ANNUAL REPORT 2021-2022 INFORMATION TECHNOLOGY AND COMPUting SERVICES

Assessment Measures

Ultimately, ITCS’s goal is to provide an excellent IT experience that supports the teaching, learning, research and business needs of the ECU community. We want to improve the ability of faculty and staff to use technology and IT services to get their work done, and for students to use technology and IT services to complete their studies. ITCS assesses feedback from the campus community as part of a continuous improvement process to make enhancements to systems and services to better meet faculty, staff and student needs.

2021-2022 ITCS Customer Service Survey Results

Assessment measures include a customer satisfaction survey that is sent to users once a Pirate Techs service request is closed. This survey — part of an overall strategy for continuous service improvement — identifies where we have opportunities to better serve the ECU campus community.

2021-2022 Information Technology Services Graduating Senior Survey

The ECU Graduating Senior Survey, administered by Institutional Planning, Assessment and Research (IPAR), includes questions specific to ECU technology services and resources. Average student ratings for 2021-2022 are shown in the table below.

When asked to rate the quality of support provided for information technology resources during their graduate education and/or thesis/dissertation research, the average rating was 4.0 on the 2021-2022 Graduate Student Exit Survey administered by IPAR.

The ITCS Project Management Office (PMO) continues to streamline project delivery and initiatives at ECU. Working collaboratively with cross-campus departments and talented ITCS technical professionals, the PMO aims to provide project onboarding, guidance, support, coordination, monitoring, and reporting.

2022 Projects Completed by Classification (Run, Grow, Transform)

Developed by Gartner, the Run-Grow-Transform model supports IT planning and investment in IT products and services. Projects classified as “Run” maintain essential day-to-day business functions and capabilities. “Grow” projects enhance or expand existing IT systems in support of business growth. “Transform” projects are often innovative and focus on expansion into new markets or audiences.

IT Strategic Goals

Goal #1: Cultivate an intentional culture of IT security

University Responsibility: We will reward innovation and continuous improvement in processes, technology, business intelligence and infrastructure.

ITCS shall cultivate an intentional culture of IT security within its workforce and its campus partners. This will involve adopting appropriate security requirements as essential elements of IT product and service selection criteria, IT system and application designs, IT service implementations, technology support activities and incident management processes. Appropriate safeguards shall be selected through a combination of risk-based decisions and university compliance obligations.

Goal #2: Enable innovative teaching and learning

University Commitment: Maximize student success

ITCS shall create an academic technology environment that promotes innovation and collaboration with stakeholders that encourages the exploration and adoption of new teaching tools and provides learning technologies that maximize student success by enhancing the learning experience of our students.

Goal #3: Governance

University Responsibility: We will reward innovation and continuous improvement in processes, technology, business intelligence and infrastructure.

Governance within ITCS is our method to ensure active and resourceful use of institutional resources and capabilities to meet the goals of the university. The ITCS governance structure focuses on strategic alignment and prioritization of investments, to assist with ensuring ITCS is working on the most important initiatives for the university and that appropriate resources are allocated.

Goal #4: Operational excellence

University Responsibility: We will reward innovation and continuous improvement in processes, technology, business intelligence and infrastructure.

Continuously improving and ensuring efficient/effective performance of core business functions and enterprise services by providing quality customer service and exceptional service delivery is crucial to accomplishing the ITCS mission. ITCS will implement customer-centric and service-management approaches to continuously improve IT delivery. This will result in cost-effective enterprise solutions that reduce costs, streamline development and provide staff, faculty and students access to excellent information technology and information services.

Goal #5: Staff development

University Responsibility: We will embrace an inclusive university community and are committed to recruiting and retaining faculty and staff with diverse backgrounds.

Facing constant challenges to recruit and retain high-caliber IT professionals whose skills reflect our current technology requirements, ITCS will continue to seek the best-qualified candidates, to promote career goals across the IT workforce and to provide appropriate training to nurture the talent required to deliver tomorrow’s technology in a changing workplace environment.

Goal #6: Strategic sourcing

University Responsibility: We will control costs and diversify revenue streams.

ITCS shall build a foundation for strategic sourcing that will aid in development of a plan to enable IT sourcing processes for choosing or procuring information technology resources from a party outside ITCS. With our fast-changing business environment and evolving business objectives, it has become essential for ITCS to generate a strategic sourcing plan where vendor relationships are collaborative and guarantee the capability to respond to ECU’s changing business needs with the assurance that goods and services are obtained at the lowest cost consistent with university requirements for quality, performance, service and resource availability.

