Information security initiatives highlighted at March IT Leadership Team meeting

April 13, 2023

The following highlights were provided by IT Leaders on March 23, 2023:

Cybersecurity Awareness Journey

Jessica Flower, Associate Director for ISO Policy and Awareness, reviewed how her team has increased awareness and inspired action around Cybersecurity at Yale.

From an initial assessment by Accenture in 2019 to a subsequent one in 2022, Yale has exceeded its peers in its ability to drive cybersecurity accountability across the business. How did the team make this happen? Flower outlined the steps her team took to make progress, including:

  • Launching a Cybersecurity website to provide information including four evergreen topics.
  • Creating an advisory board to weigh in on the strategy and inform the overall approach.
  • Sending targeted communications with clear calls to action.
  • Initiating multi-media campaigns with guest presentations, interactive toolkits, gamification, and more.
  • Creating the Bee Cyber-Fit Series, including a monthly tip, newsletter, and podcast.
  • Establishing an ambassador program to identify a cybersecurity champion within Yale departments.

These actions have allowed them to build their capabilities, provide general awareness, introduce a shared responsibility model, and reintroduce ISO “as partners, not police,” according to Flower. Next up, the team plans to launch a campaign to combat risk.

Not if, When

In John Coleman’s experience, it’s not a matter of “if you’re going to experience a security incident, but when you are.” As the Director of Risk and Engineering at Information Security, he felt it would be helpful to review some of the problems related to incidents or breaches, tips on how to respond, and what to expect.

Services are periodically impacted or interrupted due to several events that have the potential to become a system or data compromise. They include phishing emails, ransomware messages, unusual traffic or activity, or a system crash. These problems can be categorized as:

  • A security incident: An incident that could jeopardize the confidentiality, integrity, or availability of systems. Incidents need to be declared by a security engineer and, in most cases, they are routine and easily resolved. However, in some cases, these events are considered significant because they are higher risk, involve high risk data, have legal or criminal implications, and more.
  • A breach: When attackers have accessed sensitive information. At Yale, breaches are declared by the Office of the General (vs. a security engineer), and require notifying regulators, law enforcement, and others by a certain time frame.

In a security incident, service owners are encouraged to contact a security engineer (email information.security@yale.edu), who will follow multiple steps before recovering data. During the containment step, the following will happen:

  • Your service will be down.
  • You should refrain from taking any actions before consulting the Chief Information Security Officer (CISO) or their designate.
  • You should refrain from adding people to the team without consulting the CISO.
  • You should refrain from describing it as a security incident before consulting the CISO (in the interim, it will be described as an unplanned outage or unplanned maintenance).

During the Recovery phase, your disaster plan will speed recovery. Expect to have to rebuild systems from scratch, restore data from backup, consult with security engineers on your recovery plan, and seek approval from the CISO on that plan.

In conclusion, Coleman emphasized the importance of focusing on what matters most:

  • Accept that something bad happened.
  • Do not make it worse.
  • Do not worry about blame or attribution.
  • Do focus on containment and recovery.

For additional questions about incidents or breaches, contact John Coleman (john.coleman@yale.edu).

Device Posture Checking

Brad Hajzak, Director of Security Infrastructure, spoke about the importance of a device’s security posture—a.k.a. how well it holds up to common threats—and advocated for the use of a forthcoming app, DUO Device Health.

It is important that Yale devices (including laptops, desktops, and portable storage devices) are encrypted in accordance with Yale’s Minimum Security Standard (MSS). Doing so prevents the loss of confidential data from missing or stolen devices. The use of Managed Workstations also assists Hajzak’s team in protecting data. Adding to these protocols, a forthcoming tool, DUO Device Health, will assist in securing Yale devices that hold PHI.

DUO Device Health assesses a device’s security posture and denies access when the required posture is not met. The app offers three modes (Agent not required, Agent required with reporting only, and Agent required and enforced) and three installation methods (delivered to managed endpoints, self-enrolled, and just-in-time installation). When launched, the app will be promoted to targeted users, based on their access to high-risk data.

Hajzak’s team will take advantage of the use of Managed Workstations, leverage lessons from the DUO Everywhere rollout, and continue to socialize the launch and garner support. For questions about DUO Device Health, contact Brad Hajzak (bradley.hajzak@yale.edu).

Ask John Anything

As you connect with IVY+ peers at conferences and events, how do we compare?

I just came back from a conference with many of our research university peers and noted that we are in a much better position than we were five to six years ago. In many areas, we are doing very well. I also see opportunities for us to grow in the areas of research support, particularly related to research computing, and data and analytics, including how we use, evaluate, and question the use of that data.

Is there any discussion about a hybrid parking rate?

I encourage you to visit the Parking webpage for more information, including alternatives to monthly parking (such as daily parking). I recognize that it’s hard and we’ve tried over the last few years to reduce these costs, but everyone needs to make the best choice based on their current needs.

Do you have any updates on the June 8 team day at Lighthouse Point Park?

A save-the-date was included in our last issue of IT Update and a Microsoft Outlook calendar invitation has been distributed.

I am hearing feedback that there aren’t enough electric charging stations. Have you heard about that?

I haven’t, but I encourage you to visit the ECVS webpage for more detail and/or contact Parking and Transit for additional questions related to charging stations on campus.

Can you share information about how we’re doing with hiring?

The market is starting to soften, and our hiring is continuing along with good results. In fact, we have the fewest openings that we’ve ever had since I’ve been at Yale, which is a great sign. This is, in part, due to IT leaders who have supported our hiring efforts, including the early career programs. We have also been supported by the New Haven Hiring Initiative (NHHI) and our HR partners, who have helped to transition interns to employees. I appreciate the way many of you are “leaning in” on our new approach to hiring, which creates movement in the organization by promoting from within.

How do we compare to peers in terms of the balance of contractors to staff?

When I first started at Yale, the ratio of contractors to full time employees (FTEs) was much higher. We still rely on contractors for project-based/temporary work because project work comes and goes, and it is hard to determine if we will need FTE assistance in the long run. We have been thoughtful about how we use resources, and I don’t think it’s out of line with how our peers are managing the balance.

The next IT LT meeting is scheduled for April 26, from 9-10:30 a.m.