DCE101: Cybersecurity and Data Protection at U-M
Welcome to Cybersecurity and Data Protection at U-M
In this course you will learn about:
- Your role in protecting the university's digital resources
- Recognizing, classifying, and protecting U-M data
- Staying safe online and avoiding scams
- Protecting your devices and accounts
- Reporting IT security incidents
Let's get started.
Protecting university data is a shared responsibility
The University of Michigan has a multi-faceted mission to "serve the people of Michigan and the world" and to develop "leaders and citizens who will challenge the present and enrich the future." This mission is powered by an ever-expanding information technology ecosystem, which is increasingly under attack.
You work with data as part of your job. This means you share in the responsibility of safeguarding the university's digital resources, as well as the privacy of others.
You could encounter sensitive university data when you:
- Teach a course
- Work in a lab
- Attend a work meeting
- Email with colleagues
Protecting university data is a daily shared responsibility. Fortunately, across U-M there are resources, tools, and processes to help you handle U-M data appropriately and securely - like this course!
Sensitive Data at U-M
U-M has four data classification levels that help determine the level of protection needed to access and work with sensitive data.
- Low: Publicly available information on websites and directories
- Moderate: Sensitive data, such as non-public personal information, student education records, building plans, and more.
- High: Highly regulated data, such as protected health information, Social Security Numbers, and student loan applications.
- Restricted: Data subject to the most stringent regulatory requirements, such as credit card information, and information regulated by the Federal Information Security Management Act (FISMA).
Knowledge Check
Question: What type of classified data includes protected health information, Social Security Numbers, and student loan applications?
- Low
- Moderate
- High
- Restricted
Answer: The correct answer is High.
Each type of institutional data requires varying security measures. The university has policies, standards, and data protection programs that define the safeguards to be used, including the actions you should take.
You can protect the university in your daily work
As a member of the U-M Community, you have an explicit responsibility to protect the university's data and digital resources. The following guidance can help you fulfill this responsibility:
- Access data only if you need it to do your job at U-M.
- Share data only with those authorized, who need it to do their job at U-M. If a request for access to a Google Doc or data comes from someone you don't know, do not share it.
- Use the Sensitive Data Guide to find approved IT services for collecting and storing specific data types, like student records, Social Security Numbers, and personally identifiable information.
- Use U-M devices for work. If you must use a personal device, secure it appropriately and minimize the institutional and research data on it. Consult the Sensitive Data Guide to ensure you only work with data permitted for use on personal devices.
- Follow guidance on the Safe Computing website to comply with U-M IT Policies and Standards, such as Information Security (SPG 601.27) and Responsible Use of Information (SPG 601.07).
- Remove data and dispose of devices safely and securely when no longer needed.
- Report security incidents via email to security@umich.edu. This includes actual or suspected security incidents, such as stolen login credentials, lost devices containing sensitive U-M data, and unauthorized access to U-M systems.
After your completion of this course is recorded in My LINC, you will be emailed links to important resources.
Knowledge Check
Question: What resource should you consult before storing or working with sensitive data on a system or service?
- Sensitive Data Guide
- Registrar's Office
- Procurement Office
Answer: The correct answer is the Sensitive Data Guide.
Question: To whom do you send an email to report a security incident?
- ITS Service Center
- security@umich.edu
- Office of the Vice President and General Counsel
Answer: The correct answer is security@umich.edu.
Way to go! Now you are familiar with the classification levels for institutional data, along with important practices for safeguarding it.
Next, let's dive into how to stay safe online and protect your devices.
Stay safe online
You may not think that your U-M account is a target for threat actors, but it is! Your university login credentials provide access to important university services and assets, such as:
- Institutional data, and information about yourself and others at the university.
- Data storage and collaboration services (Google Drive, Dropbox, etc.) that contain sensitive information.
- Your email account and information which can be used to gain further access into U-M systems.
It's important to learn how to keep yourself, and the information you work with, safe online. This includes being aware of the tactics threat actors use, and knowing how to avoid getting tricked.
Beware of phishing and scams
Threat actors seek to profit from U-M digital resources, disrupt university operations, and cause reputational damage to the institution. They invent increasingly sophisticated ways to steal valuable assets like passwords, sensitive personal information, and even research data.
How do threat actors try to trick you?
Threat actors often use psychological persuasion or tricks to lure you into sharing sensitive information, downloading malicious software, allowing remote access to your device, or sending money. Scams are designed to manipulate your emotions and take advantage of how busy you are, so you will be caught off guard.
