Information Security and Assurance Service Portfolio

To prepare for outages and other significant disruptions, Information Security and Assurance helps its business partners identify the technology and systems critical to their business processes, build robust technical business continuity plans and communication strategies, and test them with departmental and University-wide exercises. As part of Business Continuity Planning, Information Security and Assurance also works with business partners and other Office of Information Technology groups to compose Disaster Recovery Plans to restore critical operations in anticipation of or after an event. In addition, information Security and Assurance actively participates in Fordham Public Safety’s University-wide emergency preparedness tabletop exercises.

The primary purpose of business continuity and disaster recovery planning is to minimize the effect of an outage or other significant disruption on critical Fordham operations.

Fordham uses Recovery Planner, RPX, accessible in the Administrative section under My Apps in our portal, to publish and maintain departmental business continuity plans created in partnership with business process owners.

Information Security and Assurance partners with several groups, sharing experiences and gaining insight on worldwide security threats. These groups include Higher Ed organizations, REN-ISAC, the FBI, the U.S. Secret Service, and law enforcement agencies.

As the threat landscape for information security continues to evolve and affect those around us, key partnerships are essential to staying ahead.

For more information, contact Information Security and Assurance at [email protected].

Information Security and Assurance provides data destruction services for various media and conditions. There are numerous data erasure and data wiping standards for the secure removal of data. In addition, the team has the technology and capability to erase or wipe data from a single low-level format to a 7-pass DoD (Department of Defense) 5220.22-M Wipe Standard.

The data must be completely erased or wiped clean when disposing of a computer, mobile device, removable media, or other storage devices. If data is improperly or not thoroughly wiped, it can be retrieved by hackers, putting Fordham assets at risk.

A request for data destruction (wiping) can be made as a service request using Tech Help on our portal or by contacting IT Service Desk at 718-817-3999 or [email protected]. 

Information Security and Assurance guides how data should be classified and, based upon this classification, ensures that the data is stored on an appropriate platform that provides adequate data protection. This group also ensures that new solutions have appropriate data protections, either by technology, administrative controls, or contractual provisions, before they are deployed.

Identifying and classifying data and the standards and policies to properly handle each type of data help ensure proper protection, facilitate regulatory compliance, and increase awareness of who should or shouldn’t have access to it. 

Fordham University’s Data Classification and Protection Policy applies to all data produced, collected, stored, or used by the University, its employees, student workers, consultants, and agents during their relationship with the University. The Data Classification Guidelines can help you understand the regulations and policies governing Protected and Sensitive Data and determine where to store your files. 

Information Security and Assurance employs a variety of proactive and reactive tools to protect University data in print, in use, at rest, and in transit – both on-site and on remote equipment. The tools include but are not limited to enterprise-class encryption software, personally identifiable information cataloging, shredding services, data destruction, redaction, and obfuscation tools.

Data loss/leakage prevention tools and techniques mitigate and, whenever possible, prevent the loss of, misuse of, or unauthorized access to University data.

Fordham uses Spirion™ (formerly Identity Finder) to identify unprotected sensitive data on desktops, laptops, servers, and other media (excluding mobile phones or tablets) issued by Fordham University. Any sensitive information found is masked and not visible in plain text. Learn more about how Fordham uses Spirion here.

Fordham uses CloudLock® to scan Google Drive™ files and Microsoft 365™ DLP to scan Microsoft OneDrive™, SharePoint®, and Microsoft 365 files in the Fordham domain. This ensures that Fordham Protected and Fordham Sensitive data are stored and shared appropriately and securely. View frequently asked questions about CloudLock and Microsoft 365 DLP.

Contact the Information Security and Assurance at [email protected] to learn more about data loss prevention processes at Fordham.

Data privacy involves the appropriate handling of data throughout the data's lifecycle. Working with the Office of Legal Counsel, Information Security and Assurance evaluates how data is collected, shared, used, stored, and disposed of and ensures the University has adequate privacy controls in place. In addition, data flows are mapped and maintained to identify data entry points and data usage. 

