Joint IT Governance Committee
April 9, 2002
Members Present: Steve Barclay, Karen Butter, Thomas Ferrin, Terry Johnson, Mark Laret, Larry
Lotenero, Chuck Smuckler
Members Absent: Ron Arenson, Sheila Antrum, Thomas McAfee, Michael Stryker
Staff Present: Meg Kennedy
Guests Present: Ellen Amsel, Jose Claudio, Richard Drake, Cindy Fenwick, Ken
Jones, Reg Kelly, Heidi Schmidt, David Sproul, Michael Thomas, Ian Tuller
Action Items and Discussion
1. Review of February 2002 Subcommittee Reports
Steve Barclay opened the meeting by stating that the purpose of the review of the
reports was to get the subcommittees into action mode and see if they have
encountered any obstacles to accomplishing their charges. He also acknowledged
that the events of September 11 and the subsequent work of the Cyber-Security
Subcommittee involved many of the subcommittee members in other activities that
may have delayed some of their work.
The Subcommittees reported as follows:
Customer Support and Training Subcommittee – Richard Drake
They are actively engaged in the process of information gathering as recommended
in the Strategic Plan. A survey of all support activities is ready to go and the
responses will be collected into an online database which will provide information on
problems which were reported and resolved. The Subcommittee feels that the data
collected will give strength to their recommendations.
They believe that the support structure recommended by PwC is too simplistic to
address the needs of the existing structure at UCSF and hope to develop a
customer support infrastructure to assist, and provide communication to, the central
and departmental units providing support. Richard anticipates developing
something along the lines of a Federal/State model, i.e., there would be central
guidelines and tools, but it would be up to individual customer support units to
implement and adapt them to their own needs, working cooperatively with the central
Regarding Training, the key people in this area are on the Subcommittee. They are
gathering information regarding where training occurs and what sort is provided and
are looking toward recommending a training approach.
Finally, their report lists an overview of how they will approach the recommendations
from the Strategic Plan.
In response to the question “How can we keep the various support structures in
synch?” Richard answered that he feels the issues collected in their database will
flow into a process that ties all these support structures together.
A process for Service Level Agreements will be developed and will be tied into the
support structure so that timelines for the solution of problems can be compared to
expectations. Then we will need to monitor adherence to SLAs to ensure that
responses are within the expected timeframe.
Larry Lotenero would like to make sure that support efforts are coordinated between
the Medical Center and campus. The question was asked whether there is enough
agreement across campus to use one Customer Support tool. Currently, Medical
Center IT and ITS are using Remedy, and this is working well for them. An effective
support system would provide for one central sign-in to report a problem which
would then be triaged to the right person for resolution.
The Support Survey will begin in May with the first results available in the summer.
When the Customer Support and Training Subcommittee make their
recommendations, they will ask for Joint Committee help to engage all the
support groups across campus in developing a coordinated structure behind
the scenes. The Subcommittee expects to have an on-going role in reviewing
and advising on the issues they identify in this area.
Information Security – Ellen Amsel
The Subcommittee has been working with the HIPAA and Cyber-Security
Subcommittees to help build a foundation of security policies and implementation
guidelines - particularly related to userids and stronger passwords - following UC
There is a need to address the conflict between IS-3* and HIPAA vis-à-vis encryption
of data. The Information Security Subcommittee will be looking primarily at
accountability and will provide tools to support HIPAA issues.
The recommendations made by the Cyber-Security Subcommittee will be forwarded
to the Information Security Subcommittee. They will be responsible for follow-up
and will address security issues, establish and publish standards, and work towards
compliance and a means to address noncompliance. An important part of this effort
will be to establish a security awareness program as outlined in the Cyber-Security
recommendations. Terry Johnson, who is Co-Chair of the Cyber-Security
Subcommittee, pointed out that the Cyber-Security Subcommittee feels it is also
important to involve audit in assessing compliance.
Two security issues that are also being considered are:
1. Electronic Communication: This relates to the content of the electronic
information that is sent across the network and for which the privacy of the user
is respected. They are working on a procedure to follow when this information
needs to be accessed without the consent of the user. (See
2. IS-3*: University-wide electronic information security guidelines which address
the reduction of risks to electronic information resources through adoption of
preventive measures and controls. IS-3 relates to user accounts, passwords,
and the retention of information. Campus Information Security is currently doing
a self-assessment using an IS-3 matrix.
The standard for ensuring security of data will be to use generally-accepted industry
(*UC Business & Finance Bulletin IS-3; Electronic Information Security; dated
November 12, 1998; http://www.ucop.edu/ucophome/policies/bfb/is3.pdf)
Joint Medical Center/Campus Systems and Interfaces – Cindy Fenwick and Ken
There are currently two ledger systems - DBS for the Medical Center and PeopleSoft
for the campus - which creates reconciliation issues. Both Accounting Offices are
currently working on reconciling the two ledgers. A high-level reconciliation has
been performed as of 12/31/01. The Campus is working to separate Medical Center
transactions from campus transactions and place them in separate accounts in the
PeopleSoft ledger in order to enable an automated reconciliation process by fiscal
Because changing the Medical Center ledger system at this time had already been
ruled out, the Subcommittee turned to the issue of finding a reporting tool which
would provide data from both ledgers in a similar way. They looked at WebLinks,
the current system the campus uses, and after much study decided it would not be
workable because the different ledger closing dates would create complications, and
increased transactions in Accounts Payable would make reconciliation cumbersome.
The Subcommittee concluded that it would be a large and costly project to point
WebLinks at DBS data. The Subcommittee is currently looking at a simple approach
to making Medical Center ledger data available electronically.
The campus will be upgrading next year to PeopleSoft 8.4. This merges P/S
corporate and government/higher education products into one and is a web-based
product. ITS will provide the Medical Center with information on PeopleSoft 8.4
capabilities. The Medical Center will look at PeopleSoft while the campus upgrade is
going on and will form a subgroup to consider implementing the PeopleSoft General
Ledger for the Medical Center.
Cindy Fenwick feels that the manual reconciliation at year-end close will be
acceptable to the auditors – especially since the unbundling of accounts will enable
some electronic reconciliation.
Steve Barclay asked about campus/Medical Center collaboration on other new
systems which are being planned (e.g., asset management, purchasing/payables).
Cindy answered that currently the Medical Center and Campus are looking at
working together on an internet payment gateway system.
Terry told the group that there is an ad hoc group (Terry Johnson, Larry Lotenero,
Ken Jones, Cindy Fenwick, and Randy Lopez) talking about potential collaboration
opportunities on administrative systems such as PeopleSoft General Ledger and a
Time and Attendance System.
Regarding the Time and Attendance project, the Medical Center has to move quickly
because the product they’re currently using will no longer be supported by Kronos,
which has purchased their original vendor. They hope to partner with UC Davis and
UC San Diego in a contract with Kronos. There may be opportunities at a later date
for the campus to join with the Medical Center on this project.
Network – Heidi Schmidt
Wireless network recommendations developed by the Subcommittee have
been reviewed by the ADMIN-L listserv as well as by Terry Johnson and Larry
Lotenero. A mechanism for moving this and other proposals forward needs to
be identified, and Terry Johnson will work with the VCIO Group to develop
“Rules of the Road” for departmental networks are included in the report but are still
under review and revision by the Subcommittee. They deal with accountability, the
ways in which Local Area Networks work independently, and their unique ways of
interacting with ENS.
The Subcommittee feels there need to be guidelines so that LANs are able to work
independently without disrupting the entire network.
A draft document regarding Service Level Agreements has been written by Mark
Jenkins and attached to the Subcommittee report. There will be further discussion
of this document within the Subcommittee to address issues which have arisen
around identifying what is rather than what should be.
Regarding the Subcommittee becoming a formal Network Advisory Group,
they believe this is possible but recommend a review of the membership to
determine if the subcommittee adequately represents campus constituencies
and can function in this way. The role of such an advisory group would be
related to policy, standards, and Service Level Agreements.
The Subcommittee still wants to address outstanding network needs which have been
discussed but not completely identified.
The Joint Committee would like to see the list of ENS projects which is
referred to in the report as a list of outstanding needs.
In their review of the Mission Bay wiring standard, the Subcommittee felt it could be
used as a standard for the enterprise. It is likely that network construction is often
dependent on the budget of the department doing the construction or renovation
leading to inequities between departments. If the “Mission Bay standard” were
applied to all new construction or renovation these inequities would eventually be
reduced or even eliminated. It was agreed that there is a need for consistent
allocation of funding to resolve inconsistencies in individual departments’ ability to
build infrastructure. Terry reminded the group of the need to consider how to apply
these standards to build-outs and renovations in leased space as well as UCSF-
Steve pointed out that the standard used at Mission Bay was the standard needed to
support the scientific mission and was decided on by the Mission Bay Information
Technology subgroup of the IT Planning Committee that was active at that time.