Common scam tactics
Examples of common scam tactics include:
- Urgent opportunities: "Urgent! Limited time opportunity." Threat actors apply pressure hoping that you make a bad decision to give them what they want.
- Threats or accusations: "I should warn you that you are now complicit..." To prevent outside action on your part, threat actors try to isolate you from others by making you feel complicit in their activity.
- Requests for payment: "I need a gift card for an expense." Threat actors frequently ask for gift card numbers, payment using nonrefundable services like Zelle, or they try to trick people into paying a refund for a check overpayment.
- Repeated attempts: "Checking in again..." Threat actors work to wear you down so you eventually give in to their requests.
- Impersonation: "Paid research opportunity from Prof. Smith." Threat actors mimic the branding and messaging of U-M or popular vendors to gain trust.
Common scam examples
Scammers regularly send phishing emails to target faculty, staff, and students at universities, including the University of Michigan. You can look up recent Phishes and Scams on the Safe Computing website. Examples and tips to avoid them include:
- Fake invoice scam:
- Check the sender's email address; also, unfamiliar email endings are suspicious.
- Familiar brands and logos are used to try to gain trust.
- Watch out for unexpected notices of invoices, shipping or payment.
- Don't call the number - they try to steal your personal or bank information, or your login credentials. If you aren't sure, use the contact info on the official company website.
- Fake login scam:
- The real U-M login page begins with weblogin.umich.edu/.
- Invitations to access a "secure document" sent using a legitimate service, such as DocuSign, may include a link to a fake login page.
- If an individual enters credentials into the login page, they are received by the threat actor and can be used fraudulently.
- Fake form:
- Designed with U-M branding to gain trust.
- Only enter your U-M Login ID (uniqname) and UMICH password on the official U-M Weblogin screen (begins with weblogin.umich.edu/) or UM-managed Microsoft Office 365.
- Do not enter Duo passcodes into any forms other than the official Duo screen.
- Google warns you not to enter login credentials in Google Forms. Pay attention to warnings.
- Tech support scam:
- Don't give anyone remote control of your computer unless you know who you are dealing with.
- They impersonate tech support representatives to gain access to your computer and accounts where they can steal data, install malicious software, or change settings to maintain device control.
- Scammers call, text, or send popup alerts to your computer instructing you to call a telephone number and "get help" with a fictitious problem with your device or account.
Report phishing and scams
If you receive a suspicious email, text, or voice message, send the entire message, or a description of the message, to ReportPhish@umich.edu. When you report phishing, you help ITS Information Assurance update anti-phishing defenses, including threat intelligence, to protect others at the university.
Next, let's look at some best practices for protecting your devices and accounts.
Best practices to protect yourself and the U
Now that you have a better understanding of the manipulative tactics used by threat actors, be sure to follow these best practices when working with data at U-M:
- Use U-M-managed devices for work whenever possible.
- Protect your device and connection if you use a self-managed or personal device for work. Minimize the amount of institutional data on the device, and delete it as soon as it is no longer needed.
- Do not allow a third party to have remote access to your U-M device. Only allow known support providers (U-M IT staff, the ITS Service Center, or the HITS Service Desk at Michigan Medicine) to use remote access to assist you.
- Don't install software, plugins, drivers, etc. of unknown or untrusted origins.
- Beware of unexpected shared docs, especially if they link to a website that asks you to enter your login credentials.
Test Your Knowledge
Question: What should you avoid downloading if you use a personal device to do some of your work?
- personal information
- annual performance reviews
- institutional data
Answer: The correct answer is institutional data.
Question: Do not allow a third party, other than a known U-M IT support provider, to do what to your U-M device?
- to have remote access
- to send promotional material
- to send email newsletters
Answer: The correct answer is to have remote access.
Let's look at more ways you can protect your devices and accounts.
Protect your devices and accounts
Disclosure of sensitive information is often unintentional. Data breaches are caused by common mistakes, such as lost portable devices or stolen login credentials. Therefore, putting best practices in place and maintaining them is an important part of protecting devices and accounts.
What can I do?
Securing devices and accounts means more than just keeping them in a safe place. Best practices for protecting your devices and accounts include:
- Store your passwords securely:
- Don't write your passwords on a sticky note at your desk. If you need to write down or store passwords, do it securely. Do not leave them where others can see them or find them.
- Consider a password manager to store your passwords in an encrypted file so that you don't need to remember them.
