
Collaborating to defend IU from cyber threats

How the new Cyber Risk Mitigation Responsibilities policy (IT-28) process will strengthen teaching, learning, and research activities

Security and privacy Apr 15, 2021

Just how big is the cybersecurity threat to IU and how should we defend against it?

The recent phishing email that affected over 9,000 users is just one incident—and there are many more. For example, in February, Indiana University’s University Information Policy Office:

  • Received 154,094 incident reports—including four Zoombombing attacks and four reported data exposures
  • Secured 22 compromised accounts
  • Responded to 22 distributed denial of service (DDoS) attacks
  • Processed 1,074 phishing reports relating to 33 phishing campaigns
  • Blocked 119,358 IP addresses for port scanning

 


Clearly, it takes a collaborative, team effort to defend IU against that kind of attack volume. One way is through policy and its implementation, and that’s where the Cyber Risk Mitigation Responsibilities policy (IT-28) comes in, along with a new approach from the University Information Security Office (UISO).

A new way of doing business—working more collaboratively

As the 2021 IT-28 cycle begins, the UISO is taking a more consultative and collaborative approach with departments to help them succeed in ensuring the confidentiality, integrity, and availability of their systems and data in the face of ongoing cyber threats. This approach will also help units better meet internal audit compliance requirements.

“Our best defense against attacks is to work together,” said Von Welch, IU associate vice president for Information Security. “Departments understand well their research and business practices and risks, and the UISO has the cybersecurity acumen. When we collaborate, we provide a much greater level of cybersecurity and reduce the impact of these attacks on the ability of faculty, students, and staff to teach, learn, and conduct research,” he said.

 


Welch went on to point out another example of a successful cybersecurity collaboration: “the OmniSOC, led by IU and serving IU, Rutgers, Northwestern, University of Nebraska, three major National Science Foundation facilities, and their newest member Santa Clara University, is a great case in point. OmniSOC operates collaboratively across member institutions, reducing the time from first awareness of a cybersecurity threat anywhere to mitigation everywhere for our higher education institutions and research facilities members.”

Welch summed up with, “Together, we’re accomplishing what we could not accomplish separately. The same is true for our internal cybersecurity efforts, and our new approach to IT-28 is a step in that direction.”

 


Risk mitigation efforts will now focus on three core activities: 

  • Continuous engagement: UISO will reduce the “transactional” feel of past efforts, moving from multi-year cycles to appropriate intervals based on unit needs.
  • Relationship building: Consulting engagement participants will remain consistent to better match expectations to reality. UISO will be a reliable resource for IT Managers and IT Pros to provide guidance and expertise to ensure units are well supported.
  • Program improvement: The focus will be on mitigating the most significant risks and on defining and collecting metrics to support decision-making efforts. UISO will help with policy compliance, IT best practices, risk assessment training, metrics, frameworks, and effort prioritization.

Ian Washburn, systems risk mitigation manager in the UISO, shared his perspective on the change.

“Our goal is to create an environment of continuous engagement, move from a two-year cyber risk review, and be more available to individual units. Traditionally, IT-28 has been a one size fits all, but units have different considerations and different risks,” he said.

“We want to build relationships and be available so that you can reach out to us when you have questions,” Washburn continued, “and we can provide guidance to help you find the expertise that’s needed whether it’s us or somewhere else. That’s going to be more valuable and a better use of everyone’s time.”

One of the key features of the more collaborative IT-28 approach is the assignment of specific analysts to specific units. 

Charles Escue, manager of extended information security, commented on the strategy behind this change. 

“We think that we can provide more value by attaching or assigning an analyst to a unit, by giving them a dedicated person to work with and talk to on a continuous basis. Our analysts will get to know the unit, understand the nuances of their business process, and perhaps understand struggles in their IT area and their business process.

“By doing that, they’ll really be able to get to know the IT Pros and the researchers, build relationships with them, and help them understand the environments that they’re in—and perhaps provide insight into resources that might be available or expertise of other folks in the university who might be doing similar work,” Escue said. “We can establish a rapport and we can start to build that kind of program improvement. We can help identify the risks that units want to mitigate, rather than just saying ‘follow IT-28.’”


What is IT-28?

The purpose of IT-28 is to ensure that the IU community minimizes, to the greatest extent practicable, the unnecessary creation of cyber risks, while also enabling the productive work of all students, faculty, and staff. This requires a balanced approach to activities that create cyber risks and activities that can help mitigate them. Both enabling and mitigating are essential for the diverse IT services required for the university’s research, education, and service mission.

A good place to start to learn more about IT-28 is the KB document About the Cyber Risk Mitigation Responsibilities policy (IT-28) at IU or the Information Security and Policy webpage What is Cyber Risk Review.
