If you’re reading this right now, you might be interested in learning more about IT security policies or you might be wondering why we keep writing about them. If you fall into the latter group, the answer is simple: It’s our job!
According to Rule 4-004O: Security Awareness and Training, the University of Utah is responsible for providing information security education to students, faculty, staff, and others who use the university’s information systems (e.g., UMail, Campus Information Services, and Epic).
Education efforts include IT security awareness to help users recognize IT security concerns and respond accordingly, and IT security training to help them understand their information system security roles and responsibilities. You may already be familiar with some of these efforts, such as Bridge training, a Canvas course, and Cybersecurity Awareness Month.
Ariel Baughman, a data security analyst for Governance, Risk & Compliance (GRC) in UIT’s Information Security Office (ISO), said security awareness and training are important because the U is a public institution that handles many types of data, making it a prime target for bad actors intent on carrying out a cyberattack.
“As an attacker, I can pick a person and figure out what kind of data they handle so I can tailor a message that is so convincing that they might think it's legitimate and follow a malicious link or provide their credentials,” she said. “… Human error is an easy thing to exploit.”
Under Rule 4-004O, security training is required for employees who access restricted data (e.g., personal health information or PHI) or who have specific roles or responsibilities with security requirements.
“If you access student data, let’s say as an instructor, you're required to complete security training surrounding the Family Educational Rights and Privacy Act (FERPA). If you access PHI, you're required to take Health Insurance Portability and Accountability Act (HIPAA) training,” Baughman said.
Although the U does not have a university-wide mandate on information security training, the ISO strongly recommends that U students, faculty, and staff — regardless of their roles — take advantage of the courses and resources to better protect you and the university.
“As [part of] a public institution, our contact information is easily accessible through the internet. So, students and employees are vulnerable in the sense that we can be contacted through our email by phishers, and our university IDs and passwords can be compromised,” Baughman said. “Everyone has data that's important to them and the university, and that's why it's important that everyone takes the training.”
These are just a few of the information security-related trainings provided by the university:
Bridge: In the Bridge learning management system (login required), campus and student employees have access to several information security courses (login required), all of which take about 10 minutes or less to complete. Training includes general awareness about security essentials, social engineering, Duo Security two-factor authentication, and the access review process. New Employee Orientation also includes a module to familiarize new hires with information security policies and the proper use of the university’s data and resources. For those who handle payment card industry (PCI) data, there’s also the PCI DSS Annual Training course (login required).
University of Utah Health employees can access required HIPAA training in the Learning Management System (LMS) (login required).
Canvas: The ISO offers two versions of security awareness training (login required) in Canvas, one for students and one for campus employees. To accurately reflect the current digital landscape and cyberthreats, both are reviewed and updated on a regular basis. For example, Baughman said, if the ISO notices an uptick in phishing, her team will modify the Canvas course and use other communication channels to notify the community about the threats, how to spot them, and how to report them.
Most recently, she added information about employment scams, which started circulating among students and instructors around the start of school.
“What's unfortunate is that the phishing scam targeted students, and some faculty and staff also thought the job advertisement was real even though it paid insanely well for almost no work,” she said.
FERPA: The Office of the Registrar offers several resources for faculty and staff, including an online FERPA Review course that is required to access student information. The module is also a good way to refresh your knowledge of FERPA policies. Other resources include a quick facts FAQ, a guide on working with students in a shared space, and an infographic on how to securely handle student data.
The Registrar also provides information for students about their FERPA and privacy rights.
Custom training: The GRC team provides a range of information security training, tailored to meet the needs of the campus audience or organization that requested it. For example, Baughman said, if her team gives a presentation at the School of Business, it would provide cybersecurity best practices (e.g., Center for Internet Security Controls), review the university’s IT security policies (e.g., Policy 4-004), discuss federal laws that apply to the school (e.g., FERPA), and talk about how to properly secure university data (e.g., PCI-DSS or National Institute of Standards and Technology 800-171). Anyone can request training by contacting the team at email@example.com.
Security awareness efforts
These are just a few of the U’s information security awareness efforts:
Cybersecurity Awareness Month and other IT security events: Each October, the university participates in Cybersecurity Awareness Month (CSAM), joining dozens of other organizations worldwide to provide the resources people need to stay safer and more secure online. The ISO leads the effort, publishing a website with timely information and resources, which are also shared through @theU, Node 4, Twitter, and other university communication channels.
CSAM, Baughman said, helps grow the university’s culture around cybersecurity.
