OIT Project Portfolio Report

M365 Apps for Faculty, formerly called ProPlus, is a license entitlement added to A1 licenses that allows users to download the desktop version of Office 365 apps. Formerly provided at no cost by Microsoft, the cost model is changing so that ProPlus is an extra expense. Traditionally, we provisioned M365 Apps to A1 licensed users because it was provided to us at no additional cost. Because of the increase in cost (from $0 to $20 per user), we must reduce the licensed users and change ongoing provisioning rules to maximize our license use and minimize the cost impact. This involves removing the license from existing users. Concrete objectives for this project include:

1. Check with MS licensing specialist to validate our plan
2. Change eligibility rules for O365 license groups a. OIT-A1-Faculty-License group: No longer receives M365 Apps b. OIT-A3-Faculty-License group: Receives M365 Apps by default; A3 license provided upon request c. OIT-A5-Faculty-License group: Receives M365 Apps by default; A5 license provided upon request
3. Clean up O365 license groups a. Remove M365 Apps license from those who do not use it or should not be entitled to it (within the OIT-A3-Faculty-License group: remove 1805 inactive/ineligible accounts) b. Move O365 accounts to more appropriate groups (move 3072 accounts in OIT-A1-Faculty-License group to OIT-A3-Faculty-License group) c. Remove M365 Apps license from OIT-A1-Faculty-License group (affects 19,222 accounts)
4. Change provisioning rules for O365 license groups a. Only provision A1, A3, or A5 Faculty license and not M365 Apps to new employees
5. Develop request process for A1 Faculty license group members to request M365 Apps a. If approved, there will be a process to apply the A3 license to the user’s account.
6. Implement buy-your-own option for those we don’t/won’t provision a. OIT’s cost per license is $20/year (cost recovery model may change the charge to the user; estimated at $40/year)
7. Communicate and manage change to impacted users

Make MS Office software available to eligible CU affiliates that need it Ensure licenses that are purchased are consumed and used to receive the benefit of that license

To better ensure the integrity of the shared information technology environment as it relates to end-user devices, all university-owned end-user devices, and personally-owned end-user devices that access or store university data, must meet the following conditions: For university-owned devices: • Enrollment in an approved endpoint management tool that reports security posture, such as MECM or Jamf Pro • Hardware and software asset tracking using the campus standard asset tracking tool (Eracent) • Public safety emergency notification client software (Alertus) • Up-to-date antivirus and anti-malware software • Full disk encryption • University data stored on enterprise standard cloud storage (OneDrive) For personally-owned devices: • Up-to-date antivirus and anti-malware software • Full disk encryption • University data stored on enterprise standard cloud storage (OneDrive) There are three overarching objectives of this project to reach this goal:

1. Develop and obtain approval for the Certified End-user Device policy by having it run through the official policy proposal & adoption process. This policy will address both university owned and personal owned devices.
2. Create the infrastructure and processes needed for ensuring all new end-user devices procured through the university comply with the end-user device policy requirements. Create guidance, best practices, and certification process.
3. Create the infrastructure and processes needed for remediating existing university owned end-user devices to comply with the certified end-user device policy.

Increased security of university computing assets including personal and university owned data Reduce risk to university intellectual property Simplicity and consistency to procure and deploy Lays groundwork for consistency in support Visibility into enterprise procurement practices to drive efficiencies and cost savings

This project will manage the design and implementation of the new Video Delivery Network service, as well as the migration of all content from Kaltura to YuJa. It will include the configuration of the new platform and integrations with Canvas, Zoom & Playposit, change management, user support, IT security and accessibility reviews, and the retirement of the Kaltura service.

Implementing the new video delivery network, designed for educational purposes, will lead to a better user experience for students and instructors. Implementing the new video delivery network will result in cost savings for CU Boulder.

