IT Security & Policy

Mark Bruhn

Indiana’s Mark Bruhn says he’s heard nearly every song and dance about campus IT security. Check below: Is he playing your song?

Mark S. Bruhn is Indiana University’s CIO and chief IT Security and Policy officer, working in the Office of the Vice President for Information Technology, where he advises the university administration on technology deployment and usage, especially in the critical areas of policy and security. He is also associate director of the IU Center for Applied Cybersecurity Research (CACR) and chairs the CACR-sponsored annual Indiana Higher Education Cyber Security Summit (www.cacr.iu.edu). In addition to his work at IU, Bruhn is a member of the Executive Committee of the Educause/ Internet2 Task Force on Network and Systems Security, co-chairs the Task Force’s Security Awareness and Education Initiative, and is involved in various other efforts to improve IT security in higher education. In other words, if it’s about security and policy, Bruhn is there.

10 - Sensitive data: here, there, and everywhere

  • Get rid of sensitive data ASAP: not collected, not compromised.
  • If it must be collected/kept, store it on a secure, well-maintained computer.
  • Don’t store it on workstations; secure a central computer, not thousands.

9 - Before you accuse me…

  • Make everyone responsible for his own computer/account/password security.
  • Require them to ensure only appropriate people have access to their data.

8 - Communications breakdown?

  • Rethink sensitive e-mail not encrypted before it’s sent out as an open postcard.
  • Give users a method to communicate sensitive info (PGP, secure Web drop-off).
  • Require antivirus software on all workstations, servers, e-mail relays—anywhere e-mail and documents are handled.

7 - Just what I needed!

  • Help your organization realize: Security is a cost of doing business.
  • Recognize that poor management of systems (i.e., configuration errors or lack of maintenance) accounts for most security breaches.
  • Make sure techs are given adequate resources to manage and secure IT systems.

6 - The “seeker”

  • Remember: Crackers use readily available automated scanners to scan entire networks daily for vulnerable systems and services.
  • Determine: If crackers are doing this, your organization’s techs should, too.
  • Remove vulnerabilities: Where they could afford privileged access to the system, a complete rebuild is critical.

5 - Set them free

  • Understand all programs running on servers.
  • Stop programs/services not truly required, to reduce vulnerability exploitation.
  • Consult security guides and documents available at vendor Web sites.

4 - Silence is golden

  • Realize: Weak passwords are still a common route to compromised computers.
  • Require strong passwords (not dictionary words!) on every computer.
  • Remind users: Passwords shouldn’t be shared with anyone, even support techs.

3 - Change the locks

  • Don’t forget physical protection of IT systems—often overlooked, but critical to IT security plans.
  • Restrict physical access to critical servers; don’t, and logical security is useless.
  • Provide adequate climate control for all critical servers.

2 - Real, real gone…

  • Remove all traces of personal and business data from storage media (e.g., hard drives) before reassigning the device.
  • Accept it: Deleting files/reformatting a hard drive d'esn’t remove stored data.
  • Techs should use wiping utilities, degaussing, or destruction to securely remove all data remnants.

1- Show me the way

  • Remember: An organization can’t begin to protect critical systems and functions without first knowing what technologies have been deployed.
  • Once technologies and their interrelationships are clear, spot associated risks.
  • Once risks related to technology are identified and prioritized, put your money where the risks are.

Featured

  • network of transparent cloud icons, each containing a security symbol like a lock or shield

    Okta, OpenID Foundation Propose New Identity Security Standard

    Okta and the OpenID Foundation have announced the formation of the IPSIE Working Group — with the acronym standing for Interoperability Profiling for Secure Identity in the Enterprise — dedicated to a new identity security standard for Software-as-a-Service (SaaS) applications.

  • UIUC Study: AI Agents Can Exploit Cybersecurity Vulnerabilities

    In a new study from the University of Illinois Urbana-Champaign (UIUC), researchers demonstrated that large language model agents can autonomously exploit real-world cybersecurity vulnerabilities, raising critical concerns about the widespread deployment and security of these advanced AI systems.

  • IBM and Microsoft Partner on Cloud Security

    IBM and Microsoft have announced a "strengthened cybersecurity collaboration" aims at fortifying their joint customers' cloud environments.

  • scene in a cybersecurity operations center, showing an AI and a human competing head-to-head

    91% of CISOs Say AI Will Outperform Security Pros

    A new survey of CISOs by Bugcrowd indicates AI is already beating security pros in some areas and is expected to take on a larger role in the future.