Every day, tens of thousands of attacks target computers, printers, and mobile devices at the UW-Madison. While firewalls prevent many of these malicious attempts, one web site per week and an average of 2-3 machines are hacked every day. Staff in the Office of Campus Information Security (OCIS) are working with campus IT personnel to develop a plan to stop even those few and help the campus community put security controls in place to protect personal data and intellectual property.
The IT Security Baseline Initiative helps departments and schools on campus identify and analyze what security gaps exist in their basic protections. They then devise a plan for which actions to take to mitigate the gaps and further protect the campus from attackers.
The goal of the Initiative is to get all machines on campus to implement a baseline of security measures to prevent intrusions According to Jim Lowe, Chief Information Security Officer at OCIS, less than 5% of the over 50,000 computers on campus are adequately protected. The first step is for OCIS to work with IT staff at schools and colleges to assess where they are vulnerable. Once the assessment is complete, OCIS will help the departments to plan what needs to be done to fully protect the computers and, if needed, help implement the proposed solution. Finally, OCIS will help the IT teams put into place an automated updating process that ensures the software is updated every 30 days at a minimum.
With a directive from the Provost, all schools and colleges will be required to take part in the Baseline. This includes those that have small, centralized IT teams and others that have dispersed IT staff that are hired individually by faculty for specific projects. Once all campus departments have done an assessment, the Security Baseline team will draft a plan to address campus-wide security gaps, including the time and resources needed to close them.
The focus on developing a campus-wide plan that identifies resources need is helpful to IT directors like Rhonda Davis of the School of Veterinary Medicine (SVM). Davis says that the staff at SVM has always been security conscious and has put a lot of security controls in place. “The biggest challenge is dedicating the staff resources to getting everything in place and going forward.”
The initial analysis takes about 90 minutes. When Eric Giefer, Director of IT at the Law School, went through the process, he found it was “helpful to gather a list of servers and web apps ahead of time as well as policies for those servers and web apps.” He adds, “(OCIS has) been a tremendous asset in helping us find and deploy the resources we need to keep Law School computers secure. Anything that helps them to provide those resources I’m happy to help with.”