Service Portfolio

University Information Security Office (UISO) Service Portfolio

Fordham University is strongly committed to the protection of data assets and information technology resources that support the University’s academic, administrative, and research objectives. The following UISO services and activities facilitate Fordham reaching these objectives.

IT Security Incident Response

What We Do

The University Information Security Office (UISO) prepares for, responds to, and seeks to prevent information security incidents that could result in the theft, misuse, breach, or compromise of Fordham’s information assets or an interruption of its business operations. After an incident, the team helps prevent further damage to the University by working with departments and any outside support (such as law enforcement) to contain and remediate the incident.

Why We Do It

Effectively responding to information security incidents helps safeguard Fordham information assets and reduce disruption to business operations.

Additional Info

To make a confidential report about a known or suspected IT security incident, use the Fordham University Integrity Hotline (select “Information Technology” in the left panel) or contact the UISO at infosec@fordham.edu. Click here for more information on Confidential Incident Reporting.

Potential phishing and malicious emails can be reported safely and in real time with one click from your Fordham Gmail using the Cofense Reporter Gmail add-on, or by forwarding them to spam@fordham.edu.

Vulnerability Management

What We Do

The University Information Security Office (UISO) uses vulnerability assessment tools, manual review, and penetration testing to detect and report on information security weaknesses of designated systems and networks.

Why We Do It

Using a formal vulnerability management process, the UISO coordinates remediation efforts with the appropriate business units and Fordham IT, assisting in the reduction of system and network vulnerabilities to hacking, denial of service, and other security risks originating both inside and outside the University.

Additional Info

A request for a vulnerability assessment of a Fordham University owned and managed resource (servers, workstations, applications) can be made as a service request using the Tech Help tab on My.Fordham.edu. If you do not have this tab, please contact IT Customer Care at 718-817-3999 or HelpIT@fordham.edu.

Data Loss/Leakage Prevention

What We Do

The University Information Security Office (UISO) employs a variety of proactive and reactive tools to protect University data in print, in use, at rest, and in transit – both on site and on remote equipment. The tools include but are not limited to enterprise class encryption software, personally identifiable information cataloging, shredding services, as well as data destruction, redaction and obfuscation tools.

Why We Do It

Data loss/leakage prevention tools and techniques mitigate and, whenever possible, prevent the loss of, misuse of, or unauthorized access to University data.

Additional Info

Fordham uses Spirion (formerly Identity Finder) to identify unprotected sensitive data on desktops, laptops, servers, and other media (excluding mobile phones or tablets) issued by Fordham University. Any sensitive information found is masked and not visible in plain text. Click here to learn more about how Fordham uses Spirion.

Fordham uses CloudLock to scan Google Drive files in the Fordham domain to ensure that Fordham Protected and Fordham Sensitive data are stored and shared in an appropriate and secure manner. Click here for answers to frequently asked questions about CloudLock.

Contact the UISO at infosec@fordham.edu to learn more about data loss prevention processes at Fordham.

Electronic Discovery Service (eDiscovery)

What We Do

In tandem with incident response, the University Information Security Office (UISO) provides eDiscovery through digital forensic analysis. Investigations and incident response are generally completed with or on behalf of the Office of Legal Counsel, Human Resources, the Office of Public Safety, and outside support such as law enforcement.

Why We Do It

IT Security provides the process, resources, and any electronically stored information as required for litigation holds, compliance regulations, or to aid in criminal or civil cases.

Additional Info

Contact the UISO at infosec@fordham.edu to learn more about eDiscovery processes at Fordham.

Information Security Awareness Training

What We Do

The University Information Security Office (UISO) manages an immersive cybersecurity program for Fordham employees to help them identify and minimize cyber-related threats to the University, as well as make safer choices in securing their personal information while using technology in their daily activities. Comprehensive awareness campaigns are deployed 3-4 times a year and include interactive online courses reinforced with posters, newsletters, and postcards. The UISO actively uses social media to provide alerts and helpful tips that help employees recognize increasingly sophisticated cyber threats and better protect the University and themselves.

Periodically, the UISO creates and delivers simulated phishing emails with an educational component to help employees learn how to spot a real phishing attempt to obtain sensitive information.

