Q3 -- awaiting content

Information Services & Technology

IT Security Services Team Quarterly Report - Q3 FY09
 

I. Accomplishments/Continuing Work

 

Basic RT Metrics

-          Security : 380 Tickets
-          DMCA : 443 Tickets
-          Stopit : 73 Tickets
-          Infoprotect : 20 Tickets
 

Customer Care Activities -- Awareness / Outreach / Communications

-          Collaborated with VPF area on options for file service (Windows Server 2k8)
-          Developed Information Security Road Show materials
-          Met with full staff of DITR to discuss Procedures for Malware Infected Machines (where sensitive data might be present).
-          Drafted information on Electronic Communications Risks (request from VP IST and Ombuds Offices)
-          Initiated review of revised Infoprotect web pages
-          Presented MIT's experience during National Cyber Security Awareness Month to the Boston College Security Camp meeting.
-          Advised MIT students/alum on activity related to IvyAnalytics and their beatingcollegeadmissions.com efforts [external complaints from IT Sec and Admissions Offices around the country].
-          Began content development & design structure of IS&T Security & Privacy web pages
-          Archived Security-FYI Newsletter within Hermes
-          Met with Computing Help Desk to discuss our forensics process and other security measures
 

Computer Security / trusted technical resources

-          Continuation of high-priority vulnerability scans, notably of MS08-067 prior to, and after, the release of Conficker-C, etc.
-          Met with Lincoln Lab Security group to discuss areas of mutual interest and identify areas for collaboration.
-          Met with subset of LL security as part of their encryption product selection efforts related to PGP.  [In the end, LL did not choose PGP.]
-          Presented to HR course "Essentials of Managing" on IS&T Services as well as on various computer and information security topics.
-          Provided technical assistance to OGC on preservation/imaging related to patent infringement suit.
-          Continued to refine the notion of a Security Risk Assessment "service"; still lacking key business models piece.
-          Participated in PCI project team evaluations of a) SolidCore product, decision to not acquire;  b) McAfee product, decision to recommend.
-          Spoke at IvyPlus IT Security Officers meeting on promoting security during difficult financial times

Data

-          Provided detection, initial response, analysis and/or machine forensics for data incidents in DUE, DSL, CEE, IS&T SAIS.
-          Facilitated Data Incident Response Team (DIRT) review of two difficult cases, which were ultimately determined to NOT have resulted in a data breach
-          As directed by OFC, began to compile a set of principles to be used in future data incidents where forensic analysis seems to be indeterminate.
-          With OGC and Audit, co-presented three IAP sessions to MIT community on Handling Sensitive Data (~200 persons attending)
-          Attended public hearing on Mass. Data Breach Law and Regulations

-          Met with senior MIT leaders to map out a new communications strategy for MIT community and students on this topic in light of changes in Federal Law (HEOA), MIT's Office of Student Citizenship, etc.

Stopit

-          Met with Ombuds Office to discuss developments related to cyberstalking and related harassment cases, and MIT's possible responses to these.

Policy

-          Provided assistance to ISDA team developing Collaboration Accounts Policy related to TouchstoneNetwork.Net.

Compliance

-          HIDP project wrapped up with software acquisition for PGP Desktop, software release project and stabilization of operational environment for PGP Universal Server
-          With cross-MIT team, completed FTC Red Flags compliance efforts
-          With cross-MIT team, continued to work on analyzing how MIT should approach creation of a comprehensive, written information security program, most recently mandated by State of Massachusetts (but previously required by GLBA, PCI DSS, etc.)
-          Met with Offices of General Counsel and Student Financial Services to develop plan for compliance with information dissemination elements of HEOA amendments to the HEA law.
  
 

II. Predictions / Possible Items to Docket

Customer Care Activities -- Awareness / Outreach / Communications

-          Complete content development and rollout of IS&T Security & Privacy web pages in preparation for site's July 1 launch

-          Develop a strategy to reach a wider audience (get more subscribers) for the SFYI Newsletter

-          Develop a plan to roll out a "Protecting MIT Data" course in next 6 months

-          Improvement of InfoProtect website based on new regulations information

-          RT Followup: Using RT as a gauge for awareness and method to provide education to clients

-          Develop a process for recommending security software to the MIT community

Computer Security

-          Determine what we're doing, put it into writing - totally transparent privacy policy!
-          Review the goals of IT Security Services - what we do, why we do it, and what resources and authorizations we need, with particular attention to cross-directorate dependencies
-          Follow up with clients receiving security alerts through RT in response to vulnerabilities detected on their machines to make sure they are taking the correct measures.

Data

-          Select and recommend Sensitive Data Finder tool for MIT
-          Select and recommend Secure File Erasure tool for Windows platform

Copyright

-          Complete content for SFS consumer information on copyright
-          Review HEOA requirements for technological methods
-          Implement the sending out of 2nd and 3rd offense letters
-          Re-establish network blocks for non-responders according to MIT policy
-          Evaluate copyright/P2P quiz tool for awareness/educational purposes

Stopit

-          Continue conversation with MIT Ombuds, and other key stakeholders, on the long-term goals of the Stopit service

Policy

-          Modify/enhance existing MIT policy 13.2 regarding encryption, and augment with IS&T standards and guidelines on implementation
-          Begin drafting policy for forensic evidence

Compliance

-          Assist in advancing MIT's effort toward a sustainable comprehensive written information security program.

III. Issues

 We have started to collect known and emerging issues in our operational activities in Jira.  Most of these are not surprises to other teams in IS&T that are involved, but in most cases, only informal conversations have occurred.  We need to begin to address these more formally, and either remediate them, or document the causes for no remediation.
 

Summary from JIRA

Inaccurate Moira host records

Inaccurate (DHCP) host registration records

IS&T Web Server usage logs not accessible to ITSS

Significant flow loss around 5am every morning

Loaner laptop program: purging of MAC address registrations

Recovery instructions from OS compromise (and OS clean install instructions) need improvement

Periodic (tactical) IST Security Scans

Netflow exports we receive are not inclusive and not representative of MIT critical infrastructure (e.g. OC11 datacenter, W91 datacenter, SIP infrastructure).

W92 and OC11 datacenter firewalling

Integrity and availability of DHCP logs

Lack of corrective action for MS08-067 hosts (repeat notices and no action)

Tor exit node policy and practices

  


Q2 -- already submitted


(this space evidently left blank)
