Tuesday, April 30, 2019

To proactively enhance and automate defenses for UI networks, systems, and accounts, both locally and in the cloud, potential email security solutions were identified and one of them (tagging emails from outside the UI as external) was implemented. Security alerting was expanded with the help of newly-ingested data feeds, and partners outside the security office are starting to take advantage of our data analytics capability. A process for threat-hunt prioritization was finalized, Tier 1 security services were integrated across Health Care Information Systems and OneIT, and the security office has moved to a single ticketing system. A monitoring solution was implemented for cloud services, while expansion of the solution is being explored.

To improve support and protection of campus activities that require compliance with applicable laws and regulations, IT policies were updated, and new versions will be published and communicated. Audit remediation plans are being executed. The IT Accessibility Technical Standards committee is reconvening, and we are evaluating an improved capability for scanning the accessibility of websites.

To promote a security-aware community, requirements for security-awareness training are being reviewed, and employee-orientation materials are being assessed to ensure inclusion of security content. To protect personal and university devices via policy-based access controls, requirements for datacenter architecture have been identified, and detection mechanisms are now shared between Information Technology Services and Health Care Information Systems.

To assess enterprise risk and adopt systems to facilitate identification, acceptance, or mitigation of risk, emerging technologies that must be evaluated from a security perspective have been identified and prioritized. An assessment was conducted for compliance with the HIPAA privacy law, and penetration and vulnerability tests are being conducted on several university systems each year. To regularly update, improve, and test disaster-recovery and business continuity plans, lessons learned were collected from incidents and recommended updates to strategies were developed.