Approval of Previous Minutes —

Meeting minutes from Sept. 25, 2023. Motion to approve by Dave Rahn. Seconded by Arvind Tripathi. Motion passed unanimously.

Guest Speaker Presentation —

1. The beginning of the year was a bit eventful, with a Duo shutdown that was suspected to be a phishing attack.
   1. IT was able to bypass the Duo authentication until the system was functioning again so that campus could continue working. Fortunately, there did not seem to be a major impact on normal business.
2. There were also several phishing attacks during the first week, which specifically targeted students. This highlights the need to get multi-factor authentication (MFA) implemented for students, as well as improve IT security education for students. This type of knowledge is a part of preparing students for the workforce.
   1. Financial aid also presents an additional phishing risk for students, as phishing attacks are timed around disbursement times and can gain control of those crucial funds. This can create a host of other issues as KU tries to get students the money they need in the case of such a phishing attack.
   2. IT is currently working on implementing MFA for students, starting with some crucial and visible groups, i.e. student government groups. The goal is to get MFA implemented for all students by the spring semester. There are challenges around maintaining equity and privacy for students who do not have a smart device.
   3. Q: What types of education are there for phishing education, especially given that the attacks were at the beginning of the semester?
      1. A: Most of the current training that KU provides is tailored to employees. We need to develop better training for the student demographic. IT has also been in contact with Student Senate leaders to figure out the best ways to communicate with students.
   4. Q: Does every KU log-in go through single sign-on (SSO)?
      1. A: Most do, but there are a few things that are not behind SSO. Most of these have the capability, so we are hoping to get SSO universally implemented.
   5. Q: Could we utilize flyers to be posted outside of classrooms for education purposes?
      1. A: Yes, and we are also looking into digital signage.
   6. Q: It seems that OneDrive on KU computers are not behind MFA, only account sign-on. Is there anything that can be done about this?
      1. A: Personal OneDrive’s should not be used to store sensitive information. Microsoft Teams drives can be configured to secure sensitive information. We have striven to find a middle ground between security and productivity.
   7. Q: Arvind Tripathi supervised a recent graduate student who researched what types of IT education is most effective. Arvind can share this.
      1. A: Ed would love to see the research and use it as part of the education campaign. This would also be a great way to showcase student research. Ed mentioned that this research would be especially useful in navigating changing IT security threats, e.g., the use of AI.
3. KU IT is in strategic planning mode and has utilized Gartner to complete two benchmarks against budgeting and IT maturity. This has highlighted the need for IT governance. Gartner is a research organization and is very prevalent in IT. We have a subscription to Gartner that allows us to do a lot of technological research.
   1. A big initiative right now will be revamping our identity and access management system (IAM). Our current system is not suited to the large scale that we currently operate at, with a myriad of different identities needing to access different things. This poses a barrier to HLC accreditation.
4. Ed recently attended a conference on Artificial Intelligence (AI).
   1. He will share a link to a recording of the opening keynote, which discussed how the “hype cycle” around new technology functions: https://www.linkedin.com/video/live/urn:li:ugcPost:7119684233421312001/. People get hyped around a new technology and then fall into a “trough of disillusionment” when things do not turn out as expected. Gartner likens the development of AI to the development of the World Wide Web, smartphones, etc.
   2. Gartner categorizes AI into two forms: back-of-house, productivity-based AI that we may already be using at home and at work; transformative, game-changing AI. Gartner is encouraging organizations to identify “lighthouse” AI principles. Ed thinks that as a research institution, we will see both forms of AI.
5. Policies
   1. Ed shared that IT has finished its second draft of the new information security policy and has shared it with John Curran, Chief Risk Officer. They are trying to condense the number of policies and instead have more operational content and guidance.
   2. IT is also considering an AI policy but have learned that universities are shying away from actual policy around AI because it is changing too quickly. They are instead opting for guidelines around AI that can more easily be updated, a draft of which has also been shared with John Curran.
   3. Q: What are your thoughts about integrating AI chat features into KU functions?
      1. A: We need to develop education for people around what to use AI for and when to avoid it. This is a good reason for KU to develop AI guidelines.
6. The committee had further discussion around the future of AI and how it is shaping young people’s lives. Members discussed how important it is to get varied perspectives involved when discussing how to manage AI in a university setting.

New Business —

1. Next steps
   1. IT will be presenting its strategic plan to the Provost in December. Ed would like to share this with the ACEC Committee, along with progress on IT policies.
   2. Dave shared that the committee will be inviting Tom Roderick to speak at another meeting, which he will coordinate over email.