Goal #7: Support for world class research

University Commitment: Lead Regional Transformation.

ITCS shall deliver services and technologies that support the university’s research community initiatives through the creation and implementation of resources for research computing.

Cybersecurity Tabletop Exercises

Cybersecurity tabletop exercises provide ITCS the opportunity to share knowledge and best practices with campus partners, ultimately strengthening ECU’s overall cybersecurity. In June of this year, the Information Security Office facilitated cyber incident response tabletop exercises for the Emergency Management Team and the Data Stewardship Committee. The Information Security Office also represented ITCS in a campus-wide ransomware tabletop facilitated by the Office of Environmental Health and Safety in March 2022. This exercise was conducted by an external consultant, the National Association of Campus Safety Administrators.

Maturity Assessment of the University’s Information Security Posture

Traditionally in the past, ITCS has completed the annual ISO 27002 Gap Analysis, which examines ECU’s alignment with the framework’s 114 security controls, through a self-assessment process. However, this past year, ECU like other UNC-constituent institutions participated in an ISO 27002 maturity assessment conducted by the third-party organization MCNC. The purpose was to establish a documented baseline maturity level for all 18 institutions in the UNC System. MCNC provided their final report to ECU in December, with maturity ratings for each control clause and each of the 114 controls in ISO 27002. While the rated scores from completed assessments were not widely shared, ECU did learn that we scored considerably higher than the system-wide average!

Because the system-wide contract's scope didn't include recommendations or details on what specifically the assessors found missing, ECU entered into a separate engagement with MCNC for a deeper dive, and the assessors completed this analysis and provided their report with recommendations in May. Next steps will be to review the analysis, weigh risks, and consider how their recommendations might strengthen the university’s program and security posture and what resources might be required.

Technology Security Assessment (TSA) Improvements

Prior to purchasing or implementing new software and cloud applications at ECU, it is important to assess the information security posture of vendors and evaluate proposed solutions for security requirements, risks associated with their use, and compatibility with existing systems. ECU completes this through our Technology Security Assessment (TSA) process. The Information Security Office made improvements to the TSA through changes to the TeamDynamix ticket, revisions within PORT to emphasize requirements for protecting sensitive information, and updates to the TSA instruments used for collecting information for the assessment. These changes will improve the efficiency of the TSA process and help ensure the highest level of information security and customer service.

Security Assessments by Third-Party Consultants

Security assessments enable an organization to identify vulnerabilities and areas of weakness, along with opportunities for growth in security protection. This year, ECU contracted with third-party consultants for multiple assessments, including a network firewall assessment, comprehensive network penetration test, and evaluation of the university’s Payment Card Industry (PCI) environment.

Campus-Wide Phishing Simulation and Phishing Training

The Information Security Office implemented InfoSec IQ, beginning with a baseline assessment to examine campus-wide susceptibility to phishing. Additional phishing simulations and security awareness modules followed to better empower employees to stay cyber secure. The security awareness education includes short training videos in response to phishing simulation (turning errant clicks into teachable moments). These videos help employees spot real phishing emails and become more aware of important cyber security topics.

Privileged Access Management on Servers

Significant progress has been made at ECU with improving privileged access management for servers. In 2021, the Office of the State Auditor (OSA) IT audit (Review of Mobile/Remote Employees’ Computing Practices) recommended that the university restrict privileged users from performing regular business activities using their privileged accounts. Using elevated permissions for everyday functions such as checking email, browsing the web, or using Office applications increases risk levels for threats such as malware or compromise of IT systems or sensitive data. ITCS led university-wide efforts to create 200 dedicated accounts for system administrators to separate business functions from privileged access, for over 1000 university systems. System administrators in ITCS were identified who needed a dedicated privileged support account, general guidance was provided, new accounts were assigned, and the individuals completed migration to using this new account. Likewise, the same migration was completed for new dedicated privileged accounts for Distributed IT support staff.

Improvements to Risk Acceptance Processes

Formal risk acceptance processes give university system and application administrators, and any other risk owners, the ability to document risks within their environments and for leadership to become aware of these risks. Over the past year, significant improvements have been made by the Information Security Office to Risk Acceptance (RA) methods, documentation, and processes. In December, a revised Risk Acceptance Repository within Microsoft Teams/SharePoint was created to have a more user-friendly tool for maintaining RA information and documentation. During the spring semester, the Risk Acceptance Repository List was overhauled to better document and track the approval process, and to better monitor risk acceptances and remediation over their life cycle. A new Risk Acceptance Policy was developed, the Risk Acceptance Form was revised, and considerable process was made in working with departments to address risk acceptances that had expired.

