Celebrating Cybersecurity Awareness: A Few Reminders from Information Services

You’ve Been Hacked!
If you haven’t heard those words before, you’re one of the smart… or maybe just lucky ones! It’s
hardly news that the security of personal and organizational data is challenged daily, and often
successfully. This only strengthens our commitment in IS to protect the College’s data. Whether
College financial records or an individual’s emails, the highest priority is to provide the
infrastructure, technologies, policies, practices, staff, and training needed for the best data
protection.
Reading about information security, as I do, and worrying about it, as I do as well, here are
leading best practices:

1. Talk about information security often… make people aware of the threats and the best behaviors to safeguard data.

October is National Cybersecurity Month! Heather Romanski’s article in this newsletter details
activities and events on campus designed to improve your data protection awareness and
training. IS also regularly sends Information Security Alerts and offers workshops on best
information security practices throughout the year. In addition, staff contribute to the
“Information Security-A Shared Responsibility” blog.

2. Realize data protection awareness is about the traditional weakest link: people.

It’s College policy that all new employees and those with access to Personally Identifiable
Information (PII) complete information security awareness training. The simulated phishing
messages you’ve seen in the last few months help reinforce that training. (And we all can get
“caught”… free Dunkin’ Donut holes anyone!?!) Data protection systems such as Druva Insync,
Malwarebytes, and Meraki Mobile Device Management are required on all College machines to
protect against ransomware and human lapses. In addition, there are criteria for secure network
access from off-campus work environments, a part of the FlexWork Policy.

3. Investment is required. If data protection is a priority… putting resources and effort behind safeguarding proves it.

Fortunately, the College has technology replacement funding for key network hardware
upgrades on a planned and regular cycle. System monitoring software is provided and
maintained. The College’s dedicated information security staff are excellent, and continued
professional development is encouraged. Moving Banner and other systems to the cloud this year
ensures College data is encrypted at rest, not just in transit, an important best practice.
Cybersecurity insurance standards are reviewed and requirements addressed annually.

4. Information security is not the responsibility of any single department. It’s not an “IS” thing… it’s an everybody thing!

Information security takes commitment across all
departments. The Data Governance Policy and Stewardship Committee, led by the College’s
Chief Information Security Officer (CISO) John Schaeffer, is working to ensure responsibility for
data protection is understood and shared across the College.

5. Monitoring performance and continuously improving a data protection environment is the key to success.

Systems are automatically monitored for threats or potential attacks and IS staff members
quickly respond to threats. The Information Security Team meets bi-weekly for a robust
discussion of threats, practices, and possible environmental improvements. College information
security policies are public and enforced. The next biennial external review of the Conn
information security environment is planned for spring 2023.
Finally, though IS is committed to institutional information security, individuals should regularly
inventory their data protections, such as adopting strong passwords, using a password
manager, and taking advantage of two-factor authentication whenever possible.
Be smart and be safe!

W. Lee Hisle, Ph.D.
Vice President of Information Services and Librarian of the College
