Wireless Networking - Planning Shift

I'm working on how I will explain the wireless network expectations shift to my campus.  The following story is where I am starting.

Legacy:

Wireless networking was first implemented around 2000 as a service to fill gaps in locations that were underserved by wired networks, especially in the Residence Halls.  In early 2003, we developed a campus-wide wireless network plan. In 2003-2005, we completed expansions into Dodge Hall, Kresge Library, Pawley Hall and Elliott Hall.  By 2006, funding for expanding the wireless network was not available.  All funds were used to refresh or maintain the existing wireless network.  A proposal was submitted and approved for a base budget increase in June 2006.  This enabled a campus wireless network that met the requirements of coverage and roaming.  The wireless culture moved from a “gap provisioning” to a “coverage provisioning” model.  We stilled viewed the wireless network as a convenience and not the main business network, and security was handled to that lower standard.

Culture shift:

Today’s community expects shows a culture shift:

•  Wireless must meet a standard of preferred access point, as a primary network, not just a convenience network.  The standard expects a client who is using the wireless for primary work, and not just for roaming access.
• As a result, the current wireless network technology provider is no longer meeting service expectations, for us or other clients.   
• Density to handle volume is expected, not just coverage.  We have an increasing number of requests, for example, for an entire classroom to access the same resources on the wireless at the same time.  Students are carrying more devices that connect, such as a smartphone and a tablet at the same time.  This translates into greater density, which means more wireless access points are needed in a space, and more capacity for traffic is required on the network backbone.
• Those using Internet Native Banner are increasingly asking for the security to access Banner on the campus wireless network.  That capability is not currently available.  As departments buy more tablets and devices that do not have wired connections, we soon expect this to be a wireless network service requirement.
• There are more requests for guest access, particularly for events.  This is currently in review with legal.  If we open the network to the community, that just puts more traffic burden on the network and increases the need for greater density.
• The vision is “stadium density.”  Imagine 60,000 fans showing up at the Super Bowl, as happened this year, and all expecting to connect to the wireless network to access the same resources at approximately the same time.  While we likely will not have to match this standard, this is the vision we need to keep in mind.

Action Steps:

UTS completed a Request for Information from all key wireless vendors.  Based on the vendor responses, several vendors were invited to temporarily implement their product in the Oakland Center.  The results showed two product vendors met university requirements.  An RFP will soon be released to obtain pricing from those vendors.

Under the current university funding model, we will be able to annually replace 20 to 25% of the wireless footprint, as it existed in 2006.  We expect the new Engineering Building to be the first building with "stadium dense" wireless, meeting the community's expectation for wireless, and funded with the building fund. 

We do not have funding to accelerate the wireless network technology shift, including changing to a more robust platform and installing additional wireless access points.  We do not have funding for a technology refresh in the Human Health Building in 2017-2018.   The result will be a growing gap between the provisioned level of wireless network service and the service level expectations of students, faculty, and staff using the wireless network.   

Benchmarking, Trending, and Inspiration

Have you ever followed Bill Cunningham in the New York Times?  You can read about him here:  New York Times - Bill Cunningham On the Street

His life story fascinates me.  Cunningham is a photographer.  He mostly takes something that might be called fashion photography, but I would call it art photography.  He moves through the city of New York looking for fashion trends.  I have to say that carefully.  He isn't given an assignment like "Take photos of red coats" and then he looks for red coats to photograph.  He studies and watches and observes until the trend emerges before his camera.  He seeks inspiration from the visual world he sees on the street.  There's a terrific documentary about his work.

Cunningham started his life's work as a photographer on the street during World War II.  He still bicycles around the city and his photos gather attention.  You can watch current video clips with him narrating what he is seeing:

• Coat of Arms
• Legs of Manhattan

So much of what we talk about in information technology centers around analytics and data trends.  There is much discussion about looking to our data to find trends, and to benchmark where we are compared to our peers.  There is certainly a value to using the past and our data in order to understand the road we travel.  We need data analytics to inform our decisions.