- Apply software updates as soon as possible:
- Software and browser updates are essential because they often include fixes to vulnerabilities that can be exploited.
- Review security settings and preferences for the browsers and software you use. If possible, set them to update automatically.
- Use secure networks:
- Secure your connection by using the U-M Virtual Private Network (VPN). Depending on your campus:
- Please contact the ITS Service Center if you need help connecting to a VPN on your device.
- The Michigan Medicine network has its own VPN server. Visit the Health Information Technology & Services (HITS) website to learn more about using the Michigan Medicine VPN.
- UM-Flint also has its own VPN.
- Back up your data:
- All U-M units and research programs are required to back up university data to ensure that no data is lost in a security incident.
- Backups are highly recommended for faculty and staff, particularly if workstations contain intellectual property and cannot be recreated in a satisfactory timeframe.
- Backups are recommended for all systems and workstations handling university data.
- Desktop Backup, powered by CrashPlan, is available to all MiWorkspace customers and all non-MiWorkspace supported faculty on the UM-Ann Arbor campus at no charge. Temporary employees, non-uniqname (i.e., shared) accounts, and non-MiWorkspace support staff are eligible to use Desktop Backup through their unit as a toll service.
- Keep your UMICH password unique:
- The UMICH password creation tool helps you create a strong password with length and complexity requirements, but there are steps you should take on your own to protect it:
- Don't reuse it with any services outside of the university. This is crucial because a data breach on an external service would be a vulnerability for U-M if you used the same password.
- Make it easy to remember with a passphrase. Or use a password manager to keep track of the different passwords you are asked to create.
Stay up to date on best practices
See Secure Your Devices on the Safe Computing website for a complete list of best practices for keeping your devices and accounts secure.
Test Your Knowledge
Question: What should you use if you are accessing sensitive data while working off campus?
- free WiFi
- a personal device
- the U-M VPN
Answer: The correct answer is the U-M VPN.
Question: Which two of the following are best practices when protecting your devices and accounts at U-M?
- Always keep extra batteries on hand.
- Set software and browsers to automatically update.
- Set software and browsers to update when you go on vacation.
- Keep backups for individual workstations.
Answer: The correct answers are to set software and browsers to automatically update and keep backups for individual workstations.
Report IT security incidents
All users of university IT resources must report all suspected or actual IT security incidents, regardless of severity, to security@umich.edu.
An IT security incident is attempted or actual:
- Unauthorized access, use, disclosure, modification, or destruction of information.
- Interference with information technology operations.
- Violation of explicit or implied acceptable use policies.
Examples include:
- Stolen UMICH login and password.
- Ransomware and computer virus infection.
- Changes made to university systems or data without permission.
- Loss or theft of equipment with sensitive university data.
- Disruption of the proper functioning of technology resources.
You're almost done! Next is the course summary.
Course summary
You should know how to:
- Describe your responsibilities as a steward of the university's most important digital assets.
- Recognize sensitive institutional data and protect it appropriately.
- Stay safe online by maintaining awareness of scams, and leverage best practices to secure devices and information.
Now it's time to review a summary of your data protection responsibilities.
Understanding Your Data Protection Responsibilities
As a member of the U-M community, you work with important digital resources and have a shared responsibility for ensuring the security, integrity, and confidentiality of university data.
Here is a summary of your data protection responsibilities that are a key part of your job at U-M:
- Comply with all applicable University of Michigan IT policies and standards, and state and federal laws and regulations, such as FERPA and HIPAA.
- Follow U-M security guidance to ensure the adequate protection of university data from unauthorized access, disclosure, or destruction.
- Preserve and strengthen the integrity of the university's digital assets and actively discourage unsafe digital practices.
- Maintain the highest ethical standards for handling university data in a manner that is consistent with the values and primary missions of the university.
- Report actual or suspected IT security incidents to security@umich.edu.
By completing this training course and the following assessment, I attest that "I understand my responsibilities for protecting university data."
Assessment
Next up is a ten-question assessment. You need to score 80% to pass. You may retake it as many times as you need. Note that course completions for the accessible assessment are recorded in My LINC on a weekly basis. If you receive an automated My LINC email within the week reminding you to complete the training, you may disregard the notice. After your completion is recorded in My LINC, you will receive an email containing links to the resources mentioned in this course (plus a few more!), so that you can bookmark them for future reference.
Take the course assessment now.
Please fill out a short course evaluation to tell us about your experience with this eLearning course.