Why We Do It

The UISO is committed to creating and sustaining a security aware culture where its community can recognize security and compliance risks and act or escalate as appropriate.

Additional Info

Fordham uses Terranova as its security awareness solutions provider. To access the courses, log in to Terranova-Security Awareness from the My Apps tab in the portal, My.Fordham.edu.

For updates on recent phishing activity and other security issues, subscribe to the UISO’s blog, Fordham SecureIT, follow it on Twitter (@FordhamSecureIT), and like the UISO Facebook Page.

Data Destruction Services

What We Do

The University Information Security Office (UISO) provides data destruction services for various media and in a range of conditions. There are numerous data erasure and data wiping standards for the secure removal of data. The IT Security team has the technology and capability to erase or wipe data using methods ranging from a single low-level format to the 7-pass DoD (Department of Defense) 5220.22-M wipe standard.

Why We Do It

When disposing of a computer, mobile device, removable media, or other storage device, it is vital that the data has been completely erased or wiped clean. If data is improperly or not thoroughly wiped, it can be retrieved by attackers, putting Fordham assets at risk.

Additional Info

A request for data destruction (wiping) can be made as a service request using the Tech Help tab on My.Fordham.edu. If you do not have this tab, please contact IT Customer Care at 718-817-3999 or HelpIT@fordham.edu.

Community Outreach and Liaison with Local and National Law Enforcement

What We Do

The University Information Security Office (UISO) partners with several groups, sharing experiences and gaining insight on worldwide security threats. These groups include Higher Ed organizations, REN-ISAC, the FBI, the U.S. Secret Service, and law enforcement agencies.

Why We Do It

As the threat landscape for information security continues to evolve and affect those around us, key partnerships are essential to staying ahead.

Additional Info

For more information, contact the UISO at infosec@fordham.edu.

Manage and Maintain SSDLC Compliance

What We Do

A software development life cycle that includes formally defined security activities within each of its phases is known as a Secure Software Development Life Cycle (SSDLC). The University Information Security Office (UISO) provides thought leadership and subject matter expertise in SSDLC controls, policies, and standards. The UISO partners with Application Development and Operations teams to develop and implement application security strategies, and provides recommendations for the mitigation and remediation of risks, issues, and deficiencies.

Why We Do It

Use of secure software development techniques and architectures reduces the likelihood and downstream effects of security-related risks and facilitates compliance with best practices, industry standards, and regulatory requirements.

Additional Info

For more information, contact the UISO at infosec@fordham.edu.

Web Application Scanning

What We Do

Using manual and automated tools, the University Information Security Office (UISO) assesses web-based applications to detect security vulnerabilities and risks in web applications and server configurations so that development teams can remediate identified issues.

Why We Do It

Detecting security flaws in web-based applications enables development teams to close security loopholes and prevent would-be attackers from gaining unauthorized access to Fordham data.

Additional Info

A request for a web application assessment can be made as a service request using the Tech Help tab on My.Fordham.edu. If you do not have this tab, please contact IT Customer Care at 718-817-3999 or HelpIT@fordham.edu.

Multi-Factor Authentication

What We Do

Multi-factor authentication (MFA) gives password-protected online accounts at Fordham an additional layer of security. This security enhancement requires you to verify your identity with a second factor, in addition to your password, when logging in to your account. A smartphone, landline, cell phone, tablet, or, in some situations, a hardware token may be used to verify your identity.

Why We Do It

Passwords that are short, simple, or reused across multiple sites and accounts do not provide adequate protection. Verifying user identity with MFA reduces the risk of unauthorized access to accounts should a password ever be compromised.

Additional Info

Fordham’s MFA service is provided by Duo Security, a trusted company used by many higher education institutions. Click here to learn more about how MFA works.

IT Auditing

What We Do

Guided by internal and external auditors, the University Information Security Office (UISO) performs data and business process audits. At times, these audits are presented to the Audit Committee of the Board of Trustees for further discussion and possible remediation. In addition, the UISO works with technical teams in and outside of Fordham to remediate, transfer, or accept critical findings and strengthen the University’s risk posture.

Why We Do It

Audit findings help uncover unintended exposure of sensitive data and identify risks to be mitigated, for example through review of user and vendor access to University information assets.

