It’s hard to believe that we have been working remotely since the middle of March. It is wonderful, however, that everyone has been adapting so well and continuing to be so security-minded. The Institute sure does have amazing people from one end of the state to the other!
Since hackers have been working hard to take advantage of the chaos in the world today, I have been giving a lot of thought as to how I may better communicate trending scams, while helping everyone know what to do depending on the attack vector involved with these scams. I often use the UTIAsecurity front page to post information like how to spot spear phishing attacks, when it’s time for training, and other important information. I have decided that in the next few days I will be updating the UTIAsecurity site to keep this information available at any given time. Sometimes the email scams make the rounds all at once, while sometimes they hit sporadically. I will continue to email everyone on the UTIA list when there is a large issue that I need to immediately warn everyone about.
Please keep emailing me when you have questions about a possible scam. It will help me know when something is more widespread because I don’t always get the same emails. Feel free to email me anytime; however, you can also call anytime. If I can’t answer, please leave me a voice mail and I will get back with you as soon as I can. We can better deal with security when we work together!
Finally, I want to make sure I keep people informed about updates to our IT Security policies and procedures. Each month I will add some information about the latest updates. For instance, last month four policies were updated and approved. Here are two of them:
- Added that departments are responsible for officially terminating employees so that accesses may be taken away as soon as possible.
- Replaced “reasonable amount” of time with “15 minutes” of idle time before a session lock is initiated.
- Added “including students” in the scope.
- Added that the attestation for employees can be emailed.
- Added that the merchant Primary Point of Contact must collect and store these attestations, and must provide them to the Institute’s CISO, Treasurer’s Office, auditor, or PCI official when asked.
- Added that the PCI training is now offered by UT System Administration (through K@TE).
Thanks to all those who email with questions or comments. I appreciate hearing from each of you. I am here to help, so don’t ever think a question is too small.
Please continue to stay safe and healthy.
Sandy