As the University of Michigan gets ready for winter break, remember that cyber attackers never take time off. The university takes measures to protect the institution’s data and systems no matter the time of the year. While Information Assurance (IA) leads and coordinates these efforts, everyone in the U-M community has a shared responsibility to do their part.
The revised Information Security SPG 601.27 policy, the accompanying IT Security standards, and the expansion of two-factor authentication are recent examples of steps U-M has taken to appropriately secure the university while continuing to enable its teaching, research, clinical, and administrative missions.
Two-factor authentication: Where are we?
Two-factor (Duo) for Weblogin will be required for all U-M faculty, staff, student employees, and sponsored affiliates across all campuses on Wednesday, January 23, 2019. It has been required in Michigan Medicine since October. Thus far, nearly 70,500 U-M employees already have turned on Duo for Weblogin.
Some of the steps taken to encourage individuals to turn on two-factor before the go-live date include:
- Targeted emails, which are being sent regularly to those who have not enrolled in Duo, as well as those who have enrolled, but not turned on two-factor for Weblogin.
- Expanded help documentation and videos for U-M community self-service.
- The U-M Duo tool, which helps individuals determine whether they are using two-factor and, if not, assists them in turning it on.
- The U-M Weblogin page, which currently includes a banner reminding people to turn on two-factor—in January, employees who are not using Duo will encounter an interrupt screen encouraging them to turn it on.
- The Duo dashboard, to be shared with deans, directors, department heads, and unit IT staff—the dashboard will allow unit leaders to track how their unit is doing and to use the information as a means of encouraging participation.
- A prize drawing for those who turn on Duo before December 19, consisting of a chance to win an Apple Watch 4, iPad Mini 4, or AirPods.
IA highly recommends that U-M employees turn on two-factor for Weblogin sooner rather than later. This approach allows new users time to become familiar with the tool and its various options, such as the seven-day “Remember me” function, availability of offline passcodes, and more. While the overwhelming majority of the university community prefers using the Duo Mobile app on their smartphone, other options are available to address individual circumstances and needs.
Revised information security policy: What’s coming?
Back in August, U-M’s Executive Officers approved a long-awaited revision to SPG 601.27, the university’s IT Security policy. Since then, IA has been meeting with a variety of stakeholders, including unit IT staff, to provide support for their implementation planning well in advance of December 31, 2020, when full compliance with the policy and standards is expected. The goal is to provide IT staff with information, tools, and resources—with an emphasis on the key message that IT security and compliance is a shared responsibility for all university community members.
In addition to the SPG approval, 13 IT Security standards were approved. These standards provide specific direction on how to appropriately secure U-M systems and data. An IT Standards Advisory Group is being convened that will provide IA with feedback and support on how best to actualize the SPG and standards. Advisory group members will represent a cross section of the university community.
Beginning in winter 2019 and continuing through the spring, IA will hold campuswide information sessions on each of the IT Security standards. The goal of these sessions will be to provide IT and interested business and administrative staff with an opportunity to expand their technical knowledge of each standard, ask questions of subject matter experts, and get a better understanding of the implementation process. Information session dates, times, and locations will be announced in the Michigan IT Newsletter and through communications to a variety of U-M IT communities and other stakeholders.
Detailed implementation guidance and documentation are available on the Protect Your Unit’s IT webpage along with Minimum Information Security Requirements for Systems, Applications, and Data. These materials provide a baseline that applies to all U-M units, faculty, staff, affiliates, and vendors with access to institutional data, and are a useful backdrop for the coming information session discussions.
The latest updates and information about two-factor authentication, the revised SPG 601.27, and the accompanying IT standards can be found on the Safe Computing website.