It is the mission of the UC Information Security Department to safeguard the sensitive data of our students, faculty and staff; to protect the Confidentiality, Integrity, Availability and Privacy of the business-critical and regulated data needed by the University of Cincinnati in order to fulfill its mission; and to protect the reputation of the University by proactively identifying existing vulnerabilities, by ensuring the remediation of those vulnerabilities and by investigating Information Security incidents.

About UC's Information Security Department

Information Security reports directly to the Chief Information Officer (CIO) and the AVP of Public Safety. We are responsible for safeguarding the Confidentiality, Availability and Integrity of the information collected and maintained by the University.

Kevin McLaughlin is the Assistant Vice President for Information Security & Special Projects for the University of Cincinnati. He provides direction and leadership with regard to Information Security Awareness campaigns, Risk Management, Cyber Crime investigations and the establishment of Information Security Policies, Standards and Guidelines. Kevin holds certifications as a Certified Information Systems Manager (CISM), Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP), and holds a master-level certification in ITIL. Kevin is also an adjunct for UC and teaches at the College of Engineering and Applied Science.

  • Kevin L. McLaughlin
  • Assistant Vice President for Information Security & Special Projects, University of Cincinnati
  • University Hall
  • 51 Goodman Drive
  • PO Box 210085
  • Cincinnati, Ohio 45221-0085
  • E-mail: mclaugkl@uc.edu

Services

The Information Security office at UC offers both consulting and investigative services. If you would like to review a system or business process for security, or if you believe there has been a violation of information security, please contact our offices. Requests for any of the following services should be sent to infosec@uc.edu.

Services Offered:

Awareness - Web page development, Posters, Presentations and Consulting on Awareness Campaigns

Training - Short courses on a variety of topics targeted at various groups

Informal Audits - These policy and legal compliance checks must be requested by the Dean, Assistant Dean or a Director level person at the site to be audited

Consulting - Have your application, system or process reviewed.

Consulting for New Projects - If you are starting a project, get us involved early! The earlier, the easier and cheaper it will be to build in compliance.

Vulnerability / Risk Assessments - Code Evaluation, Penetration Testing, Consulting, more

Investigations - Forensic analysis of computer systems, Copyright, more

Request an SSL Certificate - This will allow for a secure connection from your web server

Chemical Inventory Request Form

Identity Management

Request Access to the Mainframe - Online

Request Access to the Mainframe - If you do not have access to UC email (printable request form)

To request functions, use this link.

If you have any questions about mainframe access, contact mainsec@uc.edu for assistance.

If you have any further questions, you may contact Information Security

Policies


UC Information Security Policies

Information security policies underpin the security and well-being of information resources. They are the foundation, the bottom line, of information security within any institution. The university Information Security policies are formal statements that specify a set of rules that all users must follow when gaining access to UC's information and information systems.

| Policy # | Policy Name | Policy Text | Status |
|---|---|---|---|
| Policy 9.1.6 | Acceptance of Risk Policy (for forms and more click here) | PDF | Proposed |
| Policy 9.1.7 | Clean Desk Policy | Policy PDF | Proposed |
| Policy 9.1.25 | Data Center Visitor Tours | PDF | Proposed |
| Policy 9.1.1 | Data Protection Policy (related: Data Classification & Data Types; Minimum Safeguards; Data Protection and Encryption at UC; Printer Trade-in and Disposal Advice) | PDF | Approved |
| Policy 9.1.5 | ASP Programming Security Implementation | PDF | Proposed |
| Policy 9.1.8 | Email Retention Policy | PDF | Proposed |
| Policy 9.1.9 | Employee Verification Policy | PDF | Proposed |
| Policy 9.1.1 | Full Disk Encryption Policy | PDF | Proposed |
| Policy 9.1.10 | HIPAA Coverage Policy | PDF | Proposed |
| Policy 9.1.11 | Information Security Emergency Response Policy | PDF | Proposed |
| Policy 9.1.12 | Information Security Forensic Investigation Policy | PDF | Proposed |
| Policy 9.1.23 | Password Policy | PDF | Proposed |
| Policy 9.1.27 | Information Security Design & Architecture Review | PDF | Approved |
| Policy 9.1.13 | Password Reset Policy | PDF | Proposed |
| Policy 9.1.4 | PII Production Data Use | PDF | Proposed |
| Policy 9.1.14 | Privileged Access Policy (related: UC InfoSec F41 Privileged Access Agreement) | PDF | Proposed |
| Policy 9.1.15 | Remote Authentication into Sensitive Accounts Policy | PDF | Proposed |
| Policy 9.1.16 | Security Awareness and Education Policy | PDF | Proposed |
| Policy 9.1.17 | Security Data Retention Policy | PDF | Proposed |
| Policy 9.1.18 | Suspension of Accounts Policy | PDF | Proposed |
| Policy 9.1.19 | System Level Account Policy | PDF | Proposed |
| Policy 9.1.20 | Trusted Entity Policy | PDF | Proposed |
| Policy 9.1.21 | Umbrella Information Security Policy | PDF | Proposed |
| Policy 9.1.2 | Vulnerable Systems Policy | PDF | Approved |
| Policy 9.1.31 | Computer Locking Policy | PDF | Approved |
| Policy 9.1.48 | Server Security Baseline Standard | PDF | Proposed |