(Tom Ferrin announced that the Mission Bay IT Subgroup has recently reconvened.)
With regard to videoconferencing, there are multiple entities working on this with no
coordination. The Network Subcommittee has proposed forming a new group to
consider what the requirements are and what standards need to be developed.
Mission Bay is going to increase the need for videoconferencing. It is felt that the
current system is not adequate, and that there should be an implementation strategy
for supporting not only classrooms but also large and small administrative needs.
There should be one central entity responsible for coordinating the
The Committee agreed there should be a new group formed to look at the
issue of videoconferencing services but felt that it should report directly to the
Joint Committee. Among the issues to be considered would be the
technologies available for providing videoconferencing, and coordinating the
various needs including space allocation. Richard Drake asked that the
customer support needs be included in these discussions.
ADDENDUM: In a meeting on April 18, 2002, the VCIO Group discussed the
formation of a Videoconferencing Task Force, as well as a Mission Bay IT Task
Force, and incorporating both of them into the Governance Structure as part of the
fine-tuning proposed at this meeting (see Item 2 below).
Web – Michael Thomas
Three subgroups were formed: Infrastructure (which was disbanded early on
because so many of the issues were being considered in either the Information
Security or Architecture/Infrastructure Subcommittees), Common Applications, and
A draft mission/vision statement for the web was submitted to the Joint
Committee who were asked to review and comment on it.
The Subcommittee reviewed graphic identity issues. There is disagreement over which
links should appear on the primary and secondary navigation bars at the top of every
web page, and over how best to address this issue in a way that is acceptable to all
constituents.
They feel common applications – what they are calling the “tool box” – should be
available to all web developers.
Michael submitted a sample proposal regarding a search engine to show how
applications will be reviewed and recommended.
The following questions were raised: “Who is responsible for enforcing
compliance? What is the best way to implement software recommendations?”
Steve answered that it will be the task of the Joint Committee to work on a
procedure for this.
While there are not a lot of guidelines and policies which are directly related to web
issues, some, such as copyright laws, are remotely related so the Subcommittee is
forming a Policy Subgroup to address these.
There was discussion of Public vs. Private Websites. Reg Kelly asked whether we
have a private internal website. The Medical Center has what they call an “intranet”
and there are some sites/pages to which access is restricted to people on the UCSF
(A glossary of World Wide Web terms is appended to these minutes.)
2. Proposal for Fine-Tuning the Governance Structure
Terry Johnson distributed a proposal for reviewing the IT Governance Structure and
recommending any fine-tuning which is felt to be necessary. A group, which is being
called the “Virtual CIO Group” and is comprised of Karen Butter, Terry Johnson, Reg
Kelly, Larry Lotenero, and Chuck Smukler, will coordinate the review. The
Committee accepted the proposal. The recommendations of the Virtual CIO Group
will be brought to the Joint Committee for their approval.
World Wide Web Glossary
Intranet - A private network inside an organization that uses the same kinds of
software that you would find on the public Internet, but that is only for internal use.
(See http://intranet.ucsfmedicalcenter.org/ for the UCSF Medical Center Intranet)
Internet (Upper case I) - The vast collection of inter-connected networks that are
connected using the TCP/IP protocols and that evolved from the ARPANET of the
late 60's and early 70's. The Internet connects tens of thousands of independent
networks into a vast global internet and is probably the largest Wide Area Network in
internet (Lower case i) - Any time you connect 2 or more networks together, you
have an internet - as in inter-national or inter-state.
Extranet - An intranet that is accessible to computers that are not physically part of
an organization’s own private network, but that is not accessible to the general
public, for example to allow vendors and business partners to access a company
Home Page (or Homepage) - Originally, the web page that your browser is set to
use when it starts up. The more common meaning refers to the main web page for
an organization, department, person or simply the main page out of a collection of
web pages. (See http://www.ucsf.edu/ for the UCSF home page)
Enterprise Portal - Provides access to information, resources, business applications,
people and processes through a single interface that individual users can customize
to their own preferences and needs.
Differences between Home Page and Enterprise Portal

Home Page                                     | Enterprise Portal
The same for everyone                         | Customized for each user
No personalization                            | Personalization
Start to surf the web from here. The stuff    | The most important data and
that everyone needs is just a click or a      | applications you need are right
few away. If you can find it.                 | here.
We change it when we want to.                 | You change it when you want to.