Assess business processes and data flows to ensure that data is obtained, processed, shared, retained, and disposed of in a manner that best protects the privacy of Fordham constituents.

For more information, contact [email protected].

Information Security and Assurance provides full-disk encryption for Fordham-issued desktops, laptops, and removable media encryption for items such as thumb drives, to help safeguard data stored locally on those devices. Encryption involves the process of encoding data or plain text in such a way that only authorized parties can access it. The Disk Encryption Policy states Fordham employs disk encryption technologies on the University's IT Resources to protect the confidentiality of information. 

By encrypting devices such as desktops and laptops, Fordham ensures data confidentiality and integrity on the device, as only the laptop owner can access the locally stored data. The data cannot be modified while “at rest” without credentials. Additionally, if the device is lost or stolen, encryption safeguards the locally stored data from unauthorized access.

Fordham uses McAfee® Drive Encryption on all Fordham-issued desktops, laptops, and McAfee's File and Removable Media Protection for devices such as thumb drives. A request for drive encryption or removable media encryption can be made as a service request using Tech Help on our portal or by contacting IT Service Desk at 718-817-3999 or [email protected]. 

Information Security and Assurance provides eDiscovery through digital forensic analysis in tandem with incident response. Investigations and incident responses are generally completed with or on behalf of the Office of Legal Counsel, Human Resources, the Office of Public Safety, and outside support such as law enforcement.

Information Security and Assurance provides the process, resources, and any electronically stored information required for litigation holds, compliance regulations, or to aid in criminal or civil cases.

Contact Information Security and Assurance at [email protected] to learn more about eDiscovery processes at Fordham.

To augment the email protection features built into Gmail™, Information Security and Assurance employs three email protection services from Proofpoint®: email filtering, malicious URL blocking, and email encryption. 

Emails are scanned and filtered for spam (junk email and unsolicited messages sent in bulk) and match known malware and phishing patterns. When a message is identified as potential spam or suspicious, it is quarantined. The recipient is sent a Quarantine Summary email and can view the messages and decide whether to release them to their inbox and mark them as not spam or leave them classified as spam to be deleted.

Fordham faculty and staff are also provided with Targeted Attack Protection (TAP), which analyzes and blocks malicious URLs sent via email messages and attachments.

Fordham offers email encryption to secure messages sent to people outside of Fordham, that is, to non-Fordham email addresses. In addition, email communication within the Fordham domains, fordham.edu and law.fordham.edu, is automatically secured while in transit.

Email filtering helps reduce Fordham’s volume of intrusive and unsolicited spam emails. In addition, TAP helps protect Fordham employees from specific threats distributed via email, including phishing and access to malicious websites. Although these email protection services reduce email-borne security risks, caution must still be exercised when reviewing suspicious emails.

Email encryption provides Fordham University employees a method for safeguarding the content of email messages from being read by unintended recipients while in transit. Encryption renders the content of your email (including any attachments) unreadable as it travels from origin to destination.

Potential phishing and malicious emails can be reported with one click from your Fordham Gmail safely and in real-time with the Cofense Reporter™ Gmail add-on or email [email protected].

For more information on email security services, review webpages on spam filters, Targeted Attack Protection (TAP), and email encryption. 

Endpoint Protection software is installed on all Fordham-owned and managed endpoint devices running Windows, Mac, and Linux operating systems. An endpoint is any remote device sending and receiving communications within Fordham's network, such as desktops, laptops, tablets, smartphones, and servers.
Endpoint protection or endpoint security software is designed to prevent endpoints from being breached and to safeguard against advanced security threats. Endpoint protection software includes antivirus (AV) functionality to detect and remove malware such as viruses, ransomware, trojans, and keyloggers.

Fordham uses CrowdStrike Falcon™, an endpoint protection platform that combines antivirus, threat intelligence, endpoint detection and response (EDR), and other IT hygiene products. Learn more about the functions of CrowdStrike Falcon.

Contact the Information Security and Assurance at [email protected] to learn more about endpoint protection solutions at Fordham.

