OIT Project Portfolio Report

This is a multi-phase project focused on automating the provisioning and deprovisioning of Microsoft Office 365 licenses. Currently, some of the processes are automated while others are entirely manual. The manual processes are labor intensive and error prone that results in O365 licenses not being assigned properly based on the license entitlements. The MOLR project assisted with the development of Grouper license entitlements groups and identified uses cases for the provisioning and deprovisioning of O365 licenses. These include the following license types: • Faculty A5 • Faculty A1 • Student A5 • Alumni Exchange Plan 1 • Retire Exchange Plan 1 The work completed on the MOLR project was an important enabling step toward automating the processes. The scope of this project includes designing, developing, testing, and deploying the automation for the provisioning, deprovisioning, and reprovisioning of the O365 licenses. The project includes the following phases. • Phase 1 – Faculty A5 licenses on primary accounts. Focus will be on use cases for new/departing staff and changes to user license entitlements. • Phase 2 – Student A5 and Alumni licenses • Phase 3 – Faculty A5 licenses for secondary accounts and Faculty A5 licenses for retirees • Phase 4 – Faculty A1 licenses

Manages audit risk for lack of compliance with Microsoft O365 license contract. Reduces manual processes Manages cost of Microsoft O365 licenses

The current NAC solution, deployed in 2023, was a stop gap measure procured and deployed in under 3 months to address the immediate problem that the Secure Computing initiative had with the previous ImpulsePoint Opswat NAC. There are various problems with the current NAC solution, some of which have resulted in multiple major incident “outages” impacting student’s, faculty, and staff’s ability to access the Wi-Fi network. The objective of this project is to investigate, test, procure and deploy a new enterprise NAC solution for Wi-Fi that replaces the existing NAC solution with the following high-level features and requirements.

1. Robust, scalable, and zero-trust architecture for Higher Ed.
2. Optimized for end user experience and BYOD devices on UCB Wireless, which is especially vital to our students (includes passwordless and independent from device Wi-Fi MAC, a large source of frustration today).
3. Complete Integration with IAM for user and contractor authentication on UCB Wireless.
4. Enabling Wi-Fi enterprise grade encryption for authorized users on UCB Wireless.
5. Secure onboarding of business critical IOT devices deployed by university business units or research on UCB Wireless.
6. Aligned with the Secure Computing, reporting and compatible with SIEM tools used by OIT-SEC.
7. Better authentication and audit trail for users that register on UCB Guest.
8. Self-enrollment of student and faculty owned consumer headless Wi-Fi devices on UCB Guest.
9. Better integration to achieve zero-touch configuration and enrollment on UCB Wireless by End Point Management Services for DDS managed Wi-Fi compute devices.
10. Single interface for system administration, reporting and troubleshooting for ITSC, NEO and OIT-SEC.

Password less, no annual registration and BYOD friendly EAP-TLS authentication with Wi-Fi encryption Enterprise grade solution with proper technical support Integration with Azure/Entra ID Integration with JAMF and MS Intune

The University of Colorado (CU) system serves over 67,000 students and employs 28,000 faculty and staff across its campuses. As Colorado’s flagship public research institution, CU is committed to delivering high-quality, accessible, and innovative education that meets the evolving needs of learners and supports the state and nation with graduates who are prepared to fill critical workforce roles. Over time, CU Boulder’s CRM, web, data, and integrations ecosystem has grown organically across various units, resulting in a fragmented landscape of tools, platforms, and processes. This complexity has created challenges in delivering a unified, data-informed, and learner-centered experience, causing problems for students and their support staff who need to navigate across our silos to be successful. In August 2023, CU Boulder’s executive leadership approved a multi-year Constituent Relationship Management (CRM) Strategic Roadmap to address these challenges. A formal business case was developed and approved in December 2023, setting the stage for a phased transformation of the university’s CRM infrastructure.

