University of Pittsburgh

September 25, 2014

Technology Corner: Meet the security team

CSSD

Have you heard the joke about those of us who work in information security in higher education?

We sleep like a baby.

You know — we wake up every hour and cry.

Target-rich environment

In the world of cybersecurity, universities are considered a “target-rich environment.” Universities run on very large, complex and fast networks for diverse and fluid populations and are, by their very nature, repositories for information.

All of that makes an enterprise like Pitt very attractive to hackers and identity thieves.

Our mission

CSSD’s security team is committed to safeguarding the confidentiality and integrity of Pitt’s systems by providing security expertise in a proactive manner. We understand our responsibility as guardians of sensitive information, and we know the severity and frequency of attacks against that information.

In addition to maintaining strong security at the enterprise level, we work continuously to foster a culture of security awareness with individuals and departments in order to maintain security at the local level.

Effective security is a team effort. You are an integral part of that team.

Security tailored to your circumstances

The CSSD security team works directly with faculty, staff and departments to provide security services and information at no cost. The more secure your area is, the more secure all other areas of the University will be.

• Consultation

— Security plans. We consult with units developing or updating security plans and initiatives. Each unit should have a general information security plan that follows University policy. But many units also have more specific security needs and develop plans to satisfy specific requirements.

Right now, for example, your department may be updating its customer information security plan as part of the University’s compliance efforts. Departments with significant engagement in financial activities need these security plans to protect customer information. We can help.

— Evaluation of new tools. Faculty members and departments often identify potentially valuable new technology tools or systems. CSSD Security can serve as an effective initial evaluator of those systems, helping determine whether the design of the system and its vendor meet security standards so that you don’t invest time and funding in a product that cannot pass a security review.

— Assessment. In addition to providing expertise during the development stage of a security plan for your area, we can be a verification resource to test your plan after controls are in place.

• Vulnerability scans

Mandatory vulnerability scans are part of standard operating procedure for many applications and systems. But in cases where a system does not have a built-in vulnerability scan, we can provide that service.

We will run the vulnerability scan for you, weed out any false positives and alert you to vulnerabilities. The scans can be done on a periodic basis; you will receive a report each time.

The vulnerability scan service allows departments to leverage CSSD security tools and expertise to proactively address any known vulnerabilities.

• Centralized antivirus

Symantec Endpoint Protection (SEP) is available at no cost to all University faculty, staff and students through the Software Download Service.

Many departments and schools, however, also maintain a SEP server to more effectively manage machines in their area and identify when there’s a need for active remediation.

We can do that for you on one of our servers. The department can choose to manage its clients or, if you prefer, we can do that for you, too, sending a report — or, when necessary, an alert — to a designated person in the unit so that the department is kept fully informed.

• Sensitive data discovery

A surprising number of people assume they have no personal information on their computer. Don’t assume. Identity Finder software scans your computer to locate sensitive information such as birth dates, passwords or Social Security numbers. Identity Finder can be downloaded through the Secure Your Data resource community in My Pitt.

The CSSD security team can help you understand how University information policies apply to your work and your situation. If you have sensitive data that needs to remain on your computer, we will help you address that with applicable security controls.

• Incident response

Despite the best efforts of a department IT team and individuals within the department, machines and systems can become compromised or infected.

Please call us.

If you try to fix this on your own and we don’t know about it, we lack information we need to assess the greater risk. The infection that you assume is localized may be part of a larger issue, or it may provide important evidence in a larger puzzle. Let us help.

• Security awareness training

We always welcome the opportunity to visit your school or research group for a tailored information session on security awareness.

The federal Department of Homeland Security designates October as National Cybersecurity Awareness Month. Consider celebrating it this year by inviting us to give a security awareness training session.

*

Please mark your calendar for a special presentation at noon on Oct. 21 on cybersecurity.

The event, which will be held in the William Pitt Union, will include talks by U.S. Attorney General David Hickton, who led the investigation against the individual emailing bomb threats against the University, and hacking expert David Kennedy.

Sean Sweeney is the University’s information security officer. He can be reached at 412/624-5595 or sweeney2@pitt.edu.