Fall 2019

Leadership Update

Bermann Now Permanent CISO

Sol Bermann was named executive director of Information Assurance (IA) and chief information security officer (CISO) for the University of Michigan in June. He served as U-M’s interim chief information security officer during the 2014–15 and 2017–19 academic years. He has also served as chief privacy officer and IT policy and compliance strategist.

As CISO, Bermann works across the university’s academic campuses and in partnership with Michigan Medicine to establish and maintain the university’s information security program, while enabling an open and collaborative academic environment.

 

Project & Capability Updates

Duo@Weblogin to Be Required of All Students

Over the fall semester, ITS is actively reaching out to students to encourage them to turn on Duo two-factor authentication for U-M Weblogin. Currently, Duo@Weblogin is required for student employees of U-M. It will be required of all students on the Ann Arbor, Flint, and Dearborn campuses effective January 29, 2020.

Fall outreach activities include articles in university publications, in-person participation at student events, targeted emails to students, pop-up messages on websites, prize drawings for students who start using Duo before January, and more. ITS, with support from all of you, is working to get as many students as possible to start using Duo@Weblogin before it is required, so they have plenty of time to choose the options that best meet their needs.

Expanding Duo@Weblogin will improve the security of everyone’s personal information at U-M and reduce risks to university systems.

 

Move Away from Windows 7, Server 2008

Microsoft will end support for Windows 7 and Windows Server 2008/2008 R2 on January 14, 2020. That means it will no longer provide security updates or support for these operating systems. To avoid security-related risks and support issues, we ask that you prepare now.

  • If you have not already done so, plan to stop using Windows 7, Windows Server 2008, and Windows Server 2008 R2 before January. The number of machines running Windows 7 at the university is dropping week by week. Thank you to those of you who have already taken action!
  • If it is not possible for you to upgrade, begin planning how you will mitigate the risk in other ways.

MiWorkspace staff members are working with unit IT staff on plans to upgrade computers to Windows 10 wherever possible. Health Information Technology & Services staff members are ensuring that Michigan Medicine devices running Windows 7 will be upgraded by October 31.

If you have Windows 7 on your personal devices that are not managed by the university, plan to upgrade to Windows 10 by January. The consultants at the Tech Shop can help you figure out what you need to do to upgrade your Windows software.

For more, see IA Notice: Plan for end of Windows 7 support and IA Notice: Plan for end of Windows Server 2008 support.

 

SPG 601.27 Implementation: Progress and Next Steps

You are off to a great start! Security Unit Liaisons and other U-M IT staff have made good use of the first nine months of the two-year implementation period for the revised Information Security (SPG 601.27) policy and supporting standards.

More than 30 U-M units hosted presentations from the SPG 601.27 implementation team. In addition, many of you participated in the standards working sessions hosted by ITS Information Assurance (IA). Each session, with an average of 120 people attending in person and remotely, focused on two of the 13 standards. If you missed a session or just want to review, see materials from standards working sessions.

Your suggestions and insights are already making a difference. IA staff members are reviewing several of the standards in preparation for clarifying some of the language and making adjustments based on your real-life, early-implementation experiences.

 

Shared Responsibility & Unit Support

SULs Attending Renew/Refocus Sessions

Almost three quarters of Security Unit Liaisons (SULs) attended an SUL Renew/Refocus session this summer and fall to learn about changes to the SUL role, their new responsibilities, and the support they can expect from Information Assurance (IA).

Every unit, school, and college has a staff member designated as an SUL who serves as that unit's primary IT security contact. SULs have an important role to play in their unit's security and compliance posture, risk assessments, risk treatment plans, vulnerability mitigation, sensitive data discovery, education and awareness, incident investigation, and implementation of the IT security policy and standards.

 

MitiGate to Be Introduced October 23

Security Unit Liaisons (SULs) are invited to attend an introduction to MitiGate on Wednesday, October 23, 9:30–10:30 a.m., in the Great Lakes South room at Palmer Commons. MitiGate is an online gateway to unit IT security risk and compliance data for SULs and unit IT leadership. It provides a window into risk data pulled from multiple systems in one place.

