As an institution that has 115,000 students, 9,000 faculty members and 11,000 staff members across eight campuses, IU is full of online targets.
The University is constantly in need of a more complex, multi-layered cybersecurity policy, one that adapts to the ever-changing landscape of information technology, said Eric Cosens, University information policy officer.
A significant sector of Protect IU, a group focusing on all areas of campus public safety, is concerned with online security.
“Technology continues to be a permeating force, and the scope of our work has grown, it feels, at an exponential rate,” Cosens said. “The resources we provided have not kept pace, and we are working on multiple projects to reverse this.”
The offices of information security and policy work together to implement administrative changes, as well as make IU safer digitally.
A recent development includes a policy draft that requires the intense vetting of all third parties that have expressed interest in exchanging information with the University.
“We’re primarily documenting a process we’ve been using for some time, as it is on the cusp of being approved,” Cosens said. “We want to solidify IU’s relation with cloud providers, so we ensure the information we’re sharing with these groups is secure and protected.”
Another area of focus is the Cyber Risk Mitigation Responsibilities Policy, or IT-28.
The policy, which was implemented in May 2013, outlines the University’s efforts to minimize the ability of outside threats to target IU’s servers, or the systems of devices that help IU’s networks function.
Initiatives of IT-28 include centralizing systems, reducing the number of servers on campus and rearranging departments for efficiency.
Cosens said the more servers the campus houses, the greater chance hackers and outside threats have to breach the system and target the campus.
The offices are constantly working to decide which databases and programs can be run locally or centrally, he said, and which units can be shut down altogether.
“There is no way you can ever eliminate risks entirely,” said Daniel Calarco, chief of staff of the Office of the Vice President for Information Technology. “We can, however, have University-wide policies like IT-28 that significantly reduce the likelihood of cyberattacks.”
Cosens said a persistent threat to students, faculty and staff is phishing, or attempts to solicit sensitive information — often personal information — typically for self-serving purposes.
For example, a student may receive a seemingly official email sent by a scammer, asking for his or her credit card information and IU passphrase, or informing them their passphrase is no longer secure and needs to be changed.
The offices take reports of phishing seriously and respond to the risks by examining the attacks.
“We sinkhole the phishing link, so it redirects to one of our pages,” Cosens said. “We also look through the logs to see who may have posted their credentials, so we can message them and tell them to change their passwords.”
Falling for online scams and clicking on bad links are common mistakes and can be easily prevented, Cosens said.
He said preventative measures are one of the most effective ways to maximize campus cybersecurity.
The Committee of Data Stewards, a group responsible for developing guidelines on IU’s data, recently launched Data Management at IU, a website that details cybersecurity efforts, policies and advice.
The website has been well-received, Cosens said, and provides an invaluable resource for students who want better understand what they can be doing to make themselves feel safer online.
“It’s important to remember that a good security posture protects both you and the University,” Cosens said. “Configure your mobile devices, don’t open questionable files and keep your software updates patched.”
Cosens said the technology sector has seen great change, more so than most other fields.
From the increase of mobile device usage to the sophistication of the University’s server system, this series of advancements has arrived with both benefits and challenges that must be dealt with.
“Developing new security standards for devices and drafting policy for recurring and future problems are just some of the concerns in our office,” Cosens said. “With the way technology is evolving, however, we’re working to keep up with whatever comes next.”
For more information on cybersecurity, in-depth terminology and data management governance, visit datamgmt.iu.edu.
