IMPROVED IT SECURITY STANDARDS
In 2020, the university transitioned security standards from a technology configuration-focused approach known as “Minimum Security Standards” to the industry-recognized Cybersecurity Framework (CSF) with an emphasis on People, Processes, and Technology. The framework assesses each security control from the three perspectives using a 0-4 rating scale, with 3+ being compliant. The goal is to have all university organizational units (OUs) reach and maintain 90 percent compliance (meaning 90 percent of their controls reported at 3 or above). At the end of the fiscal year, the overall USC compliance rating was 26 percent. In April 2021, an external auditing service performed an assessment of the CSF implementation. The only finding was the lack of a remediation action plan for OUs not yet achieving the targeted 90 percent compliance rating. This remediation action plan was developed and implemented at the end of the fiscal year. It documents both the steps and resources required to achieve 90 percent compliance across the system over a three-year period.
INTRODUCTION OF MICROSOFT SECURITY SUITE
As part of maintaining the university’s best-in-class cybersecurity program, the Microsoft A5 licensed security suite was introduced across the university system. The project touched all areas of the university, including students, faculty, staff, workstations, and cloud applications. Microsoft Defender products were deployed to help improve the defense of USC’s systems against attacks and coordinate defensive responses through signal sharing and automated actions. Since implementation, the A5 Security Suite has enabled the security team to perform detailed threat hunting across endpoint and Office data for USC systems and to automate responses to compromise by triggering self-healing for impacted assets through automated and manual remediation. It has also significantly improved the ability to narrate the full story of the attack across product alerts, behaviors, and context by joining data on alerts, suspicious events, and impacted assets into “incidents.”
ASSET DISCOVERY AND VISIBILITY TOOLS RELEASED
New technologies were introduced to provide the Information Security Office visibility into modern attack methods. They have proven to be instrumental in stopping several phishing campaigns. The visibility into systems gained from this project is driving process improvements across the university from both a security and operational IT perspective. A companion technology to further improve IT asset discovery and visibility, ForeScout, was also deployed in 2021. Using a combination of ForeScout and Defender for Endpoint has more than halved the time spent by the security team identifying assets during a security incident. Quick and accurate asset identification is vital to keeping pace with the attack speeds of ransomware groups and other advanced attackers.
RESPONSE TO WORLDWIDE ATTACKS
In addition to significant CSF and technology deployment work, over the past year the university information security office has coordinated system-wide responses to several high-impact cybersecurity incidents affecting the Internet as a whole. In late 2020 and early 2021, nation-state attacks against Microsoft Exchange and SolarWinds software required investigations across all campuses that were handled quickly and thoroughly by the team. In December 2021, the university responded to the Apache Log4j software vulnerability mentioned in the news media. The team coordinated efforts from both the Division of Information Technology and campus organizational units to mitigate the issue across the system.
SERVICENOW ROME UPGRADE COMPLETED
The Division of Information Technology uses the ServiceNow platform to automate workflows and create a more connected environment. It helps catalog customer service requests, incidents, problems, changes, and other IT functions. A major update to the system was completed this year that adds the ability to deliver cross-enterprise digital workflows, new layouts, and improved functionality.
SUCCESSFUL UPGRADES TO WINDOWS 10
All computers managed by Desktop Service Agreements were upgraded to a new version of Windows 10. The upgrade provided critical security updates and performance improvements. The upgrade was important to ensure ongoing support for Windows workstations.
ADDITIONAL AREAS JOIN IT SERVICE DESK
In order to provide a single point of contact for students and employees with technology issues, additional areas became partners in the USC IT Service Desk. The Division of Student Affairs and Academic Support and University Housing joined the Division of Information Technology, the College of Social Work, the College of Pharmacy, the College of Information and Communication, Honors College, Darla Moore School of Business, the School of Law, the College of Nursing, Athletics, the Institute for Families in Society, the College of Engineering and Computing, the Arnold School of Public Health, the College of Arts and Sciences, the School of Music, and University Libraries in using a single ticketing system and service desk to report IT issues and make IT requests. Students and employees no longer have to determine if their request should go directly to their college or area or to the Division of Information Technology. Once they contact the IT Service Desk, all routing takes place behind the scenes, making the process more efficient for end users.
PROVIDED STANDARD PURCHASING PORTAL FOR PCs
The Division of Information Technology identified standard PC configurations that departments can order for employees. This action ensures continuity across the system and provides an easy-to-use way for busy staff to choose appropriate machines for the USC environment. In addition to standard configurations, an online portal was introduced that allows IT staff to order the equipment in one central location.