Prior to January 2023, all CU Boulder students were provisioned Gmail as their default email service while faculty and staff were provided Microsoft Exchange accounts as their default. Faculty and staff were offered the option to switch to Gmail via a web form on the OIT website. As a result of Google’s announced storage limits, CU Boulder is making the shift to Exchange as the default email system for all users. As of January 2023, all new students are provisioned Exchange email accounts and the option for faculty and staff to switch to Gmail is no longer permitted. We are currently in a state where CU Boulder has active users and secondary accounts on both Exchange and Gmail. As part of the Google Migration project, Faculty and Staff on Gmail were given multiple windows, beginning in August of 2023 to migrate to Exchange. This project intends to continue that task and extend it to students, POI, secondary and any other remaining account types.

Single campus email provider (security, calendaring, routing) Simplification of support Removal of barriers for future provisioning/deprovisioning projects

In March of 2021, Google notified its customers that unlimited storage will no longer be available. Google for Education is a server OIT is has offered since 2008, taking advantage of Google’s free service offering for education customers. In the announcement Google claims the service was never meant as a storage solution, but rather a collaboration platform that provides storage. As such, it is not Google’s intention to provide space for mass amounts of storage, but rather small amounts of storage to accompany their cloud services and native file types. Google’s announcement included the intent to cap data usage by July of 2022 for all education customers. Customers using the free services from Google will receive an amount of storage based on the university’s enrollment numbers across a 90-day period. In June of 2021, Google announced additional provisions provided to Internet2 members, where universities will be able to make a multi-year commitment to the paid version of Google for Education and in return, the amount of time they will be provided to reduce their consumed storage will be extended for the duration of the contract. While this is a tempting offer, CU Boulder should make every effort to reduce its usage from 3.2 PB to 300 TB by July of 2022 in order to avoid additional costs and duplication of services. Furthermore, Google currently has no plans to offer anywhere close to the amount of storage CU Boulder is currently consuming, resulting in the need to significantly reduce our storage usage regardless of purchasing licenses. This project will shift the primary focus of the Google Suite from a storage and collaboration solution to a collaboration only platform and take advantage of the Microsoft offered cloud storage solutions as a replacement by migrating all non-native google file types to Microsoft OneDrive, Teams, and SharePoint. All Google accounts will be accompanied by a small amount of allotted storage with an enforced quota, sufficient for the collaborative focused aspect and Google specific file types of Google for Education. This project will make every effort to maximize usability, specifically for the teaching and learning community, by providing alternative solutions for departmental data, research data and non-student email. This project will be charged with reducing the storage usage in Google by 3 Petabytes down to 300 TB and maximizing the usability for collaboration among active CU Boulder students and faculty. This project should also consider the creation of a steering committee that meets periodically to review the status of the project and approve large campus affecting decisions that the project could not otherwise make.

Consolidation and consistency of data storage Reduction in cost of storage Tighter integration into day-to-day work with Outlook and Teams. Scalable storage and data protection/redundancy for campus data More secure storage that meets university data classification requirements.

In response to the CU Boulder data center assessment, it was determined that SPSC N190 data center is to be vacated. To accomplish this declaration, there are two distinct activities that need to occur:

1. Move existing services from SPSC N190 to COMP data center or SPSC N180
2. Install infrastructure at Anschutz data center to support CU Boulder servers
3. Begin populating initial 6 racks at Anschutz with systems still-to-be-identified (will be identified by March 2024).
4. Plan for network separation of SPSC N190A from SPSC N190.

Lowers risk of data center component failure Provides more geographical separation between data centers

The AD operating system will no longer be supported after December 31, 2022 and there is need to rebuild the infrastructure to meet security standards and apply recommendations from an external consultant following an incident in January. In this project, the 8 domain controllers (DCs) will be rebuilt and the 2 temporary DCs will be decommissioned. A new design will be developed, reviewed, and approved, to include the incorporation of such recommendations as group policy objects (GPO) evaluation, firewall rule changes, privileged access workstations (PAWs), and other security measures as identified.

CU will have a more resilient AD infrastructure to help protect the University from cyber-attacks and security incidents Move the AD infrastructure from the temporary DCs built after the January AD attack to permanent hosts hardened by remediation measures

This is a project charter for RedHat 6 Linux Operating System Upgrades. RedHat 6 reached end-of-life November 30th 2020 and security updates are no longer available for this Operating System. As such, the services on these servers must either be migrated to new servers, migrated to other platforms (cloud native or containers), or retired/decommissioned. The Systems Engineering team can no longer maintain/support RedHat 6 operating systems or any services running on top of RedHat 6.Failing to prioritize upgrades has resulted in 68 RedHat 6 systems owned by OIT/OIS service teams in production, and so we are turning upgrades into a project to gain visibility and resource allocation. This will allow resources from groups within OIT/OIS who own RedHat 6 systems to be tasked with assisting the ITSE-Unix team in the upgrade process. An expected deliverable will be an upgrade cadence be developed to address this RedHat 6 technical debt generated by the 68 systems in production. A typical system upgrade, and steps therein, are outlined in 1.9. On average, an upgrade requires around 16 hours of an ITSE admin, and around 40 hours from a service team to refactor or rewrite their apps to work on the new system. This usually involves new underlying software stacks, such as PHP or Python, which necessitates a rewrite on the service team end.

Reduce our security risk as an organization. Services migrated to supportable platforms allowing for continued development/improvement of the service if desired by service managers.

Customers on the CU Boulder campus have a need for flexible and continuous access to software, either through remote access to physical computers or via virtual applications or desktops. The COVID-19 pandemic brought an emphasis on remote learning and hybrid/remote work modalities that require more flexible options that allow students, faculty and staff to access software from anywhere. This project will focus on the implementation of a new solution for remote and virtual access to LST software. Based on decisions from an earlier project, LST will deploy the Apporto cloud solution for use by LST campus customers. This project will:

1. Issue PO to vendor
2. Buildout Apporto cloud environment
3. Integrate with SSO
4. Integrate with Canvas
5. Create and deploy images
6. Test Apporto environment
7. Create & implement new LST operational/maintenance procedures
8. Cutover as production environment
9. Scale down of current remote-desktop solution.

24/7 access to software by students, faculty, and staff. Delivery and support for solution can be scaled to support access from all campus customers. Seamless and efficient experience for customers accessing software

Account provisioning is the process of making information technology (IT) systems available to users, groups, and other entities. Deprovisioning is the process of removing access to software and network services. Put simply, it’s the exact opposite of provisioning—and typically occurs when employees change roles or leave the university. Both provisioning and deprovisioning play an important role in securing IT systems and applications. CU Boulder (UCB) has processes and systems in place to provision and deprovision user, administrative, and service accounts. Historically these systems have focused on provisioning accounts, but very little has been implemented on the removal of these accounts at the appropriate time. Additional focus is needed to ensure that there are processes in place for all user, administrative and service accounts managed by OIT and that they properly address the evolving security needs of the organization. This project will define the totality of entity account deprovisioning, reprovisioning, and provisioning (d/r/provisioning) managed by OIT at UCB. It will define the desired end state, where things are today, and map out the path to make the transition. Business systems, processes, and organizational/cultural aspects will all be considered. A result of this project will be a value-based plan for incrementally improving OIT’s d/r/provisioning practices.

Prevent data exposure – User accounts can potentially pose huge security risks if they remain provisioned to individuals no longer entitled to access, whether because they have left the university (withdrawn/graduated/separated from employment) or have moved into a role at UCB that is not authorized for the same level of access (for ex. Employee -> retiree, or student -> alumni). Reduce the number of active accounts - User accounts should only be active when an individual has an active affiliation with UCB. Once an individual is no longer affiliated, the account must be disabled. Failure to disable accounts of those who are no longer affiliated poses a significant security risk. Reclaim resources – Users may no longer be entitled to certain resources when their affiliation changes. Reclaiming resources, such as software licenses, will help financially and ensure the university is compliant with licensing agreements. Improve ease of provisioning and deprovisioning entity accounts – standard or automated processes will add consistency and structure to how entity accounts are provisioned and deprovisioned. cent

This project will transition the Data and Analytics website from Web Express to a new site managed by OIT’s Customer Engagement and Information Design team. The primary components of the current ODA Web Express websites are:

1. General information about the organization
2. Data and links to data related to institutional research including data about students, departments, institutes, faculty and staff. The format of the data includes web pages, PDFs, excel files and Tableau dashboards. The information is sourced from various CU data sources, public data sources and surveys. Some characteristics and uses of the data: a) Data available to the CU Boulder community b) Public and SSO restricted data c) Information written for news and information sources d) Information mandated by the regents e) Data that must be publicly available for institutional accreditation and to follow state and federal rules and laws. f) Data that is made available to national higher education data consortiums and partner institutions
3. Information about program level assessment at CU Boulder including resources for programs conducting assessments. Program assessment is necessary for Institutional accreditation.
4. Descriptive and training information about the Faculty Course Questionnaires program administered for the Boulder, Denver and Anschutz campuses. The explanatory information is primarily web pages, with some PDF’s and videos. Data results for the FCQ’s are Tableau dashboards.
5. Links to a Faculty Information Services Web Express site with information about their software products and services
6. Data and analysis request forms for the CU Boulder community and the public. The forms generate an email message to ODA’s Service Desk

Accessible data visualizations Improved information architecture Custom access parameters for content that requires limited access

Improve aspects of the incoming student process by reducing or eliminating delays moving data between systems and reducing account provisioning times.

Reduce built-in delays and get information to admitted students sooner and allow admitted students to take certain actions sooner.

Aurora is an application that has grown out of necessity to become an application that many teams depend on, including ITSC (Help Desk), IAM (Identity Management), M&C (Messaging and Collaboration), among others. The application has developed in to 5 distinct functions: • Search and display user data • Modify user attributes • Initiate provisioning • Request Portal • Reporting / Reconciliation / Proactively fixing user data. As part of the above functionalities, the Aurora application is built with access to data available through different services throughout OIT, including Office365, Azure, Google, Grouper, OIM, AD, JAMF, Sympa, EDB, LDAP and ServiceNow. As the users are aware of this, there are requests to see information from those systems through a simple and unified user interface, I.e Aurora user interface. To paint the picture of Aurora usage, here are some statistics: • Admin portal has 460 users with diverse access levels and capabilities from 52 unique departments. • Automation process has created 10,000 secondary accounts since Jan 2019. • Remediated 6000 compromised accounts since Oct 2020. • Scrambled 400,000 account passwords during Active Directory security incident in Feb 2022. • Resolved 2,500 requests to M&C team (that is about 75% of all requests to M&C) in 2022. New group of users requiring access to Aurora will present difficulty as currently there is no clear process and governance procedures in deciding who can get access to which data. This typically just delays the assignment of the access, as the team must consult to security team. New feature requests from end users also do not go through a formal review whether the feature should be built or not. In the meantime, the application today is supported by a single developer (Youcef Baouchi) and a student employee. This project request was created with the goal of having a formal project to define the right scope for Aurora application, define the Aurora user provisioning process, and define the future roadmap of Aurora.

Better organization for the effort to define Aurora. Better support to the Aurora application. Better and clear definition of the application. Better governance process and access control. Improve access request speed (when they are appropriate)

The goal of this project is to leverage automation to ensure that all in-scope (as defined in this charter) academic classes offered at CU Boulder have a presence in our Learning Management System (LMS), Canvas, by the start of each academic term. Instructors will still have the ability to decide whether or not they wish to use Canvas as part of their pedagogy.

Ensures that in-scope course shells will be available in Canvas prior to the start of the semester, leading to timelier access for students Reduces cognitive load & stress by removing the need to manually request in-scope Canvas course shells in MyCuInfo, streamlining the process of Canvas course creation By ensuring that all in-scope courses have a presence in Canvas, we maximize the University’s ability to leverage the metrics & data available in the system, which is critical to strategic efforts like Buff Undergraduate Success and our ability to remain a top university for innovation.