Bill Cunningham inspires us to look around ourselves, and to be intensely observant.  He doesn't gather data about how many red coats are purchased, and then go out to take photographs about red coats.  His is not a data-driven endeavor.  There certainly is a value for merchandisers to track data that way, but observational trends add value to that discussion, particularly if you want to be creative and forward-thinking.

We need to observe details around us.  Trends happen right in front of us, if we pay attention.  We can't lose sight of what is around us and in front of us.  What paths do our students choose to walk right now?  What classes are they taking now?  What are they telling us?  We can be inspired to find links and connections in what is happening now.  This is the creative edge and allowing ourselves the time to observe, synthesize, and connect details is inspirational and motivational, as we try to invent our technology future.

Working with People with Issues

Recent events remind us that we all can be vulnerable in our schools and universities.  While external people are often the sources of violence in our environments, violence in the workplace, triggered by disgruntled and angry employees or former employees, is a real issue.  Perhaps we can share insights so we all can better protect ourselves.

I've worked with people who were struggling with problems.  In a few and rare situations, a couple folks moved beyond the usual anger and frustration that you can see in tense and stressful working environments.  These are "red flag" cases.  I'm not a psychologist or mental health professional, so I can only speak from personal observations.  Maybe if we all share observations, we can get smarter about how to handle situations and prevent harm to those around us.

What I've observed:

• Some people can get angry and frustrated easily, but generally, this is an emotional maturity issue that just requires mentoring.  When you talk through a situation with that individual, they hear what you are saying and they are able to see how their anger hurts themselves. 
• A few people seem to enter onto a path where they are unable to act in their own best interest. Their anger or reasoning of situations leads them to make decisions that are just not beneficial to themselves.  An individual may have angry outbursts in a management meeting, and when you approach that person to discuss the situation, the individual justifies the angry outburst and does not reflect on the situation.  And the individual may continue to demonstrate the same behavior, even though you've warned the person about the negative consequences from their behavior.  The individual may over-react to any perceived criticism.   Some people seem to just completely lose the ability to recognize that their actions are working against them.  A defensive and hostile attitude is demonstrated.  The individual is consistently belligerent when behavior is discussed.  
• One behavior that commonly emerges is ignoring or breaking rules and policies.  It may start small, like not parking in an assigned parking space or not following department procedures for reporting being out of the office.  Increasingly, the person does not feel the need to comply with basic rules, and when confronted, is unable to comply with rules in a way that is in the individual's best interest.
• Another typical behavior is isolation.  The individual will separate and not join groups for lunch or campus events.  The individual will not engage or will avoid typical office conversation, even simple stuff like "Did you watch the football game Sunday?".   You may note someone becoming invisible in the department. 
• One therapist I spoke with suggested that some people need to build up anger, almost to build up a head of steam, to make themselves feel important and to have a real presence.  They feel dis-empowered and invisible.  Demonstrating an angry outburst puts them at the center of all attention.  It gives them a sense of power, because they now control the conversation and the attention.
• A behavior labeled as grandiosity, a state of being delusional about one's importance, may be displayed.  The individual may appear overly boisterous about his job title, role, or decision-making authority.  Another behavior that can be inappropriately displayed is moral righteousness; the individual believes he or she is are totally right and others are not following the rules.  

When we find these situations on our campuses, we probably try to act specifically:  avoid confrontation, do not question, minimize the situation, and report it to Human Resources.  You may have a campus behavioral concerns committee, and that group should also be informed.  My personal experience is that when you see someone not able to act in their own best interest, and demonstrating outbursts timed to attract attention and get control of a space, you must confront the behavior immediately and consistently.  You should characterize this as "red flag" behavior.  Lack of confrontation further empowers the individual and over time, the situation worsens.  It does not get better on its own.

