Question
What are the roles and responsibilities for managing the BigFix service at UC Davis?
Overview
The objective of this knowledge base article is to define the different roles and their corresponding responsibilities for the BigFix service at UC Davis. A primary concern repeatedly expressed is what changes could be made to participating computers and by whom these changes would be made. The implementation of BigFix at UC Davis is predominantly departmentally managed and any changes made to participating computers would primarily be performed by that department's currently established IT support staff. Any change to this methodology would require substantial engagement with the campus community before implementation.
Answer
Change Management
Changes to the BigFix service, such as upgrades of the application versions, are only initiated after communication and consultation with a change advisory board, currently consisting of central and departmental IT staff, allowing advisement in the assessment, prioritization and scheduling of changes and their potential business impact. More substantial changes, such as to the roles and responsibilities defined here, would be communicated broadly and seek both guidance and approval from existing governance bodies, such as the CIO Strategic Advisory Council, Academic Senate’s Committee on Information Technology, and Deans’ Technology Council.
Roles
Master Operators
The responsibilities of the central administrators, or Master Operators, for the BigFix service include:
- Provision infrastructure to support the BigFix service, such as virtual servers, databases and coordinating central firewall rules
- Install BigFix server roles, such as master servers, top-level relays, web servers for reporting applications, and terminal servers for console application access
- Upgrade BigFix server roles as new releases are available to address security issues and add new functionality
- Upgrade BigFix agent software on participating computers after communication with departmental IT staff and opportunity for departmental deployments of upgrades
- Establish roles, groups and security boundaries for multi-tenancy, allowing departmental access for management of computers only within their defined scope of control
- Provide API read access to BigFix data to approved campus applications, such as ServiceNow
- Provide support to departmental IT staff in deployment and usage of the BigFix service
- Engage with vendor to escalate issues, advocate for improvements, and identify future opportunities
- Create knowledge base articles to assist in the deployment and usage of the BigFix service
Information Security Team
In conjunction with the identification of emerging threats, the Information Security Team reviews information collected by BigFix about participating computers to identify computers that are vulnerable to these threats based on multiple criteria, such as operating system and application versions. When vulnerable computers are identified, the Information Security Team would use the information to communicate with the responsible departmental IT staff to further investigate and remediate these vulnerable computers. The Information Security Team does not have the ability through BigFix to make changes to vulnerable computers. Other Information Security responsibilities include:
- Generate reports using data collected by BigFix for CIO, CISO, and other senior management (e.g. Chancellor and Provost). Reports may include:
  - Vulnerable software on endpoints
  - Operating system information
  - Patch compliance
  - Hardware configurations
  - User identity and security settings
  - BigFix software status
  - Network configuration
- As required, cooperate with Master Operators and Departmental Operators, campus counsel, human resources, and law enforcement to identify specific indicators of compromise on participating computers, such as specific files, file hashes, or malware indicative of a compromised system.
Departmental Operators
The capabilities available to departmental IT staff within the BigFix service are numerous and varied in their implementation. Permissions to individual computers are governed by the roles created by the Master Operators, so Departmental Operators only have access to make changes on computers for which they are responsible. Some common examples of current usages and responsibilities include:
- Maintaining accurate inventory information from participating computers, including hardware, operating system and installed applications details
- Ensuring compliance with campus policy by deploying operating system and third-party software patches
- Distribution of software applications to end users
- Deployment of industry hardening standards, such as the Center for Internet Security benchmarks
- Escalating issues to Master Operators
Customer Support
Customer support for computers with BigFix installed is provided through each department’s normal IT support channels and procedures. For customers wishing to install BigFix on their computers themselves, instructions for using the https://getbigfix.ucdavis.edu web site and installation are available in the IT Knowledge Base: https://servicehub.ucdavis.edu/servicehub/?id=ucd_search2&query=bigfix. You may contact IT Express if you need assistance identifying the appropriate support channel.
Policies
IT professionals must comply with UC Office of the President and UC Davis policies and procedures including privacy policies. As a general rule, IT professionals may not access a system or information stored, processed, or generated by a system unless there is a specific concern with cyber abuse or potential for cyber abuse, cybersecurity policy violations, a legal precedence in combination with law enforcement actions, or a compelling safety reason. These are the primary policies governing roles and responsibilities of UC Davis and UC employees:
UC Office of the President
- UCOP’s IS-3 Electronic Information Security policy (BFB IS-3 Electronic Information Security)
- UCOP’s Electronic Communication Policy (Electronic Communication Policy)
UC Davis
- Electronic Communications Privacy and Access Policy (310-24, Electronic Communications--Privacy and Access)
- Cyber-Safety Program (310-22, UC Davis Cyber-Safety Program)
- Electronic Communications Allowable Use (310-23, Electronic Communications--Allowable Use)