The Department of Homeland Security recently evaluated the University of Montana on its cybersecurity, but only one person on campus can see the results.
Renae Scott, UM’s chief information officer, requested that DHS conduct a Cyber Resilience Review, a free service that evaluates an organization based on categories like incident management, training and awareness. But she had to receive clearance from DHS to see the assessment results.
“I take my job seriously,” Scott said. “As a new CIO, I felt obligated to understand what I was inheriting and where we stood.”
Scott said she was familiar with the service because she spent time in Houston, Texas, at Rice University, which she said used it extensively. She first came to UM as assistant CIO in January 2017, served as interim CIO beginning in August 2018 and became the permanent CIO last May.
Jason Sloat, UM risk and insurance manager, said cybersecurity is one of the biggest threats to the state of Montana in general.
“Within the state government and state agencies, the number of attacks that are attempted on a daily and weekly and monthly basis is astronomical,” Sloat said.
DHS partnered with Carnegie Mellon University’s Software Engineering Institute to create the service, according to the department’s website. DHS sends a representative to evaluate cybersecurity and provides an assessment of how the institution compares, in this case, to other universities.
Scott said the representative visited last September, met with staff and asked a lot of questions. She received a draft assessment in October, which she reviewed with DHS.
“It helped inform as to where we’re on the right path and where we had a little room for improvement,” Scott said.
Scott said one area of IT that needs improvement is communication. UM recently sent an alert about email phishing, and Scott said it plans to do more. She said the assessment could provide examples of best practices, like sending a monthly newsletter.
The Critical Infrastructure Information Act of 2002 exempts information shared in the assessment from disclosure laws, including the Freedom of Information Act, according to the DHS website.
UM is also in the process of hiring a chief information security officer. Scott said the officer would report to her and manage the other IT security staff. She initially advocated for creating the new position, and UM provided additional funding for it.
“I think it’s my job to do the best I can with the team to protect the University’s assets, and those assets are data,” Scott said. “We do our best to keep it confidential, and that’s where these assessments come in.”