Secure UD Initiative
In January 2014, UD Information Technologies (IT) launched the Secure UD initiative as a way to heighten the University community's awareness and understanding of computing and information security topics. Since then, the Secure UD initiative has expanded to include several programs and technologies, all of which help raise the University community's awareness of the need to keep personal and University information safe. UD IT has coordinated the improvement of the University's information security posture by working with departmental and college IT staff, directly with employees and students, and with selected third-party vendors.
Activity reports over the past three years have mentioned many of IT's security improvements—even before IT launched the Secure UD initiative. The information below summarizes the progress made in several initiatives since our last activity report and highlights some upcoming improvements.
Since the spring of 2014, IT has been offering Secure UD training—a modular online program that is now the University's primary information security awareness tool. Through education about key security topics, this program empowers faculty and staff to make security-conscious decisions to protect themselves, their work, the community, and the University as a whole.
This year, Secure UD training is being released in phases (one each in January, April, and September) to help reinforce security topics throughout the year. Employees will be able to complete the training in three short work sessions rather than in one long session. The completion rate for the first phase of 2016 Secure UD awareness training exceeded that for the entire 2015 training program by 24%. Even though phase two has only been available for a month, its completion rate is 3% higher than that for the 2015 training. IT has received positive feedback about the new phased approach and the updates our vendor (SANS Institute) has made to the training modules.
Have you completed your Secure UD training yet?
Secure UD Threat Alerts
IT also maintains the Secure UD Threat Alerts blog, which provides bulletins about information security threats seen on campus, including phishing scams targeting the University community.
Since 1995, new students have completed a brief course on cyber citizenship and responsible computing when they create their email accounts. Known as the Electronic Community Citizenship Examination (ECCE), this course was designed to ensure that all incoming students have a basic understanding of their computing responsibilities at the University.
In keeping with its ongoing mission to improve computer and information security awareness across the campus community, IT has retired the ECCE and is preparing to release the Secure UD Student Agreement. This improved, student-oriented responsible computing tutorial will reinforce key security topics and safe computing habits for all new students. Its content reflects the new direction of the University's policies and best practices for academic, professional, and personal computing.
IT will send email to students who created their UDelNet accounts after ECCE was retired. These students will be required to complete the Secure UD Student Agreement when it becomes available.
Desktop Security Training
IT hosted a half-day Desktop Security Symposium on April 27. Jason Cash, interim vice president for IT, began the event with a keynote for the nearly one hundred IT professionals in attendance. Sessions focused on the information security policies being developed as part of the Secure UD initiative and on how best to secure data, shield clients' desktops from attack, and increase overall security without hindering workflow.
A series of follow-up sessions is being planned based on feedback from a questionnaire distributed after the event. The series will start with LAPS (Local Administrator Password Solution), an Active Directory-based utility that randomizes and stores local administrators' passwords. Other topics will include AppLocker and BitLocker deployment, an open discussion of the information security policies currently being formulated, and a unified approach to managing security on Mac OS X-based machines.
Included in the Secure UD initiative are several security updates that improve the way members of the University community access their online accounts and UD services.
- PIN retirement
In April, IT rolled out a security update that required employees and students to update some of their security settings. PINs are being retired in favor of longer, stronger passwords, thereby enhancing the security of employee and student accounts. This update also makes it easier for members of the UD community to manage their own security settings and sets the stage for future security enhancements. As of May 10, approximately 30,000 UD community members have retired their PINs and completed this security update.
- Two-factor authentication (2FA)
Two-factor authentication (2FA) is a simple but powerful way to safeguard your UDelNet account and all the online information in your care. Over 1,800 UD employees have signed up for 2FA so far. Beginning on or about May 17, employees and faculty members who have not yet registered for 2FA will be reminded to do so when logging in via CAS. Employees will see periodic reminders until they have registered for 2FA.
Have you signed up for 2FA? Employees and faculty members are invited to follow this simple process to enroll and set their preferences. Using 2FA provides an extra layer of protection for UDelNet accounts, for an employee's personal information, and for any University information entrusted to that employee's care.
- New VPN security requirements
On June 15, the University will require that people use 2FA when signing in to UD resources using Virtual Private Network (VPN) connections. Additionally, on June 15, faculty, staff, and students who log in to Copland or Strauss from off campus will be required to use a VPN connection.
- New UDelNet password requirements
In April, the University strengthened the requirements for new UDelNet passwords; new passwords must now conform to the following rules:
- Passwords must include 12 to 30 characters (formerly 8 to 30 characters).
- Passwords must include at least one character from three of the following categories:
  - Lowercase letters
  - Uppercase letters
  - Special characters and punctuation.
- Passwords must not be based on a dictionary word or be an obvious variation of a word or phrase associated with the University. (New rules check for passwords like "BlueHens2020," which technically meet the length and character requirements but are too obvious at the University of Delaware.)
Beginning in November 2016, the University will also begin requiring that passwords be changed every 15 months.
These updates to UD's password requirements will make employee and student accounts more secure against hackers.
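The password rules above can be expressed as a small validator. This is an added example, not UD's actual checker. It assumes digits form a fourth character category (the page says "BlueHens2020" meets the character requirements), and the word lists and function names are constructed for illustration.

```python
import re

# Assumption: the page lists three categories; digits are treated as a
# fourth because the page says "BlueHens2020" meets the character rules.
CATEGORIES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed sample lists; a real deployment would load a full dictionary
# and a maintained list of institution-related terms.
UNIVERSITY_TERMS = {"bluehens", "bluehen", "delaware", "udelnet"}
DICTIONARY = {"password", "welcome", "sunshine", "football"}

# Undo common character substitutions before comparing against word lists.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def core_word(password):
    """Reduce a password to the word it is built on, if any."""
    s = re.sub(r"[\d\W_]+$", "", password)   # drop trailing digits/punctuation
    s = re.sub(r"^\d+", "", s)               # drop leading digits
    s = s.lower().translate(LEET)            # p@ssw0rd -> password
    return re.sub(r"[^a-z]", "", s)          # drop separators between words


def check_password(password):
    """Return the list of violated rules; an empty list means it passes."""
    problems = []
    if not 12 <= len(password) <= 30:
        problems.append("length")
    present = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(present) < 3:
        problems.append("categories")
    core = core_word(password)
    # Exact match for dictionary words, substring match for institution
    # terms so that prefixes such as "Go" do not hide them.
    if core in DICTIONARY or any(term in core for term in UNIVERSITY_TERMS):
        problems.append("guessable")
    return problems


if __name__ == "__main__":
    for candidate in ("BlueHens2020", "P@ssw0rd1234!", "maple-Quartz-7-lantern"):
        print(candidate, check_password(candidate) or "ok")
```
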
Secure UD branding
Moving forward, IT will use the Secure UD logo to increase the visibility of the Secure UD initiative and to make sure that security messages and offerings are delivered consistently. By increasing engagement with the University community, IT will ensure that University community members receive the tools and support they need to protect themselves, each other, and the University.