 

 

What is necessary for the success of Security Policies:


For the above security policies to succeed they must follow these guidelines:

  • Management must support the policies.
  • The policies must be technically feasible.
  • The policies must be implemented globally throughout the institution.
  • The policies must clearly define responsibilities for users, faculty, administrators and management.
  • The policies must be flexible to adapt to changing technologies and institution goals.
  • The policies must be understandable.
  • The policies must be widely distributed.
  • The policies must be enforceable.
  • The policies must provide sanctions for users violating the policies.
  • The policies must contain a response plan for when security breaches are exposed.

Upcoming Events


Coming in October: Information Security Awareness Week

ISAW Flyer

Details:

  • When: October 25-29
  • Where: Main Lobby of TUC
  • Time: 11am to 1pm
  • Presentations every day, 2 most days

Some of the demonstrations that will be offered:

  • Wi-Fi Cracking - Breaking through the airwaves
  • Who needs a password? Bypassing Windows Authentication
  • BaDroid – Hacking with a Rogue Android Smartphone
  • Social Engineering – Deception…The all–time best hacking tool
  • Sniffing online traffic – Stealing your online bank, e–mail and Facebook accounts
  • BackTrack Mobile – Hacking into your computer from a smartphone near you

Shred It Event – 9am to 1pm on McMicken Commons!

NOTE: If you have an Android SmartPhone, stop by the booth all week to learn how to secure your device

For pictures of last year's event, click here

InfoSec Projects at UC


UCit/InfoSec Projects - Identity Management (IDM)

UCit is working on a series of projects to enhance identity management at UC. These projects will bring strong wins for those who use IT systems at UC — and those who support those systems.

Future phases of the IDM project

  • IDM Connectors are being offered to individual UC colleges to allow the college to keep their local student directories in sync with the central system. This allows colleges to sync the passwords for their local applications with the passwords used in other central systems like One Stop, Student Email and Blackboard, as well as reducing the administrative overhead currently spent by the colleges to maintain student data on their local systems.

As this project progresses, UCit will initiate more efforts in the overall IDM project. This site will be kept up to date with information you need to know, so please check back.


The University of Cincinnati is constantly working to improve the online campus experience for everyone at UC. In the past few years, several projects have been implemented to improve identity management.

Central Login and Blackboard updated to enforce case sensitivity - April 15, 2009

A few years ago, UCit implemented the ability for users to use strong passwords across all the systems connected to the IDM ring. A person could then use PSS to change their password to something strong (minimum of 8 characters with at least one upper-case, one lower-case and one number) and expect their strong password to properly synchronize to all connected systems.

Previously, the system enforced the 8-character minimum and the requirement that at least one number be used, but it was not enforcing the use of both upper- and lowercase. Because of this, many people at UC had been logging in to CLS systems and Blackboard with an all-lowercase version of their password.

