Successful payment-card review, new training: Cyber security grows in importance

If you teach or work at UC Davis, you should have received an email from Provost & Executive Vice Chancellor Ralph J. Hexter on Oct. 16 announcing that UC now requires cyber security awareness training for all faculty, staff, and student employees.


The change is just one of several that are improving the state of information security at UC Davis.

The training, mandated by the UC Office of the President, runs about 50 minutes and must be completed by Jan. 31, 2016. Look for an email from with instructions for accessing the materials via the UC Learning Center.

The other initiatives are not directly linked to the new mandate, but all step up the importance of cyber security in campus life. They range from lunchtime talks to the new focus of the campus Information Security office on helping units across campus identify and manage their cyber-security risks. Here's a rundown:

Free information security talk/Q&A

We'll start this list with the panel talk/Q&A, because it happens soon. Information Security is pulling together an informal lunchtime presentation on the current state of information security, and what it means for all of us at UC Davis. The event runs from noon to 1 on Oct. 27 in Kemper Hall, rooms 1127 & 1131. There'll be free pizza, until it runs out.

The speakers include Scott Springer, FBI supervising special agent in Sacramento, and campus Information Security Consultant Dewight Kramer.

The event, occurring during Cyber Security Awareness Month, adapts information presented at last June's sold-out IT Security Symposium on campus. Information Security plans similar cybersecurity presentations in 2016.

We passed the PCI test

To banks, UC Davis resembles one big merchant, with purchases occurring in venues as varied as the CoHo, the Mondavi, and small departments that accept online payments for event registrations. To guard payment transactions, the payment-card industry (PCI) has strict security standards that cover areas ranging from building and maintaining a secure network and protecting cardholder data to controlling access and managing vulnerabilities.

The growing volume of payment-card transactions has moved UC Davis to a higher level of scrutiny, and this year the campus had to be thoroughly reviewed by a qualified security assessor to meet PCI standards. The review found several deficiencies. Information Security worked with campus vendors to fix them, and in late September the campus met its compliance obligation.

UC Davis will need to continue to meet PCI standards, of course, which leads to the next subject ...

The expanding focus of Information Security

Previously, Information Security's team of analysts and programmers functioned more as a manager of security tools. Under Chief Information Security Officer Cheryl Washington, it has re-focused on compliance, risk management, threat intelligence and detection. It still administers tech security systems, but spends more time consulting and working with campus departments to help them detect and manage their own risks.

Hackers like to target higher education, security consultant Kramer said, because the typical university is rich with intellectual property and "has a Swiss cheese network. It's easy to get into the network, and then sit and wait to strike."

"IT security used to emphasize defense, such as strong walls and borders," Kramer said. "That still matters, but the focus now is more about having good internal detection." UC Davis is working to improve its detection systems and procedures.

Kramer's job includes meeting individually with campus IT leads and directors, to discuss risks, needs, and how Information Security can help. "I'm halfway through the campus org chart," he said. His posts on the subject include "The Merits of Patching," a recent article on the UC IT blog.

Surveying the status quo

To know where to put its time and resources, the campus must understand current conditions. As part of this review, UC Davis has revived the annual Cyber Security Survey. IT leads across campus are now working on completing the survey for 2015; responses are due Dec. 1.

The answers will help the Information Security group identify trends and find the areas with the most risk, so they can offer their services to help reduce that risk.

Other cybersecurity events and initiatives this year include the Security Symposium last June, the campuswide security assessment, and an awareness campaign that seeks to reach students through social media, events, and notices posted on Unitrans buses and at various campus locations (including the poster accompanying this article).

Look for more news about information security in the months ahead.