Information Assurance

FY2024 Accomplishments

Worsening cyberthreats, more abundant and distributed data, changing regulations, and the advent of AI are all good reasons to pay further attention to cybersecurity in 2024. Incorporating effective cybersecurity into the institutional DNA by making it a core institutional competency can instill the needed continuous investments and practices.

2024 EDUCAUSE Top 10: Institutional Resilience

Improving U-M Security Posture

“Information assurance is a shared responsibility and every member of the U-M community has an important role to play in protecting U-M's digital assets,” said Sol Bermann, ITS’ former Executive Director of Information Assurance and Chief Information Security Officer.

Throughout FY2024, the ITS Information Assurance team (IA) actively partnered with unit IT colleagues to protect the university’s valuable IT resources and data. The team also began aggressively blocking systems with critical vulnerabilities that had not been remediated within established timeframes.

In addition, IA continued identifying and blocking insecure remote access protocols that had the potential to open U-M systems, data, and individuals to a cyberattack.

IA worked closely with Health Information Technology & Services (HITS) to begin the process of moving Michigan Medicine users to one common password in FY2024, making their work simpler and U-M data more secure. Over 19,667 Michigan Medicine users are now using one common password.

In spring 2024, IA deployed a self-service open-source tool, PlasmaPup, that supports review and cleanup of Active Directory accounts.


Evolving Security and Privacy Technology

Cosign, a web-based single-sign-on solution, developed at U-M in 2001 and widely adopted across academia, was officially retired in fall 2023. In partnership with all U-M units and many ITS colleagues, tens of thousands of sites were transitioned away from Cosign. “Cosign retirement is a significant milestone that paves the way for the implementation of advanced IAM functionality in the future,” said DePriest Dockins, Director of Identity and Access Management.

Following the university’s 2020 adoption of CrowdStrike Falcon as the enterprise enhanced endpoint protection service for U-M devices, IA continued to add capabilities, such as CrowdStrike Falcon Complete. This capability provides 24/7 managed detection and response support from CrowdStrike, with their analysts acting as an extension of the IA Security Operations Center. The CrowdStrike service has been deployed on over 120,000 machines across all U-M campuses, including Michigan Medicine.

In February 2024, IA completed a smooth transition to enable U-M Weblogin to use the Duo Universal Prompt for two-factor authentication. The new prompt delivers a more streamlined, intuitive, and accessible login experience.

In line with U-M’s commitment to protecting and respecting privacy, IA, in collaboration with the Office of the Vice President for Communications (OVPC), released a new cookie consent and preference management solution for U-M websites in February 2024. The solution allows users to opt in or out of analytics and advertising cookies and has been deployed on a number of U-M websites.


Continuous Community Engagement

IA is committed to spreading the message of shared responsibility for protecting IT resources and data, and creating cybersecurity and privacy awareness across the U-M community and beyond.

The annual celebration of Data Privacy Day spanned the winter term and included a keynote by Carnegie Mellon University Professor Alessandro Acquisti and a 40th-anniversary screening of the film adaptation of George Orwell’s 1984 with a U-M faculty panel discussion at the Michigan Theater.

The annual Cybersecurity+Privacy Challenge for U-M students was held in January 2024 with the goal of promoting IT security and privacy best practices. Nearly 6,000 students across all U-M campuses participated. Forty students won awards ranging from $30 to $300.

In addition to hosting events, IA publishes content and curates news on cybersecurity and privacy topics in service to the U-M community, higher education, and the general public. In FY24, the team published 19 security alerts, advisories, and notices; 9 phishing alerts; over 30 Michigan IT News articles; and 3 Safe Computing newsletters with over 40 articles. In addition, we posted over 2,000 curated articles from global media outlets.


Reinforcing Focus on Information Assurance

In February 2024, IA organized and hosted an ITS-wide Disaster Recovery Tabletop exercise. This all-day working session tested how well ITS can organize failover and recover its systems in an emergency situation. “Over 50 people from across ITS participated, and I have heard nothing but positive feedback from those who attended,” said Ravi Pendse, Vice President for Information Technology and Chief Information Officer.

In April 2024, IA welcomed more than 50 Security Unit Liaisons, unit IT Directors and friends of IA for an Open House event to showcase IA capabilities and reconnect the security community.

In the spring of 2024, IA also released a Cybersecurity Checklist for IT Professionals, which outlines security and privacy best practices for Michigan IT staff, and curated a Secure Coding curriculum for developers across U-M.

Safe Computing, the go-to website for IT security and privacy information for the U-M community and the general public, was refreshed and reorganized in FY24. “The Safe Computing website is a huge resource for getting information and staying compliant,” says Sonam Yadav, Data Security Analyst/IT Security Specialist, U-M Facilities and Operations.


IA Looks to the Future

In FY25, IA will focus on:

  • Embarking on a transformation of the university’s Identity and Access Management ecosystem.
  • Emphasizing a security-first mindset for ITS and Michigan IT through new educational resources and enhanced engagement.
  • Driving even more widespread adoption of security tools, such as CrowdStrike, Tenable, and InfoAssure (OneTrust).
  • Improving alignment with security requirements, such as vulnerability remediation and risk mitigation.
  • Continuing to engage in public programming to provoke thought and conversation on security and privacy topics.
  • Continuing to be a leader in internship program coordination and engagement.