Syncplicity: File Sync and Share From a CIO's Perspective October 7, 2015 Danny Miller, CCISO, CISA, CRISC, CGEIT, ITIL System Chief Information Security Officer



Defining our need…


Basic Requirements

Users across our members were using random file sync and share solutions, which meant that information was not secure. A&M required a secure, cloud-based system that allows its members to store unstructured information quickly, collaboratively, simply and securely. We also required that our users be able to store our data within the U.S., and within Texas if necessary, and that Export Restricted information automatically be kept within the borders of the U.S.


Initial Considerations for a Solution

For the solution to be effective, the considerations when weighing it against any alternative would include:
•  Collaboration: the solution must have an easy way of sharing information
•  Security of information: we have to assume that information being stored and synchronized is at a level that equates to “critical”, and is not information that should be co-mingled with other institutions’ information; elements include role-based security and encryption
•  Accessibility: ability to access, recover or re-synchronize quickly
•  Ease of use
•  Total Cost of Ownership should be low
•  Flexible: ability to grow and shrink storage capacity is important
•  Ability to control: TAMUS and its members need to have visibility into the solution and to be able to work with the vendor to influence direction


Constituents & Use Case

Constituents:
•  Students
•  Faculty
•  Administration
•  Researchers
•  Customers
•  Partners
•  Vendors

Use cases:
•  Communicate and share files and content between students and teachers
•  Planning and collaboration among internal personnel
•  Long-term secure storage
•  Geo-fenced collaboration
•  On-premise AND hosted storage seamless to users


Selection Methodology

1. Interview key users
2. Identify key processes served
3. Requirements development
4. Look at relevant vendor solutions
5. Short List/RFP Issuance
6. Select/Recommend

Requirement scoring (Score = Meaning): 2 = Critical, 1 = Nice to have, 0 = Not Required

[Figure: sample process flowchart (check approval and printing, with a decision on whether a check is over $20,000)]

[Figure: bar chart comparing Vendor 1, Vendor 2, Vendor 3 and Vendor 4 on a 0% to 100% scale]


Challenges in Planning

•  What can go into someone’s account? (data classification and security)
•  How long can a file stay? (data retention)
•  Who owns the data?
•  Comfort with the security model
•  What happens when legal challenges occur and information must be preserved? (litigation hold)
•  How many instances of Syncplicity do we need?
•  How do multiple instances of Syncplicity interact?
•  How to provision/de-provision accounts?
•  What happens to someone’s account when they leave? (students and employees)
•  When users find out that you’re implementing this, they will start demanding more


Rollout Considerations

•  Design of the instances was critical when we began to roll out the solution

•  We started small, doing incremental implementations with only IT professional staff having accounts at first

•  Policy development (automated) is also very important, as we found at each instance. Each instance had different sets of requirements in that area, including file retention, what could be stored, etc.

•  Have a mechanism in place for when people leave. Just because their account can transition to a personal account does not mean that they can take their files with them

•  Have a plan for which storage should be on-premise (private) vs storage with Syncplicity

•  Have your requirements fully developed and written before you move forward. Requirements may surface that would change your schedule of implementation


Question and Answer Time…


Backup Material…


Methodology/Steps to Complete

1. Develop Requirements and Issue RFP
•  Current State Analysis
•  Process Review & Requirements Definition
•  Develop RFP

2. Vendor Demonstrations and Solution Selection
•  Vendor/Solution Testing
•  Identify Solution Gap (Best Fit Analysis)
•  Establish Evaluation Criteria

3. Total Cost of Ownership and Recommendations
•  Develop Total Cost of Ownership Estimate
•  Finalize Selection of Software Solution
•  Implementation Planning


Step 1 – Requirements and RFI Issuance

Objectives
Assemble and prepare the project kickoff. Understand the current business landscape and future objectives. Identify and document the functional requirements to be used in evaluating potential vendor solutions.

Activities
•  Identify Stakeholders & Project Team
•  Discuss the selection process with key executives and project team members.
•  Conduct interviews with internal and external stakeholders and document functional and reporting requirements
•  Understand the integration between various systems and document any interface requirements
•  Identify decision criteria and appropriate weighting, if applicable.

Deliverables
•  Functional Requirements documentation
•  Request for Information from key vendors

1. Develop Requirements and Issue RFI
•  Current State Analysis
•  Business Process Review & Functional Requirements Definition
•  Develop RFI Request


Step 2 – Testing & Selection

Objectives
Augment existing knowledge of the software landscape with information relevant to the requirements identified in Phase 1.

Activities
•  Research available solutions and industry trends to identify potential vendors.
•  Gather requirements for any vendors not pre-loaded into our proprietary database
•  Benchmark standard vendor offerings against TAMUS requirements
•  Jointly agree on a short-list of 2-3 vendors

Deliverables
•  Solution Short-List with 2-3 vendors

2. Conduct Testing and Solution Selection
•  Facilitate Testing
•  Identify Solution Gap
•  Establish Evaluation Criteria


Step 3 – TCO and Implementation Planning

Objectives
Determine solutions that best serve the needs of the University and members

Activities
•  Conduct testing for short-listed solutions
•  Facilitate post testing discussion
•  Review gaps identified during testing
•  Schedule follow-up vendor meetings to discuss responses to identified gaps
•  Compile results of RFI, testing, gap analysis and follow up discussions. Perform fit analysis to determine best match using the decision criteria

Deliverables
•  Overall fit assessment
•  Total Cost of Ownership
•  Recommend to CIO Council solution A, solution B

3. Total Cost of Ownership and Implementation Planning
•  Develop Total Cost of Ownership Estimate
•  Finalize Recommendation of Software Solution
•  Implementation Planning


Contact Details

Danny Miller, C|CISO, CISA, ITIL, CRISC, CGEIT
System Chief Information Security Officer
Office of the Chief Information Officer
[email protected]
1124 TAMU | College Station, TX 77840-7896
Tel. 979.458.6433 | Mobile: 409-600-1614 | www.tamus.edu
301 Tarrow St., Suite 310
College Station, TX 77840-7896