This blog is the first in a series of ten posts that has been prepared by the Jisc enterprise infrastructure team of subject specialists. This blog series details the key findings from the infrastructure reviews undertaken by the team between late 2016 and early 2020. The team was able to spend time undertaking a synthesis of the reports during the Covid-19 pandemic lockdown, whilst demand for the service was lower. Since the Covid-19 situation prevented travel to Jisc member sites the team has continued to undertake remote infrastructure reviews. If you would like to take advantage of the service, please contact your Jisc account manager for further information.
This introductory post links to a series of 9 further blogs. This material has been prepared for a general audience of Jisc members.
We have used a narrative approach, in the form of an ‘exemplar infrastructure review report’ to provide further insights into the state of the infrastructure found across the Jisc membership. In constructing the following blog posts we have used the same chapter structure as is used in the Jisc infrastructure review template:
- Strategic considerations for implementing a successful IT organisation.
- IT support arrangements to maintain IT and technology service, focussing on the IT staff team.
- Networks, covering wide area network links, the local area network, wireless networks and telephony.
- Servers, and storage, includes the core infrastructure used to provide IT services.
- Core enterprise services, comprising identity and access management, DNS and web services.
- Enterprise applications, encompassing the services and software used by the organisation.
- Device management, covering the methods used to manage, update and secure devices.
- Security and business continuity, considering the wider security arrangements inclusive of business continuity and disaster recovery.
- Governance, details matters inclusive of relevant policies and certifications.
Data aggregation and narrative drafting for the project have been undertaken by Rohan Slaughter, Jisc subject specialist (infrastructure systems and assistive technology). Marc Dobson, Jisc subject specialist (infrastructure applications) has undertaken data processing and additional data aggregation.
An executive summary is provided in this post that identifies the key findings from this piece of work.
In constructing this series of posts, we have used the same chapter structure as is used in the Jisc infrastructure review template. Infrastructure review reports are constructed with a brief executive summary, a set of key points that include any relevant notes and where appropriate our recommendations to address the point.
We also include any proposed next steps that Jisc can assist the organisation with. These next steps often include the digital strategy review, and the IT support skills assessment. In fewer cases we offer the applications review service or the enterprise security review and risk assessment. We also provide strategic or bespoke consultancy inclusive of recruitment support and organisational design. Such next steps are only suggested where we feel the organisation will substantively benefit from them. Of the 118 IRs undertaken to date a total of 64 of these ‘next-step’ consultancy offers have been taken up. This demonstrates a useful level of take up for these services.
In the majority of cases we provide an ‘appendix a’ that is based on the same chapter structure that is shown below in order for IT teams to reference why we have arrived at a particular key point or next step suggestion.
We use ‘appendix a’ to provide further information for the IT team that cannot be included in the main report. The main report is written for a general audience, whereas ‘appendix a’ does contain technical information of most use to IT teams.
The information provided in this series of posts is based on the data for general further education colleges, sixth form colleges, specialist colleges and land-based colleges. Where the collective ‘colleges’ is used it refers to these parts of the Jisc membership only. Other data has been omitted, inclusive of higher education organisations, institutes of adult learning and the performing arts colleges due to the smaller sample size for these types of organisation.
Taken together these posts are presented as an ‘exemplar report’ in order to highlight the best practice that we have found in the sector whilst undertaking this service.
The Jisc enterprise infrastructure sub team has been carrying out the infrastructure review (IR) service since late 2016. To date 118 IRs have been undertaken for Jisc members. The majority of IRs have been carried out in the FE and skills sector, with a minority of HE members taking up the service. We note that this may be due to the larger IT teams in HE organisations vs. their counterparts in HE means that FE colleges have a greater need for this service.
The IR service is intended as a supportive process that seeks to enable service improvement. The IR service is not an audit, it will only uncover what the Jisc member wishes to show the Jisc team. This means that the IR service is not a service that will seek to ‘find problems’ that a member does not wish to discuss. That said we are able to bring a fresh perspective to a Jisc member organisation to enable them to bring about service improvement. We are also able to reference examples of good or best practice that we have seen work well in other Jisc members that may have already worked to bring about a given service implementation or improvement.
We believe that we have seen the ‘middle range’ of Jisc members in terms of IT resourcing or IT / digital maturity levels. Those with the greatest IT resource challenges perhaps may not wish to have this seen by an external party. Additionally, those who are best resourced / most technologically mature may not require the service to the same degree as they do not perceive IT infrastructure to be a major concern. We note that we have undertaken infrastructure reviews with Jisc members that represent both ends of this continuum.
The most mature colleges undertake sufficient technology related strategic planning and ensure that the main strategic planning at colleges does include technology in such planning.
A key finding is that where organisations have a CTO, CIO or head of technology type senior role that these organisations are able to make embedded use of technology due to improved organisation wide technology decision making that occurs in the right place and time to make a positive difference to service delivery.
The majority of colleges find capital spending on IT infrastructure difficult. The ongoing FE funding challenges have led to a large number of out of date core infrastructure systems continuing in use beyond their manufacturer or vendor end of support dates. This creates a difficult cyber-security posture in a many of the organisations that we have worked with to deliver this service. Most colleges find managing the sustainable replacement or upgrade of both end user equipment and core infrastructure very difficult. We have seen some innovative practice by IT teams that has enabled desktop and laptop fleets to have their lives extended through the fitting of new faster solid-state drives and additional memory, however this practice does have limits.
Based on our analysis, IT support teams have been reduced in size in FE over the last two years in particular. The average IT support staff to supported user’s ratio in general FE colleges now stands at 814:1, this is a substantial rise, and is in our view too high to ensure a good quality IT organisation. In too many cases IT staff have left and have not been replaced. In some cases, experienced and well qualified staff have left the sector altogether. In the majority of colleges, an IT skills shortage of some kind is reported, often as recent technical training has not been undertaken by IT teams. In some cases, the skills shortage is down to the small size of technical teams. This concern is especially pronounced in sixth form colleges and in specialist colleges where the departure of even a single longstanding member of staff can result in serious difficulties for ongoing service provision. Whilst undertaking the IR service we have met a large number of highly talented and dedicated IT professionals, who are most certainly a credit to the sector.
Our most popular ‘next step’ service following infrastructure review is the IT support skills assessment that aims to map the current IT teams skills and knowledge in order to identify key-person dependencies, to identify specific skills gaps and to identify any risks associated with such. It is also possible to use the analysis produced by this service to design any new roles that may be created, with the current skills base of the team in mind. We can also support training programme design for IT teams.
Most organisations can improve elements of their networking provision (inclusive of WAN, LAN, WLAN, or telephony). In most cases these concerns are down to a lack of capital investment over time. A key finding in this area is that only a small minority of FE colleges have a resilient internet connection, this is a particular concern given the increased use of cloud hosted SaaS (software as a service) applications that the sector is now making use of.
Servers and storage provision are also impacted by difficulties associated with capital funding: This can mean that resilience is insufficient, or capacity is constrained. For the majority of colleges, the growth in the use of SaaS has not been matched by the use of IaaS (infrastructure as a service). In most cases this is due to cost barriers or the view that locally provided systems are more appropriate to meet business needs. It is our view that in almost all cases a hybrid model of both cloud and locally provided on-premises systems is the most useful option for FE colleges both in terms of cost-effectiveness and high-quality service delivery.
There is scope for trust and identify services to be improved to give students and staff a seamless experience of accessing all of the services and applications provided by organisations. This can include a review of single sign on and access to externally hosted resources such as journals and other academic resources.
Most colleges have moved email and calendaring to cloud services such as Office 365 and Gmail. A large number of colleges are making use of SaaS services to provide HR, finance, and other line of business applications.
Device management can be improved in almost all cases. Whilst the majority of colleges undertake Microsoft operating system and application patch management in a secure way, other third-party software management is not as well enforced. Mobile device management (MDM) can be improved in the majority of organisations that we worked with. Mobile phones are rarely managed by MDM systems, this may cause data protection concerns.
Backup and disaster recovery preparations can be improved in the majority of organisations. In some cases, this is due to the age of systems, with them having been designed to mitigate against physical damage caused by fire, flood etc. Such systems may not include logically or physically offline backups which in some cases can leave organisations without useful mitigations to recover from various common cyber-security threats such as crypto malware and bad actor / hacker attacks.
Data and information security can often be improved through the use of technical means such as mass storage policy enforcement, the use of compliance tools and through encrypting laptops and other mobile devices.
The majority of the organisations we worked with do not yet have cyber-security certifications in place such as Cyber Essentials, although most recognise the utility and usefulness of obtaining such certifications. For colleges in England the ESFA (education and skills funding agency) conditions of grant funding now requires colleges to hold the Cyber Essentials certification in the 2020-21 funding year. We understand that this requirement will change to require Cyber Essentials Plus in the 2021-22 funding year.
The most mature IT organisations join up accessibility and assistive technology provision sufficiently with the IT team, this ensures there are no missed opportunities to improve support for disabled students.