IT Governance Charter Implementation

In July 2021, the first IT Governance Charter was approved in accordance with UNC System Office Policy 1400.1, requiring that each institution implement an IT Governance Program. The IT Governance Charter at ECU outlines our IT Governance Program and includes the organization and structure of Project Prioritization and Governance, Data Governance, IT Risk Management, Information Security Program, IT Funding approach, and Distributed IT oversight. The newly-created project prioritization structure includes the following committees:

Projects, Initiatives, IT Resources

The Technology Planning and Priorities Committee (TPPC) is the senior university information technology committee charged with prioritizing projects, initiatives, and IT resource requests. TPPC ensures that the university makes the best possible decisions in leveraging technology resources in support of the academic and administrative missions outlined in the University Strategic Plan. With a visionary view to the future needs of the university, the committee shall provide a stabilizing influence on ECU’s technology resource use and ensures alignment with ECU’s mission and plans.

The Administrative Systems Committee (ASC) acts on behalf of the administrative interests of the university and represents units, departments, and divisions by effectively participating in campus-wide Information Technology (IT) governance and strategic decision-making. ASC and its members work proactively with the Office of the Chief Information Officer (CIO), Information Technology and Computing Services (ITCS), and Distributed IT units on campus to promote a transparent, collaborative, and successful university-wide administrative IT environment.

The Academic Technology Committee (ATC) acts on behalf of the academic/instructional interests of the university and represents academic units and departments by effectively participating in campus-wide Information Technology (IT) governance and strategic decision-making. ATC and its members work proactively with the Office of the Chief Information Officer (CIO), Information Technology and Computing Services (ITCS), and distributed IT units on campus to promote, transparent, collaborative, and successful university-wide IT environment.

Transition to Microsoft Endpoint Manager

ITCS is currently working to finish the transition to the unified management platform Microsoft Endpoint Manager that includes a suite of powerful services and tools including Microsoft Intune and Configuration Manager. Endpoint Manager includes the services and tools to manage and monitor mobile devices, desktop computers, virtual machines, embedded devices, and servers. Configuration Manager grants ECU faculty and staff access to key applications they need to remain productive, while also giving administrators the proper tools that they need to protect sensitive university information. Intune is a 100% cloud-based mobile device management (MDM) and mobile application management (MAM) provider for ECU’s apps and devices that allows ITCS technicians to control features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10 devices. Project accomplishments thus far include completion of extensive MS training, build-out of servers, analysis of KACE to replace current jobs, completion of MS onboarding accelerator, creation of firewall boundary groups, transitioning of windows patching for all of campus and replacement of Windows Server Update Services (WSUS).

Improved Endpoint Security on Macs

Endpoint security controls at ECU feature the one-two punch combination of Cisco AMP for Endpoints cloud-based malware protection, alongside Defender antivirus protection. These endpoint security applications are complemented by Cisco Umbrella Roaming Client that provides DNS/IP protections. This past year included improved management of security policies and related software configurations on Macintosh computers through the deployment of JAMF. ITCS adopted CIS benchmarks and pushed out software restrictions on university-owned Macs, enabling or disabling features or apps to improve endpoint security.

Registration Statistics Dashboard

ITCS and the Office of the Registrar collaborated to migrate the Registration Statistics Dashboard to Microsoft Power BI. The migration to Power BI allows for the latest advanced data mining capabilities to provide Vice Chancellors, Deans, and Department Heads a holistic view of ECU’s current registration numbers and how they compare to the last five years. University executives can slice and compare data between student population, colleges, programs, and courses and view which classes have extremely long wait lists or programs that are having difficulty retaining past students. The data from the dashboard can be used to improve the institution’s enrollment and retention numbers. The new dashboards use the institution’s Microsoft Power BI technology which is a dashboard tool used to find insights into the institution’s data by connecting data from multiple systems that are cleansed and presented with the help of over 200 visualizations.

Banner and ODS Hardware Upgrade

In September 2021, ITCS completed a multi-year project to replace the institution’s existing Banner and ODS hardware. The new hardware provides increased performance and a more secure infrastructure to protect the institution’s data. In addition to the hardware upgrade, ITCS also reconfigured all 3rd party systems that were integrated with Banner and ODS. In addition to ITCS staff, functional users from across campus assisted in the testing and configuration of the new hardware.

