Winter 2017

Project & Capability Updates

Progress Toward a University-Wide IT Security Program

The revision process for the U-M Information Security Policy (SPG 601.27) is getting closer to starting the approval stage, as are the standards that support it.

  • You can see current versions of the revised SPG and standards on the CIO website. These versions reflect revisions incorporated from feedback received during multiple stakeholder feedback sessions and focus groups, as well as a considerable number of online comments. Thank you for your insights and constructive criticism. Your feedback, as well as feedback from many other stakeholders, was invaluable in improving the final versions.
  • We are finalizing plans for a university-wide cyber security awareness campaign that will broadly support the new version of the information security policy and the associated standards, and emphasize that IT security is a shared responsibility across the U-M community.
  • In anticipation of the policy’s approval, the new U-M data classification levels, which are an important part of the new policy, have been published on Safe Computing.
 

Security Operations Center Up and Running

The new Information Assurance (IA) Security Operations Center (SOC) went live in March. IA security analysts received training and developed new processes to help them identify and examine indicators of compromise, process information about potential cyberattack campaigns, review industry-specific threat intelligence, and more. In addition, they are collaborating with other Big Ten institutions to develop tools and processes to proactively identify threats before they become attacks.

The SOC is one of the first efforts of the larger Next Generation Security Architecture (NGSA). IA is building NGSA capabilities with these goals in mind:

  • Address the challenges of the new threat landscape.
  • Provide enabling technologies and capabilities that improve secure and compliant IT systems and services.
  • Make security the easy choice for U-M units and individuals.
  • Support the revised IT security policy and standards.
 

Use of Two-Factor Keeps Expanding!

Image with this text: Turn on Two-Factor. Your Password Needs a Partner.

As of early March, more than 47,000 people at U-M were enrolled in Duo two-factor authentication—about 21,000 across the Ann Arbor, Dearborn, and Flint campuses and about 26,000 at Michigan Medicine. Between them, about 36,000 authentications go through Duo each day. That's a lot of extra protection for U-M systems and data, and we are grateful to all of you for your support of this important initiative.

When it comes to protection of personal information, more than 7,500 people across the university have already chosen to turn on two-factor for Weblogin. A number of people, including some of you, have told us they would turn it on if it were a bit more convenient. In particular, people want Duo to remember their devices. Some want to use YubiKeys. We are working on both.

  • Remember Me. We are working out the implementation and support details for Duo's "remember me" feature as we explore turning it on. The feature is application-specific (we are considering turning it on for Weblogin) and works by putting a cookie on your browser. The user would check a "Remember me" box at login, and then not be prompted for two-factor when using the same browser on the same device for logins via the U-M Weblogin page for a specified period of time.
  • YubiKeys. Members of the project team are trying out use of YubiKeys to begin exploring support needs, and a unit-based pilot deployment is being explored.

What you can do: Keep encouraging people in your units to turn on two-factor for Weblogin. Turn it on for yourself so you can show others how easy it is. Print and post this 8-1/2 X 11" poster: Turn on Two-Factor for Weblogin.

 

New MCommunity Directory Interface Nearly Complete

The MCommunity Directory is getting a complete overhaul this year, and you can try out the new beta interface now. The beta interface is designed to work well on all your mobile devices and in modern web browsers. It includes a number of features that users have asked for:

  • Set and edit your Away Message easily from a mobile device.
  • Search within groups you own for a particular group member.
  • See member names and affiliations for large groups.
  • See all group members on one page, even for large groups.
  • And more.

The ITS Identity and Access Management (IAM) team recently added group creation and management functionality to the new directory interface. The new interface will likely replace the current interface around the middle of 2017.

What you can do: Check out the updated beta interface (which connects to the live, production MCommunity Directory) and share it with people in your unit. Those who do a fair amount of directory group management may benefit from using the new interface now.

 

Enterprise IAM Program Strives to Unite University

The Enterprise Identity and Access Management (EIAM) Program, which received joint funding from the U-M Office of the Provost and Michigan Medicine last fall, officially launched in January. DePriest Dockins of Information & Technology Services (ITS) and Nimi Subramanian of Health Information Technology & Services (HITS) co-direct the program, and Vice President for Information Technology and Chief Information Officer Kelli Trosvig is the executive sponsor.

Today, identity and access management is inconsistent across U-M’s four campuses, which results in gaps in meeting the needs of faculty, staff, and students. The EIAM Program seeks to begin addressing this and other issues by prioritizing projects that offer short-term benefits and lay a strong foundation for future IAM initiatives.

The overall program goal is to coordinate and unite IAM efforts for all U-M campuses—Ann Arbor, Dearborn, Flint, and Michigan Medicine—so that the right people get the right access to systems and information at the right time. Doing so will contribute to the teaching, research, and clinical mission of the university, particularly by better enabling cross-disciplinary efforts. Projects underway include:

  • Account Lifecycle Optimization. Will deliver incremental enhancements to the existing employee, student, and affiliate onboarding and offboarding processes, documentation, and functionality.
  • Role and Access Management. Will establish an access framework and conduct a pilot to improve the processes for assigning, managing, analyzing, and reporting on roles and access, including automation of tasks.
  • Social Login. Will conduct a pilot to allow U-M affiliates—such as contractors, vendors, and parents—to use their social identities (Google, Facebook, Yahoo, etc.) to log in to a low-risk, U-M-provided service.
  • Uniqname Re-Evaluation and Recommendation. Will document the administrative, technical, and end-user challenges associated with our current uniqname design and use, conduct an impact analysis of alternatives, and develop a plan to move forward.

What you can do: If any of these projects or topics are of interest to you or your unit, contact the IAM program leads at [email protected] to learn more or provide input.

 

Tighter Security for Michigan Medicine Networks

Michigan Medicine has embarked on a year-long program to ensure that only authorized computing devices with the appropriate security protocols and settings can connect to Michigan Medicine networks. The program aims to make the IT environment within the academic medical center as secure as possible for all patients, faculty, and staff. It also includes consolidation of all servers into a secure data center and upgrades to the network switches.

The new network access restrictions only affect wired and wireless networks at Michigan Medicine—those that require a uniqname and Level-2 password for login. They do not apply to MWireless or other campus networks that you log in to with a uniqname and UMICH (Level-1) password.

  • Michigan Medicine devices must use standard platforms. Health Information Technology and Services (HITS) teams are working with departments to identify institutionally-funded and/or owned devices—desktops, laptops, servers, medical devices, and so on—that need to be reconfigured to use the standard Michigan Medicine platforms and policies.
  • Personal devices must be enrolled in AirWatch. Beginning April 27, personal devices not enrolled in the AirWatch device management encryption system will not be able to connect to Michigan Medicine networks. People who do not need to use Michigan Medicine resources from their personal devices can use MWireless for WiFi access.

Michigan Medicine faculty and staff are receiving information about numerous pop-up clinics and “Help Me Now” stations where they can get help in determining the best options for connecting their devices to the internet and accessing the services and systems they need.

 

U-M Staff Take Cyber Security Training

When the U-M IT Security Community asked for cyber security training, IA responded by purchasing several Merit training courses, scheduling them throughout the 2016-17 academic year, and inviting staff members from the U-M Ann Arbor, Michigan Medicine, Flint, and Dearborn campuses to attend. In addition, IA has a limited number of licenses for SANS Securing the Human available for units to use.

Merit Training. Participants report that the Merit training was informative and the instructors were knowledgeable. U-M IT staff members and leaders who took the training now have additional knowledge to help them support implementation of the university's revised information security policy and standards.

The courses included cyber security for executives, cyber security for technical staff, secure coding, secure web application engineering, and more. See more detailed descriptions at Courses Presented by Merit Professional Development.

SANS Securing the Human. IA has purchased a limited number of licenses on a pilot basis for this basic IT security training in response to requests from units. The training covers phishing, regulatory compliance, device security, and more.

What you can do: If you would like to pilot use of the SANS training in your unit, send email to [email protected].

 

Ongoing IAM Security Updates

ITS Identity and Access Management (IAM) staff continue to make routine and ongoing updates to IAM services to maintain and strengthen security. Here are some upcoming initiatives:

  • March 31. The length requirement for Active Directory (UMROOT) domain passwords will change from seven characters to nine. This aligns with other Information and Technology Services (ITS) password-length requirements. The requirement will be enforced for new accounts, password changes, and password resets. This will not force the change of existing passwords.
  • April 1. The SSL certificate for ldap.itd.umich.edu will be upgraded from SHA-1 to SHA-2.
  • Summer. The Certificate Authority (CA) used for Cosign's backend connection will expire later this year. At that time, the current umweb CA will be replaced with one from InCommon.
    Action needed: Those who manage websites that use Cosign (those that require login via Weblogin) may need to update their website configuration this summer. Instructions will be communicated to U-M IT staff email groups by the end of April.

What you can do: Share this information with staff in your units who might be affected.

 

Reminders & Events

Who Does What When IT Security Incidents Happen

If you are a Security Unit Liaison, your incident-response responsibilities are to:

  • Notify the Information Assurance (IA) Incident Response team when you become aware of an IT security incident that may be serious.
  • Communicate and coordinate IT security incident-related activities with the IA Incident Response team.
  • Evaluate and respond to non-serious incidents.

In addition, there are other roles and responsibilities that support IA during potential serious IT security incidents. Check out the recently updated Incident Response Roles and Responsibilities (U-M login required) to find out what everyone else does—the CIO, the User Advocate, data stewards, U-M Police Department, Office of General Counsel, and many more.

If you ever need to find the Roles and Responsibilities page quickly, look for the link to it at the bottom of the Report an IT Security Incident page.

 

Preview: Internal Controls Question for FY17

Each year, U-M units are asked to certify that they are compliant, partially compliant, or non-compliant with a particular security practice or process that changes every fiscal year. For information about the annual certification and questions from previous years, see Internal Control Annual Certification Process.

IA staff are preparing guidance to help Security Unit Liaisons (SULs) work with deans and others in their units to certify for this year's question. In the meantime, here is a preview of the Fiscal Year 2017 question so SULs can begin thinking about their response:

 

Procuring a Vendor Service that Will Access Sensitive U-M Data

If your unit is thinking about contracting with a third-party vendor to provide a service that will access, process, or maintain sensitive university data, please be aware that the university has developed:

Procurement Services facilitates the execution of the data protection addendum and the appropriate use of the supplier security and compliance assessment. Information Assurance (IA) works closely with Procurement Services to support the review process for enterprise and ITS procurements.

For unit-specific services, the unit's Security Unit Liaison should typically coordinate the service provider security and compliance review process for an external vendor. This includes reviewing the completed questionnaire and/or related documentation to assess the vendor's security and compliance practices and ensure that they meet U-M expectations. IA is happy to support units if they have questions about the process or the vendor review. See Vendor Security and Compliance Assessment for more detail.

 

In the News

Update, Update, Update!

With C.I.A. Hacking Revelations, How to Protect Your Devices

The New York Times, 3/8/17

Reports of leaked documents appear to show that the Central Intelligence Agency has hacked a wide variety of the devices most of us carry with us daily. Such news, in addition to the constant news about data breaches and vulnerabilities, may leave people feeling there is little they can do. Not so.

“The one thing that people can and should be doing is keeping their apps and phones as up-to-date as possible,” said Kurt Opsahl, deputy executive director for the Electronic Frontier Foundation, a digital rights nonprofit. In addition, Google recommends that people "protect their devices with lock screens and PIN codes."

General information for members of the U-M community is at Safe Computing: Secure Your Devices.

 

A Majority of Americans Have Experienced Data Theft or Fraud

Americans and Cybersecurity

Pew Research Center, 1/26/17

A majority of Americans have directly experienced some form of data theft or fraud, and a sizeable share of the public thinks that their personal data have become less secure in recent years, according to a 2016 Pew Research Center study. The study also reports that many Americans fail to follow cybersecurity best practices.

On a positive note, the study found, "roughly half of online adults (52%) report that they use two-step authentication on at least some of their online accounts." That's good news, because it means it is likely that many people at U-M are familiar with the concept of two-factor authentication and its benefits. This familiarity may help as we continue to introduce and encourage people to turn on two-factor for Weblogin.

 

Tips to Share

5 Tips to Avoid Online Tax Fraud

Follow these tips to help you avoid online tax fraud:

  1. Practice safe computing by securing your personal devices and using only secure Internet connections.
  2. File your taxes as soon as possible to reduce the likelihood of criminals filing under your name.
  3. If you file online, use only authorized IRS e-file providers to file your taxes.
  4. Be suspicious of ads for tax filing services that promise you large or expedited tax refunds.
  5. Beware of common identity theft and tax scams.

Check out the tips on Safe Computing—where there is more detail and links to helpful information from the IRS—and share them with your colleagues, family, and friends. You can also print and post this 8-1/2 X 11" poster: Don't Fall for Tax Fraud.

 

Use "Personal and Private" Folders to Indicate Personal Files

Do you have personal, non-work files on your university-owned computer or in online storage space provided by U-M? That's okay, but please store them in an appropriately labeled location to help the university respect your privacy.

U-M suggests that you place personal files in a folder named Personal and Private for any service provided by U-M. With some exceptions as outlined in Privacy and the Need to Monitor and Access University Records (SPG 601.11) (for example, when required by law or needed to avert threats to IT systems), the university will treat the contents of that folder as non-institutional data and will not monitor or access materials in folders labeled with the phrase Personal and Private.

 

Click and Create Shortened URLs with Care

Shortened URLs, such as those from bit.ly and goo.gl, make it easy to type in a web address quickly but hard to tell where your web browser will actually take you.

  • Before clicking a shortened URL, check for the full URL. Many URL shorteners provide a preview feature. If you aren't sure it is safe, don't click!
  • Before creating or sharing a shortened URL, consider alternatives. If you must use one, make clear where it goes.
  • Be aware that criminals use shortened URLs to direct people to phishing sites and initiate malware downloads.

See Shortened URL Security tips on Safe Computing to learn how to reveal the full URLs behind shortened URLs, alternatives to shortening, and information about shortened U-M URLs.