Data Security Through Device Security | Information Technology | University of Pittsburgh

Data Security Through Device Security

The nature of being a higher education and research institution means that universities have a lot of information to manage—everything from grades and tuition payments, to employment records and research data. Protecting the confidentiality and integrity of the information we collect is essential and, in many cases, required by law.

Ironically, the tech that has transformed the way we work also means that data security and privacy are now more important considerations for researchers than ever. When people can access data on any device from any location, it’s much harder to ensure proper security precautions are being taken. In a remote work environment, that means device security is the key to data security.

University Owned, University Managed

The University is responsible for protecting the sensitive data it collects. Therefore, to prevent unauthorized access, devices that are used to access, work with, and store the data must adhere to strict security protocols and have the most up-to-date software. After all, if the device cannot be secured, then its access to the University's sensitive data cannot be secured either.

Only University-owned and managed computers should be used to store or access any sensitive University data or critical systems. A work computer that is centrally managed by your IT department or by Pitt IT’s device management service is guaranteed to have the latest security patches and updates, with all security settings enabled.

Why can’t you just use your own laptop at home? Because, if we’re being honest, we aren’t so careful with a personal device. We don’t always check for and install every security and software update as soon as it comes out. We sometimes turn off security settings that we find annoying. We sometimes let a spouse, child, or visitor use our computer. All of those are security risks, and violate the requirements for dealing with the highest-risk data, like HIPAA-protected information.

What Does “Sensitive Data” Mean?

Data can be put into three buckets: public, private, and restricted.

  • Public data is intended for public disclosure, so the loss of confidentiality would have little to no adverse impact on Pitt. Much of this data is already easily available—for example, directory information or job postings. If you work with anonymous, non-sensitive research data that could be in a published paper, that’s public. Public data may be stored on your computer or in your cloud account, does not require encryption in transit, and has no specific access restrictions.
  • Private data is generally internal to your department or the University. A confidentiality breach could negatively impact Pitt’s mission, safety, finances, or reputation. Examples include student records, employment applications, personnel files, salary information, contracts, internal correspondence, financial information, and moderate-risk intellectual property. Private data should be stored on Pitt owned/maintained devices or approved cloud accounts, requires encryption in transit, and can be accessed only by authorized Pitt personnel.
  • Restricted data must be protected in accordance with legal or regulatory requirements (e.g. HIPAA, FERPA, and the like). The loss of confidentiality or accessibility of the data could have a severe impact on our mission, safety, finances, or reputation. This includes Social Security numbers, driver’s license numbers, bank or credit card numbers, protected health information, high-risk intellectual property, and identifiable sensitive research information. Restricted data may only be stored on a computer that is University-owned/maintained and is registered with Pitt IT. It requires encryption in transit, and access is limited and controlled by the relevant regulations.

Proceed with Care

So you work with private or restricted data … now what? If you have a University-owned and maintained computer, use it—and only it—when working with sensitive data. Connect to secure systems with PittNet VPN (Pulse Secure), don’t let others use the computer or reveal your password, and maintain good cybersecurity habits.

If you don’t have a University-owned and maintained computer at home, contact your IT department or Pitt IT. They can help you ensure a secure environment to keep your device and data safe and compliant with relevant laws and regulations.

Device security and data security go hand in hand. Make sure you are using a University-owned and maintained computer when you work with sensitive data so what’s private stays private!

-- By Karen Beaudway, Pitt IT Blogger


EMAIL AND ACCOUNT SECURITY

Keep Your Accounts, Yours

The Account Administration service enables the University to manage its account services in an effort to securely verify and protect its identity with tools such as Multifactor Authentication and Federated Authorization Process (Student Mart Access).

Those who utilize our Pitt Email (Outlook) service are also provided with access to select services to securely manage email communications with Advanced Threat Protection and Enterprise Spam and Virus Filter Service with Exchange Online Protection (EOP).

IT GOVERNANCE

Practice Good Governance with Our Guidance

Pitt IT regularly updates its security knowledge base with the latest governance standards, while also ensuring the University’s safety against external attacks and internal accidents with industry-leading security methods and best practices. Request guidance or support from Pitt IT or learn more with the resources below.

IT Governance and Regulatory Compliance

Maintain compliance with applicable laws and regulations for restricted data (e.g., DFARS/CMMC, FERPA, GDPR/PIPL, GLBA, HIPAA, NIST 800-171, PCI)

Data Classification & Compliance

Protect the privacy of students, alumni, faculty, and staff through precautions and data classification measures that guard against unauthorized access.

Governance & Policy Security Guides

Maintain safety practices around policies and standards with our easy-to-follow guides — developed and maintained for accuracy by Pitt IT Security and organized below.


IT POLICIES AND PROCEDURES

Master University Guidelines

Pitt IT has partnered with University communities to establish security policies that help protect computers and information from security threats — such as viruses, Trojan horses, hackers, and other forms of cybercrime.

Review these policies to help your department protect its data, while also adhering to state and federal regulations regarding technology.

View IT Policies & Information

IT SECURITY AUDIT SUPPORT

Manage Security Audits with Our Help

Pitt IT Security is available to assist departments and schools in all IT security audit needs — including regulatory requests. Contact us for expert guidance in managing and executing audit processes through risk identification, evaluation, and mitigation.

IT Audit Guidance

Request risk-based security audits from Pitt IT Security to determine if your University data is adequately protected. Assistance is also offered in cases where departments are requested to perform and report internal IT audits.

IT Risk Management

Improve your departmental risk identification, evaluation, and mitigation capabilities by working with Pitt IT Security to identify risks, assess any potential impacts, and lessen risks by implementing mitigation controls.

IT Contract & Agreement Review Service

Review contracts and agreements with our guidance to determine if your department and the University can meet contractually obligated data-security requirements.

THREAT AND INCIDENT MANAGEMENT

Identify Risks Before They Become Threats

Pitt IT Security can help you identify potential threats before they become issues for your department. Are you concerned that your data has already been compromised? Pitt IT Security will help you assess the situation, manage the incident, and respond to University stakeholders and legal partners.

IT SECURITY ARCHITECTURE AND ENGINEERING

Build a Security Strategy that Fits Your Needs

Security architecture can help you design and document key elements of your overall security program, which ensures that your department and users can understand and utilize methods for creating safe, collaborative digital environments. Pitt IT Security will work closely with you to create a well-defined strategy that fits your needs and uses industry-leading best practices to enable your department’s security and success.

Strategy and Design

Plan and create your IT environment with security as a top priority.

Security Tooling

Implement the proper tools and security measures for your needs.

Solution Engineering

Design and develop secure solutions that fit your unique work processes and data needs.