Child pages
  • CTG Meeting 2013-03-22
Skip to end of metadata
Go to start of metadata


Notes and Meeting Outcomes

Thanks to all for an engaging discussion.

Two major themes emerged from the discussion as we wrestled with a way to articulate our current objective challenge and how we could address it as a working group.

1) There's a strong need for resources that support education and awareness, sharing of best practices and so on around contractual issues and approaches for managing the explosive growth of cloud services and devices that can present major benefits and major risks to our campuses.   The great news here is that we have sister working groups ( for example the Vendor Terms and Conditions team)  expressly chartered with helping us all with these issues.    

2)  Perhaps the best way for us to illustrate the issues of benefit versus risk/exposure would be to take a look at specific case studies.    Candidates that were discussed include Evernote, Google Docs, Github.   Clearly, we need a framework that supports qualification and quantification of the issues surrounding the services. Patrick will start a Google doc and will send it out to the group. Part of our challenge will be to pull enough data together that helps to show whether a challenge  to the Regents' ruling is worthy.

Other points made...

  • Google analytics was another example that presented OGC indemnification issues with the Regential standing order. Risks for privacy / security.  What are the levels of risk and conflicts with ECP?   Behavioral, privacy, etc.
  • Could the information being put in these services be eligible as institutional records.  How will this be managed / retention and discovery issues? Other data ownership/privacy.  Refer to work on T&C's already in progress.
  • Scoping of App environments – consumer oriented, small companies, not really enterprise strength / data liberation, data in a safe place.
  • Steve Lau – What is the leverage we can get from the i2 Net+ work?  It's certainly the case that any terms from external groups like I2 may be in conflict with our constraints at UC.  Lesson is that while these other resources exist, we still must do UC (and in many cases campus) due diligence.
  • Dave - contracts can be leverageable. Indemnification clause is one of the key difference (as a constitutional institution).  Other area is related to the ECP – we are tighter and tougher than most.  I2 service doesn’t guarantee us that it will work for us.  
  • Steve - we need to follow up with other benchmarking opportunities with other universities.
  • Charlie – is there a pattern of language for contracts?  Steve – no yet.  Dave – there is some emerging language coming from Box/Office365 that could probably be used. 
  • Charles from Santa Cruz – some systems we need controls on.  Github is used widely – should we be using this? What are the exposures?
  • Education needed.  Governance and policy to protect UC users from these services.  Different classes of users. Rights to the information if you decide to commercialize it later.
  • Distribution of Steve’s UC issues?   Need to get Steve’s permission to distribute more widely. 
  • Janine talked about her experience at Santa Cruz – opened up consumer apps to end users on campus. Performed an internal review for each. Did not allow revenue collection apps (based on internal controls), did not allow 3rd party apps. Google only.   Promoting user education as a way to promote proper use of the non-core.  Janine will see if she could share more details.
  • Article “losing control and loving it” was mentioned as a good paper that explores the growing difficulties of consumer apps in an enterprise setting. Is this the Link?  Does someone have a summary to share?

Action items

  • Patrick will propose a framework for the case studies described above, and distribute through Google Docs.  (which was not performed)
  • Steve Benedict  - can we get copies of some of his resources to distribute across the group?
  • Anyone know how to get a copy of the "losing control" article to share?



Original Agenda

Patrick McGrath, App Suite Subcommittee Chair will be leading

11:00: Welcome, check-in

11:05: Review of Last Action Items

11:10 Discussion and Approach

Brief: The focus is on identifying risks and impacts of using App Suite services - including core services such as email and calendar and document sharing, but also especially non-core services such as Google Analytics, Google+, Youtube, Blogger -- or non-Google services such as Evernote. 

The ITPS needs input on how policy should respond to potential risk scenarios, ie, "what could possibly go wrong?".  

Scenarios will help our policy and risk management people understand the risks and how to address policy.  This will also help in articulating possible exceptions or future direction with regard to the standing regent rule on third party indemnification.

Questions to seed the discussion (with a couple of assumptions):

    • What is the scope of "App Suite services" that will help us to also scope our benefits and risks discussion.
      • or alternatively, how do we want to organize the domains offerings that will help us to qualify what the benefits and risks are for these areas so we can explore institutional impacts.Something like this?
    • Would it be beneficial to compile a list or inventory of what we are actually offering at the campuses, maybe projects in process for offerings, and what we KNOW is being used by individuals?  
      • I can see this might be a way to show the fact that institutional activities are already being conducted on consumer-level agreements/SLA's.
    • Are there known challenges, case-studies, mishaps that are taking place by the fact that unsanctioned services or uses of services are in-fact in wide use.
      • Challenge: UCB released Box on campus. One of the major selling points is the wide network of 3rd party providers who provide additional specialized services on top of Box. But we cant allow them to use it.
      • Mishap: Students figured out how to use an unrestricted API (possibly via screen-scraping) and downloaded 10,000+ email addresses.  They then sent those people unsolicited email, apparently as a test message. Oops.
    • What should a deliverable to the ITLC look like?
      • How should we structure it?
      • What kind of timeframe makes sense AND is achievable?
      • How can we break down the data collection and writing?

11:50: Review Action Items


  • No labels