In summary, the red flag characteristics:

• Unexplained, ongoing anger that may appear as a quiet, seething edginess or loud, emotional outbursts.
• Inability to recognize and act upon a positive path that is in the individual's own best interest.
• Belligerence or silence when behavior is discussed. 
• Over-reaction to criticism.
• Overly defensive or hostile attitude, especially when confronted about unacceptable behavior.
• Deflects responsibility for unacceptable behavior to other rationales, moral righteousness, or actions from other people.  Accusatory behavior with co-workers. 
• Breaking rules, even just a series of small rules, and an unwillingness to discuss or correct the behavior.
• Changing work schedules without approval, disappearing, or working random hours.
• Isolation from co-workers and the campus community.
• Repetitively appearing anxious or confused.
• Behavior displayed as grandiosity.

If you encounter these behaviors, you must start keeping a journal noting the dates, times, attendees or witnesses, and a full description of the disruptive behavior or angry outburst.  Pay attention to the journal for patterns of similar incidents or increasing anger.  Monitor and retain technology messages and note any messages of concern in the journal. 

One challenge is that Human Resources or police (if contacted) will ask you if you or others have been threatened.  For most of us this is harder to answer than we might think outside of a specific event.  I've been in situations where I definitely felt threatened, even though no specific threat was articulated.  I've tried to use words such as intimidation and belligerence.  Sometimes the behavior might be described as harassment. 

But it is important to remember that a threat may be non-verbal.  Did the individual stand up?  Stand over you?  Invade your sense of personal space?  Slam a door?  Punch a wall?  These actions can all make you feel threatened, even if no specific verbal threat was issued.  Since we work in technical fields, be aware of threats that may come to us via technical resources (email, social media sites, etc.).  These may contain veiled references to violence.  Campus public safety or police units should be informed of any threat.

Human Resources often wants to provide cooling off periods or time to mentor the employee.  I believe it is important to recognize the behaviors quickly, confront the behavior promptly, and to report it to Human Resources immediately.   We may need to insist on immediate involvement from Human Resources. We all need to be comfortable communicating the degree that we felt threatened by the situation, and whether we perceive the behavior as escalating over time.    Use your journal to keep other units informed.  Push for attention to the issue.

Some reading that may be useful:

FBI Report on Workplace Violence http://www.fbi.gov/stats-services/publications/workplace-violence

Resources for Preventing Workplace Violence and Bullying http://workplaceviolencenews.com/

Important legal issues and court cases http://www.sgrlaw.com/resources/trust_the_leaders/leaders_issues/ttl13/869/

Book:  The Gift of Fear by Gavin de Becker (Thanks, Craig Blaha, for the recommendation).  http://gavindebecker.com/resources/book/the_gift_of_fear/

I hope you have tactics and strategies that work at your institution that you can share.  

Finding the Path

I have two Samoyeds, dogs that are bred to be on the move.   As a result, Thomas and I are committed to hiking every weekend.  We've been to our selection of local parks and recreation areas enough to know the trails.  Trails are clear paths.  You know where you are going, you can see where you've been.

We can see a water slide and park platform around a pond from one of our regular trails.  We've never seen people there.  We decided last weekend to take a side-spur to see what this platform was all about.  Hiking there we found an abandoned camp.  We then decided to hike on parallel to our regular trail, figuring we'd eventually find a path back to the trail.  Instead we found ourselves in a pasture, with some cows in the not-too-far distance, who were very interested in us.  Taking a hard right-angle, we figured we'd get back to the trail, only to find a pasture fence.  After hiking around, we found a spot to go through the fence. 

Then we had to hike cross-country through the woods.  This involves pushing through the faded rose brambles and stepping over logs.   We had to maneuver around a low-lying swampy area.  There was no path; nothing was clear.   At a higher point we paused to look for signs of the trail and saw nothing.

We were never lost, really.  We knew we were in the recreation area, and we even knew what section.  We knew which direction we left our car, and we knew where the trail was located, sort of.  But the path was not clear.  We kept going and found the trail, but we only saw it when we were about 10 feet away.

