Fall 2025

Leadership Update

Steps Forward in Training, Data Stewardship, and Policy

ITS IA and the Privacy Office have been busy developing new and updated interactive, streamlined online courses, including Data Stewardship and Security Unit Liaison training. Noori says, “These courses are designed by U-M and for U-M to support us all in our shared responsibility to help protect the university’s digital assets. They are a level up in terms of learning experience and cover information people can use in their daily work.”

IA is also gearing up for Cybersecurity Awareness Month and the Security at U-M in IT (SUMIT) event series in October. The theme for this year will be “Protecting Identity.” Noori says, “We have a great lineup of presentations and events planned. We look forward to connecting with people across U-M about how to protect their identity and online accounts. It’s also a great opportunity for us to touch base with units about cybersecurity capabilities, updates, and data protection best practices.”

Sol Bermann, Executive Director of Privacy & Faculty Affairs, is celebrating the revision of Institutional Data Stewardship Policy (SPG 601.12) that was published in August: “SPG 601.12 is one of U-M’s foundational policies, first published in 1994. This revision has been in the making for over a decade and the strong momentum of data governance revitalization has brought forward important updates that will support and guide successful institutional data stewardship in an ever-changing technology landscape.” Read more about other policy and IT standard updates published over the summer in the newsletter. 

 

Inside IA

Meet the 2025 IA Interns: Nathan Rao & Amberly Shi

This summer, ITS Information Assurance (IA) welcomed two interns: Nathan Rao and Amberly Shi. They brought curiosity, energy, and a spirit of learning to their respective teams. From endpoint security to risk frameworks, their projects reflect the real-world impact interns can have across IA’s work. As the internship wraps up, we’re celebrating their growth, accomplishments, and favorite memories.

Nathan Rao – Incident Response Team

Nathan hit the ground running on the Incident Response (IR) team, taking on a high-impact scripting project tied to CrowdStrike, the University’s endpoint security solution. Initially unfamiliar with some of the tools, Nathan dove in headfirst, with the guidance of his supervisor, Angel Fletcher, learning both technical and communication skills that will stick with him well beyond the summer. “My supervisor was there every step of the way, showing me how to work with other ITS offices and eventually giving me space to take the lead on communication with them.” 

Over time, Nathan transitioned from relying on support to independently connecting with teams across ITS to move his projects forward. He also appreciated the supportive culture around him, describing the IR team as “interactive and encouraging.”

Some of Nathan’s favorite moments were during ITS Professional Development (PD) sessions, where he connected with other interns and found inspiration in the interactive challenges and conversations. When asked to describe the summer in one word, Nathan chose “journey,” which is fitting for a summer of technical growth, team collaboration, and a few geography quizzes along the way (Nathan scored over 90% on one!).

Amberly Shi – Responsive Information Security for Campus Team

Amberly joined the Responsive Information Security for Campus (RISC) team as a Business Systems Analyst intern, quickly becoming integral to their efforts to strengthen internal data access and structure. One of her key projects involved auditing the IA Google Drive, identifying external collaborators who may no longer need access, and recommending changes to ensure sensitive data remains secure.

Amberly appreciated her team’s support, including daily check-ins with her coach and weekly meetings with her supervisor, which helped her ease into her work and gradually take on more responsibility. “To work with people who have experience already, I think it’s great,” Amberly said. “They try their best to help you in the moment.”

She highlighted the importance of multitasking and asking for help, which were two skills she strengthened throughout the internship. Looking back, Amberly wishes she had come in more open-minded about team culture, but she’s grateful for what she learned along the way.

Her favorite memory from the summer was the Michigan Stadium tour, where interns got a behind-the-scenes look at technology within the Big House. It was a fun and unforgettable break from spreadsheets and risk assessments. To sum up her experience in one word, Amberly chose “ambitious”, not just for the scope of her projects, but for the collective energy of this year’s cohort.

Over the summer, Nathan and Amberly leaned into challenges and embraced opportunities to grow. As Nathan shared, “The internship is what you make of it. Take every opportunity to learn and talk to people.” IA is grateful for the time and talent Nathan and Amberly brought to their internship experience, and can’t wait to see where their journeys take them next.

 

 

Project & Capability Updates

Hardening & Configuration Management Enhancements

What is Hardening (Configuration Management)?

Hardening is the process of securing systems and the data stored on them against possible attack, theft, and accidental loss by following best practices and mitigating known vulnerabilities. It is at the core of compliance with IT standards like Information Security Risk Management (DS-13) and Vulnerability Management (DS-21), and is crucial to IT security at U-M. A key part of hardening is configuration management: comparing a system's configuration against a known set of best practices in order to achieve a baseline of security. From that baseline, systems can be further hardened to meet the requirements outlined in Minimum Information Security Requirements for Systems, Applications, and Data. IA uses the Center for Internet Security (CIS) benchmarks for configuration management assessments.

Changes to Hardening at U-M

In the past, IA has recommended and provided customized templates for the CIS tool known as CIS-CAT. However, CrowdStrike and Tenable, which are already widely deployed, both include similar functionality natively. In order to simplify our environment, IA now recommends using one of these two tools. IA will no longer provide and support a customized CIS-CAT version.

Moving forward:

  • IA recommends the use of CrowdStrike Falcon's configuration assessment tool as the primary means of benchmarking configurations.
  • IA will also provide and support Tenable's assessment capability.
  • If there are reasons your unit cannot use the CrowdStrike or Tenable tools, please contact IA through the ITS Service Center.

Please share this information with any IT staff that may be impacted. If you or your staff have questions about this change, or about any IA provided capability, please contact Information Assurance through the ITS Service Center.

 

Shared Responsibility & Unit Support

SUL Profile: Joe Lubomirski

The Security Unit Liaison (SUL) serves as the primary point of contact between ITS Information Assurance (IA) and all units, schools, and colleges. SULs are appointed due to their strong commitment to IT security and compliance, and they serve to communicate this commitment to their units, building awareness and support for the university’s IT security posture.

We recently spoke with Joe Lubomirski, Director of Cybersecurity, Infrastructure, and Operations at the Dearborn campus, to learn what inspired his commitment to cybersecurity awareness.

Joe has just celebrated 23 years as a full-time staff member with the University of Michigan. He started at the university as a temp employee in the Summer of 2000, working on what was then the MPathways project. Much of his time was spent “cleaning out the service desk fridge, making copies, and schlepping PeopleSoft training manuals across campus.”

The next couple of summers, he worked on Business Objects reports to assist units with their PeopleSoft data. After 15 years in Ann Arbor, Joe moved to Dearborn as the Infrastructure manager, overseeing the server, storage, network, wireless, and data centers. Since then, Security and Operations teams have also been added to his purview.

As you can imagine, security is a major focus as Director of Cybersecurity, Infrastructure, and Operations. We asked Joe how his work as an SUL fit within his primary role. “Security kind of permeates throughout everybody’s day-to-day job. So, the SUL role keeps me on point with making sure that we’re doing everything securely. I see part of that role as trying to raise awareness and educate throughout the Dearborn campus. Dearborn is treated as a unit in Ann Arbor, so I am the SUL for the Dearborn campus, which is a little daunting and challenging since it is not strictly ITS. I try to get the message out there to all the units, departments, and colleges everywhere–for them to think about security as best as they can.”

Spreading awareness and communicating cybersecurity needs across the Dearborn campus is no small task. When asked about his preferred channel of communication, Joe said, “At this point, I take any and every opportunity that I have. The Dearborn campus has something called the Staff Senate, which is an opportunity for staff to get together once a month. I give them an update, usually, to talk about phishing. We talk about IT security and best practices.” In addition, “I have gone out to different departments around the campus and gone to faculty meetings to talk to them to give them a brief, high-level overview of the security program. I have talked to campus leadership about how we define our security program on campus so they can permeate that message throughout their areas. We send information through the Student Newsletter, which gets sent out weekly. The ITS Communications team sends me slides to put on our digital displays throughout campus. I leverage our international affairs department because a lot of the job scams seem to impact international students more than others.”  

IA consistently advocates that defending U-M from cybersecurity threats is a shared responsibility. Promoting awareness of this message is often Joe’s biggest challenge as an SUL. “I think part of the challenge is, people think that I am covering it all for everyone, or IA is doing it all, and they don’t have a role or a part to play. I’m trying to raise awareness that this is really something that is day to day for all job titles.” Joe points out that this could mean everything from being aware of the latest phishing attacks and not leaving an open laptop on your desk to paying attention to where you are storing sensitive data.

One analogy Joe likes to use is of a shared home. The university is like “a property that has the fence up and the locks on the doors - think of this as our firewall. But the units are the different rooms in the house, and we don’t necessarily always know what they are doing. They could be opening the window to let fresh air in - think of this as responding to a phishing email. They could have cut a hole in the floor - bypassing our security on the front door. It’s a joint effort to keep the house safe.”  

When Joe isn’t educating university staff on the importance of cybersecurity awareness, he is teaching the importance of fitness to K-8 students as a cross-country coach. He loves the challenge of seeing his young athletes develop a sense of empowerment and self-mastery. Joe has also coached track and field, soccer, and basketball, and in April 2025, he completed his first marathon!
 

 

Policies and Standards Updates

The ITS IT Policy team is focused on ensuring the university’s technology policies and standards are up-to-date and remain credible, implementable, and enforceable over time. This summer, we have updated a number of IT policies and standards. These revisions include:

  • A modernization of our Institutional Data Stewardship Policy (SPG 601.12) that reflects updates to technology and our revitalized U-M Data Governance Framework.
  • A revision to the university policy on Information Security Incident Reporting (SPG 601.25) to make it clearer and more concise.
  • An update to the university standard on Security Log Collection, Analysis, and Retention (DS-19) to include new requirements for security log collection.
  • A revision to the university standard on Access, Authorization, and Authentication Management (DS-22) to remove outdated references and include new requirements for access to U-M systems.

We encourage SULs and security community members to regularly visit our Policies Under Review page on the website of the Office of the Vice President for IT & CIO to stay up-to-date on the latest updates and revisions. We welcome your feedback at [email protected].

 

Education & Awareness

Cybersecurity and Data Protection Training Reminders

We all have a role to play in protecting U-M’s digital assets, and educating ourselves and others is an important part of that shared responsibility.

Cybersecurity Awareness Month is a great time to check out the training and education on topics related to Cybersecurity and Data Protection. There are a number of new and refreshed courses in My LINC that may be of interest to you and colleagues in your unit.

For faculty and staff: DCE101: Cybersecurity and Data Protection at U-M provides essential data protection guidance and cybersecurity awareness for faculty and staff across all U-M academic campuses.

For IT professionals: DPE110: Data Protection for Unit IT provides an overview of IT staff’s responsibilities for protecting the university’s digital assets. This includes understanding data classification at U-M, gaining basic knowledge of FERPA, HIPAA, and PCI, and learning how to safeguard institutional data and stay safe online.

For those who work with PCI data: ITSE202: Advanced PCI Training provides information on the university’s PCI infrastructure, the security safeguards that PCI requires, and how to follow PCI requirements when adding or maintaining devices in the PCI infrastructure.

For those involved in data stewardship: DSE101: Introduction to Data Stewardship at U-M is the first introductory course in an upcoming training curriculum for data stewards, data custodians, and U-M community members with responsibilities or interest in institutional data governance.

Use the ITS-Safe Computing and IA Training form to request assignment of any of these courses to your organization, or submit questions regarding data protection training at U-M.

 

New Security Unit Liaison Required Training

Security Unit Liaisons (SUL) at U-M have been integral to the important collaboration between ITS Information Assurance (IA) and units. This year, IA is enhancing this mature program by adding an interactive, online training curriculum for SULs, which provides key information and guidance about performing the role at U-M. The four self-directed courses, which will be required for all SULs, are available in My LINC and can be completed in approximately one hour. They will be assigned in My LINC to current SULs and onboarding SULs beginning October 1, 2025.

SUL100: Role and Responsibilities
Describes the role, overall expectations, how SULs coordinate security activities within the unit and in collaboration with IA, and highlights key responsibilities with scenarios.

SUL101: Incident Response at U-M
Outlines the goals of incident response at U-M, defines what a security incident is and what makes it serious (per SPG 601.25), provides initial steps to take when responding to an incident, and describes the overall incident response process.

SUL102: IT Security Administration at U-M
Highlights capabilities IA offers in the areas of vulnerability management, endpoint protection, sensitive data discovery, and network security, and describes the SUL role in ensuring these capabilities are utilized in order to improve the unit’s security posture.

SUL103: IT Security Risk Management at U-M
Provides an overview of the Information Security Risk Management process, describes when RECONs (Risk Evaluations of Computers and Open Networks) are required, and guides SULs through the process of performing risk evaluations.

This training is required for SULs:

  • New SULs will be required to complete the courses as part of the onboarding process for the SUL role.
  • Current SULs will receive notifications about assignment of the training courses, and will be asked to complete them this fall.

Links to the required training are also available on the Security Unit Liaisons page of the Safe Computing website.
 

 

Reminders & Events

Preview of SUMIT Events 2025

As the U-M community settles into another academic year of teaching, learning, and research, we are reminded why it is so important to protect U-M’s wealth of digital assets. It’s a great time to celebrate national Cybersecurity Awareness Month with Security at U-M in IT (SUMIT) events throughout October. ITS Information Assurance (IA) and the ITS Privacy Office have planned events to reach U-M faculty, staff, and students. Please help us spread the word.

Keynote

Who: Rachel Tobac, CEO of SocialProof Security

What: Exploiting the Trust – The Human Element of Security (Big Ten Academic Alliance-sponsored webinar)

When: October 29, 12-1 p.m.

Description: It only takes 1 email, a 30 second call, or 1 social media DM for her to hack you and gain access to your money, data, and systems. Meet Rachel Tobac, who executes these social engineering attacks for a living and uses her real-life ethical hacking stories to keep organizations up to date on the methods criminals are using to trick people. She'll break down recent cyber attacks in the news, and how to defend against the latest hacking methods, even when criminals are using AI. Her tales from the field and live hacking demonstrations throughout the presentation are sure to keep you and your team "politely paranoid" to catch the next human hacker in the act.

Events

  • Information Assurance Sessions: U-M cybersecurity experts will host virtual sessions on topics such as Phishing, Scams, & Protecting Identity, Vulnerability Management, and the ITS Disaster Recovery Planning Process.
  • Trending Threats and Higher Ed Impacts: Matt Singleton, CrowdStrike Executive Strategist, offers an expert overview of the CrowdStrike 2025 Threat Hunting Report, identifying global threats and higher ed impacts.
  • Drop-in Office Hours: ITS IA staff will host open office hours to answer questions about cybersecurity and data protection.
  • Level UP Your Cyber Game – Big Ten: A virtual trivia game show hosted by the National Cybersecurity Alliance where teams can show off their cybersecurity knowledge. Join the U-M team in this friendly competition for the title of Most Cybersecurity Aware Institution in the Big Ten. Sponsored by the BTAA.
  • Safe Computing pop-ups: IA and the Privacy Office will be hosting table pop-up events on the Ann Arbor campus to engage with students.
  • Safe Computing Challenge for Students: An engaging, quiz-style challenge for students to learn about protecting themselves online and be entered into a drawing for ITS Tech Shop gift cards.

Check out the full schedule and event details on the Safe Computing SUMIT page. Thank you for supporting and promoting IT security at U-M!
 

 

Dissonance Event - Empire of AI: Dreams and Nightmares in Sam Altman’s OpenAI

Join award-winning journalist Karen Hao and Patrick Barry, clinical assistant professor at the University of Michigan Law School, for an eye-opening discussion on Hao’s best-selling book, “Empire of AI.” Monday, October 20, 5 p.m. - 7 p.m. at Rackham Auditorium, 915 E. Washington St.

As the first reporter to gain extensive access to OpenAI when its founder, Sam Altman, promoted it as an altruistic research non-profit, Hao has followed the company’s meteoric rise. Drawing on seven years of reporting across five continents, Hao sheds light on the hidden impacts of AI — from the exploitation of data workers in the Global South to the immense environmental costs of its energy and water consumption. Discover whose priorities are being advanced, whose voices are overlooked, and how we can work together to build a more equitable future for the world with AI.

“Empire of AI” will be available for purchase from BookSweet at the event. The author will stay for a short book signing after the program.

Register for this event, co-sponsored by the Wallace House, Ford School, School of Information, ITS, and Dissonance.

Registrations are not required, but allow us to send you event updates and reminders.

View more details of the event on the Safe Computing Dissonance events page.

 

In the News

News Roundup

Putting the Eye in Identity

Proving identity is essential to ensuring appropriate access, but requires the collection and storage of sensitive personal details. OpenAI CEO Sam Altman thinks he's found the key to a world-wide identity system: your eyes. His company, World (formerly Worldcoin) aims to provide a global verification system using scans of people's irises as proof of identity and is proposing a solution for keeping this sensitive data safe.

Sam Altman’s eye-scanning ID project launches in U.S. with six locations

AI Shares User Conversations in Google Search

Artificial Intelligence can be a powerful tool for research, creativity, or advanced internet searches, but not all AIs are good at keeping your secrets. Recently, xAI made user conversations public, allowing them to be searchable with Google. Conversations ranged from innocuous to personal to even criminal. This is a real-world reminder that you should make sure you know what privacy and security guarantees an AI tool has. Remember that ITS provides U-M with a portfolio of AI tools that are available for students, faculty and staff. ITS AI services empower the university to maintain control over service security and user privacy. All data is encrypted and remains secure within the university’s domain.

Elon Musk’s xAI Published Hundreds Of Thousands Of Grok Chatbot Conversations
 

 

Tips to Share

Protecting Your Identity

Threat actors and hackers regularly target universities, including U-M, attempting to disrupt operations and steal sensitive information. They also try to steal individual U-M account credentials in order to gain access to U-M systems and accounts, initiate scams, and disrupt both our professional and personal lives.

The following tips can help you protect your identity:

  • Do not reuse your U-M password on other sites, especially those where your umich.edu email is your username. If you think your login credentials have been compromised, change your password ASAP.
  • Beware of phishing emails (or texts) that ask you to verify, validate, or upgrade your account by logging in to a webpage or providing your password. They are most likely scams.
  • Avoid logging into a U-M website like Wolverine Access while on an unprotected WiFi network. Your account information could be stolen if you don’t use a secure internet connection.
  • Do not share your passwords. If you share your password with a friend, significant other, or family member, they might not be as careful with it as you are. Consider using a password manager to store your passwords in an encrypted file so that you don't need to remember them.

More tips and resources:

Please report suspicious messages or email to [email protected].