CUNY Graduate Center Information Technology IT for &
Effective Date: April 6, 2018

Introduction

Organization
Information Technology (IT) is the division of the Graduate Center responsible for voice, video and data systems and services. The mission of this unit is to promote, facilitate and support the effective use of technology in instruction and learning, in research, and in processing and accessing institutional information. Organizationally, IT is comprised of three divisions: Administrative Services, Client Services and Systems Services.

Facilities
The Graduate Center's primary site at 365 Fifth Avenue ( ) includes data centers located on the second floor directly connected to the CUNY ring. The secondary site, at the GC Advanced Science Research Center ( ), includes a data center below ground as well as end-user workspaces and is connected to the CUNY ring via City College using infrastructure currently overseen by CUNY central office CIS. The tertiary site, the GC Apartment Building (GC/Apt), which includes a designated IT room on the first floor as well as (limited) end-user workspace on the first floor, is connected to the CUNY ring via Hunter College and is also served by a separate redundant internet connection via Verizon FIOS service.

Scope of
This document outlines the provisioning currently in place by Information Technology to safeguard ongoing functionality for select IT systems and services specifically identified herein. The scope and suitability of such provisioning is reviewed on a regular basis as systems and services are decommissioned, added and changed.

Definitions
We distinguish between the phrases business continuity and disaster recovery by viewing a business continuity plan as essentially a proactive approach to safeguarding ongoing daily operations while a disaster recovery plan must attempt to react to the scope and nature of a calamity.
That is, our business continuity provisioning guarantees that we have systems in place that are backed up and fail over, ensuring that key services stay up and running, that business processes remain operational, in the course of minor disruptions which are reasonably anticipated. Disaster recovery, in which an unlikely but catastrophic incident has rendered the data center lost in part or in total for an extended period of time, may call for wholesale reconstitution of facilities, resources and services depending on the nature and specifics of the disaster.

Context
For the purposes of this document, at IT services are considered to be centered at, with business continuity provisioning intended to safeguard that perspective and disaster scenarios envisioned deleteriously impacting that location.

Related Policies & Procedures
IT Backup and Restore Policies
IT Incident Management Plan
Essential IT Services and BC/DR
This section outlines the provisioning currently in place by Information Technology to safeguard ongoing functionality for select essential IT systems and services. Two types of provisioning are identified, business continuity and disaster recovery, for the essential IT services identified below.

GC Data Center: The data center at consists of two adjacent dedicated rooms. Access to the data center is via restricted card-entry system, security cameras monitor the entrances and public safety routinely patrols the adjacent hallways. The rooms are on the second floor, above ground level, and are set apart from the general traffic patterns used by the community of individuals occupying the building on a daily basis. The rooms are supported by individual redundant cooling systems, with continuous monitoring and alerting in place for Facilities and Engineering. The rooms are supported by individual power systems provisioned with UPS backup, with continuous monitoring and alerting in place for Facilities and Engineering. The rooms are supported by individual sprinkler systems. The rooms are supported by temperature, humidity and water alerting, monitored by IT staff and Facilities and Engineering. used as emergency relocation centers for restoration of targeted GC IT services.

GC IT Network Infrastructure: The network infrastructure at consists of core switches and related componentry in the data center, connected via fiber risers to multiple IDFs on each floor housing edge switches serving end-user devices. A wireless network infrastructure rides on top of this framework. The network infrastructure at is currently under the purview of CUNY central office CIS. The network infrastructure at GC/Apt apart from resident services includes edge switches in the data center provisioned to support a collection of desktop computers that could be installed in the first-floor lounge.
In the data center, core switches, distribution switches, firewalls, server-region switches and switches connecting the internal network to the CUNY ring are all deployed in pairs, with failover provisioning, providing high redundancy. From the data center, the IDF on each floor is supported by redundant fiber connections; however, these are encased in the same pathway. The stack of edge switches in each IDF on each floor is configured for failover; however, there are single horizontal paths from the edge switch to the individual end-user wall ports. There typically are multiple data ports in any given room.
The CUNY ring provides two paths, in opposite directions, for redundancy. There is a single path from the data center to the external connection to the actual ring. There is no secondary internet connection in place at. This equipment is currently the purview of CUNY central office CIS. used as emergency relocation centers for restoration of targeted GC IT services.

GC domain (faculty & staff) email: Email for GC staff and faculty uses the gc.cuny.edu domain, and is implemented in a Microsoft Exchange environment, hosted locally at. Email in the legacy asrc.cuny.edu domain is hosted on the CUNY central office CIS email platform. gc.cuny.edu domain (faculty & staff) email The Exchange platform is maintained in a dedicated cluster environment housed in the data center, made up of multiple fault-tolerant servers, provisioned for fail-over redundancy. ProofPoint and other supplementary systems apply additional security processing to incoming/outgoing email for the purpose of safeguarding operations; these systems are likewise configured as a cluster of multiple fault-tolerant servers, provisioned for fail-over redundancy. Backups are executed daily, stored onsite; weekly backups are also performed and stored at off-site location(s).
asrc.cuny.edu domain email This is currently the purview of CUNY central office CIS. Email accounts for ASRC-based employees are now provisioned in the GC email domain; asrc.cuny.edu domain email accounts are legacy. gc.cuny.edu domain email
Subject to the nature of the disaster, backup tapes are available to restore the Exchange environment at GC/Apt. In order to do so, equipment required to read from back-up tapes will need to be acquired, as well as the equipment onto which the files and system are to be restored. Other operational steps will include making revisions to current DNS tables. Users will use Outlook Web Access from any internet-connected location to access gc.cuny.edu domain email. In a disaster scenario, existing supplementary systems such as ProofPoint will be Future planning: recovery provisioning currently supported by GC/Apt asrc.cuny.edu domain email This is currently the purview of CUNY central office CIS

Externally hosted and managed IT services: Services such as email, file storage and collaboration services for GC students (using the gradcenter.cuny.edu domain), CUNYfirst HR and finance services, Blackboard and NetCommunity are externally hosted. GC student email, file storage and collaboration services (using the gradcenter.cuny.edu domain) are implemented in a Microsoft Office 365 environment, hosted externally by Microsoft and controlled by CUNY central office CIS. This is a Microsoft-hosted and supported environment, accessible to users from any internet-connected location. CUNYfirst and Blackboard are hosted systems overseen and managed by central office CIS. NetCommunity is a system contracted for by the GC Development office and hosted externally by the vendor. Subject to the nature of the disaster, these externally-hosted and supported environments are expected to remain operational and accessible to users from any internet-connected location. CUNYfirst and Blackboard are the purview of CUNY central.
GC database services: Electronic databases underpinning file systems and applications are hosted locally at the GC. Database services for individuals at are currently provisioned on equipment overseen by CUNY central office CIS. The MS SQL database environment is maintained in a dedicated cluster environment housed in the data center, made up of multiple fault-tolerant servers, provisioned for fail-over redundancy.
The MySQL database environment is maintained in a dedicated cluster environment housed in the data center, made up of multiple fault-tolerant servers, provisioned for fail-over redundancy. Backups of the data and the servers are executed daily, stored onsite and - for Windows environments - replicated offsite to GC/Apt; weekly backups of the data and the servers are also performed and stored at off-site location(s). This equipment is currently the purview of CUNY central office CIS Subject to the nature of the disaster, backup tapes can be used to restore the database environment at GC/Apt. In order to do so, equipment required to read from back-up tapes will need to be acquired as well as the equipment onto which the files and system are to be restored to house the database environment. Future planning: recovery provisioning currently supported by GC/Apt

GC file services: Electronic file services for GC faculty and staff, commonly known as U-, S- and R- drives, are hosted locally at. File services for individuals at are currently provisioned on equipment overseen by CUNY central office CIS. (File services for GC students are discussed above.) The front-end system for file access is maintained in a dedicated cluster environment housed in the data center, made up of multiple fault-tolerant virtual servers, provisioned for fail-over redundancy. The back-end system for file storage is a SAN system housed in the data center.
Backups of both the front-end system and the back-end data are executed daily, stored onsite and also replicated offsite to GC/Apt; weekly backups of the data and the servers are also performed and stored at off-site location(s). This equipment is currently the purview of CUNY central office CIS Subject to the nature of the disaster, the data replica retained at GC/Apt can be used to restore the file services at GC/Apt. Future planning: recovery provisioning currently supported by GC/Apt

Incoming/outgoing internet connectivity: The IT infrastructure (CUNY ring) traversed by incoming and outgoing traffic between the internet and the IT infrastructure internal to, GC/Apt and is controlled by CUNY central office CIS. is connected to the CUNY ring. is connected to the CUNY ring via City College using infrastructure currently overseen by CUNY central office CIS. GC/Apt is connected to the CUNY ring via Hunter College and is also served by a separate redundant internet connection via Verizon FIOS service. The CUNY ring is the purview of CUNY central office CIS. The CUNY ring is the purview of CUNY central office CIS. A separate redundant path to the internet is in place via Verizon FIOS service at the GC/Apt (only).
GC-hosted Windows-based websites & web-based services: Resources such as the primary GC website (gc.cuny.edu), Password Reset, Track-IT, and the web front-ends are hosted locally at. The asrc.cuny.edu website is hosted by CUNY central office CIS. The front-end systems are maintained in a dedicated cluster environment housed in the data center, made up of multiple fault-tolerant virtual servers, provisioned for fail-over redundancy. The database back-end is MS SQL, discussed elsewhere in this document. Backups of the front-end system are executed daily, stored onsite and also replicated offsite to GC/Apt; weekly backups of the data and the servers are also performed and stored at off-site location(s). asrc.cuny.edu website This is currently the purview of CUNY central office CIS. gc.cuny.edu website Subject to the nature of the disaster, the data replication retained at GC/Apt will be used to restore the GC website system at GC/Apt. (Noted: The dependency on the database restoration.) Other operational steps will include making revisions to current DNS tables. Future planning: recovery provisioning currently supported by GC/Apt asrc.cuny.edu website This is currently the purview of CUNY central office CIS. In the future, content residing on the CIS platform will be migrated to the GC's primary infrastructure.
GC-hosted Windows-based IT services: Resources such as WSUS, SCCM, EPO, software license server, print server and Active Directory are hosted locally at. These systems are maintained in a dedicated cluster environment housed in the data center, made up of multiple fault-tolerant virtual servers, provisioned for fail-over redundancy. Backups of the front-end system are executed daily, stored onsite and also replicated offsite to GC/Apt; weekly backups of the data and the servers are also performed and stored at off-site location(s). Subject to the nature of the disaster, the data replication retained at GC/Apt will be used to restore select systems at GC/Apt; not every system noted in this section would be considered essential. Future planning: recovery provisioning currently supported by GC/Apt

GC-hosted Linux-based websites & web-based services: Resources such as GC Web Services, the CUNY Academic Commons, and the GC Library website, as well as the NML, DSC, MLD, CUNY BA, RILM, Brook Center and RedMine websites are hosted locally at. The GC Linux environment is purely virtual and consists of three layers: the MySQL database back-end, discussed elsewhere in this document, the file system and the front-end web services layer. The MySQL database back-end is discussed elsewhere in this document. The environment is maintained in a dedicated cluster environment housed in the data center, made up of multiple fault-tolerant virtual servers, provisioned for fail-over redundancy. Backups are executed daily, stored onsite; weekly backups are also performed and stored at off-site location(s).
Subject to the nature of the disaster, backup replicas will be used to restore the Linux system environment at GC/Apt. Other operational steps will include making revisions to current DNS tables. (Noted: The dependency on the database restoration.) Future planning: recovery provisioning currently supported by GC/Apt

Desktop Computers: A collection of Apple ios Mac and Windows PC desktop computers are available at to support faculty, staff and students. These resources are maintained and supported on an ongoing basis. A collection of Apple ios Macs and Windows PCs are available at to support faculty and staff; these are currently under the purview of CUNY central office CIS. For desktop computers currently deployed, systems are kept current and protected by way of central management, via SCCM for Windows PCs and Casper for Apple Macs. SCCM is noted elsewhere in this document. Casper resides on a physical server, with a redundant hardware platform. WSUS, noted elsewhere in this document, is used to keep PC computers current with Windows updates and patches as well as Microsoft application software updates. Casper is used to keep Macs current with Apple ios updates and patches. Ongoing preparedness: Critical updates issued by Microsoft are automatically pushed to all Windows desktop computers via WSUS. Critical updates issued by Apple are automatically pushed to all Mac desktop computers via Casper. McAfee EPO, noted elsewhere in this document, is used to keep the end-point security updated on both Windows PCs and Apple Macs. This includes anti-virus, full-drive encryption for portable storage and data loss prevention for designated sensitive data (for the latter, Windows only). The same utility is used to provision full-drive encryption on GC laptops. Ongoing preparedness: McAfee updates are automatically pushed to desktop computers on a routine basis. Ongoing preparedness: A small collection of PCs and Macs are retained in stock (spares), as a redundant fail-safe precaution should a desktop computer currently deployed fail beyond immediate repair. Standard images for PCs and Macs are maintained in SCCM for Windows and in Casper for Macs. Ongoing preparedness: These images are backed up routinely. Desktop computers have been configured and installed by CUNY central office CIS and are currently maintained via that connection. Future planning: Desktop computers at will be integrated into the fleet of desktop computers at. Subject to the nature of the disaster, facilities at and GC/Apt will be Existing desktop computers at are suitable for such work. The lounge at GC/Apt is provisioned to support a collection of desktop computers. Future planning: recovery provisioning currently supported by GC/Apt

GC telephone service: Telephony service for is provided via a voice-over-IP system hosted locally at, using circuits to Verizon and AT&T. Telephony service for GC/Apt is provided via Verizon. Telephony service for uses infrastructure currently controlled by CUNY central office CIS. The telephony system is comprised of a collection of components; all components are provisioned for redundancy. Additional end-user hand-sets are also stored on-site.
Voicemail services enabling a caller to leave a message are maintained in a dedicated cluster environment housed in the data center, made up of multiple fault-tolerant servers, provisioned for fail-over redundancy. Voicemail services enabling the recipient to retrieve stored messages are not similarly provisioned.
Backups are executed daily, stored onsite. backups were successful. Redundant routes exist to the PSTN; however, these traverse the same pathway between and the street connection. This is currently the purview of CUNY central office CIS. A small number of telephones at are provisioned independently of the IP network using traditional analog service. Telephone services at GC/Apt and are independent of and therefore, subject to the nature of the disaster, may remain operational. In a disaster scenario, certain existing supplementary systems such as voicemail may be This is currently the purview of CUNY central office CIS.