We talked about the difference of hiking on the trail versus hiking cross-country.  We both felt a very different sense of orientation.  Even when we rejoined the trail in a familiar location, we both continued to feel a sense of disorientation.  Our perspectives had changed.  We've noticed this just walking through our neighborhood, which we do daily.  Even walking on the other side of the street, or reversing the direction that we walk along the same street, gives a perspective change.

I am one to let my mind wander back to work items (probably too much).  This experience made me think about my experiences with project management.  Early in my career I worked in places where we had very locked project management processes in place.  EDS had very strict rules for project management in the 1980s.  I also worked in places where KnowledgeWare was used.  Another methodology was proprietary to the Arthur Young accounting firm where I worked.  The path for managing a project was clear, and we stayed on the path. 

When I first came to Oakland University, I brought those project management paths with me and tried to use them in the university environment.  I stuck with it for over 5 years, and felt there were some positives.  For example, one positive is that before the project management communications standard, there was a feeling at the university that the central IT organization didn't do or accomplish much.  With public project lists and joint priority setting, each silo became aware of the projects completed for other areas of the organization, and as a result, central IT's value became more apparent.

However, the path locked us out of seeing different perspectives and different ways to solve problems.  It was too easy to get locked into a particular way of seeing things, without understanding the value of the locked step.  Right now I'm more likely to try to shake things up, to see things from different angles, and to value fresh perspectives.  I also want the organization to be more agile.  If the shortest path is cross-country, we need to be ready to try it.  This is another way to create space in the organization for innovation.  Finding steps off the common path help inspire us all.

Capacity for Innovation

Discussions with fellow professionals at the Educause conference are engaging.  I so appreciate all the opportunities to speak with fellow CIOs and IT leaders at this conference.  I find this a time to pause and think.  That ability to pause and think is increasingly rare on our campuses as we try to go faster, move with greater agility, and do more with dust.

The phrase that caught my attention today was from Lev Gonick of Case Western Reserve University.  He spoke about reorganizing to create capacity for innovation.  I thought about the characteristics of that innovation.  It is time to think in one sense.  Innovation needs time to play and time to experiment.  It includes access to tools and techniques to facilitate innovation.  It needs time to experiment, make mistakes, and find solutions and resolutions to both the mistakes and the paths that led to the mistakes.

Innovation doesn't happen alone, in my view.  To be really effective, we need to create a community, a group with availability to think creatively together.  There's a synergy and a flow that gets created when a group has the capacity interact.

I am giving thought to how I can create capacity for innovation in my organization.

Conference Center Network Services

After spending much of last week scrambling to support creation of open wireless network "conference" services in the new campus golf clubhouse, I recognize that traditional campus networking and conference networking are different animals.  I'm learning the conference stuff; needs to be second nature in planning.  A couple folks asked me to comment more, so here's another opportunity to think this through.

Our campus has a limited access network.  All the clients connecting to the campus network are known.  We have limited public access in the library, but patrons must provide an identity and register.  We have limited public access in the student center, but again, participants have to register for an event hosted in the center.  We do not provide open, unauthenticated, public access.  This is due to several requirements for identification, such as limiting access to a limited resource to those actually paying for the resource or having some connection with the university (like students).  We also have determined how we want to respond to DMCA complaints and other legal documents requiring that we identify who is on the network.

When I go to our golf center, there are three constituent groups requesting wireless network access:

• University employees conducting university business activities.
• Event guests who are visiting for a defined event hosted under the terms of a contract.
• Pass-through guests, those dropping in for a round of golf and staying for a visit to the clubhouse.

There are differences in the requirements.  The differences may be characterized by roaming, service level agreements, accessed content, access density, and authentication, among other items.

University employees want to use the wireless network to access university services.  Access is protected by authentication and authorized use of services.  We try to make that network more secure by make sure that that devices are properly updated with anti-virus services and operating system patches.  This is a closed and controlled environment.