 

Join IT Security Policy and Standards Communities of Practice

Information Assurance (IA) has set up joinable MCommunity groups to serve as communities of practice around implementation of the revised Information Security (SPG 601.27) policy and supporting standards. Use the communities of practice to:

  • Access the collective wisdom and expertise of your U-M colleagues.
  • Ask questions of, or seek advice from, each other related to implementing and operationalizing a specific standard.
  • Share resources, success stories, and potential solutions to implementation barriers.
  • Ask IA subject matter experts for interpretation, elaboration, or clarification related to a specific standard in a forum where others at U-M with similar job responsibilities and interests will also see the response and have the opportunity to add more insight and experience to the discussion.
 

U-M IT Security Posture Information Available

Have external collaborators, granting agencies, or vendor partners ever asked you for information about the university’s IT security posture? Information Assurance (IA) has pulled together an overview of how we secure U-M into one document to help you answer those questions:

  • U-M IT Security Posture (U-M login required). There is a link in the document to a PDF version (also requires U-M login) you can download in case you need to print or share it.
    IT security and compliance is a shared responsibility. This document does not account for unit-unique environments and systems.

Questions about the university’s IT security posture can be directed to IA through the ITS Service Center.

 

Expansion of Role-Based Access Control

The ITS Identity and Access Management team is working to expand the use of the Identity Governance tool, which is used to automate the process of granting and revoking access to digital and physical resources. Access procedures and requirements vary widely across different units and systems, so ITS works closely with each unit to understand their needs and design solutions using the new tool.

ITS is working with the Registrar’s Office for access to M-Pathways Student Administration and with the Office of Undergraduate Admissions for access to Slate, a new admissions management tool. ITS also continues to work with the three units that first adopted the new automated access tool to improve its effectiveness.

The Identity Governance tool puts into practice the concept of role-based access control: automatically assigning people access to digital and physical resources based on their roles in an institution. This type of pre-approved access can be assigned to employees, changed, and removed based on their current positions. For example, if an employee changes positions, their access could automatically be adjusted in response to the job change.

Role-based access accelerates the start-up time for new employees who need access to systems and improves data security by promptly removing access when a person’s status changes. It also replaces some manual processes, increases the ability to track and report on access, and makes it easier for the right people to get access to the right U-M resources when they need them.

If your unit is interested in learning more about implementing the Identity Governance tool, contact the team by emailing [email protected]. Requests will be prioritized and evaluated based on several factors, such as the benefits in relation to the amount of work involved in the transition process.

Visit Identity Governance to learn more about the features and benefits of the tool.

 

Reminders & Events

Register to Attend SUMIT on October 29

Register now to attend the annual Security for University of Michigan IT (SUMIT) symposium on October 29 at Rackham Auditorium on the UM-Ann Arbor campus. This event presents a rare opportunity to hear, at no cost, nationally recognized experts discuss the latest cybersecurity and privacy topics, trends, and threats.

See SUMIT_2019 for details, including a list of presenters.

 

IA Coordinates Response to IT Security Incidents

We all know to call 911 for emergency assistance or to report a crime, but what if you suspect an IT security incident is in progress? Report it to ITS Information Assurance (IA) as soon as possible:

  • Report all serious or potentially serious IT security incidents to [email protected].
  • Report non-serious IT security incidents to the ITS Service Center.
  • In some U-M units, reports go to the Security Unit Liaison (SUL) or local IT group, who then work with IA.
  • Not sure? Send email to [email protected].

What to Expect from IA

IA has primary responsibility for coordinating the response to serious IT security incidents. Once you’ve reported an incident, you can expect IA to keep you involved while it coordinates the response. SULs and IT staff who receive reports of suspected IT security incidents should work with IA. IA will involve other U-M offices, such as the Office of General Counsel, as needed.

