Security

Risk Management Program — UConn’s Answer to Server Security

The Risk Management Program (RMP) is a new ITS project meant to increase server security and protect the confidential data of students, staff, and faculty alike.

Currently, the University and Information Security Office have implemented an initiative, secureU, which addresses individual security threats. RMP, as a whole, is a higher-level initiative focused on the critical need to protect server data and on providing effective solutions to server-specific security risks and issues.

While secureU is focused on protecting individual computers from potential risks, the RMP initiative is focused on University-wide server protection.

RMP will either eliminate or greatly reduce key risks that could translate into major issues compromising server and data security. Such issues include the loss of data, such as personally identifiable information (PII; e.g., SSNs), which could harm and sully the University’s reputation; compliance and regulatory failures, which could lead to fines and thus have a negative financial impact; and data corruption, which could lead administrators to make faulty and costly decisions.

ITS maintains and secures approximately 800 servers on campus. There are an additional 750 to 1,000 servers that use the University’s network and that are not wholly monitored or secured, thus allowing for the potential of data breaches, intrusions, and complete network shutdowns. RMP will address such issues and create a more stable, protected, and secure network for the entire University population.

Some of the specific features and security issues that will be addressed by RMP will be the creation of a comprehensive server inventory, the implementation of firewall policies that will restrict unintended connections to desktops and servers, University-wide server and application vulnerability scanning, and the installation of Splunk, a log collection agent, onto all University servers.

ITS plans to roll out RMP in four phases, and the program is planned to be fully operational and implemented by December 2013.

For further information regarding the RMP project, please contact the project head, Mick DiGrazia, at mick.digrazia@uconn.edu.

 

This article, by Tim Williams, first appeared in the January 2, 2013 issue of Project Weeklies, the newsletter of the ITS Project Management Office.

 

UCONN-PUBLIC Wireless Network Closing For Business

UCONN-PUBLIC wireless network is closing up shop on May 20! Faculty & Staff who have used UCONN-PUBLIC to access the internet should now use UCONN-SECURE.

The UCONN-SECURE wireless network provides anyone with a UConn NetID:

  • Full Internet Access – including Internal UConn Resources
  • Unlimited Speed
  • Encrypted Security

Guests of the University should be directed to use the new UCONN-GUEST wireless network. Visit wireless.uconn.edu for more information.

For assistance connecting to UCONN-SECURE, contact the Technology Support Center at techsupport@uconn.edu or dial 860.486.4357.

For more information, contact: Information Security Office at UConnISO@uconn.edu

Business Impact Analysis

Information systems are vital elements in most University mission/business functions. Because information system resources are so essential to UConn’s success, it is critical that identified services provided by these systems are able to operate effectively without excessive interruption. Contingency planning supports this requirement by establishing thorough policies, plans, procedures, and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption.

For information systems, effective contingency planning begins with the University’s contingency planning policy and with subjecting each information system to a Business Impact Analysis (BIA). The BIA facilitates prioritizing systems and business processes based on risk impact level and developing priority recovery strategies for minimizing loss. Risk impact level is determined through a formula that examines three security objectives: confidentiality, integrity, and availability.

  1. Confidentiality: A loss of confidentiality is the unauthorized disclosure of information.
  2. Integrity: A loss of integrity is the unauthorized modification or destruction of information.
  3. Availability: A loss of availability is the disruption of access to or use of information or an information system.

Contingency planning considerations and strategies address the impact level of the availability security objective of information systems. Strategies for high-impact information systems consider high-availability and redundancy options in their design. Options may include fully redundant load balanced systems at alternate sites, data mirroring, and offsite database replication. High-availability options are normally expensive to set up, operate, and maintain and should be considered only for those high-impact information systems categorized with a high-availability security objective. Lower-impact information systems may be able to use less expensive contingency options and tolerate longer downtimes for recovery or restoration of data.

Working directly with mission/business process owners, departmental staff, managers, and other stakeholders, ITS estimates the downtime factors for consideration as a result of a disruptive event. The following terms are important for you to know.

  • Maximum Tolerable Downtime (MTD). The MTD represents the total amount of time leaders/managers are willing to accept for a mission/business process outage or disruption and includes all impact considerations.
  • Recovery Time Objective (RTO). RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business functions, and the MTD.
  • Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data must be recovered (given the most recent backup copy of the data) after an outage.

If you don’t know the MTD, RTO, or RPO for your system, perhaps you need a Business Impact Analysis.

For more information, contact: Victor Font, ITS Business Continuity / Disaster Recovery Coordinator at victor.font_jr@uconn.edu

Business Continuity Plans

What happens if something serious, such as a data center fire or flood, “takes out” the IT systems you’ve come to depend upon for 30 days or longer while the data center is rebuilt?

Does your department have a Business Continuity Plan or Continuity of Operations Plan? How will you maintain operations without access to your IT systems? Here are several different types of non-IT related plans for you to consider for your own department’s resilience program. The plans listed are in alphabetical order and do not imply any order of importance.

Business Continuity Plan (BCP)

The BCP focuses on sustaining an organization’s mission/business functions during and after a disruption. An example of a mission/business function may be an organization’s payroll process or customer service process. A BCP may be written for mission/business functions within a single business unit or may address the entire organization’s processes.

Continuity of Operations (COOP) Plan

COOP focuses on restoring an organization’s mission-essential functions (MEF) at an alternate site and performing those functions for up to 30 days before returning to normal operations. Additional functions, or those at a field office level, may be addressed by a BCP. Minor threats or disruptions that do not require relocation to an alternate site are typically not addressed in a COOP plan.

Crisis Communications Plan (CCP)

The most effective way to provide helpful information and to reduce rumors is to communicate clearly and often. The CCP documents standard procedures for internal and external communications in the event of a disruption. It also prepares the organization for the possibility that during a significant disaster, the organization may be a communication-forwarding point between personnel, civil, state and federal authorities as designated by the Department of Public Safety, and affected families and friends.

Critical Infrastructure Protection (CIP) Plan

Critical infrastructure and key resources (CIKR) are those components of the University’s infrastructure that are deemed so vital that their loss would have a debilitating effect on the safety, security, economy, and/or health of the University of Connecticut. Protecting and ensuring the resiliency of UConn’s CIKR is essential to the University’s security, public health and safety, economic vitality, and way of life.

Occupant Emergency Plan (OEP)

The OEP outlines first-response procedures for occupants of a facility in the event of a threat or incident to the health and safety of personnel, the environment, or property. Such events include a fire, bomb threat, chemical release, domestic violence in the workplace, or a medical emergency. Shelter-in-place procedures for events requiring personnel to stay inside the building rather than evacuate are also addressed in an OEP.

The best mitigation action is effective planning.

For more information, contact: Victor Font, ITS Business Continuity / Disaster Recovery Coordinator at victor.font_jr@uconn.edu

Information Security Tip: Phishing Not Fishing

Phishing email messages are designed to steal your money and your identity. Criminals can do this by installing malicious software on your computer or stealing personal information off of your computer.

How can you detect a phishing email?

  • Cybercriminals are not known for their grammar and spelling. If you notice mistakes in an email, it might be a scam.
  • Don’t click on links in a suspicious email. Rest your mouse (but don’t click) on the link to see if the address matches the link that was typed in the message.
  • The website address (URL) can provide clues as to whether you are about to be scammed. Keywords in the URL, such as verify or update, can be an indication that the URL is a scam site. So too can URLs that contain just numbers.

Security tips can also be accessed at http://security.uconn.edu/ by clicking on the security tip of the week icon located in the top right-hand corner of the screen.

For more information, contact: Information Security Office at security@uconn.edu

New UCONN-GUEST Wireless Network Available Now

The new UCONN-GUEST wireless network is now available. For information on how to connect to the network, visit http://wireless.uconn.edu/ and select “UCONN-GUEST”. UCONN-PUBLIC will continue to be available until March 20, 2013, at which time the network and guest kiosks will be decommissioned.

For more information, contact: Information Security Office at uconniso@uconn.edu

Information Security Tip Of The Week: Password/Passphrase

Did you know that the Information Security Office has its own playlist on the UConn YouTube channel?

One of our talented security student workers has been hard at work creating short yet engaging videos to help communicate valuable information security tips. These tips are not merely for business use, but can also apply to your personal information security.

His very first video, “How to Create a Secure Password”, is available for viewing. Take a moment to review the video to see how you can create secure passwords and/or passphrases.

http://www.youtube.com/watch?v=oH3WXJnhGd0

Security tips can also be accessed at http://security.uconn.edu/ by clicking on the security tip of the week icon located in the top right-hand corner of the screen.

For more information, contact: Information Security Office at security@uconn.edu

UCONN-GUEST Wireless Network Info Booth at the SU

UCONN-GUEST, a new, self-provisioning service that allows guests to easily access wireless services while visiting UConn, is going live on Tuesday, March 12. The new service streamlines the registration process and eliminates the need for kiosks.

To learn more about the new UCONN-GUEST wireless network and the self-provisioning guest registration process, stop by our information booth in the Student Union. The booth will be open:

Wednesday, March 6, 2013 – 11:00 a.m. – 1:00 p.m.
Friday, March 8, 2013 – 11:00 a.m. – 1:00 p.m.  (Session canceled.)

You can also visit www.wireless.uconn.edu for more information on the new wireless service. For more information, contact: Information Security Office at UConnISO@uconn.edu

(Please note: UCONN-PUBLIC and the kiosks currently used to obtain a guest registration will remain in effect until they are decommissioned on 05.20.2013.)

Reconfigure Your Mobile Device To Access University Email

As of Monday, March 4, 2013, mobile devices accessing the University Exchange Mail Server will need to be configured with certain security settings before access is granted.

Reasons for Change:

  • To protect University data stored on mobile devices, as required in the University’s Access Control Policy: http://policy.uconn.edu/?p=2433
  • To address recent industry trends, which point to mobile devices as the top target for security threats in 2013.

After Monday, March 4, 2013, if you use your Android, Apple, or Windows mobile device to access the UConn Exchange Mail Server, you will be prompted with the additional security settings. For more details, please go to the previous post regarding this update.