The need for this project is from internal and external forces that are working together to change the landscape of data storage in higher education. CU Boulder’s storage vendors, Google and Microsoft, have each determined that unlimited storage for high education users is an unsustainable business model. Google implemented storage quotas, which kicked off the storage war, with Microsoft following suit in the summer of 2023. CU’s current Microsoft multi-campus contract runs through 9/31/2025, allowing a short runway to create and implement a storage strategic plan. In addition to the changes made by our vendors, our Federal and State research and grant partners have begun migrating towards stricter Data Lifecycle Management (DLM) and Data Loss Prevention (DLP) standards, meaning CU Boulder must adapt, or potentially lose research grants and researchers. To addresses these changes, OIT is proposing a broad ranging effort that hopes to establish a strategic plan and roadmap for the storage of data of all classifications, origination sources and retention periods on the CU Boulder campus. In addition to the strategic plan, known tactical and operational deliverables to communicate and enforce the strategic plan are also in scope. Currently unknown tactical and operations deliverables may spawn future projects as part of the roadmap deliverable.

Unified storage strategy, regardless of vendor, or affiliation type Enhanced and unified view into data loss prevention and data classification labeling Campus wide plan for data lifecycle management Campus education of data classification levels, DLP policies, data related policies and the enterprise storage options available to meet CU business requirements

This project intends to enable sensitivity labels for data, email and Teams chats on the O365 environment as a step towards closing security and compliance gaps within the commercial O365 tenant. Closing these gaps is a prerequisite for future projects on the O365 space, including storage futures, AI initiatives and email security. Sensitivity labels allow users to set boundaries on how their data, emails and chats are shared with others. They persist across the O365 environment and to many 3rd party applications and can prevent forwarding, sharing and can be used to set encryption requirements for the data. Enabling these labels would immediately help users of confidential and highly confidential data on campus, such as OIEC, HR, researchers, and the Registrar. The technical aspects of this project were largely completed a few years ago, although some testing is needed to ensure the policies created are compatible with O365 changes since the first effort closed. This is being chartered to cover the communication and training needs to roll out sensitivity labels to the campus and to cover the resources needed to conduct a pilot with OIEC or HR. Once the rollout of sensitivity labels is complete, many users who rely on the Large File Transfer service to share sensitive information can share this same data straight from OneDrive or Teams, reduce the number of copies of that file that are being created. Likewise, departments who rely on PGP to protect highly confidential data and must first decrypt the data prior to sharing it can now transition their storage of the data from UCB and the PGP solution to a Teams storage solution.

Prevent data leakage and move the commercial tenant to a higher security level, closing the gap with LASP and GCC. Educate users on the usage, importance and need for sensitivity labels. Prepare the O365 environment for AI integrations in the future. Meet the needs of HR and OIEC data storage in the O365 environment Take a step towards meeting higher compliance requirements in NIST 800-171

Microsoft is retiring and deleting all Stream Classic (SC) content on April 15, 2024. Before this date, CU’s 650GB of Stream data must be migrated to Stream on SharePoint (SoS). Stream is Microsoft’s enterprise video platform. Transitioning to Stream on SharePoint will allow users to have access to a fully O365 integrated video platform. This project will create a communications plan, a method for users to indicate their migration/deletion preferences and perform the migrations prior to 4/15/2024.

Prevent the loss of data for faculty, staff and students as users are likely unaware of the retirement if SC. OIT 1:1 assistance in migrations and guidance on setting up of new Sharepoint locations and links Reduction in storage by deleting data that is no longer needed by campus.

The intent of this project is to migrate from the Cisco UCCX platform to the Microsoft Teams compatible Enghouse contact center solution. There are two distinct phases of the project which must be completed by June 2024. Phase 1 includes implementing the infrastructure in the OIT virtual environment and migrating 27 contact centers to the new platform using the same telephony-focused call routing structure as exists today. This phase will also include supervisor and agent training sessions, user acceptance testing and activation on the Enghouse platform.

