Information Security Compliance - Information Technology

Project Planning Team

Executive Sponsor: Anne Milkovich, CIO

Project Sponsor: Anne Milkovich, CIO

Project Managers: Victor Alatorre, Mark Clements, Laura Knaapen

Technical Team Members: Dan Petersen, Christian Beck, Eamon Bauman, Michael Brunn, Michelle Loker, Ricky Johnson

 Contact IT

  Phone: (920) 424-3020
  Email: helpdesk@uwosh.edu

Status: 2/22/19

  • The Oshkosh campus default is that computers do not have administrator rights.
  • Duo, multi-factor authentication, is being pilot tested by IT staff.
  • If you have not completed your Information Security training, your account will be locked.

Information Security Compliance

UW System has provided all UW campuses with five Administrative Policies and three Procedures on Information Security. These policies and procedures are mandatory for all UW campuses. The five policies and three procedures are listed on the IT Policies web page.

During the Spring semester IT completed the Authentication procedures regarding password requirements for the university NetID account. As part of the Legislative Bureau audit, several small projects were identified for IT to work on. The projects are listed below in priority order. Additional projects may be required based on the new UW System two-year Info Security plan.

| Project/Policy | Semester to Start Work | Status | Recent | Next |
|---|---|---|---|---|
| Enforce mandatory security training. | Spring 2018 | Operational | Employees out of compliance will have their accounts locked | Improve system automation by connecting to Canvas |
| Student employees cannot use generic, shared accounts. | Summer 2018 | Operational | Account creation semi-automated. | |
| Immediate access removal upon employee separation from university or role. | Summer 2018 | Operational | Process maps are set. | Verify process is working appropriately. |
| Remove administrative rights from desktop computers. | Fall 2018 | Operational | Admin rights are no longer the default. | Outline new request and annual renewal processes. |
| Auditing desktop computers for high risk data. | Fall 2018 | In Progress | Technical requirements have been met | Communicate rollout of service to campus |
| Move all high risk data to encrypted storage. | Fall 2018 | In Progress | O365 is the current recommendation for storing high risk data that must be shared. | Further progress depends on migration from Google to O365 |
| Require multi-factor authentication to access high risk data. | Spring 2019 | In Progress | Testing product and processes on IT staff. | Prepare documentation, training, and campus communication. |
| Teach use of account delegation so email passwords are no longer being shared | Spring 2019 | In Progress | KnowledgeBase article created. Testing with IT Classroom Tech email account | Review test results. Rollout to campus. |
| Review all enterprise applications to document security and dependencies | Spring 2019 | In Progress | | |
| Communicate with past emeriti to verify relationship with campus and need for accounts | Spring 2019 | Not Started | | |
| No longer allow physical, wired attachment of non-university devices. | Spring 2019 | Not Started | | |
| Bring Gmail into compliance for password policies | Summer 2019 | Planning | | Plan migration to Office 365 |
| Increase offering of security awareness education. | Summer 2019 | In Progress | Security is included in employee orientations. | Move from Lawroom to Canvas |
| Auditing employee data access through formal approval and renewal procedures. | Fall 2019 | Not Started | | |
| Desupporting local hard drive storage. | Fall 2019 | Not Started | | |
| Shift all full-time employees who maintained their student account to the employee account scheme. | Fall 2019 | Not Started | | |
| Provide student accounts to employees taking classes | Fall 2019 | Not Started | | |

Next:

  • Contact shared, departmental email accounts to help them switch to email delegation rather than password sharing.
  • Information Security Training for UW Oshkosh retirees.
  • Respond to all audit concerns.