SYSTEMWIDE CHAT SOFTWARE ADOPTED
The Service Management Office led the transition to LiveChat as the preferred chat software used by the entire system. LiveChat is online customer service software that allows individuals to exchange personalized real-time chats with various departments and areas across the system. The software meets the privacy standards set forth by the State of South Carolina.
TRB PRODUCT REVIEW AND ASSESSMENT
The Technology Review Board (TRB) provides consultation, guidance and cost-effective resource management for potential additions, changes or enhancements to technology hardware, software and services at the University of South Carolina. The group reviews project proposals from areas across the university to ensure that services that already exist across the university are not replicated, to confirm that new IT requests will operate within current systems at the university, and to determine whether multiple areas are requesting the same service, which could allow for cost-sharing. During the last fiscal year, the TRB reviewed more than 175 requests and saved the university more than $100,000 on a five-year contract regarding an event management system at a system campus.
WORK TOWARD INFORMATION PRIVACY
USC does not currently have an Information Privacy Program. Recognizing that there are growing and increasingly urgent privacy requirements that can and will impact university operations, the division began work in 2021 to help USC start “operationalizing” information privacy practices. Privacy program operationalization is the practice of embedding privacy safeguards throughout the entire lifecycle of business decisions, processes, and technologies. It is accomplished through obtaining buy-in from key stakeholders, incorporating privacy safeguards at the front end and throughout policies and processes, leveraging existing tools and resources to automate privacy into day-to-day operations, and providing continuous training and reminders. The division partnered with the USC Office of General Counsel and external privacy consultants to assess the system’s information privacy posture and produced a report of findings and recommendations. Employees in the division also supported the Darla Moore School of Business towards achievement of General Data Protection Regulation compliance within the context of international programs and studies in the European Union.
TRAINING FOR DATA STEWARDS
To help university Data Stewards perform their responsibility to “oversee the capture, maintenance, storage, use, and dissemination of university data and information for a particular function or operation” (UNIV 1.51), a training module was developed in Blackboard. The training provides structured instruction pertaining to the goals, benefits, and activities of data stewardship. It also gives data stewards a more complete understanding of data governance and some practical guidance on how to execute their data stewardship responsibilities. The mandatory training is broken into several easy-to-digest modules that allow stewards to learn on their own time. Each module is designed to take 10-15 minutes to complete.
UPDATES TO ANALYTICS COMMUNITY OF PRACTICE WEBSITE
The Analytics Community of Practice website was updated and expanded to include important announcements and information for individuals across the eight campuses who have a responsibility or interest in university analytics. The website promotes engagement and collaboration among members, which leads to greater productivity.
INCORPORATION OF DATA DICTIONARY INTO CAROLINA DATAWORKS
The USC Data Dictionary is a collection of names, definitions, and attributes about data elements that are used across the system. It describes the meanings and purposes of the data and provides guidance on interpretation and accepted meanings and representation. Last year, the Data Dictionary was incorporated into the CarolinaDataWorks platform, allowing those who create data sharing agreements to find the data classification and speed up the process for security checks and granting access by the data steward.
DATA SHARING AGREEMENTS IN SERVICENOW
The process to approve Data Sharing Agreements and grant access to the CarolinaAnalytics system was improved. Instead of making requests via email, approvals are now automated through integration with the ServiceNow platform. The integration streamlines the processes for Data Stewards and provides a reliable audit trail regarding the access to data in university systems.
ADOPTION OF SYSTEM-WIDE FORM CREATOR
The Strategic Initiatives area worked with IT leaders across the system to select and procure software that allows paper forms to be turned into interactive, electronic forms. Using Dynamic Forms, non-technical users can now customize, design, and publish professional-looking forms without the need for programming knowledge.
ADVANCING TECHNICAL KNOWLEDGE
The Analytics Community of Practice, the local Tableau Users Group, and Research Computing became actively involved in the Virtual Reality Interest Group, sponsored by the Center for Teaching Excellence. The group works to bring 360° video, virtual reality, augmented reality, and mixed reality into teaching and learning environments at USC. The Research Computing group was also active in the Humanities Collaborative, which works to advance interdisciplinary humanistic inquiry by initiating new collaborations and supporting ongoing programs among faculty, students, and members of the public.
ANALYTICS USER MANAGEMENT INTERFACE
A User Management Interface was launched for CarolinaAnalytics to provide faster access to analytic dashboards. Previously, users who requested access to CarolinaAnalytics had to submit a ticket to Helio Campus, which could take several days to be resolved. The new interface allows the university to control access.