Financial driver is a result of evaluating the existing contact center solution costs and technical constraints Functional driver is the needed merger of voice services with the existing Microsoft O365 collaboration platform.

This project will implement Microsoft Teams as the enterprise voice service on the Boulder campus, replacing the existing Cisco VoIP phone service (not including call centers). This project is tied to the Financial Futures A5 licensing project, specifically this is the VoIP portion of that project. This enterprise voice service will primarily be a softphone application on existing desktops and laptops allowing seamless integration between Microsoft Teams and voice calling. This project will deploy and support a very limited number of hard phones (approximately 1000) in locations such as classrooms, common areas and office spaces, only as required. The existing Cisco VoIP phone service (not including call centers/separate parallel project) will be decommissioned on or before 6/30/2022. All phone equipment will be removed/recovered from existing campus phone users. A pilot implementation is in place on the Boulder campus which has gone through discovery and initial implementation of call routing, SIP integration and dialing plans. This was completed at no cost by Microsoft. Intrado E911 integration is currently in progress with the pilot and should be completed prior to the project migration activities beginning. This project will go through the RFP process and if awarded to current integrator, implementation timeline and complexity is simpler as it should include only adding additional redundant session border controllers in SPSC data center with SIP trunking from Centurylink (Lumen) in both Computing Center and SPSC data center. If RFP award goes to an alternate vendor (known only to be one other), project timeline will extend by about 6 months as discovery and implementation work will need to be initiated again with a new vendor. For this reason, and the fact CU Denver is using the same integrator CU Boulder used in its pilot, the project will examine the ability to sole source the RFP based on the limitations we have with integration to Intrado for the E911 services to the building and room number detail we are able to support through Intrado (requirement form CUPD). As migrations begin, a set amount of existing campus extensions, based likely on phone numbers and not physical location, will be migrated from Cisco to Teams. This activity will be a phased approach, working through campus phone numbers being migrated to Teams, analog lines and physical phones.

Functionality: Use calling features of campus phone on campus or remote with no need for telephone hardware. Cost: cost savings for auxiliary budget and campus. Provides a path forward to Four campus solution for voice services

The Office of Information Technology, IT Service Engineering (ITSE) unit requires observability solutions to perform their daily operational functions. Observability commonly entails at least three areas: • Monitoring • Alerting/Visualization • Log aggregation/analytics Additionally, it is common to include application or distributed systems tracing. Currently ITSE uses Nagios for monitoring and alerting, however the current implementation of Nagios is not meeting today’s monitoring and alerting requirements. Furthermore, there are issues with the current Nagios system where recovery alerts are being lost. We are worried that eventually outage alerts will be lost as well. Log aggregation is done with in-house infrastructure and scripting, which is rudimentary at best. Systems send some logs through rsyslog to a central logging server which merely dumps those logs onto a single disk. The purpose of the previous project charter was to establish the CU Boulder requirements, share the requirements with the potential vendors and obtain budgetary quotes. The purpose of this project charter is to allow us the time to engage with the vendors that are within our approved budget and verify the solution meets all our requirements. A good observability solution will allow us to set up common and custom monitoring, alerting on events, visualization of system/application status, log aggregation with visualization and searching abilities, and application tracing. It may well be that our “solution” is made up of a suite of tools, not necessarily a single vendor product. We will need to support multiple teams with different workloads, automated by different tools, for integrating into an observability solution. Having an observability solution that OIT can leverage will allow more efficient troubleshooting, more accurate system and application monitoring and alerting, better support for observability of dynamic services, and optimization of applications and services. Almost every service OIT provides could be improved with this type of product. The objective of this project is to: • Leverage previously gathered requirements to select possible solutions • Interview vendors and demo solutions • Collect budgetary quotes • Use the above information (as well as the current budget for this project) to select product(s) that will satisfy most requirements for monitoring, alerting, visualization, and log aggregation and analytics • Plan and implement selected product(s)

