Spring/Summer 2016

Leadership Update

Completely Revamped IT Security Policy

If you haven't looked at the proposed new IT Security Policy (SPG 601.27) and related standards yet, you might want to set aside a little time to do so. The policy has been almost completely rewritten, and it will have a big impact on how all of us contribute to IT security at U-M.

The rewritten policy establishes a single, comprehensive, university-wide "information assurance and cybersecurity risk management framework and program, based on an enterprise security architecture that makes utilizing secure university-provided services straightforward and readily accessible to faculty and staff." The policy will be supported by more than a dozen operational, procedural, and technical standards.

The policy was originally issued in 2008, soon after U-M first established a separate information security group and program. Given the significant increase in cyber attacks directed at higher education institutions—and the attendant costs and risks associated with such attacks—it is important that this policy be revised and updated to provide for 21st century security best practices while supporting and advancing U-M's core missions.

Faculty, staff, and U-M governance groups are reviewing the policy as it moves through the process of being incorporated into the Standard Practice Guide. If you have comments or suggestions, please submit them using the online feedback form.

First Steps Toward Our Next Generation Security Architecture

As IT security threats become more frequent and sophisticated, we must be more proactive about detecting attacks. "You cannot prevent all machines from being compromised," says Dennis Neil, IIA's IT security architect, "but with early attack detection and the right advanced security controls, you can better prevent compromises from escalating to data exposure or loss."

The university's Next Generation Security Architecture (NGSA) will provide the needed attack detection tools and security controls. NGSA goals are to:

  • Address the challenges of the new threat landscape
  • Make security the easy choice for U-M units and individuals
  • Support the new IT Security Policy and standards (see "Completely Revamped IT Security Policy" above)

The NGSA will include three major areas:

  • Threat Intelligence. Will include indicators of compromise, information about attack campaigns, industry-specific threat intelligence, collaboration across institutions, and more.
  • Security Operations Center. People and processes to proactively support attack detection. Will include log aggregation and analysis, network flow analysis, and more.
  • Data Enclaves. Environments built to protect the university's most sensitive data as defined in the new IT Security Policy.

Project & Capability Updates

Duo Two-Factor to Replace MTokens Beginning July 20

[Screenshot: mobile screen showing Duo two-factor authentication]

Since fall 2006, thousands of users of many U-M administrative systems have used MTokens as a second proof of identity when logging in. More than 18,000 MTokens have been issued at U-M. In an effort to protect you and the U, U-M is stepping up its two-factor game and extending this added protection to more systems and services.

The first step is to replace our current MToken technology with new, more flexible options from Ann Arbor-based Duo. The new solution will be used across the entire university, including the Health System, Flint, and Dearborn campuses.

On July 20, those who currently use an MToken—whether hardware or software—when logging in to administrative systems accessed via Wolverine Access—as well as Flux, DART, and more—will switch to Duo. Some unit systems that use MTokens may switch on different dates. For example, the U-M Health System will transition from MTokens to Duo for the MiChart Electronic Prescribing for Controlled Substances (EPCS) system in a phased rollout throughout the summer.

Please encourage your colleagues who use MTokens to get enrolled so they are ready for the switch. Get yourself enrolled so you can show them how easy it is to enroll in and use Duo. Learn more at Two-Factor Authentication.

Stakeholder Meetings Informing Privacy Program

A university privacy program could provide you with clear, university-wide privacy policies, principles, and definitions. It would likely include guidance and tools to support units in developing, publishing, and maintaining privacy notices to individuals consistent with U-M privacy policy, legal requirements, and risk tolerance.

We are taking the first step toward developing a university-wide privacy program by getting U-M stakeholder input.

Since January, Sol Bermann, university privacy officer, has been meeting with dozens of university stakeholders to discuss the state of privacy at U-M and what a privacy program might look like. Stakeholders include senior university leadership, faculty, administrators, data stewards, and students.

"Privacy is part of the fabric of higher education, especially at U-M, where free expression, inquiry, and political thought are tremendously valued," says Bermann. "In addition, privacy historically has been challenged by technical innovation—never more so than in this era of big data and data science. The goal of a privacy program is to work collaboratively and have open conversations about how we strike the right balance, even as privacy norms evolve." Stakeholder engagement will continue through the summer and into the fall semester, and we anticipate a university-wide "State of U-M Privacy" report to be issued in fiscal year 2017.

