Information Security and Assurance Service Portfolio
Fordham University is strongly committed to the protection of data assets and information technology resources that support the University’s academic, administrative, and research objectives. The following Information Security and Assurance services and activities help Fordham reach these objectives.
- Business Continuity/Disaster Recovery Planning
- Community Outreach and Liaison with Local and National Law Enforcement
- Data Destruction Services
- Data Handling
- Data Loss/Leakage Prevention
- Data Privacy
- Drive Encryption
- Electronic Discovery Service (eDiscovery)
- Email Security
- Endpoint Protection
- Information Security Awareness Training
- Information Security Risk Management and Assessment
- IT Auditing
- IT Security Incident Response
- IT Third-Party Risk Management
- Manage and Maintain SSDLC Compliance
- Multi-Factor Authentication
- Regulatory Compliance
- Threat Monitoring
- University Information Security Policies and Procedures
- Vulnerability Management
- Web Application Scanning
Business Continuity/Disaster Recovery Planning
What We Do
To prepare for outages and other significant disruptions, Information Security and Assurance helps its business partners identify the technology and systems critical to their business processes, build robust technical business continuity plans and communication strategies, and test them with departmental and university-wide exercises. As part of Business Continuity Planning, Information Security and Assurance also works with business partners and other Office of Information Technology groups to compose Disaster Recovery Plans to restore critical operations in anticipation of or after an event. Information Security and Assurance actively participates in Fordham Public Safety’s university-wide emergency preparedness tabletop exercises.
Why We Do It
The primary purpose of business continuity and disaster recovery planning is to minimize the effect of an outage or other significant disruption on critical Fordham operations.
Additional Info
Fordham uses Recovery Planner, RPX, accessible in the Administrative section under My Apps in our portal, to publish and maintain departmental business continuity plans created in partnership with business process owners.
Community Outreach and Liaison with Local and National Law Enforcement
What We Do
Information Security and Assurance partners with several groups, sharing experiences and gaining insight on worldwide security threats. These groups include Higher Ed organizations, REN-ISAC, the FBI, the U.S. Secret Service, and law enforcement agencies.
Why We Do It
As the threat landscape for information security continues to evolve and affect those around us, key partnerships are essential to staying ahead.
Additional Info
For more information, contact Information Security and Assurance at infosec@fordham.edu.
Data Destruction Services
What We Do
Information Security and Assurance provides data destruction services for various media and in a range of conditions. There are numerous data erasure and data wiping standards for the secure removal of data. The team has the technology and capability to erase or wipe data from a single low-level format to a 7-pass DoD (Department of Defense) 5220.22-M Wipe Standard.
Why We Do It
When disposing of a computer, mobile device, removable media, or other storage device, it is vital that the data has been completely erased or wiped clean. If data is improperly or not thoroughly wiped, it can be retrieved by hackers, putting Fordham assets at risk.
Additional Info
A request for data destruction (wiping) can be made as a service request using Tech Help on our portal or by contacting IT Service Desk at 718-817-3999 or HelpIT@fordham.edu.
Data Handling
What We Do
Information Security and Assurance provides guidance on how data should be classified and, based upon this classification, ensures that the data is stored on an appropriate platform that provides adequate data protection. This group also ensures that new solutions have appropriate data protections, either by technology, administrative controls, or contractual provisions before they are deployed.
Why We Do It
Identifying and classifying data, together with the standards and policies for properly handling each type of data, helps ensure proper protection, facilitates regulatory compliance, and increases awareness of who should or shouldn’t have access to it.
Additional Info
Fordham University’s Data Classification and Protection Policy applies to all data produced, collected, stored, or used by the University, its employees, student workers, consultants, and agents during their relationship with the University. The Data Classification Guidelines can help you better understand the regulations and policies governing Protected and Sensitive Data and determine where to store your files.
Data Loss/Leakage Prevention
What We Do
Information Security and Assurance employs a variety of proactive and reactive tools to protect University data in print, in use, at rest, and in transit – both on site and on remote equipment. The tools include, but are not limited to, enterprise-class encryption software, personally identifiable information cataloging, shredding services, and data destruction, redaction, and obfuscation tools.
Why We Do It
Data loss/leakage prevention tools and techniques mitigate and, whenever possible, prevent the loss of, misuse of, or unauthorized access to University data.
Additional Info
Fordham uses Spirion™ (formerly Identity Finder) to identify unprotected sensitive data on desktops, laptops, servers, and other media (excluding mobile phones or tablets) issued by Fordham University. Any sensitive information found is masked and not visible in plain text.
Fordham uses CloudLock® to scan Google Drive™ files and Office 365™ DLP to scan Microsoft OneDrive™, SharePoint®, and Office 365 files in the Fordham domain. This is done to ensure that Fordham Protected and Fordham Sensitive data are stored and shared appropriately and securely. Answers to frequently asked questions about CloudLock and about Office 365 DLP are also available.
Contact Information Security and Assurance at infosec@fordham.edu to learn more about data loss prevention processes at Fordham.
Data Privacy
What We Do
Data privacy involves the appropriate handling of data throughout the data’s lifecycle. Working with the Office of Legal Counsel, Information Security and Assurance evaluates how data is collected, shared, used, stored, and disposed of, and ensures the University has adequate privacy controls in place. Data flows are mapped and maintained to identify data entry points and data usage.
Why We Do It
Assessments of business processes and data flows are done to ensure that data is obtained, processed, shared, retained, and disposed of in a manner that best protects the privacy of Fordham constituents.
Additional Info
For more information, contact privacy@fordham.edu.
Drive Encryption
What We Do
Information Security and Assurance provides full-disk encryption for Fordham-issued desktops and laptops, and removable media encryption for items such as thumb drives, to help safeguard data stored locally on those devices. Encryption encodes data (plain text) in such a way that only authorized parties can read it. The Disk Encryption Policy states that Fordham employs disk encryption technologies on the University’s IT Resources to protect the confidentiality of information.
Why We Do It
By encrypting devices such as desktops and laptops, Fordham ensures data confidentiality and integrity on the device, as only the device’s owner can access the locally stored data. The data cannot be modified while “at rest” without credentials. If the device is lost or stolen, encryption safeguards the locally stored data from unauthorized access.
Additional Info
Fordham uses McAfee® Drive Encryption on all Fordham-issued desktops and laptops, and McAfee’s File and Removable Media Protection for devices such as thumb drives. A request for drive encryption or removable media encryption can be made as a service request using Tech Help on our portal or by contacting IT Service Desk at 718-817-3999 or HelpIT@fordham.edu.
Electronic Discovery Service (eDiscovery)
What We Do
In tandem with incident response, Information Security and Assurance provides eDiscovery through digital forensic analysis. Investigations and incident response are generally completed with or on behalf of the Office of Legal Counsel, Human Resources, the Office of Public Safety, and outside support such as law enforcement.
Why We Do It
Information Security and Assurance provides the process, resources, and any electronically stored information required for litigation holds, compliance regulations, or to aid in criminal or civil cases.
Additional Info
Contact Information Security and Assurance at infosec@fordham.edu to learn more about eDiscovery processes at Fordham.
Email Security
What We Do
To augment the email protection features built into Gmail™, Information Security and Assurance employs three email protection services from Proofpoint®: email filtering, malicious URL blocking, and email encryption.
Emails are scanned and filtered for spam (junk email and unsolicited messages sent in bulk) and for matches to known patterns for malware and phishing. When a message is identified as potential spam or suspicious, it is quarantined. The recipient is sent a Quarantine Summary email and can review the quarantined messages and either release them to the inbox (marking them as not spam) or leave them classified as spam, in which case they are deleted.
Fordham faculty and staff are also provided with Targeted Attack Protection (TAP), which analyzes and blocks malicious URLs that can be sent in email messages and in attachments.
Fordham offers email encryption to secure messages sent to people outside of Fordham, that is, to non-Fordham email addresses. Email communication within the Fordham domains, fordham.edu and law.fordham.edu, is automatically secured while in transit.
Why We Do It
Email filtering helps reduce Fordham’s volume of intrusive and unsolicited spam emails. TAP helps protect Fordham employees from specific threats distributed via email, including phishing and access to malicious websites. Although these email protection services reduce email-borne security risks, caution must still be exercised when reviewing questionable emails.
Email encryption provides Fordham University employees a method for safeguarding the content of email messages from being read by unintended recipients while in transit. Encryption renders the content of your email (including any attachments) unreadable as it travels from origin to destination.
Additional Info
Potential phishing and malicious emails can be reported safely and in real time with one click from your Fordham Gmail using the Cofense Reporter™ Gmail add-on, or by emailing spam@fordham.edu.
For more information on email security services, review portal webpages on spam filters, Targeted Attack Protection (TAP), and email encryption.
Endpoint Protection
What We Do
Endpoint Protection software is installed on all Fordham-owned and managed endpoint devices running Windows, Mac, and Linux operating systems. An endpoint is any remote device sending and receiving communications within Fordham’s network, such as desktops, laptops, tablets, smartphones, and servers.
Why We Do It
Endpoint protection or endpoint security software is designed to prevent endpoints from being breached and to safeguard against advanced security threats. Endpoint protection software includes antivirus (AV) functionality to detect and remove malware such as viruses, ransomware, trojans, and keyloggers.
Additional Info
Fordham uses CrowdStrike Falcon™, an endpoint protection platform that combines antivirus, threat intelligence, endpoint detection and response (EDR), and other IT hygiene products.
Contact Information Security and Assurance at infosec@fordham.edu to learn more about endpoint protection solutions at Fordham.
Information Security Awareness Training
What We Do
Information Security and Assurance manages an immersive cybersecurity program for Fordham employees to help them identify and minimize cyber-related threats to the University, as well as make safer choices in securing their personal information while using technology in their daily activities. Comprehensive awareness campaigns are deployed 3-4 times a year and include interactive online courses reinforced with posters, newsletters, and postcards. Information Security and Assurance actively uses social media to provide alerts and helpful tips that help employees recognize increasingly sophisticated cyber threats and better protect the University and themselves.
Periodically, Information Security and Assurance creates and delivers simulated phishing emails with an educational component to help employees learn how to spot a real phishing attempt to obtain sensitive information.
Why We Do It
Information Security and Assurance is committed to creating and sustaining a security-aware culture where its community can recognize security and compliance risks and act or escalate as appropriate.
Additional Info
Fordham uses Terranova™ as its security awareness solutions provider. To access the courses, log in to Terranova-Security Awareness in the academic section under My Apps in the portal, fordham.edu.
For updates on recent phishing activity and other security issues, subscribe to Information Security and Assurance’s blog, Fordham SecureIT, follow on Twitter™ (@FordhamSecureIT), and like our Facebook® Page.
Information Security Risk Management and Assessment
What We Do
Information Security and Assurance uses industry frameworks and best practices to identify, quantify, and track security risks affecting the University, and implements plans to address and manage them. When detected, the group reports the identified business process risks to the business owner and develops a remediation plan or documents the risk acceptance provided by the business unit. Some risks may require review and acceptance by the Information Risk Management Board (IRMB).
Why We Do It
A formal Information Security Risk Management and Assessment program consistently identifies and tracks information security risks, guides implementation plans for remediation, facilitates compliance with applicable state and federal regulations, and enables informed decisions regarding risk tolerance and acceptance.
Additional Info
Contact Information Security and Assurance at infosec@fordham.edu or the Information Risk Management Board (IRMB) for more information on Information Security Risk Management.
IT Auditing
What We Do
Guided by internal and external auditors, Information Security and Assurance performs data and business process audits. At times, these audits are presented to the Audit Committee of the Board of Trustees for further discussion and possible remediation. In addition, Information Security and Assurance works with technical teams in and outside of Fordham to remediate, transfer, or accept critical findings and strengthen the University’s risk posture.
Why We Do It
Audit findings help uncover unintended exposure of sensitive data and identify risks to be mitigated, for example through review of user and vendor access to University information assets.
Additional Info
Contact Information Security and Assurance at infosec@fordham.edu to learn more about IT auditing processes, scheduling, and findings.
IT Security Incident Response
What We Do
Information Security and Assurance prepares for, responds to, and seeks to prevent information security incidents that could result in the theft, misuse, breach, or compromise of Fordham’s information assets or an interruption of its business operations. After an incident, the team helps prevent further damage to the University by working with departments and outside support (such as law enforcement) to contain and remediate the incident.
Why We Do It
Effectively responding to information security incidents helps safeguard Fordham’s information assets and reduce disruption to business operations.
Additional Info
To file a confidential report on a known or suspected IT security incident, use the Fordham University Integrity Hotline or contact Information Security and Assurance at infosec@fordham.edu. More information on Confidential Incident Reporting is available separately.
Potential phishing and malicious emails can be reported safely and in real time with one click from your Fordham Gmail using the Cofense Reporter Gmail add-on, or by emailing spam@fordham.edu.
IT Third-Party Risk Management
What We Do
Working with business partners across the University, Information Security and Assurance evaluates and works to reduce the inherent risks of third parties providing technology services to Fordham. This group evaluates and reports on the overall risk of working with the third party, places appropriate language in agreements to mitigate risk, documents business partner risk acceptance, and monitors third parties on an ongoing basis to ensure their technology risk profile has not changed.
Why We Do It
Effectively managing the risks presented by our expanded ecosystem of partners and providers is essential to reducing the associated compliance risks and downstream liability that could result in increased costs, outages, decreased revenue, and the diminished confidence of our stakeholders.
Additional Info
Transmission of data to or from the University to a third party must be reviewed and approved by Information Security and Assurance. The review may be initiated as a service request using Tech Help on our portal or by contacting IT Service Desk at 718-817-3999 or HelpIT@fordham.edu.
For more information on IT Third-Party Risk Management, contact Information Security and Assurance at infosec@fordham.edu.
Manage and Maintain SSDLC Compliance
What We Do
A software development life cycle that includes formally defined security activities within each of its phases is known as a Secure Software Development Life Cycle (SSDLC). Information Security and Assurance provides thought leadership and subject matter expertise in SSDLC controls, policies, and standards. They partner with Application Development and Operations teams to develop and implement application security strategies and provide recommendations for mitigation and remediation of risks, issues, and deficiencies.
Why We Do It
Use of secure software development techniques and architectures reduces the likelihood and downstream effects of security-related risks and facilitates compliance with best practices, industry standards, and regulatory requirements.
Additional Info
For more information, contact Information Security and Assurance at infosec@fordham.edu.
Multi-Factor Authentication
What We Do
Multi-factor authentication (MFA) provides password-protected online accounts at Fordham with an additional layer of security. This security enhancement requires you to verify your identity with a second factor, in addition to your password, when logging in to your account. A smartphone, landline, cell phone, tablet, or hardware token may be used to verify your identity.
Why We Do It
Passwords that are short, simple, and reused for multiple sites and accounts do not provide adequate protection. Verifying user identity using MFA reduces the risk associated with unauthorized access to accounts, should passwords ever be compromised.
Additional Info
Fordham’s MFA service is provided by Duo Security®, a trusted company used by many higher education institutions.
Regulatory Compliance
What We Do
Information Security and Assurance guides Fordham University’s data compliance with regulatory requirements including, but not limited to, PCI, HIPAA, FERPA, and GDPR. This group identifies and reports process deficiencies to compliance stakeholders and coordinates remediation efforts with appropriate business units and the Office of Information Technology.
Why We Do It
Maintaining a clear view of regulatory compliance risks and coordinating data compliance activities across the University is critical to avoiding the financial penalties, negative public perception, and possible restrictions to programs and resources resulting from compliance failures.
Additional Info
For more information on data-related regulatory compliance, contact Information Security and Assurance at infosec@fordham.edu.
Threat Monitoring
What We Do
Information Security and Assurance continuously monitors and aggregates real-time and logged data from multiple sources and uses automated tools to help identify potential threats to Fordham’s information security. When a threat is identified, an alert is sent to the security team for mitigation or incident response.
Why We Do It
Threat monitoring, through continuous data collection and both automated and manual analysis, enables Fordham to identify previously undetected threats such as external network intrusion and compromised internal accounts. This fuller visibility yields greater protection of Fordham assets and sensitive data from breaches, vulnerabilities, and cyber threats.
Additional Info
For more information, contact Information Security and Assurance at infosec@fordham.edu.
University Information Security Policies and Procedures
What We Do
Information Security and Assurance develops, maintains, and publishes information regarding security policies, procedures, standards, and guidelines and may include the Office of Legal Counsel in the review and approval process based upon the scope of the policy. In addition, the Associate Vice President/Chief Information Security Officer has developed and chairs a University-wide Information Risk Management Board (IRMB) to provide guidance and advocacy on information security standards and security investments.
Why We Do It
Providing the University community with policies, procedures, standards, and guidelines regarding information security identifies established rules and appropriate user behaviors, which, in turn, minimizes risks to University assets and facilitates compliance with applicable state and federal regulations.
Additional Info
Information Security and Assurance maintains a repository of policies, procedures, and guidelines regarding technology resources and services, published as the IT Policy Library.
The Information Risk Management Board (IRMB) meets monthly and is empowered to manage technology risk for the University; its scope and objectives are documented separately.
Vulnerability Management
What We Do
Information Security and Assurance uses vulnerability assessment tools, manual review, and penetration testing to detect and report information security weaknesses of designated systems and networks.
Why We Do It
Using a formal vulnerability management process, Information Security and Assurance coordinates remediation efforts with appropriate business units and the Office of Information Technology to reduce the exposure of systems and networks to hacking, denial of service, and other security risks originating both inside and outside the University.
Additional Info
A request for a vulnerability assessment of a Fordham University-owned and managed resource (servers, workstations, applications) can be made as a service request using Tech Help on our portal or by contacting IT Service Desk at 718-817-3999 or HelpIT@fordham.edu.
Web Application Scanning
What We Do
Using manual and automated tools, Information Security and Assurance assesses web-based applications and their server configurations to detect security vulnerabilities and risks so that development teams can remediate identified issues.
Why We Do It
Detecting security flaws in web-based applications enables development teams to address security loopholes and prevent would-be hackers from gaining unauthorized access to Fordham data.
Additional Info
A request for a web application assessment can be made as a service request using Tech Help on our portal or by contacting IT Service Desk at 718-817-3999 or HelpIT@fordham.edu.