Reduce development time as we potentially would not have to shop a new solution for each application Reduce time to troubleshoot application, service, and system issues Assist with optimizing our applications and services by allowing more insight into how they run and potential problems

This project will create a standard method for DDS-managed Windows 10 computers to connect to the VPN in an always-on mode. Customer computers that are off-site will have access to on-campus networked resources prior, during and after login. This solution will provide access to user-facing services only available on the campus network, as well as tools, scripts, and services provided by OIT and DDS to manage Windows 10 systems. The Always on VPN will also facilitate the migration of data from UCBFiles to OneDrive via and automated process that needs to run prior to the user logging into the system, per the Storage Futures project. The concept of “open the laptop lid and you are connected to the campus network automatically” and without prompting the user to type in credentials is what this project hopes to achieve. The solution will leverage the existing VPN AnyConnect and ASA infrastructure in combination with the Active Directory and PKI and built-in Windows 10 technology, prioritizing the AnyConnect Windows Store version over the Native Windows 10 built-in version.

Windows 10 Users will no longer have to connect to the VPN manually and will have seamless access to on-campus recourses like UCBFiles. Systems will be more accessible to management tools There is a direct correlation to the Storage Futures Project. Having an Always on VPN for Windows 10 will streamline and allow OneDrive migrations to resume at the project's planned pace. Without the AOVPN, Storage Futures is at risk of missing its financial goal of FY21. Laptops (at home) will function better having access to policy and on-campus resources automatically (Office and Windows Licensing will no longer expire and system time sync issues will no longer occur) AutoPilot self-service deployment will be simplified.

In conjunction with Financial Futures, a campus strategic initiative, OIT has recognized the need to provide campus-wide software licensing services to campus units and employees in the form of a Software Asset Management (SAM) program. This program serves the entire CU Boulder campus, and not just specific units or individuals. This program will significantly expand the scope of OIT’s current software licensing activities (termed “OIT Site Licensing”) in order to meet campus service demands and strategic goals. The new SAM program will: ● Maximize the value of software assets by tracking, reporting on, and taking or recommending action for software licenses, entitlements, and installations across campus ● Improve awareness and customer service by creating a global software database, software catalog and contracts repository, and by creating standard processes for requesting, purchasing, and planning for support around software ● Improve services to campus ITPS by data sharing and reporting on software assets, and software-centric knowledge resources ● Improve support to customers by streamlined access, improved communications, expanded catalog offerings, facilitating cost-sharing models, and proactive license management ● Reduce campus spending on software by working to eliminate duplicative and redundant software purchases, reducing over-licensing, re-using licenses when available, and reclaiming unused software ● Reduce data security exposure, architecture exposure, and business risk by proactively planning and managing the entire software lifecycle ● Reduce campus compliance and audit risk by creating a proactive audit readiness plan and coordinating software audit response to vendors. This project will establish the SAM program as a centralized campus manager of all business- and mission-critical software, including integration into IT governance activities and creation of new or modification of existing IT policy. This project will also establish standard software processes (including purchasing, lifecycle management, and compliance), establish metrics and KPIs to track program effectiveness, create and publish a global software catalog, identify the best SAM enterprise tool(s) to use (based on defined business requirements), implement and/or integrate the identified SAM management tools into the enterprise IT environment.

Track and report on software installed on campus-owned computers Create software database and contracts repository Time gained from centralizing administrative tasks, and planning for expected outcomes Reporting on software assets and usage Expanded software-centric knowledge resources Publishing a global software catalog and streamlining access to available software Campus-centric, holistic, and proactive approach to license management, including vendor engagement Reduce overall campus spending on software Reduce business risk, data security exposure, and architecture exposure Reduce legal risk of software audits and noncompliance

This project builds on the decisions made in the ‘Inventory, Equipment, and Asset Tracking Project” and will define the tool(s), processes, roles, and architecture that are needed to create a centralized and consistent Asset Management program in OIT. A large part of this project will be understanding the detailed requirements for tracking CU property in OIT by the various OIT units who do this. The project will then analyze internal and external tools that could be used. The project will identify the technology and associated architecture, roles, and processes that will need to be implemented for a more holistic, centralized, and consistent Asset Management program in OIT. Active participation from the areas in OIT that track CU property (FPAM, PAL, DRR, RC) will be important for the success of this project and the future implementation project. A future phase of this project, or a new project, will implement the chosen technology solution and supporting architecture, process, and people.