Reminders & Events

Internal Control Annual Certification

It is time, once again, for Security Unit Liaisons (SULs) to contribute to the Internal Control Annual Certification Process by certifying that they are compliant, partially compliant, or non-compliant with a particular information assurance practice or process. This year's certification question is about IT security incident reporting responsibilities. Please ensure that your unit is prepared. The certification form will be sent to deans, directors, and vice presidents in early September.

Fiscal Year 2016 Question. Faculty and staff in my unit have been informed of their responsibilities to report potential serious IT security incidents per Information Security Incident Reporting Policy (SPG 601.25) communications. (See also Report an IT Security Incident.)

  • Yes. Within the last year, faculty and staff in my unit have been informed about their incident reporting responsibilities and how to report serious IT security incidents per SPG 601.25.
  • Partial. Within the past two years, faculty and staff in my unit have been informed about their incident reporting responsibilities and how to report serious IT security incidents per SPG 601.25.
  • No. Faculty and staff in my unit have not been informed of their incident reporting responsibilities and how to report serious IT security incidents per SPG 601.25 for three or more years.

Guidance and Support. All units should be able to reply "yes" to the fiscal year 2016 question because of campus-wide communications sent by IIA. However, all units are highly encouraged to send a unit-specific communication and can access a sample message to customize at Guidance for the FY16 Internal Control Annual Certification Process.

Reporting Accidental Sensitive Data Disclosure

Like the Information Security Policy (SPG 601.27) (see article above) and many other IT-related policies, the Information Security Incident Reporting Policy (SPG 601.25) is being updated and revised. While the current version of SPG 601.25 does not specifically mention accidental sensitive data disclosure, units are expected to treat potential and actual accidental sensitive data disclosures as they would any other serious IT security incident described in the policy. In fact, making this expectation explicit is part of the update.

IIA will coordinate incident response activities for potential and actual accidental disclosures of sensitive data in the same way that IIA coordinates the response for other serious IT security incidents.

Video of Dissonance Inaugural Event Available

Did you miss the first Dissonance event, "Apple & the FBI - Encryption, Security, and Civil Liberties," back in April? No worries! The conversation was recorded, and the video is available on Safe Computing at Dissonance: Conversations at the Confluence of Technology, Policy, Privacy, Security & Law.

The Dissonance speaker series seeks to explore the confluence of technology, law, privacy, and security from a global and national perspective, and in doing so increase university-wide multidisciplinary discourse and support university initiatives related to data science.

The Dissonance speaker series was created through a collaboration of faculty, staff, and students from several supporting organizations across the university. If you would like to be informed of future Dissonance events, please add your name to our email list. You are also invited to suggest a topic or a speaker for future Dissonance events.

In the News

Data Breaches Up and Up

You knew that, of course, but did you know how big the increase is? Several articles posted in the In the News section of Safe Computing offer statistics to give you a sense of where the increases are and how people are reacting.

Tax Fraud Continues to Plague Filers

Tax fraud was big again this year, extending from the beginning of tax-filing season in January well beyond April 15. News articles reported thousands of taxpayers affected, and IIA received several reports of fraud suffered by members of the U-M community. No U-M systems were involved.

Don't Use Your UMICH Password Outside U-M

To keep U-M data and assets secure, we urge you to use your UMICH (Level-1) password only for U-M services. If you use your UMICH password and email address to create an account at another site (such as LinkedIn) and that site is hacked, your UMICH account is at risk.

If you have used your UMICH password for non-university services, change your password, and do not re-use it elsewhere.

Tips to Share

Tips to Print, Post, and Share!

Several members of the IT Security Community have asked for IT security information that is ready to share with users. We are providing posters you can print and post to share IT security tips with your colleagues.

Two posters are available now:

  • Protect Your U-M Account. Check links in email before clicking, don't open suspicious attachments or shared docs, and look before you log in.
  • Tech Support Scams. Don't be fooled by fake tech support claims in phone calls and web pop-ups.