Information Security Office
The Office of Information Technology Information Security Office leads a robust cybersecurity program to support the university mission of research, teaching and outreach, and securely enable faculty, student and administrative needs. This includes support for university IT compliance efforts across regulatory and contractual agreements including GLBA, HIPAA, FERPA, PCI, NIST 800-171, CMMC, NSPM-33 and others.
Key elements of the cybersecurity program include:
- Annual security awareness training and monthly phish training for all employees, and supplemental cybersecurity training for select groups.
- Annual Risk Assessment and testing processes to identify and prioritize remediation for reasonably foreseeable internal and external risks to the security, confidentiality and integrity of university data.
- Data Classification program, per APM 30.11, to track and apply appropriate controls based on data classification and risk.
- Initial and periodic assessment of service providers through Vendor Security Assessments.
- Implement the incident response plan, including tools, services and timely response to and recovery from any material security events, as authorized by APM 30.14, Cyber Incident Response and Reporting.
- Implement policies, standards and procedures to enable ongoing success of the security program and all compliance goals.
- Facilitate the creation, tracking and auditing of individual System Security Plans (SSPs) when required for specific compliant systems or enclaves.
- Review and approve secure IT architectures, including required processes, safeguards, controls and mitigations to meet security and compliance requirements.
This security program is implementing controls and is monitoring for finalization of technical standards related to NSPM-33 cybersecurity requirements. See also:
- NSPM-33 FAQ for Department Grant Administrators
- Export Control and related training
- University International Travel
- Effective in 2022, Insider Threat training was incorporated into all employee cybersecurity training requirements. Additional relevant training is available through the Office of Research Assurances.
- For general security assistance
- For Research Cyber Support, including System Security Plans. Or email firstname.lastname@example.org
- To report a suspicious or malicious email, use the “Report Phish” button in Outlook.
- To report a security incident, email email@example.com or Open an Incident
Watchful UI is a newsletter from the Information Security Office discussing the latest vulnerabilities, alerts and patches. While designed primarily for IT professionals, it may be of interest to other computing users.
To subscribe, visit the University Communication and Marketing Email preferences page, under University Communications – Watchful UI.
The U of I Information Security Office and security program have been overseen by Chief Information Security Officer Mitch Parks (CISSP) since 2014. This includes designation as the qualified individual per GLBA 16 CFR 314.4(a), and HIPAA Security Officer per 45 CFR 164.308.