Two people working at a computer in a research lab.

Protecting our shared IT environment while preserving CU Boulder’s mission

Submitted by stauffeg
on

In the summer of 2022, our campus adopted Secure Computing Standards to ensure the sustainability and integrity of CU Boulder’s shared information technology (IT) environment. These standards are similar to the security standards adopted by many of our peer higher education institutions. This work, in addition to training and awareness, ensures that university data is protected while helping achieve the campus mission. In support of this work, there are a couple things you should do to strengthen the security of your university-owned computer(s) before the start of the fall semester.

To follow up the April Provost Post message about IT steps we all must take to protect campus resources, Vice Chancellor for Information Technology Marin Stanek answered the following questions from the Provost Post to help explain the security requirements, why they are necessary, and how they balance privacy with protection of the university’s teaching, learning and research activities.

What are the required next steps all faculty and staff must take to protect university data and devices?

Our campus has made great strides toward making sure that faculty and staff who need a new computer receive a device from the CU Marketplace that is loaded with the settings and software needed to protect the data of our students, instructors, researchers and staff. Our campus IT support staff have helped many others enroll their current computer in the Secure Computing Framework to provide these protections. More information about these efforts is available on the OIT website. Still, many employees are using computers that don’t provide baseline security protection which puts their work, data and campus IT environment at risk.

Here are the steps that you should take to help us close this security gap:

  • Update your operating system: Microsoft will stop supporting Windows 10 on Oct. 15, and it is imperative that campus computers are updated to Windows 11, as Windows 10 will become increasingly vulnerable to threats. Mac users whose computers are running Ventura (macOS 13) will need to take similar steps by mid-fall and update to macOS 15 Sequoia or the newest recommended operating system.
  • Install Endpoint Detection Response (EDR) software: EDR software monitors devices for threats like ransomware and malware, and is a more proactive approach to detecting advanced security threats compared to antivirus solutions, which typically address only known threats. The campus offers EDR options that provide the kind of responsive protection that is needed to address today’s and tomorrow’s security threats.
  • Install Microsoft 365 Office Apps: Microsoft Office 2016 and Office 2019 will stop receiving security updates, software updates and technical support starting this fall. In the coming days, OIT will share tips and instructions to uninstall older versions of Office and install Microsoft 365 Office Apps.

If your department has an IT support technician, you should check with that person before updating to Windows 11 or Microsoft 365 Office Apps as they may have a plan to coordinate these updates.

Why is it important that everyone complete these updates?

Like the security protections for any large institution, CU Boulder’s security net is only as strong as its weakest link. The complexity, speed and number of cyber threats are increasing and colleges and universities are increasingly being targeted by aggressive cyberattacks. The Privacy Rights Clearinghouse provides a log of reported data breaches that reflects the sheer magnitude of these increasing threats.

We are not alone in the higher education sphere when it comes to requiring the use of EDR and supported software and operating systems. This is just a small sampling of our peer universities that require EDR be installed on employee computers:

University of Michigan
University of Washington
University of Wisconsin
University of California (all campuses)
University of Illinois
Harvard University
Princeton University
Northwestern University

Updating now will help ensure that your computer and data are protected by the most up-to-date security protocols. If you wait until the fall to update, it could be harder to get support due to IT support providers being stretched thin by start-of-semester activities.

How do these security measures balance the protection of university resources without intruding upon privacy and the university’s teaching, learning and research missions?

Striking the right balance between the protection of the university’s shared IT environment while ensuring we can all meet the CU Boulder’s mission is the guiding value of the Standards and Secure Computing initiative. The Standards, and requirements that help meet them, were developed with the following guiding principles:

  • Effective security measures shouldn’t be intrusive.
  • University intellectual property must be protected.
  • Our solutions must drive enterprise effectiveness and provide support to a broad set of employees.
  • Reduce the security disparity that exists between those whose devices are managed by campus IT professionals and those that are not.
  • Our security posture must be appropriate for the needs of an R1 institution and satisfy the requirements of our government contracts now and in the future.
  • We need to better support hybrid teaching, learning and work in a secure manner.
  • We must advance campus technology in a manner that keeps a CU Boulder education affordable and attainable for students of all backgrounds.
  • Effective security must maintain employee flexibility in their technology to conduct their teaching, research, and creative work.

In addition to doing all of the above, our security solutions have been chosen to provide you with the privacy and security you would expect of any modern-day enterprise security system. You can learn about the circumstances under which information is logged by our security tools on the Secure Computing Privacy & Software Transparency page.

What should I do if I have questions or need help with the updates?

If you have questions about any of these security requirements or how to implement them, please contact your IT support technician or the Buff Techs. You might also find answers to your questions or concerns on the Secure Computing FAQ page.

Thank you for your continued support of this effort to make our campus a safer environment for teaching, learning and research.