IT Risk Program

The IT Risk Program focuses on ensuring data and systems are managed in professionally-operated data center environments; laptops and desktops are managed with common standards and reporting practices; and University web properties are secure, accessible, and well-maintained. The IT Risk Program spans three broad areas:


Data Centers

Server rooms and their machines will be secured through a process of inventory, risk review, remediation, and in some cases, relocation. This work reduces the likelihood of data breaches, operational downtime, and data loss.

End-User Devices

End-user devices will be secured through common practices such as firewalls, antivirus software, encryption, and back-up. These practices guard against external breaches and protect the privacy of research and University data, especially in an era of zero-day exploits.

Web Properties

Web Properties will be secured through policies and resources which address site patching, upkeep, accessibility, and brand observance. These processes protect the online reputation of the University.

Reducing Risk for Data Centers and Information Systems

The Data Center Consolidation Initiative lowers the University’s overall technology risk by ensuring that computing infrastructure and institutional data are secure. Through this initiative, IT partners across campus gain support to inventory, assess, and secure the systems managed within their environment. The collective term used for these systems and servers in University policies and standards is “information systems”. The Data Center Consolidation Initiative includes an assessment based on a series of interviews, a survey that collected self-reported data about compliance with new data center and information systems management standards based on NIST 800-53r4, and the implementation of InsightVM, a vulnerability scanning tool that identifies security issues. Upon completion of the assessment, a final report containing the major risks identified, a maturity score, and recommendations for improvement is delivered to each unit participating in the Data Center Consolidation Initiative. Later efforts will ensure that the hosting facilities housing these information systems are appropriately located.

Standards

The Information Systems and Managed End-User Device Standards and the Information Systems Physical Environment Standards can be reviewed on Box.

Scope
System Role     System Management            In Inventory   In InsightVM / In Scope for Physical Standards
Administrative  Unit IT Staff                Yes            Yes
Research        Unit IT Staff + Researcher   Yes            Yes*
Research        Researcher                   Optional       Optional

*discuss exceptions to InsightVM scanning with IT Security by emailing itrisk@uchicago.edu

Reducing Risk for End-User Devices

Through the End-User Device Initiative, IT Services is leading a collaborative process with unit IT partners across campus to socialize, clarify, and implement a set of end-user device standards and policies. The standards and policies are largely finalized and awaiting governance approval. As such, IT Services has begun to work with unit IT partners to assess their end-user device management practices. Data collected will be used to focus future efforts within units and provide a baseline understanding of the overall campus technology risk environment.

The IT Risk Program’s End-User Device Initiative worked with unit IT partners and faculty to revise and ratify the primary end-user device policy governing the configuration and upkeep of computers used for University business. When the revised policy is ratified, it will provide a current and common practice for keeping University computers secure. In order to provide an accurate answer to the question “How secure are the University devices?” IT Services and unit IT partners across campus that manage device fleets will be expected to regularly report on their device inventory.

In November 2019, IT Services began coordinating the monthly reporting of staff desktops and laptops. The initial goal of the effort is to determine the overall level of staff device encryption. (When devices are stolen or lost, encryption provides peace of mind about the data on those devices. Staff devices routinely contain more sensitive data than faculty devices and were therefore made the initial focus.) Moving forward, IT Services will broaden the reporting efforts to include encryption levels of faculty devices and more details on compliance with the baseline policy tenets.

Standards

The End-User Device Policy can be reviewed on the IT Services Policies website.
The Information Systems and Managed End-User Device Standards and the Information Systems Physical Environment Standards can be reviewed on Box.

Reducing Risk for Web Properties

The University has more than 5,000 web properties operated by schools, divisions, departments, centers, and individual faculty, staff, and students. The Web Properties Initiative is focused on developing a robust set of standards and policies to ensure that these websites and applications remain secured against malicious exploits (as determined by security standards, hosting standards, and website registration guidelines), maintain a baseline level of ADA accessibility, and follow University standards for the use of University domain names.

The initiative has completed an upgrade of the platform hosting key web properties and continues to remediate and retire platforms as needed. Additionally, IT Services has established a team to form the Center for Digital Accessibility, which will support unit IT partners on campus in improving the ADA accessibility of their web properties. The Center for Digital Accessibility has worked with a vendor to complete an accessibility assessment of the University’s key web properties. The team is currently reviewing the assessments and will work with site owners to determine appropriate remediation plans.

Further, University Communications and IT Services worked together to revise and develop streamlined, policy-friendly web development choices. This website, the UChicago Website Resource Center, provides valuable information to help campus community members set up a new website or update an existing website.

For more information related to any of the IT Risk Program, email: itrisk@uchicago.edu.