Higher education faces an ever-growing number of cybersecurity concerns, from surges in phishing and ransomware attacks to regulatory changes and rising premiums for cyber insurance.
In response, University of Utah President Taylor Randall has commissioned a university-wide cybersecurity program led by UIT Partner Relations and the Information Security Office.
The University of Utah Cybersecurity Program is a multiphase cybersecurity initiative commissioned by the Office of the President and Board of Regents, and backed by Chief Information Officer Steve Hess and Chief Information Security Officer Corey Roach. The program’s objectives include the implementation of a suite of cybersecurity tools at the college/department/organization level and associated support and auditing efforts by UIT.
Five strategic goals:
- Conduct a third-party assessment of university-wide IT security (complete)
- Deploy cybersecurity tools in alignment with:
  - Center for Internet Security (CIS) 18 controls
  - Utah System of Higher Education IT Resource Security Policy R345
  - Standards established in the U’s Information Security Policy 4-004
- Implement Cybersecurity Maturity Model Certification (CMMC) 2.0 standards
- Establish unit-level IT security reporting responsibilities with the Information Security Office (ISO)
- Measure progress toward industry standards (e.g., CIS 18) and the U’s desired security state
As directed by President Taylor Randall, with approval of the President’s Cabinet and the Council of Academic Deans, this initiative is mandatory and applicable to all U of U units.
UIT Partner Relations is meeting with colleges, departments, and administrative units at the university. These discussions are intended to help orgs identify, implement, and document compliance requirements with existing and emerging IT security policies, initiatives, projects, and programs, and better understand the consequences for noncompliance. Sessions typically involve local IT support teams that assist in the inventory of U-managed IT systems and devices.
All tool implementations other than network access control (NAC) are expected to take 12 to 18 months to complete. NAC, an IT security control that restricts unauthorized users and devices from accessing a network, is a separate project scheduled to go live in approximately 18 months.
Frequently asked questions
The initiative addresses the key findings of an external assessment of the U’s cybersecurity posture that concluded in 2022 and is designed to create a more secure IT environment for students, patients, faculty, staff, and affiliates at the University of Utah and University of Utah Health. To meet this need, a standard suite of tools allows the ISO to consolidate monitoring, logging, and response activities around cybersecurity incidents and provides a consistent framework for insurance underwriters to reference.
Below are some examples of cybersecurity tools that are either in development or fully deployed in the U’s IT environment:
- Network access control (NAC)
- Protect by default at the network perimeter
- Duo Mobile two-factor authentication (2FA)
- Data loss prevention (DLP) software
- BeyondTrust privileged access management (PAM)
- BeyondTrust endpoint privilege management (EPM)
- Tanium endpoint detection and response (EDR)
- Microsoft Defender for Endpoint
In most cases, the university still requires you to use ISO’s standardized suite of tools. If your group uses a tool that provides functionality that exceeds what ISO can offer, UIT Partner Relations will work with ISO to facilitate the development of comparable functionality.
The program covers university-managed devices. Personal devices are subject to current rules governing data access. For example, personal devices must comply with Policy 4-004 if they create, process, store, or transmit restricted or sensitive university data.
- Personal device (or personally owned device): A device such as a computer, laptop, or tablet that was purchased with personal funds and has not been reimbursed by the university through budget or grants.
- Mobile device: A portable, handheld electronic computing device that performs functions similar to a workstation, e.g., an iPhone, Android phone, Windows phone, BlackBerry, Android tablet, iPad, or Windows tablet.
- Mobile Operating System (OS): An operating system used for smartphones, tablets, smartwatches, smart glasses, or other non-standard computing devices that is limited in functionality and designed with an emphasis on mobility. Examples include iOS, Android, and Windows 10 Mobile.
Yes. It will be extremely difficult to meet and maintain the university’s target level of security without the ability to remotely manage devices. Microsoft Defender policies for Mac operating systems require a mobile device management (MDM) tool to meet basic requirements. Mobile device support in general is being investigated to determine the best solution for individual use cases.
Expanded data encryption is not in scope for phase one of this implementation; however, the ISO recommends that you encrypt all devices and data as a best practice. The encryption of devices and data is subject to Rule 4-004C: Data Classification and Encryption. The ISO will verify that a standard tool set is implemented and, as part of this verification, will check against data protection policies. Devices that do not comply with the above policy/rule will need to be addressed as part of the validation step of the program.
If your org is running a device or IT system that cannot be upgraded or secured with ISO’s standard suite (e.g., it uses specialized instrumentation or hardware configurations critical to a research project), a policy exception must be submitted to the ISO Governance, Risk, & Compliance (GRC) team. Please email email@example.com and include a brief statement that justifies the exception. The GRC team will help you through the process. All exceptions will be revisited annually or more often as needed per Policy 4-004.
- For general questions about this initiative, please email firstname.lastname@example.org. If needed, the team will provide technical points of contact who support tools that are being implemented.
- Additional resources:
  - UIT Partner Relations department page
  - Unified Security Toolset Microsoft Teams channel (access permission required)
  - Weekly cybersecurity open office hour via Microsoft Teams each Thursday from 3:00 p.m. to 4:00 p.m.
  - Flowchart: Exception to policy
  - Flowchart: Firewall configuration (aka default protect) certification — Phase 1
  - Flowchart: Attestation and certification — Phase 1
- Memo from CISO Corey Roach to faculty and staff: U Cybersecurity Program Implementation (in Box), May 4, 2023
- Do not use Slack for university business, @theU article, April 27, 2023
- Letter from U President Taylor Randall, January 23, 2023 (in Box, login required)
- UIT Partner Relations department page
- Memo: Remove account access for terminated faculty, staff, UIT Node 4 newsletter article, March 29, 2023
- UIT Leadership Spotlight: Clay Postma, director, UIT Partner Relations, UIT Node 4 newsletter article, March 29, 2023
- U-wide cybersecurity program establishes unit-level tools and reporting, UIT Node 4 newsletter article, January 25, 2023
- U-wide cybersecurity program establishes unit-level tools and reporting, @the U article, February 13, 2023
- Clay Postma rejoins UIT as director for UIT Partner Relations, UIT Node 4 newsletter article, September 28, 2022