Comprehensive plan for technology, people, and processes needed for centralized and consistent tracking of CU property in OIT.

This project will fully implement OIT’s licensed email security products purchased from Abnormal Security (Inbound Email Security and Abuse Mailbox Automation) in the O365 production email environment for all employee, retiree, student, and alumni mail accounts. A now 6 month long (August ’23 – current date) proof of value assessment proved the value and effectiveness of the Abnormal Security platform’s ability to ‘detect and advise on’ malicious email sent to campus user mail addresses. Licensing has been acquired and the products can be moved from the ‘detect and advise’ mode to an ‘enforcing’ mode, preventing the malicious emails from being delivered to campus user mailboxes. Transition to the enforcing mode will require planning, technical, and change management milestones be completed. Project Goals:

1. Develop a change management and communications strategy/plan that addresses the change at an appropriate awareness level for end users regarding service need, governance, access, and oversight.
2. Enable anti-phish enforcement by the Abnormal Security products currently licensed by May 30, 2024.
3. Revisit and update the email forwarding exception process to account for changes introduced by the new email security posture.
4. Create a false enforcement reporting mechanism for recipients.
5. Establish a responsibilities model for ongoing administration and email security response (phish) for all stakeholders.

Prevent/reduce email-based attacks leading to account and system compromises. Reduced email phish response and management Enhanced and broad detection of email-based attacks.

The Laboratory for Atmospheric Space Physics (LASP) currently operates a small data center in the LSTR building on CU Boulder’s East Campus. Due to the age of supporting mechanical and electrical equipment the data center is in need of substantial investment to continue operating at the level that supports the overall mission of LASP. We have determined through a Feasibility Study that moving the LASP server infrastructure to SPSC provides better overall value to CU Boulder instead of continuing to invest in the current LASP data center. Due to a recent issue in this facility the need to move this equipment to Boulder has been identified. This project aims to relocate all equipment from the current LASP data center to the OIT co-location data center located in the Space Science (SPSC) building.

• The University will save on both OpEx and CapEx by consolidating data centers that we operate on campus • LASP staff will refocus on their core mission and not be concerned with data center operations • Business critical applications supporting LASP’s mission will be house in a reliable, centrally managed facility which supports other similar applications on campus.

Customers on the CU Boulder campus have a need for flexible and continuous access to software, either through remote access to physical computers or via virtual applications or desktops. The COVID-19 pandemic brought an emphasis on remote learning and hybrid/remote work modalities that require more flexible options that allow students, faculty and staff to access software from anywhere. This project will focus on the current and future needs of campus customers. While we have deployed Turbo.net and Splashtop solutions as immediate solutions to meet remote software needs, this project will determine if any new software delivery technologies have surfaced more recently. By the end of the project, the research of the project team will result in the selection of tools/technologies that best meet the remote/virtual software delivery needs of our campus customers. This project will:

1. Develop business requirements for a solution that meets the administrative and academic needs of our customers
2. Explore remote/virtual software technologies being used by peer institutions
3. Determine the best solution(s) for our CU Boulder customers (Administrative and Academic use including computer labs, MOOCs, etc.)
4. Pilot potential solution(s).
5. Identify a solution or solution(s) that we will implement through a subsequent project.
6. Determine the estimated cost of a solution.
7. Identify funding source for the proposed solution.

24/7 access to software by students, faculty, and staff. Delivery and support for solution can be scaled to support access from all campus customers. Seamless and efficient experience for customers accessing software