Azure Purview Proof of Concept

In Spring 2022, ITCS collaborated with Microsoft and their partner, 3Cloud, to complete an evaluation of the Microsoft Purview Data Governance tool. This tool will be used as a part of an effort to enhance the university’s Data Governance program. Initially, the tool will be used by the members of the Data Stewardship Committee and then expand out to other university personnel needing access to information about their data. The new product will be cloud-based.

Self-Service Opscan

Responding to feedback received from faculty and staff regarding exam grading delays and limited hours of operation for Opscan services, ITCS will be implementing a new process for the way exams will be graded in fall 2022. This new process will allow faculty and staff to grade their exams any time Joyner Library or Laupus Library is open. Faculty and staff will swipe their 1Card through the ID Reader, load their exam in the tray, walk through a few simple steps, and the exams will begin scanning. The exam results will be automatically emailed to the faculty or staff who swiped their 1Card, cutting down on wait time. Pirate Techs will provide assistance throughout the semester as needed.

Improved Xtender Application Security Access Review Process

In 2022, the ITCS Xtender team partnered with the ITCS ECU BIC team to develop and implement an improved access review process for the Xtender application. The new process reduced the manual effort needed to audit access semi-annually by leveraging ECU BIC to automatically generate and email a report to supervisors who have a direct report with access to Xtender. Within the report, a supervisor can verify and approve the access or submit a request to have the access modified. Approvals are written to an audit log which is used to identify users who are not compliant on their reviews. This new process improved operational efficiencies as well as the university’s security posture by ensuring supervisors validate user access to university data semi-annually.

Enterprise Network Attached Storage Replacement

The Network Attached Storage “NAS” known as Piratedrive is a secure and highly available storage platform used by ECU users, departments and key critical business processes to store university data. The underlying infrastructure reached the end of its viable hardware life and a replacement was required. In February 2022, new NAS storage arrays were deployed and data migrated. The new storage provides a robust and supported platform that is faster while providing increased replication capabilities for protecting university data.

Banner Application Tier Migration to VMWare

The Banner Application Tier is a virtualized environment running in our RedHat OpenStack Infrastructure. The environment consists of 20 physical servers split between our Cotanche and Brody data centers to provide multi-data center redundancy. The servers have reached the end of their OEM support and need to be replaced. The replacement cost would exceed $300K. As a cost savings measure and to simplify support overhead the Banner Application servers are being migrated to our VMWare Virtual Infrastructure.

Centralized Server Administration

The Distributed IT Work Group assessing server administration across campus finished its review, a process that involved over 40 departments and 480 servers. The recommendation was to centralize the operating system administration duties with ITCS for those systems identified as operationally feasible to centralize. The implementation plan is priority based and will be phased in over several years.

Array-Based Snapshots for the Virtual Infrastructure

This past year, ITCS implemented daily, storage array-based snapshots for our critical Virtual Infrastructure datastores. Should we experience widespread corruption from ransomware rendering many our virtual servers unusable, we can rapidly revert to previous day’s snapshot and be back in service in a very short time with a minimal data loss penalty, versus spending days restoring individual virtual servers a few at a time from backups. Leveraging this technology in this manner is a first for ITCS.

OneDrive for Business Migration

This year, ITCS began work on a multi-year project to migrate user data from its longtime onsite home, Piratedrive, into the cloud. Microsoft’s OneDrive for Business (ODB) allows users to easily store, access and share data from any Internet-connected web browser. As a key component of the Microsoft 365 software-as-a-service platform adopted as the university’s cloud-based collaboration solution, ODB provides access to data across a wide range of applications while meeting necessary security requirements. Migration of this data to the cloud will enable future cost avoidance associated with hosting these services onsite. In both fall and spring semesters, ITCS provided opportunities for users to attend a series of OneDrive-focused education sessions supported by our Microsoft Learning Consultants. These 12 sessions were offered over several dates with more than 200 in attendance.

Data Center Firewall Audit

Network Services underwent a firewall configuration audit of the enterprise data center firewall in conjunction with a third-party vendor. The audit consisted of a configuration review and evaluation against industry standard best practices. These practices contribute to a strong security posture, provide better identification of configured state, ensure secure administration, and restrict traffic to reduce exposure. The findings of this report indicated that the enterprise firewall was in good standing and minor configuration modifications were proposed. The implemented modifications were applied on all applicable firewalls within the enterprise.

