
University of Connecticut Information Security Office

New Information Security Policies

Tuesday - November 30, 2010 by Carrie Gray

The Information Security Office performed a review of the currently-published security policies. The review included the development of a framework based on ISO 27001 that aligns all of the Federal regulations and State laws, as well as industry standards with which the University must comply.

In an effort to address the compliance issues identified during our review and to strengthen the information security posture of the University, we have drafted a new set of Information Security policies. The new set of policies accomplishes the following:

  • Reduces the number of security policies from 25 to 12 (this number could change depending on the results of public comment).
  • New policies are clear and concise.
  • Includes supporting guidelines and standards.
    • Some of these have been published with the draft policies; however, many more are still needed.
  • Addresses regulatory requirements.
  • Decentralized areas no longer need to create their own policies.
  • Wherever possible, UITS is providing services to comply with the policies.  Examples include
    • Vulnerability assessment capabilities.
    • Risk assessment services.
    • Centralized logging and alerting.
    • Online Security Awareness Training.
  • We are also planning for future services such as encryption, Identity Finder, secure file transfer and many more.

In lieu of a formal policy vetting and approval process, we have posted the draft policies on the Information Security website (click here) for public comment prior to submission to senior administration for approval. The policies will be available for comment until 12/20/2010. After the comment period ends, we will review all of the comments and make changes to the policies as necessary.

We value your timely feedback and constructive comments as we work through this process together.

S6 Lunch & Learn Presentation

Thursday - November 18, 2010 by Lucy Valletta

Jason Pufahl gave a speech on the state agencies’ records retention schedule, S6, earlier this week on November 16th. You can find the PowerPoint slides for his presentation here. During the presentation he also handed out a draft schedule which can be found under this link. Please review them and contact Jason with any questions you may have!

Researcher Demoted After SSN Data Exposed

Monday - October 25, 2010 by Jason Pufahl

The following article illustrates how seriously data breaches are being taken by some Universities. The article doesn’t provide any specific details into what factored into the decision, or any IRB compliance issues. The extreme risk of unintended data exposure across all of higher-ed will make this an interesting issue to follow. I’ll post updates as I see them.

Chapel Hill Researcher Fights Demotion After Security Breach

An update to this:

Arguments Regarding Responsibility of Data Breach

HuskyCT Lunch and Learn Presentation

Wednesday - October 20, 2010 by Lucy Valletta

Elena Sevilla and Hengameh Vosough gave their presentation about HuskyCT at the Lunch & Learn session held on October 12th.

Here are the PowerPoint slides used during the presentation; please review the video below.

 

FAMIS - Lunch and Learn Presentation

Tuesday - August 31, 2010 by Lucy Valletta

Terry McBrien’s presentation on FAMIS at the Lunch & Learn on August 17th.

FAMIS Lunch & Learn Slides

 

Sharing Passwords

Thursday - August 19, 2010 by Mick DiGrazia

Many web sites allow you to share a username and password for a different web site in order to provide integration and interaction between the two sites. For instance, you may have noticed that many news web sites allow you to log into Facebook or Twitter in order to quickly share links to a story. However, when it comes to sharing your UConn usernames and passwords (for example, your NetID or PeopleSoft logins) the University does not endorse providing your logins to third parties.

Some web sites allow you to wager on the grades you’ll receive this semester. However, although these web sites may look legitimate, there is no guarantee that they are. The University does not have a contract in place with these vendors so if you share your UConn login information with these web sites, the University cannot guarantee that your account is not accessed for questionable purposes.

When you provide your UConn usernames and passwords to another person or web site, besides violating University policies, you may be forfeiting your own privacy!


Some general password reminders:

  • Keep your passwords private - No one needs to log into any system as you. Ever.
  • Make your passwords different - Vary the passwords you use on different systems. If one system is compromised (such as your email account) you won’t have to worry about your other accounts being compromised as well (such as your bank account).
  • Make it hard to guess - Use at least 8 characters for all of your passwords and mix in letters (capital and lowercase), numbers, and punctuation.

UITS Applying Out of Band Patch

Monday - August 2, 2010 by Jason Pufahl

Malware leveraging the current .lnk vulnerability is actively attempting to exploit Windows clients and servers.   The Internet Storm Center recommends patching immediately (http://isc.sans.edu/diary.html?storyid=9313).

UITS will be patching all Windows Servers starting at 2:30 PM EST.  (http://itstatus.uconn.edu).

Please review Friday’s post for additional information.

We recommend you patch your systems as soon as possible.

July 20th Lunch & Learn Content

Monday - August 2, 2010 by Jason Pufahl

The content from Jason Pufahl’s presentation of the Information Security Master Plan.

Presentation Materials

Information Security Master Plan Document

Master Plan Presentation - Slides

 

Microsoft - Out of Band Patch Being Released on 8/2

Friday - July 30, 2010 by Jason Pufahl

Microsoft will release a patch on 8/2, to address the current .lnk vulnerability.  Please review the following sites for additional information:

July 16th - Microsoft Advisory

July 30th - Microsoft Advanced Patch Notification

CVE Notification (contains additional references)

We recommend applying this patch as soon as possible after it’s released.

Lunch And Learn Series

Monday - July 19, 2010 by Jason Pufahl

UITS has been presenting technical information sessions in the form of “Lunch & Learns” for the past year.  These sessions have proven to be informative and well-attended, but have lacked a few amenities (most notably the ability to conveniently eat lunch).  Going forward, we are expanding the scope of topics and opening them to a larger audience.  Please join us on the 3rd Tuesday of the month (except for October 12) in the Student Union Ballroom Room 331.

Here is a link for the Lunch and Learn sessions with a current list of topics and presenters, as well as a link to the UConn Events Calendar.   The topics are still evolving, and we hope to have that list completed soon.  If you have a topic you wish to present, or have an idea for topics, please contact Jason Pufahl.

This first session, “The Information Security Master Plan and Risk Matrix,” is described below. It will be held 12:00Noon-1:00PM, Tuesday, July 20th in the Student Union Ballroom Room 331.

The Information Security Office will present the initial draft of the Information Security Master Plan and Associated Risk Matrix.  This will be an opportunity to see where the Security Office sees the most significant threats and outline the current proposed approaches for addressing these threats.  I will keep the presentation to 30 minutes so that there will be ample time for discussion, questions and feedback.  This will also be an opportunity to offer input into the current strategies and overall plan.

Please share this with anyone you think may be interested, and we hope to see you there.