Setting Standards for Security

Securing the availability, confidentiality and integrity of institutional data is critical to UB’s vision. That’s why the university’s standards for, and approach to, information security are evolving.

UB’s security standards for endpoint devices and servers

Information security risks are complex and ever evolving. UBIT tackles these risks through educational outreach, technical safeguards and policy implementation. In order to align business functions with best practices for information security, the Provost directed the VPCIO to oversee a coordinated, institution-wide effort.

As a result, the Minimum Security Standards for Desktops, Laptops, Mobile and Other Endpoint Devices and the Minimum Server Security and Hardening Standards were developed and implemented in Fall 2017.

David Costello, Assistant Dean with UB’s School of Management, heads up the Endpoint Security Committee (a subcommittee of the Device Standards Group), which serves as a resource for the distributed IT community. With central investment and resources from the VPCIO area, the Endpoint Security Committee’s goal is to educate the distributed IT staff on certain tools, share knowledge between departments and bring forward new ideas for consideration.
 
The School of Management beta tested storing Category 1 Restricted Data in the UBbox environment. This project included the creation of the administrative account, assigning appropriate permissions, using Splunk for monitoring file changes, folder management and changing the workflow of business office customers to ensure appropriate controls and handling of information.

Why security matters

UB’s security standards help ensure the availability, confidentiality and integrity of university data and the network infrastructure. The university’s shared commitment to information security also provides faculty with a competitive advantage when seeking research funding. Many organizations expect federally-compliant information security measures, such as NIST, to be demonstrable at the point of contract funding. Therefore, adopting these standards proactively supports the university’s vision for impactful research.

What's next?

UBIT continues its outreach with schools and administrative units to inventory equipment, understand needs and impact and develop a plan for compliance. This process aims to balance appropriate security practices with customers’ needs. UB schools and administrative units are given the authority to develop and manage security standards compliance exceptions to suit their unique needs and environments. In addition, UBIT is working with the distributed IT leadership to pre-approve software in order to allow updates to run without administrative rights. Doing so will reduce the need for customers to request software updates and experience downtime. We also expect that automatic software updates should help reduce the Help Center requests fielded by both UBIT and the distributed IT community.

HIPAA compliance

With the continued growth of the research and medical environments at the university, UBIT recognized the need to provide centrally-supported, HIPAA-compliant services for our customers. UBIT has worked to meet technical and procedural requirements needed to become HIPAA compliant, with a focus on adequately safeguarding electronic protected health information (ePHI).

Effective December 2017, the VPCIO area is designated as a HIPAA covered function operating under SUNY’s HIPAA covered entity. As a covered function, UBIT supports the School of Dental Medicine’s EHR system and UBbox environment. Additionally, UBIT supports the College of Arts and Sciences’ Speech Language and Hearing Clinic’s effort to be designated as a HIPAA covered function.

UBIT staff who work with the systems that store, process or otherwise manage ePHI are trained in order to ensure that proper protocols and regulations are followed. This training is offered using the UB EDGE online training class.

UBIT Security Awareness Program

IT Staff Training

The Information Security Office provides required training to all new UBIT staff and student assistants. The training is also available by request to other administrative and academic units. As of Fall 2018, training is offered through Inspired eLearning’s security awareness product hosted on UB EDGE as a self-paced, fully interactive online module. This training is customized for UB and includes our policies, terminology, data access roles and campus-specific information. The training is very adaptable, allowing a learner to begin at a level that suits their current skills and knowledge.

Campus Outreach

The Information Security Office engages with the campus in order to promote the importance of keeping the university’s information and systems safe and secure. The ISO offers information security and security awareness presentations to any unit upon request. The ISO frequently participates in outreach at events such as Orientation for New Hires, WellFest, and UB Business Days for faculty and staff. The ISO also provides awareness materials during annual new student orientations and move-in. Posters, bus headliners and information cards are posted and distributed throughout the campus to build greater awareness of phishing and how to avoid having personal information stolen.

ISPAC

In April 2017, at the request of the Provost, VPCIO Brice Bible established the Information Security and Privacy Advisory Committee (ISPAC). ISPAC’s goal is to address information security and data privacy concerns in order to manage sensitive data areas throughout the university.

ISPAC evaluates, develops and recommends information security and privacy policies, procedures, and operations vital to protecting and sustaining UB’s mission. ISPAC’s members represent a majority of the functional units throughout the university.