Additional Info

Contact the UISO’s IT Risk and Data Integrity group at infosec@fordham.edu to learn more about IT auditing processes, scheduling, and findings.

Business Continuity/Disaster Recovery Planning

What We Do

To prepare for outages and other significant disruptions, the University Information Security Office (UISO) helps its business partners identify the technology and systems critical to their business processes, build robust technical business continuity plans and communication strategies, and test them with departmental and university-wide exercises. As part of Business Continuity Planning, the UISO also works with business partners and other IT groups to compose Disaster Recovery Plans to restore critical operations in anticipation of or after an event. The UISO actively participates in Fordham Public Safety’s university-wide emergency preparedness tabletop exercises.

Why We Do It

The primary purpose of business continuity and disaster recovery planning is to minimize the effect of an outage or other significant disruption on critical Fordham operations.

Additional Info

Fordham uses Recovery Planner (RPX), accessible on the My Apps tab of the portal, My.Fordham.edu, to publish and maintain departmental business continuity plans created in partnership with business process owners.

Information Security Risk Management and Assessment

What We Do

The University Information Security Office (UISO) uses industry frameworks and best practices to identify, quantify, and track security risks affecting the University, and implements plans to address and manage them. When a business process risk is detected, the group reports it to the business owner and either develops a remediation plan or documents the risk acceptance provided by the business unit. Some risks may require review and acceptance by the Information Risk Management Board (IRMB).

Why We Do It

A formal Information Security Risk Management and Assessment program consistently identifies and tracks information security risks, guides implementation plans for remediation, facilitates compliance with applicable state and federal regulations, and enables informed decisions regarding risk tolerance and acceptance.

Additional Info

Contact the UISO’s IT Risk and Data Integrity group and/or the Information Risk Management Board (IRMB) at infosec@fordham.edu for more information on Information Security Risk Management.

University Information Security Policies and Procedures

What We Do

The University Information Security Office (UISO) develops, maintains, and publishes information regarding security policies, procedures, standards, and guidelines and may include the Office of Legal Counsel in the review and approval process based upon the scope of the policy. In addition, the Associate Vice President/Chief Information Security Officer has developed and chairs a University-wide Information Risk Management Board (IRMB) to provide guidance and advocacy on information security standards and security investments.

Why We Do It

Providing the University community with policies, procedures, standards, and guidelines regarding information security identifies established rules and appropriate user behaviors, which in turn minimizes risks to University assets and facilitates compliance with applicable state and federal regulations.

Additional Info

The UISO maintains a repository of policies, procedures, and guidelines regarding technology resources and services. Click here to access the IT Policy Library.

The Information Risk Management Board (IRMB) meets monthly and is empowered to manage technology risk for the University. Click here to learn more about its scope and objectives.

Data Handling

What We Do

The University Information Security Office (UISO) provides guidance on how data should be classified and, based upon this classification, ensures that the data is stored on an appropriate platform that provides adequate data protection. This group also ensures that new solutions have appropriate data protections, either by technology, administrative controls, or by contractual provisions, before they are deployed.

Why We Do It

The identification and classification of data, as well as the standards and policies to properly handle each type of data, helps ensure proper protection, facilitates regulatory compliance, and increases the awareness of who should or shouldn’t have access to it.

Additional Info

Fordham University’s Data Classification Policy applies to all data produced, collected, stored, or used by the University, its employees, student workers, consultants, and agents during their relationship with the University. The Data Classification Grid can help you better understand the regulations and policies governing Protected and Sensitive Data and determine where to store your files.

Data Privacy

What We Do

Working with Legal Counsel, the University Information Security Office (UISO) evaluates whether data stored at the University has adequate privacy controls in place. Data flows are mapped and maintained to identify data entry points and data usage.

Why We Do It

Assessments of business processes and data flows are performed to ensure that data is obtained, processed, shared, retained, and disposed of in a manner that best protects the privacy of Fordham constituents.

Additional Info

For more information, contact privacy@fordham.edu.

Regulatory Compliance

What We Do

The University Information Security Office (UISO) guides Fordham University’s data compliance with regulatory requirements including, but not limited to, PCI, HIPAA, FERPA, and GDPR. This group identifies and reports process deficiencies to compliance stakeholders and coordinates remediation efforts with the appropriate business units and Fordham IT.

