Information Security Services (ISS) ensures the confidentiality, integrity and availability of the University’s IT resources and data, protecting them from intentional or unintentional compromise, misuse, loss or damage.
ISS approved a three-year strategic plan in 2018 that focuses on: lowering WVU's risk exposure to network vulnerabilities, phishing URLs, malicious software, and loss of sensitive data; updating our identity and access management solution; ensuring that all students and staff are aware of cybersecurity best practices; effectively managing technology risks to the University; establishing technology governance for the University; and ensuring the privacy of personal information of students and employees.
FY20 accomplishments include:
- Information Security. Improved the Work from Home security strategy; increased IDF scan coverage to include GLBA data on specific devices; cleaned up 5,357 instances of malware; blocked 1,606 exploits on endpoints; blocked 42,635 URLs; and blocked 39.3 million spam emails from showing up in University inboxes (52% of total emails received). Assisted in the implementation and monitoring of a VPN solution for the COVID-19 work from home strategy. Migrated the network vulnerability system to a new, more robust platform. Improved the purchase assessment process by embedding IAM and other essential parties where necessary. Changed from a general monthly reporting process to a more targeted and specific process where issues are directly discussed with the appropriate administrators.
- Identity & Access Management. Implemented federated access for dues-paying alumni, retirees, and authorized high-school students to access specific University systems using school-provided credentials or personal email/social media accounts instead of being provisioned a WVU Login account. Added the InfoSec security quiz to all account claims and password resets. Worked with 20+ IT units and vendors to improve use of WVU Single-Sign-On. Implemented a maintenance procedure and started cleaning up account data in SailPoint. Continuing to collaborate with Shared Services, Talent & Culture, MAP, and Banner teams to establish better access termination procedures as part of employee offboarding.
- Governance, Technology Risk, and Compliance. Implemented new policies designating the University as a HIPAA Hybrid Entity and naming those University Health Care Components subject to compliance with HIPAA; established an Identity Theft Detection and Prevention Program; and identified that the University will follow the NIST Cybersecurity Framework to secure and protect its resources. Established a Technology Risk Management program based on the NIST Cybersecurity Framework and began a campus-wide technology risk assessment. Worked with Student Financial Services and Payroll to complete Phase I remediation efforts for GLBA compliance.