Information Security and Assurance manages an immersive cybersecurity program for Fordham employees to help them identify and minimize cyber-related threats to the University and make safer choices in securing their personal information while using technology in their daily activities. Comprehensive awareness campaigns are deployed 3-4 times a year and include interactive online courses reinforced with posters, newsletters, and postcards. Information Security and Assurance actively uses social media to provide alerts and helpful tips for recognizing and protecting the University from increasingly sophisticated cyber threats. 

Periodically, Information Security and Assurance creates and delivers simulated phishing emails with an educational component to help employees learn how to spot a real phishing attempt to obtain sensitive information.

Information Security and Assurance is committed to creating and sustaining a security-aware culture where its community can recognize security and compliance risks and act or escalate as appropriate.

Fordham uses Terranova™ as its security awareness solutions provider. To access the courses, log in to Terranova-Security Awareness in the academic section under My Apps in the portal, fordham.edu.

For updates on recent phishing activity and other security issues, subscribe to the Information Security and Assurance blog, Fordham SecureIT, follow us on Twitter™ (@FordhamSecureIT), and like our Facebook® Page.

Information Security and Assurance uses industry frameworks and best practices to identify, quantify, and track security risks affecting the University, and implements plans to address and manage them. When detected, the group reports the identified business process risks to the business owner and develops a remediation plan or documents the risk acceptance provided by the business unit. Some risks may require review and acceptance by the Information Risk Management Board (IRMB).

A formal Information Security Risk Management and Assessment program consistently identifies and tracks information security risks, guides implementation plans for remediation, facilitates compliance with applicable state and federal regulations, and enables informed decisions regarding risk tolerance and acceptance.

Contact the Information Security and Assurance at [email protected] or the Information Risk Management Board (IRMB) for more information on Information Security Risk Management. 

Guided by internal and external auditors, Information Security and Assurance performs data and business process audits. At times, these audits are presented to the Audit Committee of the Board of Trustees for further discussion and possible remediation.  In addition, Information Security and Assurance works with technical teams in and outside of Fordham to remediate, transfer, or accept critical findings and strengthen the University’s risk posture.

Audit findings help uncover unintended exposure of sensitive data and identify risks to be mitigated, such as a review of user and vendor access to University information assets.

Contact Information Security and Assurance at [email protected] to learn more about IT auditing processes, scheduling, and findings.

Information Security and Assurance prepares for, responds to, and seeks to prevent information security incidents that could result in the theft, misuse, breach, or compromise of Fordham’s information assets or an interruption of its business operations. Additionally, the team helps prevent further damage to the University after an incident by working with departments and outside support (such as law enforcement) to contain and remediate the incident.

Effectively responding to information security incidents helps safeguard Fordham's information assets and reduce disruption to business operations.

To file a confidential report on a known or suspected IT security incident, use the Fordham University Integrity Hotline or contact Information Security and Assurance at [email protected]. View more information on Confidential Incident Reporting.

Potential phishing and malicious emails can be reported with one click from your Fordham Gmail™ safely and in real-time with the Cofense Reporter Gmail add-on or email [email protected].

Working with business partners across the University, Information Security and Assurance evaluates and works to reduce the inherent risks of third parties providing technology services to Fordham. This group evaluates and reports on the overall risk of working with the third party, places appropriate language in agreements to mitigate risk, documents business partner risk acceptance, and monitors third parties on an ongoing basis to ensure their technology risk profile has not changed.
Effectively managing the risks presented by our expanded ecosystem of partners and providers is essential to reducing the associated compliance risks and downstream liability that could result in increased costs, outages, decreased revenue, and diminished confidence in our stakeholders.

Transmission of data to or from the University to a third party must be reviewed and approved by the Information Security and Assurance. The review may be initiated as a service request using Tech Help on our portal or by contacting IT Service Desk at 718-817-3999 or [email protected]. 

For more information on IT Third-Party Risk Management, contact Information Security and Assurance at [email protected]. 