On April 15, 2009 the system began enforcing the use of the mixed case on all CLS pages and on Blackboard.

Remember that you need to use a password that has both upper- and lowercase letters. If you cannot remember your password, go to the PSS forgotten password page, answer your questions, and choose a new password that meets the standards. That password will synchronize to all connected systems and be immediately usable.

If further help is needed, please refer them to the UCit Helpdesk at 556-HELP.

Blackboard Joined IDM - December 22, 2008

After December 22, you will use the same password for Blackboard that you use on One Stop, Central Login (CLS) and other synchronized systems. When you need to change your password, use PSS, One Stop or Central Login and your password will change in all other connected systems.

Please note that this change does not affect Blackboard users using visitor accounts or guest accounts. Visitor and guest accounts will continue to log in to Blackboard using their current username and password.

UC Embraced Strong Passwords - July 29, 2008

Security of central systems at UC was significantly enhanced now that the university requires strong passwords. A strong password uses more than just the standard lowercase alphabet, is not a word found in any dictionary, and is at least eight characters long. An audit of passwords in use at UC showed that it was common for a password to be a standard English word of only four or five characters. Such passwords can be broken in less than a minute by someone using password cracking software that is freely available.

For tips on selecting a strong password that is easy to remember, please visit InfoSec's How to Choose a Password webpage.

We highly recommend that you administer your password through the new Password Self-Service (PSS) tool at https://www.uc.edu/PSS. For instructions on how to use PSS, go to the PSS Help page.


InfoSec Update: Current and Archived Issues

Current Information Security Update



Click Here to Subscribe to the Information Security Update


Current and Future State of InfoSec at UC

What are the Responsibilities of the InfoSec Dept?


  • Educate the user community in the ethical use of Computer and Network Resources.
  • Assist in the development and implementation of university-wide policies, standards, guidelines, best practices, controls and procedures to protect UC network & systems resources from intentional or inadvertent modification, disclosure or destruction.
  • Authorize security maneuvers, including security scans and penetration testing affecting computer and network resources (except for those responsibilities specifically accorded to system administrators in this policy).
  • Coordinate response to computer and network security incidents to include, but not be limited to, notification of incidents to UC offices as appropriate, contact with Incident Response teams external to UC, and the University Police Department. The response may draw upon the authority of UCit to disconnect a computer on any UC system(s) that poses a threat to that system or other systems within the UC network.
  • Provide consultation services, risk assessments and guidance in the area of information security.

Articles by Team Members

How to Link to Our Site


Our department welcomes anyone to link to our site. We do want people to be aware, though, that certain links are considered to be "permanent" while others are subject to change. The following are permanent links:

  • www.uc.edu/infosec/ - The homepage, with links to podcasts and special sections of the website
  • www.uc.edu/infosec/student.html - student portal to the infosec site
  • www.uc.edu/infosec/compliance/ - law and compliance section
  • www.uc.edu/infosec/infosecdept/ - includes about us, risk assessment, services, meet the team etc
  • www.uc.edu/infosec/infosecdept/policies.html - Information Security Policies
  • www.uc.edu/infosec/infosecdept/services.html - Information Security Services
  • www.uc.edu/infosec/education/ - All education sections and materials
  • www.uc.edu/infosec/password/ - how to set up new accounts, pick a password, etc.
  • www.uc.edu/infosec/password/setupnewaccounts.html - How to set up a new UC Account
  • www.uc.edu/infosec/password/chooseapassword.html - How to choose a password
  • www.uc.edu/infosec/password/psshelp.html - Password Self Service Help
  • www.uc.edu/infosec/password/pwnotification.html - What the Help Desk Password Notification e-mails look like
  • www.uc.edu/infosec/software/ - All software help, including setting up systems and mobile phones securely
  • www.uc.edu/infosec/software/pgp.html - Link for faculty and staff to download PGP
  • www.uc.edu/infosec/free/ - Link to free McAfee Antivirus for faculty, staff, and students

Contact Us

Via E-mail: infosec@uc.edu

Via Phone: 513-558-ISEC (4732)

Meet the InfoSec Team!