Your social security number will be more secure in UW-Madison’s system once the university unveils its new Cybersecurity Risk Management Policy, which looks to protect other vulnerable information like legal and health data and research.
The policy, which was approved in March 2018, will focus on sorting information currently stored in UW-Madison databases into categories that measure risk level. Once the data is organized, officials will be able to protect information from potential threats more efficiently.
“We need to know where our data lives, where it plays and who can play with our data,” explained UW-Madison Chief Information Security Officer Robert Turner.
UW-Madison has dealt with breaches in cybersecurity in the past. In 2016, for example, a hacker infiltrated a database that held the social security numbers of a group of former UW-Madison law students.
There have been instances of hacking since technology became a widespread form of university data storage. In 2009, 40 computers in the Chemistry Department were hacked, even after a 2008 audit that called for UW System schools to create policies for keeping cyber data safe.
These and other instances, along with a push at the national level, helped people understand the real demand for a cohesive cybersecurity policy, Turner said.
Under the new policy, university data will make the following journey: It will be sought out, sorted and analyzed, and then necessary measures will be taken to monitor and protect it.
Students and faculty will not have to take direct action in response to the plan unless they work with systems that hold university data. In that case, they would partner with the Office of Cybersecurity and take action in compliance with the Risk Management Policy.
However, all students and faculty should take cybersecurity seriously, according to Nicholas Tincher, chief information officer in the Office of the Vice Chancellor for Research & Graduate Education.
“Cybersecurity is everyone’s responsibility; students and faculty should discuss systems and data they use with those who they know own them,” Tincher said.
The new policy will add structure to the security work that has previously been done by UW-Madison IT and DoIT tech teams.
Data will be sifted into four categories — Restricted, Sensitive, Internal and Public — which denote the data’s level of risk. Risk can be conceptualized as the amount of damage that would occur if that information were to be compromised or lost, and the level is decided through a multi-step process that involves mathematical algorithms and reviews by various officers and executives.
The data is classified into risk levels so that security officials can determine who has access to the data and what security precautions should be taken to protect it, according to the Implementation Plan Faculty Document. Simply put, classifying the data helps security officials decide where to focus their energy as they take measures to protect data from threats like hackers.
Restricted information could come in the form of students’ health records or social security numbers, faculty research or certain financial and legal information.
Since Restricted information is sometimes very personal, privacy issues have been a concern during the lengthy deliberation surrounding the policy’s implementation.
For example, faculty researchers may have specific aspects of their research that they do not wish to turn over to the Office of Cybersecurity, which some professors will be required to do so that their data can be filed within the risk management system.
However, the Office of Cybersecurity has strict expectations around the privacy of research, and focuses on broader systems, not specific data.
“For research data that is classified as restricted, the data won’t be handed over to the Office of Cybersecurity. Rather, the Office of Cybersecurity will work in partnership to protect the system in which the data is stored,” explained Tincher.
UW-Madison’s cybersecurity policy isn’t unique: Nine out of the 14 Big Ten schools have similar approaches, Turner estimated. In addition, the university’s risk management plan is similar to one that the federal government recently approved.
Although the framework is not a new idea, applying it to a diverse campus like UW-Madison is the challenge, said Secretary of the Faculty Steve Smith.
The new cybersecurity policy will be phased in over a period of years, Smith said. According to the Plan’s timeline, the sorting of Restricted Information should be complete by 2019.
“We have to be one step ahead of people with malicious intent, while using technologies that are often confusing,” Turner said. “That’s a pretty big burden on the cybersecurity team, but this policy is a big step in the right direction.”