Identity Service Engine Update

ECU’s Enterprise Identity Services provides authentication, access control, and compliance to the ECU wireless, wired networks, and network device infrastructure through the use of integrated (Authentication, Authorization, Accounting) AAA, profiling, posture, and guest services. This past year, a major configuration change was adopted to add additional servers to the Identity Services application. The new appliances provide dedicated services to the ECU enterprise wired network. This design enhancement ensures the best level of service to end users while providing an enhanced disaster recovery option and increasing the enterprise network security posture.

Uninterruptible Power Supply (UPS) Systems Replacement / ECU Network Refresh

Each year, ITCS replaces network equipment to maintain the network infrastructure. Additional equipment was purchased but not received due to supply chain issues. ITCS anticipates receiving the remainder of the equipment in the upcoming year.

Uninterruptible Power Supply (UPS) systems are in place to maintain power to network switches, wireless access points and VoIP phones in the event of the loss of power in a building. This is to provide the life and safety coverage in the event of an emergency.

ITCS staff continually hone their skills and expertise through a variety of professional development activities each year. This past year, several individuals obtained or renewed certifications and completed degree programs:

Brittany Clark, Enterprise Data Management Support Services (EDMSS) – Certified Information Management Professional (CIMP) with a specialization in Data Quality

Rich Fraboni, Network Services – Cisco Certified Specialist – Enterprise Core Certification

Brian Hodges, Network Engineering – Cisco Certified Network Associate

Alex Kameniev, Network Engineering – Cisco Certified Network Professional Enterprise

Justin Littlefield, Client Engagement and Support – Canvas Certified Educator – CORE 1: Foundational Frameworks HE, QM-Certified Higher Education Peer Reviewer, Introduction to UDL: Addressing the Variability of All Learners

Brian Martin, Network Engineering – MS in Network Technology with a focus of Information Security CompTIA Network+

Belinda Perkinson, Client Engagement and Support – KM Institute Certified Knowledge Practitioner (eCKP) Program

Dearl Roughton, Client Engagement and Support – AVIXA CTS-I Certification

Petra Rouse, Robin Viera, Project Management Office – ScrumMaster Certification renewed

Matt Smith, Mary Frances Stalls, Ronda Stroup, Enterprise Information Systems – ScrumMaster Certification renewed

Stephanie Stroud, Enterprise Information Systems – MBA, East Carolina University

Angela Taylor, Client Engagement and Support – Website Development Certification, College of Engineering and Technology, East Carolina University

Dr. Huma Yeduri, Enterprise Data Management Support Services (EDMSS) – ASQ Six Sigma Black Belt Certification renewed

Info-Tech Cloud Workshop

ITCS worked with Info-Tech Research Group to develop a Cloud Vision and Strategy which includes an action plan for FY23. The workshop included an assessment of university goals, cloud drivers, and risks of moving to the cloud. ITCS’ cloud vision will be to leverage a combination of cloud and traditional infrastructure resources to accomplish ECU’s goals. IT will leverage cloud where organizational goals, cloud drivers, and cloud capabilities, are aligned, associated risks can be mitigated, and data integration and reporting needs can be accommodated.

ECU's Cloud Strategic Directions

Goal #1: Support the mission of ECU (education, research, patient care, administrative efficiencies)

• Hyflex Classroom Implementation – continue to receive equipment and implement the classrooms and train faculty on the use
• EAB Moonshot Initiative – implement transfer portal
• Clinical Integration – work with ECU Health to implement collaboration/integration goals
• Virtual Attendant Kiosk – implement virtual attendant kiosk in Cotanche
• Automated Account Provisioning – automate account provisioning scripts, primary focus admissions

Goal #2: Security and risk management

• Distributed IT Recommendations – continue to vet and implement DIT recommendations
• Tabletop Exercise – conduct annual tabletop
• Security Information and Event Management Review – review SIEM tool in light of significant cost increases, assess options and make recommendation
• Windows 2012/RHEL Operating System Upgrades – upgrade all upcoming end of life operating systems

Goal #3: IT excellence

• Application Portfolio Management – APM inventory and life cycle management, include ability to capture sensitive data inventories, MFA compatibility, etc.
• Data Inventory Software Implementation – Azure Purview
• Personal Piratedrive to OneDrive Migration
• Mobile App Strategy (to replace Ellucian Mobile)

Goal #4: Innovation

• Cloud Strategy and Roadmap