Unified Learner Experience Across the Lifecycle Students will have access to a more cohesive, personalized, and accessible experience from recruitment through graduation and beyond. This includes improved visibility into their academic journey, support services, and communications. Consolidated and Actionable Data for Staff and Advisors Staff and advisors will gain a 360-degree view of each learner through integrated data from SIS, LMS, Degree Audit, and Slate. This enables more proactive, personalized, and efficient support. Retirement of Legacy Systems and Reduction of Technical Debt By decommissioning CRM01 and consolidating CRM functionality into Education Cloud, the university reduces redundancy, simplifies support, and improves long-term maintainability. Improved Communication and Engagement Capabilities Marketing Cloud will enable targeted, automated, and data-driven communications to prospective and current learners, improving recruitment, retention, and engagement.

In response to the CU-Boulder data center assessment, it was determined that SPSC N190 data center is to be vacated. To accomplish this declaration, there are two distinct activities that need to occur:

1. Move existing services from SPSC N190 to COMP data center or SPSC N180
2. Install infrastructure at Anschutz data center to support CU-Boulder servers
3. Begin populating initial 6 racks at Anschutz with systems still-to-be-identified (will be identified by March 2024).
4. Plan for network separation of SPSC N190A from SPSC N190.

Lowers risk of data center component failure Provides more geographical separation between data centers

The Name Change Process Documentation Review and Improvement project aims to address immediate concerns raised by students, faculty, and staff regarding the complexity and inconsistency of the name change process across CU Boulder’s institutional systems. This initiative responds to feedback from multiple campus entities, including the Staff Council, Pride Office, and direct communications with leadership, about the complexity, fragmented documentation and disjointed support pathways. There are two primary issues:

1. The current name change process is confusing and frustrating to our campus students, faculty, and staff. In some cases, the documentation lacks an overall “holistic view” from the faculty, student, or staff perspective and could do more to set expectations for how the process works and the time it takes for changes to synchronize.
2. The technical fragmentation and disjointed data governance results in a challenging landscape for application administrators and a resulting frustrating user experience. This project’s scope is issue #1.

Improves consistency and accuracy of documentation and support resources Enhances user experience by aligning websites and providing clear escalation paths Lays groundwork for long-term governance and technical improvements

The University currently uses Microsoft Entra as one of its two Multi-Factor Authentication (MFA) solutions. Entra MFA is implemented for users of Microsoft Office 365 (O365), Teams, and Microsoft Exchange (e.g. Outlook Email and Calendar), as well as any applications integrated with Microsoft for its MFA solution for Federated Authentication (FedAuth). What users with appropriate licensing (A5, A3) have for MFA is risk-based conditional access (CA). When originally set up, the lowest frequency implementation of Entra MFA was put in place. All users are low risk (prompted only at set up), but can move to medium risk (prompted for a new device) or high risk (prompted frequently) automatically. Password resets can move a user back to a lower risk level. Unless you are high risk (either associated with a high risk application, of which there are few with typically audiences restricted to OIT administrators) or have engaged in an identified high risk behavior (failed login attempts + impossible travel + new device), a University constituent will effectively never receive an MFA challenge/prompt from Microsoft. MFA allows OIT’s Security Team to provide a timeout on compromised devices and accounts. By not prompting for MFA, we are not taking advantage of the benefits of strong MFA. Additionally, by not providing greater granularity to our audience – we could divide the audience into different buckets, or personas, to apply different rules to different user types – we are providing blanket protection across all risk, instead of providing greater protection to higher risk audiences. Additionally, in an effort to unify our MFA experience and offering to the campus, we will move the shibboleth service (fedauth) to authenticate using Entra ID and Microsoft MFA, moving away from on-prem AD authentication and DUO MFA. This project proposes: • performing a policy review and data driven analysis on a test-audience (OIT) before rolling out to campus to implement a stronger baseline security where prompts are more likely to occur, and security is strengthened • This will also deliver a repeatable process for the involved OIT teams to propose, test, review, seek approval for and introduce these changes going forward in a repeatable fashion for introducing further layers • Performing a similar review and data driven analysis to introduce “layers” of conditional security requirements depending on audience/persona and situation. • Migrate shibboleth to proxy authentication to Microsoft Entra and enable a baseline policy for all fedauth authentications.