“It's a good annual reminder that cybersecurity is important,” she said. “And it's a fun way to bring security awareness to our organization.”
Through the ISO, the university also participates in Data Privacy Day, held each January 28, and Identity Management Day, held annually in April. Data Privacy Day, which will become a weeklong celebration in 2022, aims to create awareness about the importance of respecting privacy, safeguarding data, and enabling trust. Identity Management Day stresses the importance of managing and securing digital identities.
The ISO also will share tips or resources on other national and international holidays, such as Internet Safety Month and World Password Day.
Security Champs/HIPAA Champs: The university enlists campus Security Champs and hospital HIPAA Champs to share information security and privacy awareness and best practices with their organizations. The champs, many of whom already serve in an IT role in their organizations, help the Information Security Office and Privacy Office disseminate timely information, participate in and support incident response and reporting processes, implement security measures, and more.
Baughman said departments that handle restricted or sensitive data should have a Security or HIPAA champ because that information makes them more vulnerable to attacks.
“If your department doesn’t already have a representative, please join Security Champs. It's a good way to gather timely security awareness tips from the Information Security Office to share with your department,” she said. “It's also a good way for you to meet us and stay in contact. Then, if you're faced with a security attack or threat, the ISO will work with you and your department to handle the incident.”
Mock phishing campaigns: The ISO routinely conducts mock phishing exercises to test whether users identify or fall victim to a fake phishing email. The simulations are intended to build awareness about phishing attacks and help the U community become better at identifying, avoiding, and reporting malicious emails.
Departments can request phishing exercises for their employees, Baughman noted. For more information, please refer to the Mock Phishing Campaign webpage.
UIT news and information resources: On behalf of the ISO, UIT provides information security awareness, best practices, and resources through the UIT and ISO websites, Node 4, UIT information email service, UIT and ISO Twitter pages, @theU, NotifyIT, system status webpage (status.io), IT Knowledge Base, and other university communication channels. For example, UIT recently launched a monthly digital security tip in its Node 4 newsletter to help readers stay safe and secure online. And on the ISO website, you’ll find the most recent security articles, as well as useful tips and resources.
Additionally, the Chief Security Officer organization occasionally posts information about scams and other information security threats at the university.
What you can do
Baughman said U faculty and staff who have a direct line to students are in a unique position to help amplify the university’s information security awareness efforts.
For example, she said instructors could include information on their syllabi about low-cost cybersecurity tools, including anti-malware and antivirus software, from the Office of Software Licensing and the Canvas information security training course.
“If you are a professor or you work for an organization that supports students, please encourage your students to take the Canvas training — mainly because those employment scams started right at the start of school, and students gave their money away and that's not OK,” she said.
Instructors also could provide information about where to find information security resources, such as the ISO website, or report security incidents, such as a compromised university account or a stolen device, Baughman said.
“I don't think enough students know that we can help them with this kind of stuff,” she said.
As part of the U community, Baughman said we’re in this together — it takes each and every one of us to protect the university and its data. Even if you feel confident that your data and devices are secure, you still need to check in on them now and then. The ISO also recommends an annual refresher, like a review of the U’s information security training or a digital checkup during Cybersecurity Awareness Month.
“Security threats always change,” Baughman said. “One year, phishing could be the No. 1 reason for data breaches; the next year, it could be romance scams.”
Ultimately, the U aims to reduce human error — the No. 1 cause of data breaches — through its information security training and awareness efforts. The ISO also hopes to create a culture around cybersecurity that will help prevent security incidents and protect the university and its data.
“It's definitely a state of mind — that habit that, before you select a link in an email, you need to check all these boxes to see if it's safe,” Baughman said. “Information security training equips people with confidence to recognize and respond to security threats. We love providing it to employees, but you're also your own person outside of work, and it's important that you know how to protect your personal data and devices, too.”
October is Cybersecurity Awareness Month!
The U’s Information Security Office (ISO) is asking students, faculty, and staff to identify opportunities to improve their cybersecurity habits and implement stronger security practices. We’ll provide the resources to help you along the way.
For this year’s resources, please visit the 2021 Cybersecurity Awareness Month website. Topics include:
- Back to basics: Easy ways to improve your cybersecurity
- Phishing fundamentals: 3 tips to shore up your defenses
- The risks of ransomware, and tips to prevent and handle an attack
- Your identity is under attack. Here’s how to protect it.
For more information about the U’s information security program, please visit the Information Security Office (ISO) website.
Other useful resources include: