Information Security and Policy

Joining forces to mitigate IT security threats with education, protective policies, and detection tools

Raising awareness

The Information Security and Policy Office (ISPO) continued training sessions and other outreach efforts to raise awareness about IT security in the campus community. A new security awareness resource was developed at http://learnaboutsecurity.uiowa.edu, featuring information about information-stealing attacks (a.k.a. phishing), security training, and IT compliance information and checklists. An awareness campaign called “It’s a Jungle in There” was launched in December of 2013 with multi-mode marketing.

Staff also worked collaboratively with campus stakeholders to implement a video surveillance policy and a secure, centralized video surveillance service.

Securing the ITF

ISPO was heavily involved in the transition to the new Information Technology Facility. Staff members designed, built, tested, and implemented the network firewall architecture and subsequently created over 27,000 access control rules in the firewalls to support the migration of over 500 servers into this facility.

Data protection and risk assessment

In 2013, ISPO efforts focused on several institutional data protection and risk assessment initiatives, including an institutional data classification project, enhanced monitoring of the network for malicious activity, a multi-factor authentication pilot for web services, development of guidance and assessments to achieve regulatory and policy compliance, and continued development of a “cloud computing” security strategy and cloud vendor assessment procedures and resources.

Plans for 2014

The Information Security and Policy Office has several strategic projects planned or underway for 2014. Development of an isolated virtual network specifically designed for carrying sensitive credit card transactions will be completed, and point-of-sale applications used by the university will be migrated to it. This will help the UI meet the newly revised Payment Card Industry Data Security Standards v3.0. A shared e-commerce gateway for processing credit card transactions is also being investigated as another way to help the university meet these evolving security standards.  

Enterprise-level risk assessment

An enterprise-level IT risk assessment is also on the roadmap for 2014 to provide a high-level perspective on the strength of the university’s security program and any weaknesses that may be present in the highly diverse and complex computing environment at Iowa. A risk assessment of this nature provides executives with additional assurance that the university is addressing institutional risk in IT with appropriate controls, policy, and procedures.

Enhanced network monitoring

Another important goal for the year is to plan for and develop the infrastructure to enable the indexing of many different types of log information created and collected by the university’s network and computing systems. The UI has had visibility to detect problems occurring over the network for many years, but a more robust solution will enable visibility into critical application or server activity. In addition, the future capability to correlate between systems and network activity will enable staff to respond to problems more quickly and help prevent costly exposures of information.

IT Security Policy

ITS updated the Network Scanning policy to address audit requirements for Network Penetration Testing, and updated the University Credit Card Handling Policy to meet evolving industry security requirements. In addition, the policies for records management, mass e-mail, and acceptable use of IT resources were revised and adopted. 

Network Monitoring & Intrusion Detection

Staff designed, procured, and implemented a next-generation monitoring and intrusion detection system for the UI campus network. The system supports monitoring of higher capacity network traffic, as well as both IPv4 and IPv6 network communication protocols, and provides a scalable solution that will support future network improvements.

Security Outreach

The Information Security and Policy Office conducted its eighth semi-annual university “Security Day” awareness and training event for the UI campus, offered bi-monthly security seminars and training classes, and updated online security awareness courses and materials for both students and staff.

Security Service Pilots and Vendor Evaluations

ITS completed a pilot for a new two-factor authentication solution on the Virtual Private Network (VPN) service, and another for user security certificates, which can be used for encryption, digital signatures, or authentication. Security evaluations were completed for 14 cloud-based applications.

Wireless Security

Staff assisted with specifications, design, and implementation of an updated network architecture for the UI Wireless service, involving utilization of private (internal-only) addresses and a gateway/translation service for Internet access, as well as basic security access controls.

Copyright Infringement Complaints

The university responds to reports of copyright infringement through procedures outlined in the Digital Millennium Copyright Act, which include prompt removal or deactivation of access to the copyrighted material, and notification to the alleged infringer. Because of improved awareness of copyright law, as well as technical measures that restrict sharing of copyrighted material, the number of infringement complaints received by the Information Security and Policy Office about UI campus users is about one-eighth of what it was three years ago.

| Year | 2010 | 2011 | 2012 | 2013 |
|---|---|---|---|---|
| Number of DMCA Complaints | 666 | 382 | 170 | 85 |

Percentage of Faculty and Staff Using VPN for Off-Campus Access

About 65% of faculty and staff report using the Virtual Private Network to access their files from off-campus, an increase from only about 53% two years ago.

| Year | 2011 | 2012 | 2013 |
|---|---|---|---|
| Percentage of Faculty and Staff | 53 | 55 | 65 |

Number of Faculty and Staff Completing Security Awareness Course

One of the best ways to prevent IT security breaches is to increase user awareness, so a lot of effort goes into educating users about ways they can help protect both personal and institutional data.

  • The number of faculty and staff who have completed the ITS online security awareness course has increased almost 2.5 times since 2010
  • Visits to the Information Security and Policy Office website nearly quadrupled from 2012 to 2013

| Year | 2010 | 2011 | 2012 | 2013 |
|---|---|---|---|---|
| Number of Faculty and Staff | 351 | 395 | 743 | 841 |

Visits to IT Security and Policy Office Website

| Year | 2012 | 2013 |
|---|---|---|
| Visits | 1,670 | 6,626 |