Like many top-tier universities, information technology at UChicago is largely a distributed endeavor, with many units and divisions supporting the technology needs of the campus community. While this can provide some benefits, it can also mean duplication of services across campus, inefficient or sub-optimal use of resources, increased risk, and decreased visibility into a range of valuable service offerings.
The Office of the CIO, in collaboration with the Offices of the Provost and CFO, is taking a proactive approach to understanding how IT is leveraged by the University community and what measures the IT enterprise can take to reduce IT risk and maximize the impact of the institution’s overall IT investment in support of research, teaching, and business operations.
IT Rationalization—and the initiatives that proceed it—is a forward-looking endeavor. Phase one included a comprehensive data collection and analysis activity, culminating in a set of project recommendations designed to improve not only the efficiency of IT delivery but more importantly, the IT risk profile across the institution and the quality of services available to campus. In phase two, the IT community, by way of the IT Leadership Council, will work together to implement those recommendations.
IT Risk Program
A significant factor in the University’s current IT security risk profile is related to the distributed nature of IT systems, oversight, and management across campus. Three IT Risk initiatives in the areas of data centers, end-user devices, and web properties, will strengthen IT security practices and increase efficiency, while improving service delivery and support for the research, teaching and learning, and business operations of the University.
An outgrowth of the IT Rationalization project, broadly, the program focuses on ensuring data and systems are managed in professionally-operated data center environments; laptops and desktops are managed with common standards and reporting practices; and University web properties are secure, accessible, and well-maintained.
The IT Risk Program spans three broad project areas, including:
Server rooms and their machines will be secured through a process of inventory, risk review, remediation, and in some cases, relocation. This work reduces the likelihood of data breaches, operational downtime, and data loss.
End-user devices will be secured through common practices such as firewalls, anti-virus, encryption, and backup. These practices guard against external breaches and protect the privacy of research and university data, especially in an era of zero-day exploits.
Websites will be secured through policies and resources which address site patching, upkeep, accessibility, and brand observance. These processes protect the online reputation of the University.