A software development life cycle that includes formally defined security activities within each of its phases is known as a Secure Software Development Life Cycle (SSDLC). Information Security and Assurance provides thought leadership and subject matter expertise in SSDLC controls, policies, and standards. In addition, they partner with Application Development and Operations teams to develop and implement application security strategies and provide recommendations for mitigating risks, issues, and deficiencies.

Using secure software development techniques and architectures reduces the likelihood and downstream effects of security-related risks and facilitate compliance with best practices, industry standards, and regulatory requirements.

For more information, contact Information Security and Assurance at [email protected].

Multi-factor authentication (MFA) provides password-protected online accounts at Fordham with an additional layer of security. This security enhancement requires you to verify your identity with a 2nd factor, in addition to your password, when logging in to your account. A smartphone, landline, cell phone, tablet, or hardware token may be used to verify your identity.

Passwords that are short, simple, and reused for multiple sites and accounts do not provide adequate protection. Verifying user identity using MFA reduces the risk associated with unauthorized access to accounts, should passwords ever be compromised. 

Fordham's MFA service is provided by Duo Security®, a trusted company used by many higher education institutions. Learn more about how MFA works.

Information Security and Assurance guides Fordham University’s data compliance with regulatory requirements including, but not limited to, Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standards (PCI DSS), General Data Protection Regulation (GDPR), Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

In addition, this group identifies and reports process deficiencies to compliance stakeholders and coordinates remediation efforts with appropriate business units and the Office of Information Technology. 

Maintaining a clear view of regulatory compliance risks and coordinating data compliance activities across the University is critical to avoiding the financial penalties, negative public perception, and possible restrictions to programs and resources resulting from compliance failures.

For more information on data-related regulatory compliance, contact Information Security and Assurance at [email protected].

Information Security and Assurance continuously monitors and aggregates real-time and logged data from multiple sources and uses automated tools to help identify potential threats to Fordham’s information security. An alert is sent to the security team for mitigation or incident response when a threat is identified.

Threat monitoring, through the continuous collection and both automated and manual analysis, enables threat monitoring  Fordham to identify previously undetected threats such as external network intrusion and compromised internal accounts. This fuller visibility yields greater protection of Fordham assets and sensitive data from breaches, vulnerabilities, and cyber threats.

For more information, contact Information Security and Assurance at [email protected].

Information Security and Assurance develops, maintains, and publishes information regarding security policies, procedures, standards, and guidelines and may include the Office of Legal Counsel in the review and approval process based upon the scope of the policy. In addition, the Associate Vice President/Chief Information Security Officer has developed and chairs a University-wide Information Risk Management Board (IRMB) to provide guidance and advocacy on information security standards and security investments.

Providing the University community with policies, procedures, standards, and guidelines regarding information security identifies established rules and appropriate user behaviors, minimizes risks to University assets, and facilitates compliance with applicable state and federal regulations.

Information Security and Assurance maintains a repository of policies, procedures, guidelines, resources, and services. View the IT Policies, Procedures, and Guidelines page.

The Information Risk Management Board (IRMB) meets monthly and is empowered to manage technology risk for the University. Learn more about its scope and objectives.

Information Security and Assurance uses vulnerability assessment tools, manual review, and penetration testing to detect and report information security weaknesses of designated systems and networks.

Using a formal vulnerability management process, the Information Security and Assurance coordinates remediation efforts with appropriate business units and the Office of Information Technology to reduce system and network vulnerabilities from hacking, denial of service, and other security risks from inside and outside the University. 

A request for a vulnerability assessment of a Fordham University-owned and managed resource (servers, workstations, applications) can be made as a service request using Tech Help on our portal or by contacting IT Service Desk at 718-817-3999 or [email protected]. 

Using manual and automated tools, the Information Security and Assurance assesses web-based applications to detect security vulnerabilities and risks in web applications and server configurations so that development teams can remediate identified issues.

Detecting security flaws in web-based applications enables development teams to address security loopholes and prevent would-be hackers from gaining unauthorized access to Fordham data. 

A request for a web application assessment can be made as a service request using Tech Help on our portal or by contacting IT Service Desk at 718-817-3999 or [email protected].