IA Coordinates Communication

IA also coordinates all incident-related communication. This helps provide the greatest transparency possible while not jeopardizing any related criminal investigation or causing undue alarm. IA staff will help you ensure U-M leadership and others receive appropriate updates, only releasing information on a need-to-know basis.

If in Doubt, Ask

IA staff are always ready to help you. IT security incidents can happen at any time, so IA monitors the [email protected] mailbox outside normal business hours. Learn more about IT security incidents on Safe Computing:

 

New and Updated Info on Safe Computing for You

The Safe Computing home page has a new look! In addition to the links you depend on for the Sensitive Data Guide, the Information Security Requirements table, IA alerts, and more, the page includes a live feed from the Michigan IT Newsletter’s Safe Computing articles and tweets from @umichTECH.

Some new and recently updated pages include:

 

In the News

Ransomware Targeting Higher Ed

Hackers Demand $2 Million From Monroe
Inside Higher Ed, 7/15/19

Ransomware has become a bigger problem for many institutions in 2019, including higher education. In one high-profile case, ransomware was used to hold hostage the digital assets of Monroe College.

Members of the U-M community can learn to protect themselves and U-M from ransomware with resources on Safe Computing, including Ransomware: Don’t Pay the Ransom! and a new Beware of Ransomware! print-and-post flyer.

 

Privacy on Voice-Activated Devices a Growing Concern

Apple apologizes for listening to Siri recordings, promises changes
CNN Business, 8/28/19
Facebook Transcription Opt-In Says Nothing About Human Listeners
Bloomberg, 8/15/19

In the wake of revelations about the use and misuse of user data by large social media companies, there were new concerns raised after reports that Apple allowed contractors to listen to commands that users issued to Siri, and Facebook ran a program to allow contractors to listen to and transcribe some users’ audio clips. Some U.S. lawmakers are calling for stronger privacy protections, and companies are being forced to rethink their approach to reviewing recordings for product improvement.

Wherever you can, choose privacy settings you are comfortable with rather than accepting default settings. You can find privacy tips, resources, and more news stories in the privacy section of Safe Computing.

 

Tips to Share

Beware of Ransomware, Don't Pay the Ransom

Ransomware attacks continue to be a worldwide risk. You may have read about attacks on state and local governments in Maryland, Georgia, and elsewhere. Manufacturing, energy, health care institutions, and higher education institutions have also been targeted.

Ransomware is a type of malware (malicious software) that can infect and encrypt files on your computers and other devices, preventing you from accessing them or the data stored on them. Criminals use it to threaten victims with loss of their data unless they pay ransom in return for a “key” to unlock their folders, files, and devices.

Ransomware typically gets on devices when people open infected email attachments, click shared document links to infected documents, or click links in email that go to malicious websites. You can protect yourself by doing the following:

  • Make regular backups, and keep those backups separate from your devices.
  • Hover your mouse over links in email to examine them before clicking.
  • If you receive an unexpected email attachment, check with the sender before opening.

If your computer or other device is infected by ransomware, don’t pay the ransom. There are no guarantees when dealing with criminals. If the infected computer or device is owned or managed by the university, or it is used to access or maintain sensitive U-M data, report the problem to Information Assurance immediately.

 

New Tech? Safely Dispose of the Old

A new school year often means getting new technology, and that means needing to safely dispose of old devices. Old disks, flash drives, smartphones, and computers can all contain personal data, and in some cases, U-M data if you used those devices for U-M purposes.

Keep that data from falling into the wrong hands by securely deleting it before disposing of the device. Even devices that you decide to sell or hand down to friends or family need to be properly erased or reset before you pass them on.

You can reference guidance on the Safe Computing website if you want to erase your devices yourself. If you prefer, you can use the for-fee service available at the Tech Shop. Property Disposition offers secure device erasure services for U-M devices. See these pages for guidance—and for U-M policy requirements: