UNIVERSITY PARK, Pa. — Penn State recently announced that Donald J. Welch has been appointed as Penn State’s new chief information security officer (CISO). Until Welch assumes his position on Dec. 5, Andrew Sears, interim CISO and dean of the College of Information Sciences and Technology, will continue to work with the Office of Information Security (OIS) to provide strategic guidance on issues related to online safety and security at Penn State.
More than one year after the formation of OIS and in recognition of National Cyber Security Awareness Month, Sears recently participated in a Q&A to discuss the mission of OIS; how students, faculty and staff members can keep personal and institutional information secure; and what lies ahead for the future of cybersecurity at the University.
Q: It has been a little more than a year since OIS was established. What are some of the changes the office has undergone during that time?
A: OIS was formed out of the Security Operations and Services group in Information Technology Services [now referred to as the Office of the Vice Provost for Information Technology]. Since that time, we have been focused on operational excellence, data protection and developing relationships across the University. We have also been reviewing the functions and services OIS was and should be providing and how we can most effectively structure the office to help ensure the security of Penn State’s information and infrastructure.
As a result, we recently restructured OIS to become more proactive and agile. We reduced the number of teams within the office and redefined their functions, resulting in three teams built around Consulting and Services, Enterprise Security, and Compliance:
- Consulting and Services will ensure that such services as sensitive data discovery, encryption and forensics continue to be delivered with a strong customer focus. Consulting is expected to be a key function as OIS seeks to become more involved in providing guidance to units early in the development and procurement cycles of technologies.
- Enterprise Security will continue to focus on providing core security functions. System and web application assessments and some elements of incident response have moved into this team. We expect this collection of activities will align with ongoing intrusion detection and prevention efforts to facilitate increased information sharing and improved responsiveness.
- Compliance will focus on a proactive approach in helping University stakeholders understand and meet compliance issues that impact academic, administrative and research computing.
Recently, the University’s Privacy Office became part of OIS. The Privacy Office was previously housed within Penn State’s Office of Ethics and Compliance, but we felt this was a natural fit for OIS as privacy continues to be an important consideration for the University and many of the data protection discussions coincide with OIS.
Finally, we recently moved aspects of identity management that focus on developing policy and procedures from the Office of the Vice Provost for Information Technology to OIS. Again, the goal is to help ensure that security-related concerns are effectively integrated into the process as we make sound, informed decisions about how we will deal with these critical access management issues.
Q: How does OIS collaborate with other units and departments throughout Penn State?
A: Collaboration is a key consideration for everything OIS does. We understand that the decisions we make and the actions we take impact many people, and we are committed to working with stakeholders across the University to ensure we are making the right decisions for Penn State. For example, we regularly meet with and update the Information Technology Leadership Council, we established an advisory board as a way to share ideas and get feedback from a broad cross-section of the University, and we work with Research Computing and Cyberinfrastructure to understand their concerns. We have also presented to University Faculty Senate committees, the Academic Leadership Council, the President’s Council and other groups and individuals. We also established security liaisons with every IT unit across the University to ensure we can communicate effectively with those groups.
We understand that for OIS to be successful we must actively engage with University stakeholders, share plans, make adjustments where necessary and work with local IT units as they seek to better secure Penn State’s information and infrastructure.
Q: What are some of the most common cybersecurity risks facing Penn State students, faculty and staff members?
A: Phishing still poses a significant threat. Approximately 75 percent of the detected system compromises since July 2016 can be traced back to users clicking links and attachments they received as part of phishing email campaigns. Ransomware also represents a growing concern, with many phishing campaigns leveraging this type of malware. You can learn more about phishing from this article on Penn State News.
Two other concerns are the reuse of passwords and not updating systems. The risks to individuals and the University increase when individuals reuse their Penn State passwords on external systems and sites. If one of these other sites is compromised, Penn State’s systems become vulnerable. You can learn more about passwords and system updates from this article on Penn State News.
In addition, updating software is critical. Many updates or patches are either motivated by security concerns or have security-related items embedded. Machines that run unpatched or unsupported versions of operating systems and applications are often exploited to compromise systems. Some common examples include out-of-date versions of Java, Adobe Acrobat Reader and Adobe Flash.
Q: How does OIS help to mitigate cybersecurity risks?
A: OIS works with the central email team to improve spam rules and provides network monitoring services looking for malicious communications associated with malware and botnets. We also offer antivirus software to all Penn State users and work with individual units to identify and address vulnerabilities before they are exploited.
One other important resource from OIS is phishing.psu.edu, which provides information on how users can more effectively protect themselves from phishing scams. Penn State students, faculty and staff members can also forward suspected phishing emails to phishing@psu.edu. OIS analyzes all reported and suspected phishing emails for malicious content and works to block any network communication to malicious sites.
Q: On an institutional scale, what systems are in place to protect online information at Penn State?
A: Penn State is continuously engaged in a process of better understanding the information we house and are responsible for. We also focus on developing more effective policies, procedures and practices to safeguard this information. One key initiative is scanning Penn State’s environment to detect potential Personally Identifiable Information (PII) and working with individual units to understand what this information is, how to eliminate any PII that is not needed and how to ensure that any required PII is appropriately protected. This is a great example of collaboration across the University as it is something OIS could never accomplish by itself. With the support of campus leaders and IT units, we have made — and will continue to make — significant progress.
Q: How is OIS working with Penn State researchers to keep research data secure?
A: OIS is actively engaged in this conversation because it is important not only for protecting the data researchers produce but also for complying with requirements that often accompany external support for research. We offer encryption services, network threat monitoring and compliance consulting for researchers who handle data that falls under NIST 800-171 or other sensitive information requirements. OIS also offers risk assessments upon request if researchers want to better understand how they can ensure their systems and information are secure.
Q: How can students, faculty and staff members ensure personal and institutional information remains secure?
A: Students, faculty and staff members are all central to ensuring that personal and institutional online information is secure. This is a shared responsibility, and we need everyone to do their part. Some of what we need is straightforward. Everyone needs to use strong and unique passwords for each system they access, since reusing your Penn State password on other systems increases risks here at Penn State. We encourage everyone to use two-factor authentication (2FA) wherever it is available. Here at Penn State, sites protected behind WebAccess are secured using 2FA, and more information can be found at get2fa.psu.edu.
Everyone needs to make sure their systems and software are updated. These updates often include fixes for security-related items. Firewalls should be turned on, antivirus software should be installed, data should be backed up and USB storage devices should be secured to avoid loss of data or the installation of malware.
It is also important for each user to understand the kinds of data they are storing, the sensitivity of that data and how to secure it appropriately. Most operating systems offer native encryption — like FireVault for Mac and BitLocker for PC — which will help secure any data stored on those systems.
Finally, please remember: Penn State will never ask you for your username or password via email.
Q: What resources are available for Penn Staters wanting to learn more about cybersecurity and how to protect their information?
A: There are many resources available to Penn Staters who want to better understand cybersecurity and how they can protect their information, including:
- securepennstate.psu.edu, which provides information about online safety and security and links to other useful resources;
- phishing.psu.edu, which provides information about phishing, how to avoid scams and how to report suspected phishing emails;
- get2fa.psu.edu, which provides details on how to sign up for 2FA at Penn State;
- lockdownyourlogin.com, which provides information about a national initiative to increase 2FA usage; and
- security.psu.edu, which is the website for OIS. We are always happy to work with individuals if they have concerns about cybersecurity at Penn State.
Q: What do you see for the future of information security at Penn State?
A: Information security is an area that is constantly changing. As threats become more numerous and sophisticated, effectively addressing these issues will require a commitment by every member of the Penn State community. With that said, establishing OIS was an important step for Penn State, and I think we have made significant progress over the last year — not only in understanding where we stand, but also in building stronger relationships across the University and improving the security of Penn State’s infrastructure and information. I’m excited that Penn State has hired Don Welch to take over as the University’s CISO starting in December. Don brings a wealth of knowledge and experience, and I know the University will continue to make progress in this important area under his leadership.