Event guests are represented by an event organizer.  The event organizer consolidates requirements into a statement of work associated with an agreement.  The agreement will provide for a certain level of guaranteed access with a service level agreement;  specifics are provided in the contract.  We are hosting a state PGA event, for example, and they have specific requirements for network provisioning.  When we hosted the national Republican presidential debate event last fall, the Republican organization planning the debate had very specific requirements.  This technical requirements are covered in the event hosting agreement.  When we sign agreements, we have to fulfill the services described in those agreements.  We may need to segregate a service for an event, with a separate SSID and password (like the Educause conference).  There can be a login storm at the start of the event or during schedule breaks. 

Pass-through guests expect network access without authentication.  We may just present a basic terms of service splash screen, and limit the network operation to general port 80 traffic.  These folks are generally checking communications channels (email and social media).  Their access typically does not roam.  There's no formal service level agreement.  They may congregate in specific areas, so there needs to be higher density of access points in some places (like food service areas).  We have determined we do not need to know who is on the network.

On the main campus, our students, faculty and staff access the network through a centralized authentication service.  We need to know who is on the network.  Students and faculty tend to login once and roam the campus.   The area they roam tends to be larger than those attending an event.   There isn't a single event organizer with whom we work to meet requirements.  We decide the services in central IT and deliver those services broadly.  We do see the same density issues in food service areas, but there's no service level defined in a contract.  We try to meet service expectations, not contractual terms.

That's probably a start of what I've learned, but I would appreciate questions and comments about what I've missed.






  

Policies and Procedures

As a CIO, I've been writing policies, guidelines, and procedures for a long time.  My technical background did not prepare me to write these kinds of documents.  I suppose my general education and business background did provide some preparation.  I worked in a law firm many years ago and had to write guidelines for staff members that satisfied the partners (who had a high writing standard).  I have a Master's in Public Administration and we covered many similar topics in that program.  Still, I've never really studied "writing information technology policy."  For a while I've been thinking we need a uniform policy and compliance guideline, but I'm not sure who could write it.


Several years ago, Rodney Petersen wrote a useful article for Educause Review:  

“A Framework for IT Policy Development” (http://www.educause.edu/ero/article/framework-it-policy-development). Another useful piece from the Educause is by M. Peter Adler: "A Unified Approach to Information Security Compliance"  http://www.educause.edu/ero/article/unified-approach-information-security-compliance.

This SANS chart is good, but you have to interpret it for policies:  http://www.sans.org/whatworks/applicable_sections.php.

This week I attended the Educause Campus IT Policy Workshop, led by Greg Jackson, Educause Vice President, Policy, Jarret Cummings, Educause Policy Specialist, and Kent Wada, Director, Strategic IT Policy and Chief Privacy Officer, UCLA.  This was truly a workshop, with strong presentations followed by case studies and discussion.  Links and materials to useful references were provided.  The event was a positive learning experience, even for someone who has been writing policy for a while.

As a result, I came back and reviewed our university policy template again.  Our university policies are posted here:  http://www.oakland.edu/policies.  Our information technology policies exist within the university framework, but I isolate them on our web site for presentation with other procedures and guidelines:  http://www.oakland.edu/uts/policies.    

I'm in the process of updating a half dozen policies to incorporate feedback from the external PCI auditor.  I am trying to organize my "policy thinking" and I am going to try to bring some consistency to the documentation. The PCI auditor had recommended that we separate all PCI elements into one PCI policy, but after the workshop, I am more convinced that the separate policies that are IT-centric still makes more sense, particularly for a university.  Too many components for regulatory compliance overlap.  It doesn't seem to make sense, for example, to have separate policies for FERPA, HIPAA, and PII data, when it all comes down to information and data security.  I also want to create policies that are not obstacles to what the university is trying to accomplish.

Once a policy is developed, our review and approval process is described here:  http://www.oakland.edu/uts/policies#governance  It is quite of bit of work to shepherd a new policy or a policy update through the process, but it is worthwhile. You hear different perspectives and sometimes you realize the policy needs to be worded differently.  Shepherding a policy also presents an opportunity to get support for the policy, particularly when the subject matter is difficult.

To help organize my thinking, I've created a checklist, posted here:  Policy Checklist

Anybody want to talk Policy?