May 2015

Leadership Update

Welcome to New CISO, Don Welch

Donald Welch joined U-M on April 1 as the University of Michigan Chief Information Security Officer (CISO). As CISO, Don is responsible for the university's information assurance program, covering the Ann Arbor, Flint, and Dearborn campuses, as well as the Health System. The information assurance program includes IT security, privacy, IT policy, compliance, and enterprise continuity.

Don has met with many people across the university already to learn about U-M IT security needs and will meet with more in the months ahead. "I am talking to as many people as I can, trying to understand what they do and what I can do to help them," said Don. He explained that the security strategy will, among other things, address categories of university information and the policies and controls around them.

"The ultimate goal of this work is to effectively manage risk while enabling the university to excel at accomplishing its mission," said Don. "To reach that goal, it will be important to continue to strengthen the IT security community across the entire university."

"I am enormously impressed with the enthusiasm and ideas shared with me thus far," Don said. "I am proud and excited to be a part of this community."


Project & Capability Updates

Hardening Guidelines Enhanced to Help You Secure Your Server or Database

Make sure that servers managed within your unit that access or maintain sensitive data are properly secured by following the hardening guidelines available on Safe Computing. Guidelines are available for Windows servers, Linux/Unix servers, and databases.

The guidelines for Windows servers have been enhanced with more detailed how-to instructions and links to shared Group Policy Objects (GPOs) for servers that are part of the UMROOT Active Directory domain. Using the provided GPOs makes the server hardening process quicker and easier by automatically configuring many of the required security settings for you.


Vendors Whose Products Will Access Sensitive U-M Data Must Complete Questionnaire

If your unit is contracting with a third-party vendor to provide a service, you should know about the U-M Service Provider Security-Compliance Questionnaire (UMSPSCQ). The UMSPSCQ is a questionnaire for a third-party vendor to complete during the procurement process if the service will access, process, or maintain sensitive university data. IIA worked with the U-M Procurement office to integrate the UMSPSCQ into the procurement process.

IIA supports the service provider security and compliance review process for enterprise- and ITS-related procurements. For unit-specific services, the unit's Security Unit Liaison should typically coordinate the service provider security and compliance review process for an external vendor. This includes reviewing the completed questionnaire and/or related documentation to assess the vendor's security and compliance practices and ensure that they meet U-M expectations. IIA is happy to support units if they have questions about the process or the vendor review.

See the Third-Party Vendor Security and Compliance Assessment webpage for more information about the questionnaire, guidance for reviewing a completed questionnaire, and information about additional means of reviewing the security and compliance policies and procedures of an external vendor.


IPS Implementation in ITS Has Begun

The new network Intrusion Prevention System (IPS) has been implemented for the networks used by about 50 ITS staff members, including those in IIA. The IPS is working well and blocking malicious traffic coming from the Internet without any disruption to normal operation.

In the coming weeks, IPS protection will be extended to additional ITS networks at Arbor Lakes, the Administrative Services Building, and the Boyer Building. Planning has begun to provide IPS protection to MWireless, the U-M VPN, and the ITS Virtual Web Hosting service. Phased rollout of the IPS to U-M units will begin soon. See Network IPS Implementation for updates.


Get a Sneak Peek at the New Look for the MCommunity Directory

Screenshot of the new MCommunity Directory

Wouldn't it be great if the MCommunity Directory were easier to use on your smartphone and other mobile devices? ITS is working on a new look and feel for the directory and has a beta version ready for you to check out: MCommunity Directory Beta Version.

The initial beta version lets you search for people and view their directory entries. In the coming months, ITS will work to incorporate everything else you can do in the directory, as well as some enhancements. For updates, see A New Look for the MCommunity Directory.


Alerts, Advisories, and Notices: A New Process for Keeping You Informed

As the number of security vulnerabilities continues to increase, how do you know what's urgent and needs attention versus what can wait? IIA has implemented a new triage process for the emails we send you to help with that.

IIA incident responders routinely monitor reports of new vulnerabilities, and also receive information from intelligence sources and the U-M IT community. When a new vulnerability is identified, they determine the risk of it contributing to a serious IT security incident as defined by Information Security Incident Reporting Policy (SPG 601.25). They look at factors such as whether exploit code is available, whether exploits are occurring, if U-M systems are at risk, and more.

Based on that analysis, IIA determines the vulnerability level:

  • Alert. Immediate remediation is needed. The need for security outweighs concern about disruption in or degradation of service. Exploit code is available, and exploits may be already occurring. Critical systems and/or sensitive data could be at risk. There is the potential for a significant incident. IIA requests action.
  • Advisory. Patching or other mitigation is needed, but it can occur according to regular patching schedules. There is time to test patches and follow routine procedures. IIA recommends action.
  • Notice. U-M resources are largely unaffected, and/or communication about any needed patching may already be publicly available. Personal devices may be affected and/or there is significant media attention. The ITS Service Center may be getting inquiries. IIA provides information.

Alerts and advisories are sent to the IT Security Community and other IT staff groups depending on the nature of the vulnerability and published to the Safe Computing website (see All Security Alerts). Notices are published on Safe Computing and may also be sent via email.

If you have suggestions for improving IIA alerts, advisories, and notices, please send them to [email protected].


Reminders & Events

You Can Still Provide Input for the Multi-Factor Authentication Project

Work on gathering university requirements for expanded use of multi-factor authentication at U-M is nearing completion, according to DePriest Dockins, assistant director of Identity and Access Management, ITS.

Multi-factor authentication is the use of more than one authentication method or proof of identity when logging in. Options include passwords, PINs, tokens, security questions, security images, and more. As reported in the February 2015 issue of the Safe Computing Newsletter, ITS is working with other university units to explore how we can expand the use of multi-factor authentication at U-M.

A team of ITS staff members has begun outlining a project plan for expanding multi-factor authentication and expects to seek funding for the work in the coming months. There is still time to provide your input to the project if you would like to do so. Contact DePriest through email at [email protected].


Upgrade Windows Server 2003 Before July 2015

After July 14, 2015, Microsoft will no longer issue security updates for any version of Windows Server 2003. See Microsoft: Migration is worth it! for information from Microsoft.

If machines or services you are responsible for still use Windows Server 2003, please upgrade before July. You can order Windows Server products for U-M through the university's Microsoft Campus Agreement. If your server is used to access or maintain U-M sensitive institutional data, be sure to follow the instructions in Windows Server Hardening Guide: Minimum Expectations for a Secure Server at U-M.

Depending on your needs, you might consider using the MiServer virtual server environment managed by ITS instead of running your own Windows Server.

ITS IIA asks that you not connect devices running out-of-date, unsupported software to U-M networks or systems, so please start planning now.