BCG policy: Banner Data Extracts to Support Departmental Reporting Needs
DuckWeb and the data warehouse, have continued to be refined and enhanced with feedback from UO departments and offices. These systems now provide features and functionality that were not available several years ago. In view of this increased functionality, and the frustration and risks that are being reporting by offices attempting to run their homegrown shadow systems in synchronization with Banner, the BCG recommends the following policies and procedures.
- The data warehouse is the source of Banner information for departmental reporting needs not met by Banner:
- Information Services will no longer create special data extracts for individual departments.
- The core offices will work with departments to identify where Banner and the data warehouse do not meet their needs, and provide the necessary information via new forms and reports, or by populating the data warehouse with the additional information.
- If a department has an application that provides functionality currently not provided by Banner, and it is something that would be useful to the rest of campus, add the functionality to the central system, for long-term sustainability and cost savings.
- Authentication and authorization should be a central function, and should not be decentralized.
Specific areas of concern:
- Security of the data
The BCG has developed policies for access to Banner and the data warehouse (and the termination of such access). Security officers in the core offices, along with the database administrator at Information Services, monitor access and investigate suspicious and irregular use. IT auditors (Chancellor, State of Oregon, and independent) monitor IT administration of policies, in addition to reviewing privacy, security and access procedures. Departmental servers do not receive the same external scrutiny or enforcement of policy.
- Security of the departmental server
Information Services has staff that are responsible for the security and protection of resources (i.e. router configuration, firewalls, encrypted passwords, SSL etc) that are physically located at the Computing Center. They are monitored by the same auditors mentioned in #1. Again, departmental servers do not receive the same external scrutiny.
- Appropriate use of data
Before gaining access to Banner or the data warehouse, a person must demonstrate a need to have the access to the data, and then attend training in the appropriate use of the data, including confidentiality and privacy issues, and the importance of protecting username and password. The trainer provides up to date and consistent information, covering both FERPA and UO policies, and the core office security officer then grants access to ONLY that data which the person needs to do their job. Departments that extract information from the central systems and re-serve it via their own shadow systems, bypass the formal training and security access controls.
- Duplication of resources
Redundant databases increase the risk of data inconsistencies with the production database (and that users could be accessing incorrect information and not realize it). This duplication translates to increased support costs.
- Departments reliance on non-central computing
As departments become reliant on their shadow systems, what happens when departmental IT support leaves? In the case of Jim Warhol's Degree Check system, enough people were using it that it fell to Information Services to support it when the departmental programmer left. This is problematic since Information Services staff were not involved in the development of the system and therefore do not have the benefit of background knowledge or source code. At the same time, Information Services staff are needed to work with the Office of the Registrar to implement the Degree Audit Reporting System (DARS).
Banner is a very dynamic system, with changes occurring daily and instigated by the UO core offices, vendor-supplied patches and upgrades, Information Services "fixes" to address production critical problems, and OUS directives. There is no way to automatically propagate the changes to the numerous departmental shadow systems. The BCG does not know how many departmental servers are re-serving Banner data (although OUS auditors report that the UO has the highest number of shadow systems in the Oregon University System).
The risk is that departmental databases could be out of sync with Banner for some time before someone notices and investigates, again increasing the risk of users getting incorrect information (and being unaware of it). This can be time consuming, since the departmental support person has to troubleshoot first, and then central IT has to do the same investigation --- not to mention what the user might be doing with the data, not knowing there is a problem.
The re-serving of Banner data complicates banner support. Users of departmental servers call central Banner support for assistance, confusing Banner and the departmental-Banner data. Banner support people in core offices (i.e. Admissions, Registrars, Financial Aid, Business Office, Resource Management, Human Resources, Information Services) are at a disadvantage because they are unaware of the operations of the departmental servers.
- Centralized IT support
Central IT staff work with Banner on a daily basis and are intimately familiar with its internal structure. They know the Banner product at every level, from the database "nuts and bolts" through high-level applications. They are kept apprised of the many changes made to the Banner product through interaction with the vendors, other institutional clients, and their co-workers, who share the daily assignments of modifying and enhancing the product. This provides them with invaluable experience and an awareness of how individual changes to the individual components (including not only the hardware but all of the interoperable software pieces: network changes, VMS, Oracle changes, program language changes and Banner) impact the integrated product in its entirety.
They communicate directly with vendors (SCT, Oracle, HP) to troubleshoot problems, apply patches and identify issues for future development. At the same time, the work closely with the functional users in the core offices (Registrar, Admissions, Human Resources, Budget, Financial Aid, Business Affairs) to implement the product to their specific needs, thoroughly test changes and fixes, and make modifications to better serve the rest of campus. They also have the benefit of working closely with networking, systems and security staff, who can advise them of potential vulnerabilities and performance issues.
Departmental IT support staff do not enjoy most of these benefits. While many are highly competent and have the technical skills necessary to download Banner data and re-serve the data from a departmental server (i.e. build a web site), they lack the experience and specific training to thoroughly understand the underlying database structures and relationships between the tables and modules. This can lead to misinterpretation and misrepresentation of the data, resulting in erroneous decisions made by their fellow staff members.
(approved by BCG April 24, 2003; Strategic IT Issues Committee April 24, 2003)