Why We Do It

Maintaining a clear view of regulatory compliance risks and coordinating data compliance activities across the University is critical to avoiding the financial penalties, negative public perception, and possible restrictions to programs and resources resulting from compliance failures.

Additional Info

For more information on data-related regulatory compliance, contact the UISO’s IT Risk and Data Integrity group at infosec@fordham.edu.

IT Third Party Risk Management

What We Do

Working with business partners across the University, the University Information Security Office (UISO) evaluates and works to reduce the inherent risks of third parties providing technology services to Fordham. This group evaluates and reports on the overall risk of working with a third party, places appropriate language in agreements to mitigate risk, documents business partner risk acceptance, and monitors third parties on an ongoing basis to ensure their technology risk profile has not changed.

Why We Do It

Effectively managing the risks presented by our expanded ecosystem of partners and providers is essential to reducing the associated compliance risks and downstream liability that could result in increased costs, outages, decreased revenue and the diminished confidence of our stakeholders.

Additional Info

Transmission of data between the University and a third party must be reviewed and approved by the University Information Security Office (UISO). The review may be initiated as a service request in Easy Vista from the Tech Help tab on My.Fordham.edu. If you do not have this tab, please contact IT Customer Care at 718-817-3999 or HelpIT@fordham.edu.

For more information on IT Third Party Risk Management, contact the UISO’s IT Risk and Data Integrity group at infosec@fordham.edu.

Drive Encryption

What We Do

The University Information Security Office (UISO) provides full-disk encryption for Fordham-issued desktops and laptops, and removable-media encryption for items such as thumb drives, to help safeguard data stored locally on those devices. Encryption is the process of encoding data (plain text) in such a way that only authorized parties can access it.

Why We Do It

By encrypting devices such as desktops and laptops, Fordham ensures data confidentiality and integrity on the device, because only the owner of the device can access the locally stored data. The data cannot be modified while “at rest” without credentials. If the device is lost or stolen, encryption safeguards the locally stored data from unauthorized access.

Additional Info

Fordham uses McAfee’s Drive Encryption on all Fordham-issued desktops and laptops, and McAfee’s File and Removable Media Protection for devices such as thumb drives. A request for drive encryption or removable-media encryption can be made as a service request using the Tech Help tab on My.Fordham.edu. If you do not have this tab, please contact IT Customer Care at 718-817-3999 or HelpIT@fordham.edu.

Email Security

What We Do

To augment the email protection features built into Gmail, the UISO employs two email protection services from Proofpoint: email filtering and malicious URL blocking.

Emails are scanned and filtered for spam (junk email and unsolicited messages sent in bulk) and for matches to known patterns of malware and phishing. When a message is identified as potential spam or suspicious, it is quarantined. The recipient is sent a Quarantine Summary email and can view the quarantined messages and decide whether to release them to the inbox and mark them as not spam, or leave them classified as spam, in which case they are deleted.

Fordham faculty and staff are also provided with Targeted Attack Protection (TAP), which analyzes and blocks malicious URLs sent in email messages and in attachments.

Why We Do It

Email filtering helps reduce Fordham’s volume of intrusive and unsolicited spam email. TAP helps protect Fordham employees from specific threats distributed via email, including phishing and access to malicious websites. Although these email protection services reduce email-borne security risks, caution must still be exercised when reviewing questionable emails.

Additional Info

For more information on email security services, review the portal webpages on spam filters and Targeted Attack Protection (TAP).

Threat Monitoring

What We Do

The UISO continuously monitors and aggregates real-time and logged data from multiple sources and uses automated tools to help identify potential threats to Fordham’s information security. When a threat is identified, an alert is sent to the security team for mitigation or incident response.

Why We Do It

Threat monitoring, through continuous data collection and both automated and manual analysis, enables Fordham to identify previously undetected threats such as external network intrusions and compromised internal accounts. This fuller visibility yields greater protection of Fordham assets and sensitive data from breaches, vulnerabilities, and cyber threats.

Additional Info

For more information, contact the UISO at infosec@fordham.edu.