CSG “Shared Services” Update

Participants - Working Group – Legal & Governance (May 2010 mtg)

–Mairead Martin–R David Vernon–Asbed Bedrossian–Steve Cawley–Ken Schuetz–Tracy Futhey

–Ron Thielen–Shel Waggener–Klara Jelinkova–Kitty Bridges–James Hilton–Deborah Keyek-Franssen

Since Last We Met..

• May ‘09 – CSG Workshop; Working Group Formed• Summer ’09 – Sample docs collected• August ‘09 – Assemble sub team: email and hosting• Oct ’09 – NACUA team formally engaged• Nov ‘09 – Email “Issues” Matrix complete (.9?)

• Feb ‘10 – Model Mail Contract complete (.9?)

• March ’10 –Model Mail RFP complete (.85?)

• April ‘10 – Early draft of hosting RFP (.4?); Educause agreement to manage as “open source” documents

Participants - Sub Team – Email Outsourcing and Hosting RFP

–Mairead Martin (Penn State)–Kitty Bridges (NYU)– James Hilton (Uva)– Tracy Futhey (Duke)–Beth Cates (Indiana)–Madalyn Wessel (UVa) –Henry Cuthbert (Duke)– Tracy Mitrano (Cornell)

Strategies Adopted by Sub Team• Avoid Hardcore Technical Requirements List– Outsourcing service/function ≠ Dictating technical solutions;

Ask to “Describe Your Solution” rather than more typical “required” “preferred” etc approach

• Recognize Leverage Limitations on Free Services– Build RFP with assumption of payment for services

• Assume Reuse; Organizing Materials Accordingly– Premise that the combination of email outsourcing and

hosting/data center management would most likely hit most of the big issues for outsourced/shared services

• Admit Rumsfeld was right: “there are also unknown unknowns, the ones we don't know we don't know”– Include “Director’s Cut” Commentary; Model Contract

Issues – Data Stewardship (kinda common) A. Data

Stewardship Description

A-1 Data Ownership

a. Content of email messagesb. Email attachmentsc. Account informationd. Message headerse. Address booksf. Logs

Retained by the user/retained by the Institution

A-2 Data Security a. Encrypt web interfaceb. Encrypt message transmissionc. Encrypt password transmission/storaged. Auditing capabilitiese. Intrusion Detection

Technologies, policies, and practices to secure data.

A-3 Data Retention & Disposal

a. Retention policies; ediscovery support b. Archiving solutionsc. Institutional record management: eg., archiving of and ultimately transfer of messages to institutional respository

Retention schedule to comply with local, state, and federal regulations.

A-4 Data Integrity A-5 Data Privacy Policies on access provision. Restricting access

to data to ensure confidentiality but need policies on when access is provided and to whom (eDiscovery, for example).

Issues – Privacy, Integration (kinda common) B. Privacy &

Confidentiality Description

B-1 User privacy Protecting Personally Identifiable Information. Restrictions on use of user identities and search terms for marketing or other purposes.

C. Integration & Operational Issues

Description

C-1 Entry strategy a. Migration strategies Mailbox migration, institutional directory, email name space provisioning, end-user terms of service.

C-2 Exit strategy a. Migration strategies Data migration to another service provider, data conversion.

C-3 Integration with institutional Identity & Access Management (IAM)

a. Authentication, SSO using institutional credentials b. Authorization: via LDAP, etcc. Membership of InCommon. d. Federated authN/Z (SAML2.0)

Integrate with central directory, using institutional credentials. Align with Higher Ed federated IAM infrastructure (e.g., Shibboleth) and trust federations (e.g., InCommon).

C-4 Integration with other applications

a. Instant Messagingb. electronic calendarc. mobile device applications d. document sharing/collaboration

Enabling unified messaging and calendaring. Integration with other applications.

Issues - Functionalities (unique) D. Functionalities D-1 SPAM support a. Anti-spam filtering software b. SPAM retention policiesD-2 Virus D-3 Storage a. Individual email quotas b. Scalability

D-4 Mobile Devices a. Mobile client support - list clients hereD-5 Email protocol a. IMAP b. POPD-6 Emergency broadcasts D-7 Account Management a. Create, delete, suspend accounts c. Group mailboxes

b. Delegated administration d. AliasesD-8 Interface a. ADA section 508 compliance c. Email message formats

b. Compliance with WC3 standards d. Institutional brandingD-9 Email client support a. Outlook c. Mac mail

b. Eudora d. List clients hereD-10 Platform support a. Windows c. Linux

b. MAC OSD-11 Miscelleanous

functionalitiesa. Mail forwarding e. Email taggingb. Search functionality f. RSS feedsc. Email filtering to folders g. User preferencesd. Global address book

Issues – Service Level (kinda common)

E. Service Level E-1. Handling of service requests

E-2. End-user support a. Telephone supportb. Online supportc. Training

E-3. Availability a. % uptimeb. Business continity/redundancyc. Performance

E-4. Backup and restores E-5. Incident Response Management of unscheduled outages,

interrupted services, degradation in service. Handling, investigation and resolution of these.

E-6. Maintenance

RFP Sample

Contract Sample

What (may be) next?• Assess interest in glomming on RFP (CSG +….?)• Finalize plan for Educause to hold docs• Issue common RFP in June/July?• Responses in August? • Campus discussions in fall? Vendor negotiation?– Not clear vendor(s) will be responsive to “our”

concerns, or that “we” will like the responses• Decisions by Jan 1, 2011?• Pilots during spring 2011?• Fall 2011 go live dates?

Discussion… Questions… Volunteers…