
Security Champs enlisted to promote information security best practices

The Information Security Office (ISO) kicked off its Security Champs Program on January 22, 2020 with an introduction to the program, information security training, and luncheon. About 40 people attended, volunteering to become Security Champs who evangelize best practices in their departments, colleges, offices, research groups, and centers.

Here are some highlights from the inaugural meeting.

  • Chief Security Information Officer Corey Roach, who opened the meeting, encouraged the Security Champs, and all U employees, to be observant. He said if you see something out of place — like new software on a public computer — say something. Contact the Campus Help Desk (801-581-4000, option 1) or the ISO.

Enterprise Security Associate Director Jake Johansen said people should also enforce physical security by taking measures that prevent damage to personal and university property like the U’s hardware. He also said it’s important to guard against unauthorized access to facilities, equipment, and resources. Users can mitigate risk by logging out of their computers when leaving them unattended, or by not allowing unknown people to tailgate into secure areas. Employees, he noted, are the university’s best and first line of defense against security threats.

  • Cybersecurity Operations Associate Director Colby Gray talked about the Security Operations Center (SOC), which responds to information security incidents from 7:00 a.m. to 11:00 p.m. seven days a week. For example, if you receive a suspected phishing email and forward it as an attachment to phish@utah.edu, the SOC will review the message in a secure environment to determine whether it’s malicious. If it is, the SOC will also investigate whether other U community members have received the same phishing attempt and remove it from everyone’s UMail accounts.

Gray also reminded the Security Champs to encourage users to keep systems and devices up to date through security patches. Applying patches helps eliminate vulnerabilities and significantly reduces the attack surface.

Lastly, he talked about using least privilege, the principle that users are granted only the minimum authorization needed to perform their duties. For example, if your role is only to provision and deprovision users, those two actions should be the extent of your rights in that system. Gray said security risks increase when users are granted rights that do not reflect their roles.

Having the same password for the Campus Information Services (CIS) portal, your online bank account, and various social media platforms, Stucker said, makes it easier for bad actors to gain access to your data and devices. If your personal information is exposed, criminals will use your credentials to log in to every system they can think of, hoping that you used the same password somewhere else on the internet. Make it hard for them: Do not reuse your passwords.

Multi-factor authentication (MFA) is a way of verifying a user’s identity before granting access to a system. Usually, users must provide two or more factors — something you have and something you know. For example, U employees are required to use Duo Security to gain access to certain systems by logging in with their uNID and password (something they know) and authenticating with a Duo-registered device (something they have). Stucker said Security Champs should encourage users to look for ways to implement MFA in their personal lives.

  • Information Privacy Manager Chris Keller, from the University of Utah Health’s Information Privacy Office (PO), provided information about how to deal with unsecured protected health information (PHI). Anyone who finds unprotected PHI on campus or at the hospital, he said, should work with the ISO and the PO to secure the data. Keller also oversees U of U Health’s HIPAA (Health Insurance Portability and Accountability Act) Champs. The group, which meets quarterly, aims to keep PHI data secure.

Anyone interested in joining the Security Champs Program can email ISO-GRC@utah.edu or visit the Security Champs website for more information. The ISO needs representation from all units.


Last Updated: 4/8/24