Security benefit – MFA reduces the ability to compromise an account with just a password, and provides a forced timeout Privacy benefit – this has the ability to raise the barrier of entry to sensitive data for specific users Grant and research bonus – by having higher security controls, we can demonstrate more systems compliant with stricter security standards, which means more ability to meet system requirements more broadly for grants tied to sensitive or controlled data handling Compliance benefit – GLBA, SOC, ISO 27001K, PCI, and NIST 800-171 standards all expect MFA. It is easier and less expensive to meet requirements from these types of audits with a central authentication system protecting data and access with MFA.

Classroom Capture is an automated lecture capture service provided by OIT at CU Boulder. The service is currently available in 50 classrooms across campus and is used by approximately 45% of courses scheduled in classrooms equipped with the technology. Feedback from both instructors and students highlights the high value of Classroom Capture, with recent Academic Technology survey results showing strong satisfaction with the service. This project aims to identify opportunities to expand the availability and adoption of Classroom Capture, with a particular focus on increasing its use among first- and second-year courses. The goal is to assess the requirements and opportunities for extending Classroom Capture services to the majority of these courses, ensuring broader access and enhancing the learning experience for students across the university. By enhancing lecture capture in foundational courses, we aim to provide students with greater flexibility and access to course materials, particularly during the transition into higher education when they may face new academic challenges. Capturing lectures in these introductory courses ensures that students—many of whom may be adjusting to the rigors of university-level coursework—have the opportunity to review key concepts at their own pace, revisit complex material, and improve retention. This is particularly valuable for students who may need additional support to succeed in these critical early courses. Data analysis will be conducted to identify the classroom locations where most first- and second-year courses are scheduled. An analysis will also be conducted on first- and second-year courses that have previously utilized Classroom Capture, examining which classrooms they were scheduled in. One potential data point for analysis is the correlation between courses that utilize the Classroom Capture service and student outcomes. By examining this relationship, we aim to assess whether the availability of recorded lectures impacts overall success in the course. A central focus of this project will be working closely with the Office of the Registrar’s Academic Scheduling team. The project will review current classroom scheduling processes, specifically seeking to understand how classroom assignments are determined based on technology needs. As a result, this project will collaborate to provide recommendations on how the room scheduling process can accommodate enhanced course technology needs related specifically to Classroom Capture. Our data shows that one of the main barriers to adoption of Classroom Capture service is a lack of awareness about the service and the benefits it offers. This project will explore and identify opportunities to raise awareness on the benefits of the Classroom Capture service to encourage greater adoption.

The results of this assessment will help us identify optimal paths to expanding access to course recordings by providing Classroom Capture services to the majority of first and second-year courses. This increased availability ensures that a larger number of students have the ability to review lectures and course material at their own pace, improving retention. It also enhances flexibility for students, enabling them to catch up on missed content or reinforce their understanding of key concepts. Providing automated Classroom Capture technology in more classrooms will significantly reduce the amount of time and effort required from instructors to record each class session, allowing them to focus more on teaching and less on administrative tasks. By automating the process, instructors can easily provide high-quality course recordings without the need for manual intervention. By expanding the adoption of Classroom Capture across more courses, this project will lead to a more efficient use of the existing platform infrastructure. With greater utilization, the cost per course for delivering lecture capture services will be reduced, maximizing the value of current resources.

Design and build of the new south pod, readiness for new equipment in ~Q2FY26

Wider cabinets can accommodate expected compute needs for Alpine Upgrades at an appropriate time to cause minimal disruption Critical Equipment on support contracts

This is phase three of the Inventory, Equipment, and Asset Tracking Solution (“IEATS”) project and is intended to result in the full implementation of a tracking tool no later than July 1, 2025. During phase one of this project, it was identified that OIT lacks unified inventory, equipment, and capital asset procedures and tools. Because of this, OIT is not able to easily comply with financial reporting requirements related to the proper recording of inventory and reporting of capital assets. Many of the current processes for such work require heavy manual intervention and the use of disparate software tools and spreadsheets. Additionally, OIT does not have a clear understanding of inventory, equipment, or capital assets under its custodianship which may be contributing to unnecessary, untimely, or duplicative purchases, inaccurate depreciation calculations, the inability to leverage warranties, and questionable property disposal decisions. The conclusion of phase one resulted in a recommendation to launch phase two which focused on requirements gathering while identifying possible tools that would address the issues documented in phase one. Upon the completion of phase two, OIT’s Cabinet approved the selection of ServiceNow as a solution to OIT’s current inventory, equipment, and asset tracking and reporting problem. The third and final phase of this project will include the acquisition of the necessary ServiceNow modules and licenses, identification and selection of a consultant to assist with process mapping, implementation, and integrations, the ingestion and validation of OIT’s FY25 capital asset data, and will conclude with the full launch of a tool capable of tracking and reporting all of OIT’s inventory, equipment, and capital assets purchased on July 1, 2025 or later.

Manages audit risk for lack of compliance with accounting standards Reduces manual processes Yields better purchasing and disposal decisions Creates consistent processes for OIT and enables a pilot project that could be adopted by campus

Brand Indicators for Message Identification (BIMI) is an emerging email standard that allows organizations to display their official logo next to authenticated emails in supported inboxes, such as Gmail and Yahoo. To enable this functionality, the sending domain must have strong email authentication in place—specifically, a DMARC policy of quarantine or reject. BIMI enhances brand recognition, builds recipient trust, and helps users visually identify legitimate communications. For CU, BIMI is particularly valuable in strengthening the institution’s digital presence and safeguarding against phishing and spoofing attacks on external sends. By prominently displaying the university’s logo in inboxes, it reinforces credibility with prospective students, alumni, donors, and other key audiences. BIMI also aligns with cybersecurity best practices by requiring full adoption of DMARC across all email-sending subdomains. To implement BIMI, the university must ensure that all relevant domains and subdomains are properly configured with SPF, DKIM, and DMARC. The flagship domain already meets this requirement, but several sub domains will require updated DNS and DMARC records. All subdomains that send mail will be required to be at least p=quarantine unless the owner provides a reason to remain at p=none. In addition, a BIMI-compliant logo must be created in the correct format, and a DNS record must be published pointing to it. A Verified Mark Certificate (VMC) is also required to authenticate the logo. BIMI is targeted at external marketing and advancement messages. It is supported by Apple, Google and Yahoo, but not Outlook at this time.

The university logo is displayed next to emails, increasing brand recognition and trust. Reinforces the university’s brand with every email interaction. Requires DMARC enforcement, helping prevent email spoofing and phishing. Provides a visual trust cue to distinguish legitimate emails from phishing attempts. Recognizable branding can increase open and response rates. Proper authentication improves email deliverability and reduces spam filtering. Demonstrates professionalism and modern cybersecurity practices. Protects the university community from malicious impersonation attacks. Positions the university as a leader in digital communication and security.

This project intends to enable sensitivity labels for data, email and Teams chats on the O365 environment as a step towards closing security and compliance gaps within the commercial O365 tenant. Closing these gaps is a prerequisite for future projects on the O365 space, including storage futures, AI initiatives and email security. Sensitivity labels allow users to set boundaries on how their data, emails and chats are shared with others. They persist across the O365 environment and to many 3rd party applications and can prevent forwarding, sharing and can be used to set encryption requirements for the data. Enabling these labels would immediately help users of confidential and highly confidential data on campus, such as OIEC, HR, researchers, and the Registrar. The technical aspects of this project were largely completed a few years ago, although some testing is needed to ensure the policies created are compatible with O365 changes since the first effort closed. This is being chartered to cover the communication and training needs to roll out sensitivity labels to the campus and to cover the resources needed to conduct a pilot with OIEC or HR. Once the rollout of sensitivity labels is complete, many users who rely on the Large File Transfer service to share sensitive information can share this same data straight from OneDrive or Teams, reduce the number of copies of that file that are being created. Likewise, departments who rely on PGP to protect highly confidential data and must first decrypt the data prior to sharing it can now transition their storage of the data from UCB and the PGP solution to a Teams storage solution.

Prevent data leakage and move the commercial tenant to a higher security level, closing the gap with LASP and GCC. Educate users on the usage, importance and need for sensitivity labels. Prepare the O365 environment for AI integrations in the future. Meet the needs of HR and OIEC data storage in the O365 environment Take a step towards meeting higher compliance requirements in NIST 800-171

The need for this project is from internal and external forces that are working together to change the landscape of data storage in higher education. CU Boulder’s storage vendors, Google and Microsoft, have each determined that unlimited storage for high education users is an unsustainable business model. Google implemented storage quotas, which kicked off the storage war, with Microsoft following suit in the summer of 2023. CU’s current Microsoft multi-campus contract runs through 9/31/2025, allowing a short runway to create and implement a storage strategic plan. In addition to the changes made by our vendors, our Federal and State research and grant partners have begun migrating towards stricter Data Lifecycle Management (DLM) and Data Loss Prevention (DLP) standards, meaning CU Boulder must adapt, or potentially lose research grants and researchers. To addresses these changes, OIT is proposing a broad ranging effort that hopes to establish a strategic plan and roadmap for the storage of data of all classifications, origination sources and retention periods on the CU Boulder campus. In addition to the strategic plan, known tactical and operational deliverables to communicate and enforce the strategic plan are also in scope. Currently unknown tactical and operations deliverables may spawn future projects as part of the roadmap deliverable.

Unified storage strategy, regardless of vendor, or affiliation type Enhanced and unified view into data loss prevention and data classification labeling Campus wide plan for data lifecycle management Campus education of data classification levels, DLP policies, data related policies and the enterprise storage options available to meet CU business requirements

We have identified a strong need for uniform, easily accessible, and accurate usage data across more than a dozen technology tools within the OIT Academic Technology (AT) team umbrella, such as Canvas and Zoom. Improved access to this data will ultimately enhance our ability to support student success and will help us better connect the campus’ needs for technology with the most relevant solutions. In the current state, we have limited and extremely variable reporting (e.g. non-standard personnel identifiers, different ways to access and present data, etc.), and don’t have a way to combine the data across tools in an easy and useful way. Each tool’s usage data comes from a different place making it difficult to determine important metrics like comparative usage (e.g., number of instructors using each tool) and cross-usage (if student A uses Canvas, does student A also use Zoom, etc.). Without regular data importing, the time to refresh data for current week, month, or even semester and year is time-consuming. Current data reporting sources across AT Tools: • Canvas: Canvas Data 2 Database, API • Zoom: Looker Dashboard updated through D&A git script, API • Lecture and Classroom Capture: self-reporting, internal logs • Canvas Studio: API • iClicker: vendor sends report • Enrollment Statistics: CU Data • Course/Faculty Statistics: CU Data • Employment Tables: HCM Personnel Roster • Affiliation Tables: D&A request In this project, AT and D&A will develop the initial data connection and maintenance of service and tool data belonging to the Academic Technology (AT) Team into the Snowflake data mart, managed by the Data and Analytics (DA) Data Engineering Team. This will include usage data and other available tool data for applications supported by AT including but not limited to Canvas (Canvas data ETL integration), Zoom, MediaSite Lecture and Classroom Capture, iClickers, Canvas Studio, PlayPosit, Digication, and Qualtrics, etc. To keep the scope of the initial phase manageable, we will define a limited set of high-priority data points and tools to integrate first. This will include only the most essential metrics needed to demonstrate value and support decision-making. Once the foundational connections are in place and validated, we will iterate and expand the dataset incrementally—guided by team capacity, evolving needs, and feedback—by incorporating additional tools and metrics over time.

Data consolidation and regular refreshes. One stop reporting and dashboard tool Efficiencies in data management. Greater understanding of data available to us from different tools AT supports and other datasets and metrics available to us from Campus via the Data Mart.

The objective of this project is to pilot a deployment of Cloudforce’s nebulaONE AI platform to test three separate chatbot use cases and to evaluate the tool for potential wider campus use in the future. This project will help OIT in determining whether Cloudforce’s nebulaONE has the potential to be a future foundational service bringing the power of AI, especially in the administrative efficiencies space, to students, faculty, and staff without requiring a technical background through specifically defined pilots. The three test use cases all entail the creation of AI-powered chatbots that rely on internal or external campus sources of truth and can all be successful while utilizing only public data. Although this pilot is testing use cases that require only public data, nebulaONE will be evaluated for the increased capability that would come with the ability to utilize confidential data in the future. Selecting these use cases based on their low security risk will speed up implementation and evaluation as well as avoid significant cloud infrastructure development and configuration before evaluation can take place. NebulaONE has the capability to utilize protected data within our Azure ecosystem which is where this tool may provide a greater value proposition in the future, compared to other available options. Background information on the nebulaONE platform: NebulaONE is an AI tool created by Cloudforce, a Microsoft partner. NebulaONE offers the functionality to tie Large Language Models (LLM) to enterprise sources of truth to provide an institutional RAG tool that we anticipate would be in high demand primarily in the form of internal or external chatbots. Representatives from CU Boulder have been in touch with a current nebulaONE customer, University of Washington, and learned that the tool has a wide variety of potential uses within higher education (including a class tutor, accessibility assistant, resume critiquing tool, a medical training interview tool, student worker scheduling assistant, etc.). nebulaONE shows considerable potential to fit our campus’ needs and is situated in a beneficial place along the “build vs. buy” continuum where decisions need to be made on the best path to offer AI functionality to campus. nebulaONE is one of the most user-friendly and intuitive tools for customers to create their own solutions while offering administrative controls to centrally support access to the whole campus. There is a low cost of entry since there is no licensing fee and the only expected cost is for token usage through our existing Azure subscription.

Decrease the time and effort that administrative staff spend answering common and repetitive questions/support requests. Software Development Team and OIT staff gain experience w/ LLM technologies and chatbot use cases. Helps inform OIT if a future possible foundational service should be offered by OIT, one that is not dissimilar to our cloud foundations service, but for AI making it accessible with guardrails.

Students, faculty and staff on the CU Boulder campus have a need for flexible and continuous access to software, either through remote access to physical computers or via virtual applications or desktops. While we have deployed Turbo.net and Splashtop solutions as immediate solutions to meet remote software needs, the Apporto pilot demonstrated that Apporto would be the best solution to meet the future needs of our labs and other campus groups. The purpose of this project is to create a service for Apporto that will allow for its expanded use across campus. The project will: • Determine the costs for offering Apporto to campus and an on-going sustainable funding model. • Establish a service for remote and virtual software delivery. • Communicate the capabilities and availability of the Apporto service to a broader range of campus customers.

24/7 access to software by students, faculty, and staff. Delivery and support for solution can be scaled to support access from all campus customers. Seamless, consistent, and efficient experience for customers accessing software. Enhance student equity by providing learning resources and support, ensuring all students have equal opportunities to succeed.

The current Faculty Information System (FIS) at CU Boulder is no longer capable of meeting the university’s needs, necessitating its replacement. The following critical issues highlight the urgency: • In-House Oracle Support: The Oracle Database core of the FIS ecosystem was designed and implemented in the 1990s. OIT no longer supports these Oracle database technologies which impacts the maintenance and enhancement of the FIS core and key components. • Outdated Requirements: The current FIS ecosystem design reflects foundational business requirements and paper-based workflows in place from the 1990s through the mid-2010s. It will not be able to evolve to meet new requirements without a transition to a modern architecture. • Manual Data Entry: Lack of bi-directional integrations between DocuSign, OnBase and HCM requires manual data entry in FIS and other systems. This necessitates redundant manual data entry wasting valuable staff time, increasing the risk of errors, and negatively impacting productivity and employee morale. • Data Sharing Limitations: The system was not designed to share data with current campus and System data services and APIs. This compounds non-technical inefficiencies, duplication of effort, and barriers to collaboration. • Operational Risks: The above limitations compromise operational efficiency, data accuracy, and user satisfaction, rendering the current system unsustainable for future academic, research, and administrative operations. To address these challenges, CU Boulder must select and implement a modern approach that: • Aligns with contemporary and emerging business and technical requirements. • Enables seamless data sharing and integration across systems. • Minimizes or eliminates redundant manual data entry. • Considers “best practices” at peer institutions and favors commercially available software targeted at faculty processes.

Reducing the need for custom software maintenance and development by using vendor solutions. Minimal configuration and integration effort is the goal. Reducing manual data entry, data management, and data reconciliation with HCM and other data sources/systems. Improved integration with other System and Boulder campus systems, e.g., HCM, DocuSign, and OnBase. Reduced end user support effort. Improved reporting. Improved user experience and end user support/documentation/training. CU Experts Direct use case by CU Class Search web site managed by Registrar. CU Experts Direct use case by Web Express Faculty module(s). CU Experts public profiles or replacement solution.

To better ensure the integrity of the shared information technology environment as it relates to end-user devices, all university-owned end-user devices, and personally-owned end-user devices that access or store university data, must meet the following conditions: For university-owned devices: • Enrollment in an approved endpoint management tool that reports security posture, such as MECM or Jamf Pro • Hardware and software asset tracking using the campus standard asset tracking tool (Eracent) • Public safety emergency notification client software (Alertus) • Up-to-date antivirus and anti-malware software • Full disk encryption • University data stored on enterprise standard cloud storage (OneDrive) For personally-owned devices: • Up-to-date antivirus and anti-malware software • Full disk encryption • University data stored on enterprise standard cloud storage (OneDrive) There are three overarching objectives of this project to reach this goal:

1. Develop and obtain approval for the Certified End-user Device policy by having it run through the official policy proposal & adoption process. This policy will address both university owned and personal owned devices.
2. Create the infrastructure and processes needed for ensuring all new end-user devices procured through the university comply with the end-user device policy requirements. Create guidance, best practices, and certification process.
3. Create the infrastructure and processes needed for remediating existing university owned end-user devices to comply with the certified end-user device policy.

Increased security of university computing assets including personal and university owned data Reduce risk to university intellectual property Simplicity and consistency to procure and deploy Lays groundwork for consistency in support Visibility into enterprise procurement practices to drive efficiencies and cost savings

The Data and Analytics Website Phase 2 project will enhance the user experience and functionality of the D&A website. The scope includes a comprehensive redesign of the front page, improving accessibility for public reports, and refining intake forms and processes. Metadata improvements by the Data and Analytics (D&A) team are a key focus, including quality control, revision processes, uploads, and feeds. Enhancements to search functionality, such as taxonomy and relevance, are also planned. However, the accessible Tableau module is not within the scope of this phase. The project approach involves several steps: redesigning the D&A front page, gathering requirements through interviews with the D&A team and collaboration with the Information Design team, conducting initial usability studies with key and general users, and providing recommendations in a report. UI designs will be created and tested with users before implementation. Metadata will be cleaned up and refined by the D&A team, with updates to internal documentation and automation of feed uploads, supported by the Information Design team. Information Design will test and implement these changes to ensure seamless integration and improved user experience.

Improved User Experience – Redesigned and Accessible Improved Search – Metadata, taxonomy and filtering

This project will evaluate and recommend a centralized notification and alerting solution to support timely, automated communication across OIT services. This initiative responds to several recent service interruptions where OIT struggled to quickly and effectively identify and notify the appropriate service teams and support groups. The current notification system is aging, difficult to maintain, and lacks the flexibility needed to meet modern operational demands. The project will involve gathering technical and functional requirements from OIT service teams, identifying and piloting potential solutions, estimating costs (including training and implementation), and determining long-term ownership and governance. The effort will also produce a migration and documentation plan to support eventual implementation. For clarity, the following definitions apply within the scope of this project: • Alert: A system-generated message produced by an existing monitoring tool in response to a detected issue or condition. • Notification: A communication (such as an email, page, or similar message) sent to users or support teams to inform them of an issue identified by a monitoring system. This project does not include any changes to, or development of, monitoring systems. It is focused solely on evaluating and recommending solutions for distributing alerts and notifications generated by those existing systems. Important Note: This project will not include the procurement or implementation of the selected solution. Those activities will be handled through a separate project charter once a recommendation is finalized.

Improved incident response and reduced downtime. Increased visibility and accountability in service operations. Potential cost savings through tool consolidation and license management. Better support for hybrid work and learning environments. Standardization of alert processes and governance.

Broadcom completed the acquisition of VMware in November 2023, a deal valued at approximately $61 billion. This acquisition has brought significant changes, particularly in how VMware’s products are marketed and sold. Broadcom has shifted from perpetual licensing to subscription-based models, which has led to increased costs for many organizations. Universities are navigating the changes brought by Broadcom’s acquisition of VMware in several ways:

1. Cost Management: Many institutions are facing increased costs due to the shift to subscription-based licensing. To manage this, some universities are negotiating better terms or seeking alternative solutions to balance their budgets.
2. Strategic Planning: Universities are re-evaluating their IT strategies, considering cloud migrations, and exploring other hypervisors to reduce dependency on VMware. This involves careful planning to ensure minimal disruption to their operations.
3. Training and Development: There is a significant focus on upskilling IT staff to handle new systems and licensing models. This helps ensure that the transition is smooth and that the staff is well-prepared for the changes.
4. Vendor Relationships: Institutions are also working closely with vendors to understand the full impact of the changes and to find the best solutions for their specific needs.
5. Community Collaboration: Universities are collaborating, sharing insights and strategies to cope with the new landscape. This collective approach helps in finding effective solutions and mitigating challenges.

Potential Cost Savings: Alternatives to VCF can potentially offer more cost-effective solutions, helping OIT manage their budgets more efficiently. Flexibility and Scalability: Virtual Infrastructure solutions provide flexible and scalable options that can better adapt to the changing needs of higher education institutions. This ensures that IT infrastructure can grow alongside the UCB requirements. Avoiding Vendor Lock-In and risk associated with it: By exploring different Virtual Infrastructure options, universities can avoid becoming overly dependent on a single vendor. This increases bargaining power and reduces risks associated with vendor-specific issues. Specific to Broadcom, they do not have a great track record of supporting and continuing innovation around products they have purchased. Enhanced Security: Some alternatives may offer advanced security features or better compliance with specific regulatory requirements, which is crucial for protecting sensitive academic and personal data. Improved Performance: Evaluating different solutions can lead to the adoption of technologies that offer better performance and reliability, enhancing the overall user experience for students, faculty, and staff. Innovation and Modernization: Exploring alternatives encourages the adoption of the latest technologies and innovations, which can improve operational efficiency and support modern educational practices. Community and Support: Some alternative solutions have strong community support and extensive resources, which can be beneficial for troubleshooting and optimizing the IT environment.

This project will address the ~113 Red Hat Enterprise Linux (RHEL) 7 servers within OIT that will reach end-of-life support on June 30, 2024. RHEL 7 will no longer receive stability patches and security updates after June 30, 2024. As such, the services on these servers must either be migrated to new servers, migrated to other platforms (cloud native or containers), or retired/decommissioned. The breakdown of these systems and the service teams responsible for them are as follows: Group RHEL 7 Systems Description DATA 15 Data driven services (Data + Analytics, including EDB) AS 31 Academics and Student Services (FIS, ATAP, Buff Portal) SEC 36 Security, IAM, M&C NEO 15 NEO, Data Center, VOIP, Paging PE 5 Platform Engineering LNX 11 Linux Platform Engineering As part of the project, we will document the systems that have campus border firewall exceptions and how many do not. We will also determine which systems will require Red Hat Enterprise Linux Extended Lifecycle Support. Failing to

Reduce our security risk as an organization. Services migrated to supportable platforms allowing for continued development/improvement of the service if desired by service managers.