This Week’s Cybersecurity News, 05/18/2023

Share on

Good morning.

Today I don’t have any new threats that need to be discussed, so I want to focus on the UTK Classification Survey. This is not new, but classification was temporarily put on hold while the new NetReg was being implemented. Now that the surveys are being sent again, I want to answer some of the questions users are having.

Classification Survey Reminder

  • I have mentioned this a couple of times in previous newsletters, but it is definitely worth bringing up again because so many people are receiving these emails.
  • OIT has resumed the requirement that you must classify/reclassify your Institute-owned devices.
  • While these surveys were to begin going out in mid-March (after spring break), they didn’t start as quickly as expected and are being sent in large numbers at this time.
  • You are once again required to complete a classification survey for each Institute-owned device.
  • Identifying each device may be problematic, so here are some tips:
    • Any Institute-owned Dell computer set up by our regional IT professionals or by OIT’s Desktop Support will typically use the Service Tag number in the IP address.
      • If the Service Tag is ABC1234, then the IP address is abc1234.ag.utk.edu for the wired connection.
      • If the connection is wireless, the IP address is likely abc1234wifi.ag.utk.edu or possibly abc1234wifi.nomad.utk.edu.
      • If the device with this Service Tag is using a docking station, the IP address is likely abc1234dock.ag.utk.edu.
      • If you do have multiple devices to classify using the same Service Tag, this because each connection type has to have a separate NetReg entry, so please complete the survey for each and use the same responses for each.
    • If your device was set up by CVM Computer Operations, these same guidelines apply, but instead of using the Service Tag, CVM Computer Operations will generally use a room number and name (ex: g061sandy.vet.utk.edu or g061sandy.nomad.utk.edu).
    • If you registered a device yourself, then you probably chose an IP name that will help you identify that device.
    • You can also log into https://netreg.utk.edu and see the devices that are registered in your name as the Primary User.
      • Once you log in, you will see a list of each device you have as Primary User.
      • When you click the green “+” beside each entry it will show the location and OS of that device, as it was registered.
      • If you see a device for which someone else is now the Primary User, please let me know the device label and new Primary User and I can update that for you.
      • If you see a device that you know has been surplused, you can click the pencil under Edit and unregister that device…or you can email me the device label and I can unregister it for you.
      • You can also update the location of your device, if necessary.
    • If you still need help identifying a device, please call the OIT HelpDesk at (865) 974-9900.
  • You will be asked to identify, via checkboxes, the type of data stored, viewed, or processed on it.
  • Please refer to UTIA IT0115 – Information and Computer System Classification Policy to learn more about the classification of IT assets.
  • Please refer to UTIAIT0115P – Organizational Guidance for the Classification of Information and Systems if you have any questions about specific data and how it is classified, keeping in mind that data not listed here is likely classified as “low”.
  • Please take caution when you complete the survey(s) that you are responding for the appropriate device.
  • This is crucial…DO NOT INCLUDE DATA THAT IS YOUR OWN OR YOUR FAMILY’S.
    • While your own data is very important, the device is classified based on the Institute’s and University’s data that is stored on it.
    • Part of the purpose of classifying devices is that in the event of a breach, we know who must be contacted.
    • If the only PII stored on your devices is your own or your family’s, there is no contact that must be made and no State and/or Federal reporting that is required.
    • Including your own or your family’s data, such as personal credit cards, Social Security numbers, driver’s license numbers, etc., could cause the classification to be set at a higher level than it should and would create the need for a security plan to be written for that device when it really is not necessary based on the actual Institute’s data you are storing.
  • I will be regularly checking the responses for Institute-owned systems and will see how the classifications are looking.
  • If there the results are questionable (i.e., an inordinate amount of devices classified as “high”), I will begin contacting the primary users to find out more specific information about data being stored.
  • Then I can begin scheduling meetings with those whose devices should truly be classified as “moderate” or “high” so I can help create a system security plan for those devices.
  • Please complete the UTK classification survey within 30 days of notification, otherwise your devices will lose network access until the survey is complete.
  • Remember that there will be reminders sent from the first notice until the deadline until you complete the classification process.
    • Please know that, as with the Security Awareness Training reminders, no one is trying to harass you.
    • With the large numbers of people being asked to complete a task, it is easier to send reminders to everyone who has not completed it, as not all people set their own reminders and things can come up unexpectedly.
  • Since this is an annual event, I would like to repeat my best advice that it is far less bothersome to classify all your devices on the same day so they are all on the same schedule.

I thank you all so much for all you do to protect the Institute and its data. I am always happy to answer questions and concerns you may have.

Have a great rest of the week!

Sandy

Important Note: Thank you so much for sharing these e-newsletters with family, friends, clients, students, and anyone else who may benefit from the information. I would like to stress that you should keep your students in mind, as non-employee students will not get this information without someone sharing. If anyone has an email group for students who are not employees of your department, please let me know what that address is and I can include it. I do this as a blind copy so student names and addresses will not show up!