Identity Finder Scans Begin Aug 1 – Reminder

3 07 2014

Information Security Officer Adam Edwards sent out a reminder email to all faculty this week about Identity Finder automated scans, which are set to begin for University-provided faculty desktop machines (Windows only) on August 1. Here’s his reminder:

Starting on Aug 1, 2014 the Information Security Office will begin conducting weekly scans of faculty PCs to locate restricted data. These scans will only be conducted on University provided machines. This is an effort to protect University data and prevent data loss as described in the email notice below.  If you have Human Research data, please ensure it is encrypted prior to Aug 1 2014. These weekly scans have already been rolled out to staff and TAG members.

If you have any questions please email security@scranton.edu

Thanks

Adam Edwards

You can take a look at TAG’s Identity Finder FAQ for Faculty to help prepare, and definitely refer to Adam’s instructions for encryption with 7-Zip if you have sensitive or confidential data to protect!





Encryption with 7-Zip – Instructions

3 07 2014

So there was a bit of internet shock earlier this summer when a surprise announcement came out that the widely used encryption utility TrueCrypt was no longer being developed. Previously, our Information Security Office had recommended TrueCrypt as a tool for encrypting personal and confidential information, like human subject data. Now that TrueCrypt has been discontinued, Security Officer Adam Edwards passed along some instructions (.docx) for using an alternative (also free and open source) encryption tool, 7-Zip.

Adam warns:

**One caveat with this option is that there is no central management.  This is important because if a user loses their password the data will be lost. Manual recovery procedures will need to be put in place to ensure there is alternative access in the event of an emergency.  If no manual recovery procedures are put in place and the password is lost the data will be lost.**

Please contact Information Security with questions or concerns. Thanks to Adam (and Information Security Engineer Scott Finlon) for watching out for us!





Identity Finder scans to begin Aug 1

29 05 2014

Reposting an all-faculty email from Information Security Officer Adam Edwards:

Starting on Aug 1, 2014 the Information Security Office will begin conducting weekly scans of faculty PCs to locate restricted data. These scans will only be conducted on University provided machines. This is an effort to protect University data and prevent data loss as described in the email notice below.  If you have Human Research data, please ensure it is encrypted prior to Aug 1 2014. These weekly scans have already been rolled out to staff and TAG members.

If you have any questions please email security@scranton.edu

You can also refer to TAG’s Identity Finder FAQ for Faculty.





TAG feedback on draft BYOD Strategy

21 05 2014

At our May TAG meeting, Calvin Krzywiec (Assistant Director of Network Security & Engineering) presented a draft version of a BYOD Strategy (Bring Your Own Device).  We promised Cal a written compilation of feedback to inform the next draft of the report.  Since the TAG meeting, I’ve also been discussing the draft Strategy with several other interested faculty members, and I’ve done my best to compile all of these conversations in an annotated copy of the draft. These notes represent a sampling of individual faculty members’ reactions and should not be considered an authoritative response from the faculty as a whole.

I believe the draft Strategy bears significant implications for teaching, learning, research, and the faculty work environment, and I’ve recommended that the document undergo careful review by the full Faculty Senate. (As the current Senate Liaison, Dave will share our feedback in a report to the Senate Executive Committee.)

I’d also like to invite additional comments and concerns from all faculty. If your exam week/senior week schedule permits, please take a look at TAG’s written response (annotated PDF) and let us know your thoughts.

[Update: Here’s a summarized comments view of the same annotated PDF.]





TAG Meeting Notes 2014-05-07

7 05 2014

TAG Meeting May 7, 2014 12:00pm-1:00pm

Attendees:
Jeremy Brees, Tim Cannon, Teresa Conte, Kim Daniloski, Dave Dzurec, Tara Fay, Jim Franceschelli, Eugeniu Grigorescu, Calvin Krzywiec (guest), Andrew LaZella, Kristen Yarmey

TAG thanks Library Dean Charles Kratz for sponsoring lunch for our meeting today.

1. BYOD Strategy Draft

Calvin Krzywiec joined us as a guest to present and discuss a draft version of IR’s strategy for accommodating the BYOD (Bring Your Own Device) trend. Cal is Assistant Director of Network Security & Engineering and served as chair for the IR Strategy Group tasked with studying BYOD. The group is currently seeking feedback from campus stakeholders to incorporate into a final strategy.

Cal explained that the group’s objectives were driven by increasing demand among students and faculty for access to institutional services from personal mobile devices. The group’s top priority is supporting BYOD for teaching and learning, while a secondary priority is protecting the security of institutional data.

For teaching and learning (see p. 2-4 in the draft), IR’s BYOD objectives include:

  • Investigate and implement untethered teaching/learning solutions
  • Focus classroom upgrades on providing collaborative, flexible workspaces
  • Leverage virtual desktop/application technologies and client devices to reduce reliance on physical lab infrastructure
  • Leverage virtual desktop/application technologies to provide ubiquitous access to lab software resources
  • Investigate and implement secure electronic assessment solutions
  • Expand lecture capture to additional locations

The draft identifies several barriers to BYOD implementation that were also raised by faculty members in TAG’s informal survey on specialized software and computer labs.  These include:

  • Expensive licensing fees for specialized software
  • Potential disparities in student computer ownership
  • Inaccessible and/or limited power sources
  • Security for electronic assessment/computerized testing
  • High demand on wireless network

The draft strategy recommends partnership with CTLE to support faculty needs as well as engagement with faculty during the implementation of BYOD-related strategies. Jim said that IR will work with TAG to recruit faculty volunteers to test out tools and services. While the precise timeline for rolling out these changes isn’t yet determined, there are some pilot projects already in motion. Faculty members in KSOM are piloting software for securing a browser (for computerized testing) using lab computers running thin clients. Teresa noted that the Nursing department would be very interested in piloting computerized testing tools in McGurrin. IR also plans to pilot test untethered teaching/learning options in the fall – TAG will get more information on this in the summer. Tim volunteered to participate in this pilot. IR has already been piloting Panopto lecture capture and will be looking to add this capability to additional classrooms for Fall 2014. Mobile printing is also in process.

Regarding network and authentication issues: Cal said that IR will be replacing the Cisco NAC client with encrypted SSID authentication, so that users will be able to log in to the University network from their device without downloading and installing CNAC. Once a device has been logged in,  it will stay logged in – users won’t have to reauthenticate multiple times during the day to stay on the network.

The second half of the draft (p. 4-9) addresses faculty and staff devices. One issue addressed is primary computing devices (for most faculty, our desktop computer). While currently primary devices are purchased and provided by the University, alternative models such as reimbursement or stipends for equipment and software purchases could be discussed.

Secondly, in order to protect institutional data, the draft proposes a three-tiered mobile device management (MDM) system:

  • Mandatory: This tier applies to all University issued devices and requires an enrollment in a MDM system that enforces the implementation of technical controls on the device, such as lock code, lock when idle, remote wipe capabilities, device encryption, and potentially even location tracking for locating a lost device.
  • Optional: This tier applies to all non-corporate owned staff, faculty, and affiliate devices connecting to University systems, including email. Enrollment in the MDM solution is optional but the expectations of minimal technical controls and the requirement to notify PIR of a lost/stolen device are defined in institutional policy. Employees must agree to allow the University to wipe the device when it is lost/stolen or the employee separates from the institution.
  • Exempt: This tier applies to student devices. This tier has no requirements but offers guidance to students on how to secure their devices.

The draft proposes that a remote wipe could be partial rather than complete, “removing only corporate data.”

Kristen raised concerns about the Optional tier, which would apply to many faculty-owned mobile devices. Firstly, the exact definition of “corporate data” may need to be clarified. According to Appendix VIII (“Copyright”) of the Faculty Handbook, in most (but not all) circumstances, faculty retain copyright over works created as part of their normal teaching, research, and service duties – including research data, lecture notes, videos of lectures, syllabi, etc.  Kristen will look into existing University policies and documents to better understand what types of records (email?) would fall under this policy. Kristen also raised concerns about references to wiping data (including email) upon “employee separation,” which for faculty may take different forms (emeritus, phased retirement, terminal sabbatical, etc).

The BYOD Strategy Group will be compiling feedback into the next draft of the report. Kristen will write up summarized feedback from TAG’s discussion as a formal response to the draft document.

2. Brief Updates 

(The BYOD discussion took up most of the meeting, so updates were rushed.)

Identity Finder automated scans (Kristen)

Kristen has been working with Adam Edwards and Scott Finlon in Information Security to answer faculty questions about Identity Finder automated scans. Kristen has updated the Identity Finder FAQ with clarifications from Information Security.  There are still some faculty concerns about the scanning and reporting process (which was approved by the President’s cabinet back in June 2013); however, we have addressed as many as possible.

Information Security would like to begin the automated scans. TAG members present at the meeting felt ready to move forward with scanning faculty machines. Dave will report at this Friday’s Senate meetings that scans will begin. Kristen will work with Adam to coordinate a schedule and an all-faculty email notification.

Test Scanning Services (Jim)

Jim reported that IR will be changing the hours of Test Scanning Services effective Monday, May 12, 2014.  The service will continue to be provided from Alumni Memorial Hall, Room 001. Tests may be dropped off and results picked up Monday through Friday, from 8:30 am to 4:30 pm.  Based upon demand and operational requirements, immediate service while you wait may not be available.  IR will continue to strive to meet the needs of our customers and will provide a 24 hour turnaround of test scanning results.  Jim asked that faculty please plan accordingly as we approach the end of the Spring term.  Jim will contact regular users of the test scanning service with more details.

Desire2Learn (Eugeniu)

Additional Desire2Learn workshops are being planned for the summer – see CTLE’s workshop calendar for the updated schedule. Eugeniu also reminded TAG members that faculty should back up any student data (including grades, discussion forums, and dropbox submissions) in Angel that they wish to keep. Step by step instructions have been emailed out, but CTLE staff will also hold workshops on this during Senior Week for anyone who needs assistance. Student access to Angel will be turned off as of May 30, but faculty will have access until July 31. After that, data stored in Angel will no longer be available.

PR Department/Program Website Initiative (Dave/Teresa)

We ran out of time for in-person updates on this project. Lori had sent Kristen updates via email. Kristen will post these notes to the TAG site in a separate update.

4. Adjournment

The meeting adjourned at 1:05pm. TAG will not meet again as a full group until Fall 2014, but projects and communication (via email) will continue during the summer.

[Updated immediately after posting with correction to Cal’s title]





TAG Meeting Notes 2014-04-09

14 04 2014

TAG Meeting April 9, 2014 12:00pm-1:00pm

Attendees:
Jeremy Brees, Teresa Conte, Paul Cutrufello, Kim Daniloski, Dave Dzurec, Tara Fay, Jim Franceschelli, Eugeniu Grigorescu, Katie Iacocca, Andrew LaZella, Lori Nidoh, Sandy Pesavento, Kristen Yarmey

TAG members thanked Eugeniu and the CTLE for sponsoring lunch for our meeting (and for hosting us!).

1. Brief Reports/Updates

Desire2Learn (Eugeniu)

CTLE and IR will jointly host Desire2Learn Day on April 24, 2014 (more details in all-faculty email). The event will include Open Office Hours with D2L staff, workshops on using blogs, social media, Wiggio, and Panopto with D2L, and a presentation by faculty member George Gomez (Biology) on his experiences piloting D2L in Spring 2014. All faculty are invited. Most of the sessions are walk-in, but please register if you plan to attend the luncheon.

Eugeniu also reminded TAG members that faculty should back up any student data (including grades, discussion forums, and dropbox submissions) in Angel that they wish to keep. Step by step instructions have been emailed out, but CTLE staff will also hold workshops on this during Senior Week for anyone who needs assistance (see CTLE’s workshop calendar for dates/times). Student access to Angel will be turned off as of May 30, but faculty will have access until July 31. After that, data stored in Angel will no longer be available.

Identity Finder automated scans (Kristen)

Kristen has been working with Adam Edwards and Scott Finlon in Information Security to answer faculty questions about Identity Finder automated scans. Kristen wrote up an Identity Finder FAQ that she will update after getting final confirmation on a few questions from Information Security.  Kim mentioned that her department also had questions about performance and scheduling. Kristen will accompany Dave to the next Faculty Senate meeting to invite further questions or concerns.

WordPress (Kristen)

Following the discussion of WordPress at our March TAG meeting, Kristen and Dave met with Interim CIO Robyn Dickinson and Jim Franceschelli for a TAG update. Robyn and Jim explained some of the time constraints on IR staff members. TAG, the Library, and CTLE will continue to work with IR on this question. In the meantime, a faculty request for a WordPress blog was approved (thank you!). Jim said that WordPress was not yet an option in the Technology Support Center’s Footprints Service Catalog (tsc.scranton.edu), but he will follow up on this.

PR Department/Program Website Initiative (Dave, Teresa, Sandy, and Lori)

TAG members Dave, Sandy, and Teresa attended a meeting of the Committee on University Image and Promotion (CUIP) on March 17 to discuss PR’s department and program website initiative (see Teresa’s notes from that meeting, with additional comments from Dave).

Vendor Converge Consulting has been hired to assist in the preparation of content of about 50 program and department web pages, selected at that meeting. (See PR’s project announcement letter for a full update and list of departments/programs.) Each program/department has been asked to identify a representative who will meet with Converge during their campus visit on April 23-24. Lori noted that as of April 9, all but 2 representative slots had been filled. Dave emphasized that departments and programs will still have ultimate control over the content on these academic pages.

2. Items for Discussion

TAG Communication with Deans (Dave and Kristen)

At the invitation of Dean of the Library and Information Fluency Charles Kratz, Dave and Kristen met with members of the Provosts’ Advisory Board on April 3 to follow up on recent discussions of WordPress (the Interim Provost herself was not present due to the Kane Competition). Charles proposed that formal lines of communication be established between the Deans and TAG, to keep the Deans informed about academic technology issues. The other Deans in attendance (Conniff, Mensah, and Welch) agreed, noting that they would like to be better prepared for meetings about academic technology, with an understanding of how the technology could impact their colleges. Charles suggested that TAG meet once a semester with the Provosts’ Advisory Board for information-sharing.

Kristen and Dave shared this proposal with TAG members, with no voiced opposition. Kristen further proposed that TAG invite the Deans to contact a TAG member from their college to accompany them at meetings about academic technology in the future. TAG members agreed; Kristen will pass this invitation back to the Provosts’ Advisory Board.

TAG Membership and Leadership for 2014-2015 (Dave and Kristen)

As previously discussed, Kristen will step down as TAG co-chair at the end of the semester. Teresa Conte (Nursing) volunteered to serve in this slot (thank you!). There were no other candidates, so Teresa will start a two-year term as TAG co-chair in Fall 2014. Kristen will work with Teresa during the Summer to ensure a smooth transition. Dave will continue as co-chair in Fall 2014, and Andrew LaZella (Philosophy) will serve in Spring 2015 while Dave is on sabbatical.

Kristen asked TAG members to let her know if they do not plan to serve in 2014-2015. She also invited new members to join if interested.

Kristen and Dave will nominate Paul Cutrufello (Exercise Science) to serve as TAG’s Senate liaison for 2014-2015.

3. New Business

Royal News feedback (Lori)

PR is seeking feedback on Royal News, the weekly email/web newsletter for University students, faculty, staff, alumni, and community members. Lori asked TAG how best to solicit feedback from faculty. TAG members suggested coordinating a focus group with the Provost’s Office (perhaps as a Brown Bag session) as well as offering an online survey. Several TAG members noted that they liked Royal News and had no complaints or concerns. If PR puts out an online survey, Kristen will post it to the TAG site. Any faculty members who wish to share thoughts or comments (or participate in a focus group) on Royal News are encouraged to email royalnews@scranton.edu.

Heartbleed (Kristen)

Kristen shared Information Security’s update and recommendations regarding Heartbleed, a major OpenSSL vulnerability that has affected user privacy and security on many websites. The University’s main authentication service (CAS) was not vulnerable to this issue, and other servers and campus services are now all up to date. Information Security recommends, however, that users change their passwords for Internet sites and (especially if you reuse passwords) for my.scranton. Jim warned against reusing passwords and recommended KeePass as a password management tool.

IT Services Updates (Jim)

Jim provided a few brief updates on IT Services projects relevant to faculty:

  • Windows XP — IT Services aims to have all faculty desktop machines upgraded to Windows 7 before the end of the Spring semester. However, some faculty members aren’t returning calls to schedule an update. Kristen asked TAG members to remind their colleagues to respond to IT Services scheduling efforts.
  • Royal Cards — Old Royal Cards will expire on May 1, but there are still many faculty who have not gotten updated cards. TAG members will remind their colleagues to visit the Technology Support Center before the end of April to avoid being locked out of buildings, etc.
  • Internet Explorer 10 will be pushed out via KBOX before the end of the semester (upgrading from IE 8). Chrome and Firefox installations are currently up to date.
  • Java 7 has now been approved. Jim encouraged faculty to complete these updates in order to avoid security vulnerabilities or software incompatibility.
  • Funding for a campus-wide license for Panopto (a hosted lecture capture service) has been approved! IT Services is working with CTLE to integrate Panopto with Desire2Learn. TAG will work with IT Services in 2014-2015 to expand the availability of the service on campus. Kristen suggested that if IT Services knows approximately how much it will cost to add Panopto to a classroom, perhaps faculty members could apply for CTLE Technology Grants (or other funding) to speed implementation in their building/college.

As a follow-up question, Teresa asked Jim if student photographs could be integrated into Desire2Learn (for class rosters, seating charts, etc). Jim promised to look into this request.  [Post-meeting update from Jim (via email): “Unfortunately, I’ve been told this isn’t possible…  D2L does not have a provision to include photos in an automated upload from Banner. The D2L informed us that there was no way to do a bulk load of photos into D2L.  The only way to upload a photo into a student’s profile is for the student to upload it themselves. D2L is coming to campus later this month.  It might be a good question to broach to them… maybe we can get it on D2L’s development list.”]

4. Adjournment

The meeting adjourned at 1:00pm. TAG’s final meeting for Spring 2014 will be Wednesday, May 7 from 12pm-1pm in WML305. Network Engineer Calvin Krzywiec will join us to discuss IR’s drafted strategy for accommodating the BYOD (Bring Your Own Device) trend. Lunch will be provided (thanks to Library Dean Charles Kratz).





Heartbleed Update from Information Security

9 04 2014

For those that have been listening to the news about Heartbleed, here’s some information from Information Security Engineer Scott Finlon:

——————————————————

A major security vulnerability named Heartbleed was disclosed Monday night. The vulnerability affects a large portion of websites on the Internet and here at the University of Scranton that use OpenSSL to encrypt webpages (pages that start with https). SSL, or secure socket layer, is a cryptographic protocol which is designed to provide communication security over the Internet.

The security issue allows the stealing of information protected by SSL by stealing the private keys that protect the confidentiality of the information. Sites affected by the security vulnerability can have login credentials stolen as well as other data that would normally be protected by an SSL connection. In addition, once an attacker has the private key for a particular website, they can use the key to decrypt traffic previously sent to the server prior to the bug being disclosed.

Since Tuesday morning, the Information Security Office has been working with Enterprise Systems and other system owners across campus to ensure that their services are securely configured to mitigate risks associated with this issue.

The web servers that maintain CAS, the primary web-based authentication method used by campus services, were not vulnerable to this issue. Other campus services that utilize OpenSSL have been updated as quickly as identified, in order to mitigate the risk associated with the vulnerability.

Although we have no evidence that any University of Scranton sites have been compromised through this exploit, we do know that this bug has existed for 2 years before there was any knowledge of this specific vulnerability. We suggest you pay close attention to all your sensitive user accounts across the Internet and contact the owners of those related services if you have any questions.

Also, watch for fraudulent email claiming to be from companies with which you do business, as criminals will undoubtedly use this issue to create targeted phishing email messages to trick people into divulging their passwords.

If you have any questions or concerns about this issue, please feel free to contact the Information Security Office at <security@scranton.edu> or by calling the Technology Support Center at 570-941-4357.

Scott Finlon, CISSP GCIA GCIH
———————————–
Information Security Engineer
The University of Scranton
email : scott.finlon@scranton.edu
phone : 570-941-6168
———————————–




Identity Finder FAQ for Faculty

25 03 2014

[Note: Significant updates made on 2014-05-13, 2014-05-07, and 2014-04-24. Updates on scheduling and encryption on 2014-07-02.]

Back in April 2013, IT Services Director Jim Franceschelli and Information Security Director Adam Edwards came to TAG with a proposal to automate Identity Finder scans on faculty desktop computers. In June 2013, the President’s Cabinet approved the use of automated scans with Identity Finder on University-owned desktops as part of an overall Information Security Data Loss Prevention program. Then-CIO Jerry DeSanto sent an email announcement about the program to all faculty and staff on June 21, 2013, projecting implementation in December 2013.

Since then, Information Security has been working with TAG to pilot test the scans and try to smooth the process as much as possible for faculty. Automated scans have already started for staff, and Information Security would like to move forward with implementation for faculty machines. Currently, automated scans are scheduled to begin on August 1, 2014. Here’s what faculty need to know:

Why is the University doing this?

  • Data security is serious business for higher ed — we have ethical, legal, and financial obligations to protect the personally identifiable information that we have collected from students, faculty, staff, human subjects, etc.
  • If your computer or external media contracts a computer virus, is lost, stolen, or broken into over the network, files containing restricted information are at risk for theft. This information can be used to steal not only your money and identity, but also the money and identities of anyone else who either shares your computer or whose restricted information you store.
  • If you store restricted information for University work, the University would be obligated under state law to notify everyone affected by the breach and could potentially be legally liable.

Does this benefit me at all?

  • Identity Finder can help you protect yourself — use it to search for sensitive, unprotected information on your computer and then take an action (Shred, Scrub, Secure, Quarantine, etc) to secure that information. (Personally, an Identity Finder scan I ran on my machine found old documents containing my SSN that I had stored unencrypted in Google Drive… not smart.)
  • If your computer gets a virus, IT Services can clean and return it to you much more quickly and easily if they have a recent Identity Finder report for your machine.

What is Identity Finder?

  • Identity Finder is security software that scans your (Windows) computer for sensitive, unsecured Personally Identifiable Information (PII) stored in unprotected files.
  • If you run a scan on your machine, Identity Finder will give you a report showing what it found and where. It then gives you options to take action – you can shred the file, scrub (redact) information, secure the file, or move it to a quarantined location. You can also ignore false positives.
  • It works by looking for patterns – for example, a nine-digit number in the pattern ###-##-#### would be picked up as a possible Social Security number. If it picks up something that looks like a Social Security number but isn’t (a false positive), you can tell it to Ignore that result.
  • Identity Finder has been installed on all University Windows machines (via KBOX) since about 2009.
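
The pattern matching and false positives described above, as an added example (this is not Identity Finder's code; the product's actual detection rules are not given on this page). The names `scan_text`, `Finding` and `SAMPLE` are hypothetical, the sample text is constructed, and the structural SSN checks, Luhn checksum and ignore list are assumptions about how a pattern-based scanner can cut down false positives. It goes slightly beyond the FAQ's SSN illustration by also covering credit card numbers, another type the FAQ lists.

```python
import re
from dataclasses import dataclass

# ###-##-#### with boundaries so longer digit/hyphen runs are not matched.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn" or "credit_card"
    line_no: int   # 1-based line number in the scanned text
    masked: str    # match with all but the last four digits hidden


def ssn_is_plausible(area, group, serial):
    """Reject values that fit ###-##-#### but can never be a real SSN:
    area 000, 666 or 9xx, group 00, or serial 0000 are never issued."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value, keep=4):
    """Replace all but the last `keep` digits with 'X', keeping separators,
    so a report never reproduces the sensitive value itself."""
    n_digits = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - keep else "X")
        else:
            out.append(c)
    return "".join(out)


def scan_text(text, ignored=frozenset()):
    """Return masked findings; `ignored` holds exact strings the user has
    already reviewed and marked as false positives."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if m.group(0) in ignored:
                continue
            if ssn_is_plausible(*m.groups()):
                findings.append(Finding("ssn", line_no, mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            raw = m.group(0)
            if raw in ignored:
                continue
            if luhn_ok(re.sub(r"\D", "", raw)):
                findings.append(Finding("credit_card", line_no, mask(raw)))
    return findings


# Constructed sample document; none of these values belong to a real person.
SAMPLE = """\
Participant 14 SSN: 123-45-6789
Part number 000-12-3456 (fits the pattern, cannot be an SSN)
Test card on file: 4111 1111 1111 1111
Order reference 1234 5678 9012 3456
Training handout example: 078-05-1120
"""

if __name__ == "__main__":
    print("First scan:")
    for f in scan_text(SAMPLE):
        print(f"  line {f.line_no}: {f.kind:<11} {f.masked}")
    # The handout number is structurally valid, so only a human can rule it
    # out; after review it goes on the ignore list and drops out of the scan.
    print("After ignoring the handout example:")
    for f in scan_text(SAMPLE, ignored={"078-05-1120"}):
        print(f"  line {f.line_no}: {f.kind:<11} {f.masked}")
```

The part number and the order reference fit the pattern but fail validation, while the handout number passes every automatic check and is dropped only once it is on the ignore list.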

What kind of sensitive/restricted information are we talking about?

  • Restricted information is any piece of information which can potentially be used to uniquely identify, contact, or locate a single person. Restricted information is generally regulated by law or contract and often used for financial, medical, or research identification. (See the Information Classification Policy for additional info.)
  • Identity Finder looks for most types of Personal Identifying Information:
    • Bank Account Numbers
    • Credit Card Numbers
    • Dates of Birth
    • Driver’s Licenses
    • Passwords
    • Passport numbers
    • Social Security Numbers
  • Identity Finder is NOT looking for:
    • Email addresses
    • Mother’s maiden name
    • Personal addresses
    • Phone numbers
    • United Kingdom National Health Service Numbers, United Kingdom National Insurance Numbers, Canada Social Insurance Numbers, Australia Tax File Numbers
  • If you’d like to get a better understanding of what kind of information Identity Finder picks up, you can run a non-scheduled Identity Finder scan on your machine whenever you’d like.

What are automated scans? 

  • Right now, Identity Finder only scans your machine when you tell it to.
  • Information Security and IT Services plan to run weekly, automated Identity Finder scans (see the proposal for details) on all University (Windows) computers. The idea is that every Friday at noon, all University computers will automatically initiate an Identity Finder scan.

Where is Identity Finder looking? What folders/locations are scanned?

  • Automated scans include:
    • Local filesystems (like your C: drive) and local registry
    • Browsers
    • Attached devices
    • Email — If you use a local email client (e.g. Outlook or Thunderbird), Identity Finder will scan through the mailboxes that are cached on your computer. However, if you mainly use OWA or another method through a browser, you don’t have a locally cached copy, and Identity Finder won’t be able to scan it.
  • Scans do not include the R: drive or most other remote connections.
  • If you’d like to get a better understanding of what the automated scans will include, you can run a non-scheduled Identity Finder scan on your machine whenever you’d like.

What if I have sensitive/restricted/confidential information saved on my computer?  Like confidential human subject research data or client files?

  • ANY sensitive/restricted/confidential information that you are storing ANYWHERE should be encrypted! Without encryption, your data is vulnerable to attack, misuse, and all sorts of other bad things.
  • Information Security recommends using TrueCrypt (which is free and open source) to encrypt your data. Scott Finlon in Information Security wrote up some brief instructions (PDF) for encrypting a folder of files using TrueCrypt. Update 2014-07-02: Support for TrueCrypt was discontinued in 2014-05, so Information Security now recommends using 7-Zip – see instructions (.docx).
  • Information Security has been in ongoing conversations with the IRB about ensuring confidentiality of human subject research data and client files. Members of the IRB had expressed concerns that Identity Finder scans would violate the confidentiality of human subject data. The good news is that data encryption resolves this concern — encryption protects sensitive data from Identity Finder scans as well as from external malicious attacks.
  • Please contact Information Security if you have any questions about protecting confidential data.

How long do the scans take? Will this affect my computer or my work?

  • Identity Finder scans can take several hours if you have a large number of documents.
  • Thankfully, Identity Finder uses a search history to keep track of what files do and do not have matches. Because of this, the initial scan is much slower than subsequent scans, as it has to scan your entire hard drive. Each subsequent scan will only look at new files, changed files, and files that previously reported matches.
  • TAG members have been piloting automated scans since September 19, 2013. We ran our own scans first, and these often took quite a while. After the initial scan, however, subsequent automated scans have been speedy. So far, none of us have experienced any performance issues – the scans are essentially invisible to the user.

My computer went to sleep during the scan. What happens now? Can Identity Finder wake my computer up to scan?

  • Identity Finder scheduled scans are set locally, so they will only be invoked while the computer is on and running — they can’t wake up your computer.

What if I’m not on campus on Fridays and my desktop machine is turned off? What if I’m not on campus on Fridays but am using my laptop? 

  • Automated scans are currently scheduled in batch for Fridays at noon. They will run as long as your computer is turned on – whether or not you’re on campus (or on the University network).
  • If you are offline, the scan will run as scheduled. The report will be sent to Information Security once you reconnect to a network.
  • If your computer is turned off at 12pm on Friday (that is, if the scheduled scan is missed), it will begin with a randomized start time between 30 minutes and 120 minutes after the computer is back up and running.

What happens after the scan is done?

  • When the scan is done, Information Security will get a report from Identity Finder indicating the level of risk for that machine. The report includes the number of hits, but NOT the actual information that was marked as potentially sensitive – that is redacted. The reports show only a masked version of a potentially problematic file and the location where it was found. Reports are only viewable by the Information Security Director (Adam Edwards) and the Information Security Engineer (Scott Finlon).
  • Based on these reports, Information Security then works one-on-one with users, recommending that they delete the files (if they’re no longer needed) or move them to a more secure, encrypted location. (Adam said that he is working with staff with the most risk first — e.g., people with 1,000 hits or more.)
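
An added sketch (not Identity Finder's code, and not part of the original FAQ) of two behaviours described above: a scan history that lets later scans skip unchanged clean files, and a report that carries only hit counts and masked values. The SSN-only pattern, the size-and-modification-time change check and the sample files are assumptions made for the example.

```python
import os
import re
import tempfile

# Constructed detector: SSN-shaped strings only (NNN-NN-NNNN).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")


def fingerprint(path):
    """Cheap change detector: size and modification time, no content read."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns)


def scan(root, history):
    """Scan files under root, updating history in place.

    history maps path -> {"fp": fingerprint, "hits": int}.
    Returns (report, scanned): report lists files with matches, showing
    only masked values; scanned lists the paths actually opened.
    """
    report, scanned = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            fp = fingerprint(path)
            prev = history.get(path)
            # Skip only files that are unchanged AND were clean last time;
            # new, changed and previously matching files are re-read.
            if prev and prev["fp"] == fp and prev["hits"] == 0:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            # Keep the last four digits only; the raw value never enters the report.
            masked = ["***-**-" + m.group(1) for m in SSN_RE.finditer(text)]
            scanned.append(path)
            history[path] = {"fp": fp, "hits": len(masked)}
            if masked:
                report.append({"path": path, "hits": len(masked), "masked": masked})
    return report, scanned


def demo():
    """Run two scans over constructed sample files; return both results."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("TAG meeting Friday at noon\n")
        with open(os.path.join(root, "subjects.csv"), "w") as fh:
            fh.write("id,ssn\n1,123-45-6789\n2,987-65-4321\n")  # constructed values
        history = {}
        first = scan(root, history)
        second = scan(root, history)
        return first, second


if __name__ == "__main__":
    (rep1, seen1), (rep2, seen2) = demo()
    print("initial scan opened", len(seen1), "files;", rep1[0]["hits"], "hits")
    print("next scan opened", len(seen2), "file(s):", rep2[0]["masked"])
```
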

What if I have a Mac or Linux machine? 

  • Automated Identity Finder scans will only run on Windows machines.

When is this happening?

  • Automated scans are scheduled to begin on University-provided faculty desktop machines on August 1, 2014. (Information Security Officer Adam Edwards sent out a notification to all faculty on May 28, 2014 and a reminder on June 30, 2014).
  • Automated Identity Finder scans are already running on staff machines (and on TAG members’ machines).

What should I do to prepare?

Questions or concerns?

 





TAG Meeting Notes 2014-03-12

12 03 2014

TAG Meeting March 12, 2014 12:00pm-1:00pm

Attendees:
Tim Cannon, Paul Cutrufello, Kim Daniloski, Dave Dzurec, Tara Fay, Jim Franceschelli, Eugeniu Grigorescu, Katie Iacocca, Charles Kratz (guest), Sandy Pesavento, Kristen Yarmey

1. Lunch

TAG members thanked CAS Dean Brian Conniff for sponsoring lunch for our meeting. Dave thanked Mary Ann Maslar in the CAS Dean’s office for making the arrangements. Charles noted that he is willing to sponsor lunch at one of TAG’s remaining Spring 2014 meetings.

2. Items for Discussion

WordPress

Dean of the Library and Information Fluency Charles Kratz asked to come to a TAG meeting to speak about the campus WordPress network (sites.scranton.edu), which has been a topic of TAG discussion since 2011. (In preparation for today’s meeting, Kristen emailed TAG members notes summarizing the history of the campus WordPress network as well as a justification for the academic use of WordPress that former TAG co-chair Jeremy Sepinsky had composed for IR in Spring 2013.)

At our last meeting in February 2014, we received word from Jim that IR would not be expanding support for sites on the campus WordPress network until at least 2015. Subsequently, at the February 14 Faculty Senate meeting, Senator Terry Sweeney expressed concerns about access to the campus WordPress network. There was seemingly some confusion at the Senate meeting about CTLE’s role in the WordPress network and a misunderstanding that CTLE staff were responsible for determining which requests for WordPress sites would be approved, when this decision actually rests with IR staff.

Charles (who oversees both the Library and CTLE) has since met with IR and CTLE staff in order to seek clarification on the criteria and process for WordPress site requests, as well as to ascertain whether there might be a middle ground for supporting faculty use of the campus WordPress network. Charles noted that the CTLE, while currently very busy with the Desire2Learn transition, is interested in supporting faculty use of WordPress and would be willing to support a few pilot sites in fall 2014. He suggested that TAG might identify faculty who would be interested in a WordPress pilot in the near future, and advocated for transparency for faculty regarding the criteria and process for site requests.

Prior to today’s meeting, Kristen had asked Jim for IR’s criteria for reviewing requests for WordPress sites, which she then emailed to TAG members. These are as follows:

Blogs are available to the University community to provide an area for discussion and collaboration. The following criteria will be applied to these requests:

  • Blogs can augment University web sites on www.scranton.edu which are built in the Web Content Management System (CMS). They cannot be used as a replacement for a department or organization’s www.scranton.edu site.
  • Blogs are only for University-related purposes, not personal interests.
  • Only faculty & staff members of the University community can be given access to post to the blog site.
  • All blogs will be accessible for public view access.
  • The URL for the blogs will be in the form of http://sites.scranton.edu/blogname/
  • No redirects of the form www.scranton.edu/xxxx will be set up for blogs so they are not confused with University web site(s).

Related information:

  • Desire 2 Learn (D2L), the University’s Learning Management System, has blogging functionality that can be used as part of a course offering.
  • Faculty & staff desiring to use wordpress.com for other blogging services should refer to our policy website (www.scranton.edu/pir/policies.shtml) for the Guidelines for the Use of Cloud Computing Services.

Jim noted that IR has limited resources and has to weigh what services they can support. He also explained that since this is a new service, it has taken some time to develop the criteria for what requests could or could not be accommodated. For example, individual student blogs (as one faculty member requested) could not be accommodated due to the difficulty of maintaining an accurate user list for that class within WordPress – while the campus network is integrated with Active Directory authentication, it is not integrated with Angel or Desire2Learn, so class lists must be manually added and maintained for WordPress sites. (As a side note, Charles mentioned that CTLE is working with a few faculty members to test Desire2Learn’s blogging function for student blogs. Results have not been encouraging so far, but testing continues.)

Charles and Kristen asked for clarification on the site request and decision-making process. Jim said that WordPress site requests could be submitted via Footprints (tsc.scranton.edu) and promised to add a request to the service menu within Footprints. He said that Connie Wisdo, director of IT Development & Applications (ITDA), will review the requests and make a decision based on the above criteria. If the decision is clear-cut, the response will be immediate, but if a request falls along the edge of the criteria, there might be some delay to allow IT staff members to discuss it first. Charles asked if there would be an appeal process for a faculty member whose request was denied. Jim answered that appeals could be directed to him.

Sandy asked if faculty could use third-party (external) blogging or web development sites (e.g., Blogger or WordPress.com). Jim said that faculty were free to use whatever tools they liked, on the condition that they review IR’s Guidelines for the Use of Cloud Computing Services and consider potential threats to privacy or security of students or other participants. Kristen said that as a librarian she had significant concerns about the privacy implications of requiring students to use third-party cloud services for class projects. An advantage to the on-campus WordPress network is that site data remains on campus and under University administration rather than entering the commercial data tracking and aggregation marketplace.

Tangentially, IR now offers server space to faculty and academic departments, with roles and support responsibilities enumerated in a service-level agreement. IR provides the server environment, while the faculty member/department is responsible for installing/maintaining the applications they wish to use on the server. There is a one-time licensing fee charge for this service. Kristen asked Jim for more information about this service, as TAG had been previously unaware of it.

Discussions about WordPress and related service offerings will continue. Kristen and Dave will meet with Jim and Robyn Dickinson (Interim VP for Planning and Information Resources) on Monday, March 17, and separately will meet with Interim Provost Pat Harrington and the academic Deans (date TBD). Charles suggested that, in addition to working with Jim and IR directly and reporting to the Faculty Senate,  TAG should also communicate with the Deans and Provost to keep them informed of technology needs on campus.

To further facilitate communication among all stakeholders, Katie suggested that TAG remind the Faculty Senate and the rest of the faculty to share their concerns about academic technology with TAG, such that TAG members can continue to work constructively with IR staff. Dave will include this reminder (as well as an update and clarification on WordPress) in his report to the Faculty Senate this week.

Faculty Specialized Software/Computer Lab Questionnaire

Back in November, TAG sent out a questionnaire to all faculty to ask for input on their use of specialized software, computer labs, lecture capture, and learning management systems (Angel/Desire2Learn).

Kristen apologized for the delay in sharing results, but has finally finished a qualitative summary of faculty responses, shared here for preliminary review by TAG members. Only 52 responses were received, and respondents tended to be faculty interested in software/lab issues, so the sample did not seem representative. The summary is almost entirely qualitative, so anyone interested in performing a quantitative analysis should contact Kristen for access to the full data set.

Kristen asked that TAG members review the results and identify any action steps or areas for further research. 

3. Brief Updates

Identity Finder Automated Scans

Back in April 2013, Information Security Officer Adam Edwards brought a proposal for automated Identity Finder scans to TAG for consideration. At our February meeting, Adam Edwards and Scott Finlon from Information Security came to the second half of the TAG meeting to demonstrate the administrative side of Identity Finder automated scans, which non-Mac-using TAG members have been piloting since September. They also demonstrated TrueCrypt as their recommended tool for encrypting sensitive data (including confidential human subject research data, as Adam has discussed with the IRB).  Scott has since shared step-by-step instructions for TrueCrypt, which Kristen posted to the TAG site. Update 2014-07-02: Support for TrueCrypt has been discontinued, so Information Security now recommends using 7Zip for encrypting sensitive or confidential data.

Adam and Scott would like to begin the roll-out of automated Identity Finder scans for faculty desktops, starting with departments that would be unlikely to have confidential subject data stored on their computers. Scott sent Kristen a list of departments as they appear in Identity Finder (based on Active Directory groups) as a starting point. Kristen asked at today’s meeting for TAG member volunteers who were willing to confirm their department’s readiness to begin automated scans. Dave has already spoken to the History Department, and Kristen will speak with Library faculty at their next department meeting. Kim and Paul were willing to speak with their departments (Management/Marketing and Exercise Science) but asked for some additional information that they could refer colleagues to. Kristen will write up a summary/FAQ on Identity Finder for faculty and post to the TAG site for reference.

Kristen suggested that faculty members run their own Identity Finder scans  to understand the software and results (the software is already on all faculty PCs, via KBOX). Any sensitive data can and should be encrypted with TrueCrypt. Jim reminded the group that Identity Finder also helps IT Services deal with faculty computers that have been infected by malware — a recent scan confirming the absence of confidential data makes it much easier and faster for them to clean and return the machine.

There were a few remaining questions about the automated scan process, which Kristen and Jim will review with Adam:

  • Who exactly is included in a department group? Full time faculty, adjuncts, department staff (e.g., departmental administrative assistants)? Jim believes that the groups include *only* faculty members (including part time/adjuncts), but we will confirm this with Adam.
  • Automated scans are currently scheduled in batch for Fridays at noon. What happens for faculty members who are never/rarely on campus, with their laptop, at that time? (Katie noted that this is common among KSOM faculty.) Could an alternative scan time be scheduled? Or do scans begin the next time you turn on your computer?
  • What happens if you turn off your computer during a scheduled scan? Does it pick up where it left off when you turn your computer back on?

Departments that are ready to begin automated scans should contact Kristen and/or Adam. Adam and Scott are also available to answer questions about Identity Finder, TrueCrypt, or other information security issues.

Lecture Capture – Panopto Pilot

On Wednesday, March 5, Dave and Kristen attended a meeting with Jason Wimmer, Jason Oakey, Jim and Eugeniu for an update on lecture capture and the pilots taking place in PCPS this semester with Panopto. (Full notes from that meeting, summarized here, are on the TAG site.) 

IT Services began piloting lecture capture back in Fall 2012 with two installations of MediaSite (LSC334 and LSC433). TAG members Jeremy Sepinsky and Tara Fay tested out the technology in their classes. While there were some good things about MediaSite, IT Services discovered lots of complications that would make it difficult to scale and expand across campus (see Jason’s article in the Winter 2013-2014 IT Matters for more details).

As of Fall 2013, IT Services has been working with faculty in PCPS (Counseling, Nursing, and Education – including TAG member Sandy Pesavento) to pilot a different lecture capture technology – Panopto. Panopto is a hosted service, which makes installation faster and easier in comparison to MediaSite. IT Services set up 13 rooms in McGurrin, and already over 790 sessions/interviews/classroom scenarios/nursing simulations have been recorded. Feedback to date from faculty and students has been very positive – even enthusiastic. Sandy has been using Panopto in her education classes to record students teaching sample lessons. She invited interested faculty to visit one of her classes if they would like to see it in action. (As a reminder, on last spring’s ECAR survey on undergraduate students and information technology, 63% of our student respondents said they wanted their professors to use lecture capture.)

Our current license for Panopto only covers PCPS (where the pilots were taking place), but IT Services has put in a request to the FMC for a full campus license. IT Services plans to expand access to lecture capture across campus (potentially enabling 5-6 additional classrooms next year) and to integrate Panopto with Desire2Learn. Jason Wimmer will be giving a presentation on Panopto at an IT Forum on March 27 at 11:30am – all faculty and staff are welcome to attend (please register).

PR Department/Program Website Initiative

This project is on the agenda for the next meeting of the Committee on University Image and Promotion (CUIP), scheduled for Monday, March 17 from 2pm-3pm. In addition to regular CUIP faculty representatives Terry Sweeney, Abi Roy, Jack Beidler, and George Gomez, PR has also invited TAG to send representatives — Dave, Teresa, and Sandy will be there (and maybe Kristen).

It is not yet clear which department/program pages will be in the first wave of updates, nor is it clear who will make that decision. Katie noted that from KSOM, OIM department chair Nabil Tamimi was interested in participating in a department website update, particularly since OIM is a growing program and the home of the E-Commerce major.

TAG Leadership for 2014-2015

Kristen will be rotating off as TAG co-chair at the end of Spring 2014. Dave will continue as co-chair for 2014-2015, but will be on a Fulbright sabbatical in Slovakia (congratulations!) in Spring 2015. Andrew LaZella has volunteered to serve in Spring 2015 while Dave is away, but we are still looking for someone to begin a full two-year term as co-chair. Please contact Kristen or Dave if you are interested/willing. Dave noted that, pending the results of the Faculty Senate election, we should make sure that we have a Senate liaison for 2014-2015 as well.

Adjournment

The meeting adjourned at 1:10pm. TAG’s next meeting will be Wednesday, April 9 from 12pm-1pm, location TBA.





Encryption with TrueCrypt

8 03 2014

Update 2014-07-02: Support for TrueCrypt has been discontinued! Information Security recommends using 7Zip instead – see instructions (.docx).

——————————————————————————-

At our last TAG meeting, Adam Edwards and Scott Finlon from Information Security demonstrated automated Identity Finder scans as well as encrypting files with TrueCrypt (which is free and open source :). At our next TAG meeting, we’ll be starting to identify which departments can move forward with automated scans — so as a reminder, you’ll all want to make sure that any confidential or sensitive information stored on your desktop is safely encrypted.

Scott has sent along some brief instructions (PDF) for encrypting a folder of files using TrueCrypt — the first page is setup and the second is everyday usage. Please contact Information Security if you have any questions about encryption.

You can also run your own Identity Finder scan in the meantime – see IR’s Quick Guide if you need help getting started.

Many thanks to Adam and Scott for their guidance on this issue!