastructure in the University is the responsibility of information technology support staff located in departments and colleges throughout the University. The University depends upon the effectiveness of this staff to protect its technology resources.

The purpose of these guidelines and recommendations is to provide definition and guidance to the University community on organizational issues that directly bear on the effectiveness of technical support and the security of the local computing environment. These guidelines support the related Information Technology Support Staffing Standard.

Because of the varying mix of applications and support levels required in different organizations, ratios of staff to the number of systems maintained can (and do) vary widely. Several factors affecting this ratio and the related productivity of staff are given below, as well as guidance on maintaining the appropriate security technology support environment.

  1. Continuity of support for private data: Units that have a substantial portion of their activity involving access or storage of private or non-public electronic data should assume that the entire unit accesses or stores private data and that all electronic devices need to be secured. In such an environment, it is likely that access to (or physical transfer of) such data will occur on a regular basis.
  2. Professional oversight: Complete self-support of computers or other electronic devices by users with limited technical or security knowledge/skills is not appropriate if storing or accessing private data. Such users can unwittingly add significant additional risk to the environment through susceptibility to various security vulnerabilities caused by misconfiguration and lack of awareness and knowledge. Continuing professional oversight, not just sporadic or part-time problem-solving support, is required to maintain security.
  3. Leadership involvement: Without the strong interest and backing of unit leadership and sufficient staffing to accomplish it, security measures will not be effective. Security of information resources must be a focus of unit leaders and supervisors as well as technical staff.
  4. Staff size: A technical support group must be of sufficient size to allow continuous support during absences such as vacations and sick leave as well as training time away from the workplace for the technical staff. If there is a requirement for any systems to operate or be monitored during non-work hours, a capability to provide such support must be included in the staffing levels. A staff size of one person cannot in most cases provide this capability, especially if private data is involved.
  5. Server support staff: Smaller units often do not have dedicated server support staff. In such units, if there is a need to support multi-user servers, careful consideration should be given to the amount of reserved staff time/expertise required for that support. Additional requirements such as increasing desktop support will spread staff time thinner and thinner over time, with the potential result of a lowering of support for configuration and security of servers.
  6. Staff selection: Selection of staff with appropriate education, experience, and personal qualities is a key ingredient to success in most occupations and especially so for information technology. Knowledgeable and capable supervisory staff should be able to make such selections.
  7. Support model: The support method/model can have a significant effect on staffing and response time. For example, a department with 100 desktop computers that are centrally managed requires a lower staffing level (and can be much more easily secured) than one that requires a visit to every computer to perform maintenance. Explicit unit decisions should be made regarding the appropriate model after review of the alternatives.
  8. Acquisition model: The equipment and software acquisition model can have a significant effect on staffing, response time, and security. A department with a smorgasbord of ages and models of equipment and software requires greater expertise and more staffing than one with more limited options. Vendors do not issue security patches for older versions of software and operating systems. Explicit unit decisions should be made regarding the appropriate hardware and software replacement model after review of the alternatives.
  9. Long-term costs: Web servers, databases, and other specialized technologies can be relatively easy to set up but difficult to maintain and secure. If private information is stored or processed, there is a much greater responsibility and corresponding resource requirement for securing it. Explicit unit decisions should be made after review of the alternatives.
  10. Use of resources: Duplication of centrally provided services should be carefully examined and decisions should be made by unit management after careful consideration of the costs, both apparent and hidden. For example, significant hidden use of support resources can occur in running an email server (anti-virus and spam filters), secure web server (security configuration, patching, monitoring), or private network (maintaining expertise, monitoring).
  11. Continuing education: Availability of training resources (time/dollars) to maintain a current knowledge level is important in a rapidly changing technological environment. In addition to formal training, technical staff should be responsible for attendance at internal technical meetings (e.g. Comp-sec, NetPeople, etc.).
  12. Communications: Two-way communication between supervisory/administrative and technical staff is extremely important. To be effective, supervisors need to be acquainted with technical terminology and concepts. The needs and goals of the University, college, and unit should be reflected in the technical environment supported. The potentials, challenges, choices, and limits of the technologies should be effectively communicated to the unit management by technical staff.

Recommendations for potential improvements:

  • Share technical support staff between smaller units.
  • Share a knowledgeable technical supervisor across units.
  • Establish unit/collegiate standards and policies appropriate to the environment.
  • To reduce risk and cost, provide certain services such as running servers or storage of private data at the collegiate level.
  • Seek assistance and advice from OIT or other comparable departments in the selection of supervisory or technical staff.
  • Manage desktop computers with a more centralized model.
  • Support all desktop computers that store non-public data at the department or collegiate level.
  • Consider use of centralized services such as central email, listserv, or web services.
  • Utilize third-party or vendor-provided patch-management software to allow centralized security updates.
  • Send supervisors to training to improve their knowledge of technology.
  • Send staff to training to improve their skills in new support models.
  • Contract with other units for certain services as needed.
  • Consult with successful departments in other parts of the University to get ideas.
  • Obtain specialized assistance in maintaining and securing a web server or database that stores private information.
  • In higher risk environments, perform periodic reviews of systems.
  • Schedule periodic technology planning meetings to improve decision-making.
  • Budget specifically for continuous education/training of technical staff.

See the Information Technology Support Staffing Standard for more information.

Resources and Links: