Fall 2018

The revised Information Security policy (SPG 601.27) was approved and published, along with a number of new information technology standards, over the summer. The policy and accompanying standards represent the most comprehensive revision of the institution’s information security program since its inception over a decade ago.

Information Assurance (IA) sent email to Security Unit Liaisons (SULs) in late October asking them each to facilitate and coordinate their unit’s implementation planning. Implementation will be phased in over the next two years, with an anticipated compliance date of December 31, 2020.

"Information security is a shared responsibility," said Sol Bermann, U-M’s chief privacy officer and interim chief information security officer. "The IA team looks forward to working with units across the university to support implementation, interpreting the policy and standards, and receiving feedback along the way.

"The Information Assurance team will work with and support all U-M campuses and Michigan Medicine as we work towards implementation," said Bermann. IA staff members are meeting with university stakeholders, IT governance groups, and others to outline the implementation planning process.

Watch for announcements soon of some general implementation planning meetings that are now being scheduled across the university. If you'd like an individual implementation planning meeting with IA staff, send your request to [email protected]. In the meantime, check out the information being added to Safe Computing to support implementation under Protect Your Unit’s IT. And if you have suggestions or feedback, please send them to [email protected].

"We appreciate your support as everyone works together to improve IT security and compliance," said Bermann.

One revised policy and 13 new standards are a lot to work through. What, specifically, does it all mean for you? A new table on Safe Computing gives you the specifics: Minimum Information Security Requirements for Systems, Applications, and Data.

Use the table to identify the detailed minimum security requirements for your system or application. The security requirements are organized by standard. Each requirement is clearly labeled as required, recommended, or not applicable according to the classification level of the data involved and the mission criticality of the system. Scroll through the table to learn what you need to do to protect university data and systems in accordance with the revised Information Security policy (SPG 601.27) and new standards.

Michigan Medicine Information Assurance is proud to be partnering with other healthcare organizations to continuously monitor and improve cybersecurity through the new Michigan Healthcare Security Operations Center (MI-HSOC).

The MI-HSOC is a group of highly-skilled teams that leverage shared technologies, processes, and skills to prevent, detect, analyze, and respond to cybersecurity events. The new shared environment, located in Plymouth, Michigan, brings together the information security organizations of Beaumont Health, Munson Healthcare, Michigan Hospital Association, and Michigan Medicine.

"We are truly excited about this partnership, as this new facility represents a unique method of cooperation that has never been seen in Michigan," said Jack Kufahl, Michigan Medicine’s chief information security officer. Operating as a shared workplace for cybersecurity teams across major health care organizations, "will allow all partnering organizations to share best practices and resources more effectively, in turn providing ample benefits to students, employees, physicians, and patients when it comes to increased levels of protection."

Two-factor for Weblogin will be required starting January 23, 2019, for all faculty, staff (including student employees), and sponsored affiliates on the Ann Arbor, Dearborn, and Flint campuses. That means people will need it to access their U-M Google Mail and Calendar, log in to services via Wolverine Access, use Canvas, make changes to their MCommunity profile and groups, and more.

Regular emails are going out to those who still need to enroll in Duo two-factor and turn it on for Weblogin. In addition, lots of materials are available for you to share as you encourage your colleagues to get set up now:

• New enrollment app (duo.it.umich.edu). Tells you your enrollment status and streamlines setup.
• Two-Factor (Duo) for Weblogin. Information about turning on and using two-factor for Weblogin, enrollment instructions, documentation, and more.
• Duo@Weblogin Project. Information about the expansion of Duo at U-M, stories from units, FAQs, and more.
• Tip sheets:
  • Duo Options at-a-Glance
  • Traveling with Duo Two-Factor
• How-to videos and more at Two-Factor Authentication Support
• Communication Resources. An IT support guide, digital signs, brochures, and more.

A toolkit is now available to help your unit comply with the General Data Protection Regulation (GDPR), which went into effect in May. The toolkit includes an assessment to help you figure out if the GDPR applies to your data, along with a data survey, a privacy notice template, and more to help you comply if it does. It is part of the university's emerging GDPR compliance program.

• General Data Protection Regulation (GDPR) Compliance
• Toolkit: General Data Protection Regulation

Property Disposition now has an on-site hard-drive shredder that can destroy hard drives and other storage media in compliance with Electronic Data Disposal and Media Sanitization (DS-11). Property Disposition can also securely erase storage media to meet the requirements laid out in the data disposal standard if your unit chooses not to erase devices before sending them to Property Disposition for disposal, recycling, or resale. The $1 per-device fee is at least $2 lower than fees charged by other third-party strategic suppliers.

Dante Vasquez, Property Disposition supervisor, explained, "Property Disposition is the last stop when equipment leaves the university. With the volume of property we receive, the economies of scale allowed us to purchase the equipment [hard-drive shredder] to provide a cost effective, efficient, and secure service to sanitize and/or destroy these items for the university."

More details on procedures for sanitizing U-M devices and media before disposal are available at Erasing U-M Devices. For more about Property Disposition’s media destruction and data sanitization services, see Declaring and Sending Surplus: Computer and Digital Media Preparation.

About 2,100 managed systems in the College of Literature, Science, and the Arts (LSA) now have extra protection from malicious websites thanks to the Safe Computing Website Checker developed by Information Assurance (IA). The extension protects people from some types of malicious websites when browsing the web with Chrome.

"Utilizing Group Policy Management (GPO) we have deployed this extension to any LSA Windows 10 system connecting to Active Directory," said Bob Pelcher, data security analyst, LSA. "LSA is pleased with the additional layer of security this extension provides and the ease of installation."

"The extension helps us reduce the effectiveness of phishing and other attempts to trick people into revealing their passwords," said Matt Coons, IA incident responder. The extension:

• Warns you when you are about to visit malicious websites masquerading as the U-M Weblogin page.
• Warns you when you are about to visit other websites that have been identified by U-M IT security staff as significant threats targeting the U-M community.
• Automatically reports malicious web pages to U-M IT security staff so that they can take action to further protect the U-M community.
• Does not identify individuals who are using the extension when reporting malicious sites.
• Does not interfere with everyday web browsing activity.

The Chrome extension is included on all MiWorkspace workstations. Look for the yellow check mark in a blue circle at the far right of your Chrome URL bar that indicates its presence.

IA is looking to roll the extension out to additional units. Unit IT staff who manage computers with Chrome installed can add the extension to their installation. Members of the U-M community who do not already have the extension can install it themselves (installation instructions).

Interns in the Information and Technology Services (ITS) Intern Program developed and fine-tuned the extension, working with IA staff. Jacob Rickerd created the extension in 2016, with interns Adam Flickema and Tyler Tran contributing in 2017

• Back Up U-M Data. Guidance for planning backups that will prepare you for the planning associated with Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12).
• Cryptocurrency Mining Risks and U-M Restrictions. This new page outlines the dangers of cryptocurrency mining and reminds members of the U-M community that cryptocurrency mining using U-M resources is a violation of university policy.
• Disaster Recovery Management. Guidance to help you meet the requirements in Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12).
• New Links to the Sensitive Data Guide and Minimum Security Requirements Table. New links at the top of the Safe Computing home page get you quickly to the guide and the new table that lists the minimum security requirements associated with the revised policy, Information Security (SPG 601.27) and standards.
• Penetration Testing (Ethical Hacking). A new page describing the penetration testing service your unit can request from IA and what you can expect if you request it.
• SPG 601.27 and Standards Implementation Project Site. Phased implementation details, including a timeline, the support you can expect from Information Assurance (IA), and your unit responsibilities.
• Two-Factor Expansion. Information about two-factor authentication was moved to Safe Computing (from the ITS website) and expanded to include resources for the expansion of two-factor for Weblogin to faculty and staff.

Information Assurance marked National Cybersecurity Awareness Month during October with a variety of events and activities:

• Expanding two-factor protection. To better protect university systems and data, Duo two-factor for Weblogin was enabled for Michigan Medicine employees and sponsored affiliates on October 10. Communications began in October for enabling it on the UM-Ann Arbor, UM-Dearborn, and UM-Flint campuses in January 2019.
• Cyber security and privacy tips were sent in an email to faculty and staff on October 18 and shared throughout October in tweets. Follow us @umichTECH.
• Security 101 exam for students. Students on the Ann Arbor campus were invited to test their IT security knowledge by taking the Computer Security 101 Exam October 29–November 2. A total of 7,281 students completed the exam, and those with a score of 90% or higher were entered into a drawing for prizes.
• SUMIT_2018. Held October 25, the Security at University of Michigan IT (SUMIT) conference is a free annual event where you can hear recognized experts discuss the latest technical, legal, policy, and operational trends, threats, and tools in cybersecurity and privacy. More than 429 people attended SUMIT 2018 either in person at Rackham Auditorium or virtually via the live stream throughout the day. These individuals represented more than 170 colleges, universities, corporations, small businesses, and nonprofits from around the country.

Join us again next year when we celebrate National Cybersecurity Awareness Month in October 2019.

Video recordings of all presentations at SUMIT_2018, along with a photo gallery of the event, are now available at Safe Computing: SUMIT_2018. Security at University of Michigan IT (SUMIT), the university’s flagship event for National Cybersecurity Awareness Month, was held on the UM-Ann Arbor campus on October 25.

U-M tool measures ‘iffy’ news on social media in time for 2018 election
Michigan News, 11/3/18

How prevalent is the fake news you see on social media? U-M's Center for Social Media Responsibility in the School of Information has developed a public measurement tool called the Iffy Quotient, which monitors the "iffiness" of news on both Facebook and Twitter.

"At the Center for Social Media Responsibility (CSMR), we are working directly with social media companies to produce the designs, systems, and metrics to steer social media toward more beneficial discourse,” said Thomas Finholt, dean of the School of Information.

"Contributing to the accountability of social media platforms is one reason why the CSMR was created. This is an important area of focus for our faculty research. Our aim is to serve as a valued resource in the battle against misinformation."

Google cracks down on malicious Chrome extensions
10/2/18

The openness of Chrome extensions and the Chrome Web Store has unfortunately left them vulnerable to malware and malicious extensions. Google has recently begun efforts to increase its scrutiny of extensions to reduce this problem and to give users a bit more control over the access extensions get. Information Assurance (IA) encourages everyone to install and use extensions with care. Disable or remove extensions you are not using.

One Chrome extension you know you can trust is the one IA developed to protect you from some types of malicious websites. See IA Chrome Extension Protecting LSA in this issue.

You know about hovering over links in email with your mouse to see the destination URL before clicking. But what do you do on your smartphone or tablet where you don't have a mouse or trackpad? How do you tell where the link will take you?

1. Press the link and hold down till a dialog box appears.
2. The link destination (URL) will appear, and you can check to see if it looks suspicious before going to the site.

As more of us read email on our phones, we are more vulnerable to scammers who embed links to malicious websites in phishing emails. Take a few extra seconds to check link destinations before tapping on your smartphone or tablet. It's good to look before you tap as well as before you click.

Do you work with sensitive data? Any time you are thinking about using a storage or collaboration service—whether in the cloud or at U-M—for sensitive university data:

• Check the Sensitive Data Guide first to see which services are approved for your data type.
• If the service you want to use is not listed in the guide, ask Information Assurance about appropriate use by contacting the ITS Service Center.

U-M Login Does Not Equal Approval

Just because you can log in to a service using your U-M uniqname and UMICH (Level-1) or Michigan Medicine (Level-2) password does not mean that service can be used for sensitive university data. Different sensitive data types have very different legal and regulatory compliance requirements. The university offers access to a variety of services to meet different needs.

Permitted Services May Have Additional Requirements

You have a responsibility to use permitted services in ways that comply with legal and regulatory compliance requirements. For example, you must use a shared account when using U-M Box to store sensitive data.

Check the Guide

In short, always check the Sensitive Data Guide before using any service with sensitive university data—and only use services approved for your data type. Please ask those you work with to do likewise.