Previous Announcements

November 28, 2023

Updates to TX-RAMP

The Texas Department of Information Resources (DIR) released version 3.0 of their TX-RAMP Manual. The publication goes into effect on 12/1/2023.

Noteworthy changes include the addition of a transitional grace period that enables state agencies to create and leverage a transition plan from a non-compliant solution to a compliant solution in the event a compliant solution’s TX-RAMP certification lapses or is revoked. The timeline for transition may not exceed 24 months from inception to execution. TWU is responsible for developing, documenting, and adhering to a transition plan that  meets the minimum criteria:

• Identification of Affected Services: Clearly list and describe the services affected by the lapse or revocation of certification.
• Timeline for Transition: Provide a realistic and achievable timeline for the migration to  a compliant solution, including key milestones and deadlines. The timeline for transition  may not exceed 24 months from planned inception to execution.
• Risk Assessment: Conduct a risk assessment to identify and mitigate potential security and operational risks during the transition.
• Selection of Compliant Solution: Detail the process for selecting a TX-RAMP compliant solution that meets the TWU's needs.
• Migration Strategy: Outline the methods and procedures for migrating data and operations to the new solution, ensuring data integrity and availability.
• Monitoring and Reporting: Establish ongoing monitoring and internal reporting  mechanisms to track progress and address any challenges or delays promptly.
• Contingency Planning: Include contingency measures to address unexpected issues or delays, ensuring uninterrupted service delivery.

The TWU Information Security team will review requests to continue using non-compliant cloud services and will work with the system owner to develop this plan. System owners should initiate the request by completing the TX-RAMP Transitional Grace Period form.

Other TX-RAMP Manual 3.0 revisions:

• State agency, DIR, and cloud service provider responsibilities are defined.
• State agencies are responsible for determining whether a cloud computing service is subject to TX-RAMP requirements and determining the minimum certification level of the cloud solution.
• DIR is responsible for assessing and certifying the cloud computing service. Cloud service providers are responsible for providing assessment information and responding to TX-RAMP inquiries.
• Cloud service providers must maintain TX-RAMP compliance requirements, notify the appropriate parties if the cloud computing service loses TX-RAMP certification, and notify customers of breaches to system security.

• A Fast Track Assessment process was introduced that allows cloud service providers to leverage existing DIR-approved third-party assessments or audit reports that provide evidence of security practices. Cloud service providers seeking the Fast Track process for a cloud service must complete the TX RAMP Fast Track Request Form with DIR.
• Additional details regarding provisional, Level 1 and Level 2 certification extension processes have been added.
• Additional clarification is given to cloud computing services that are out of scope.
• Cloud computer services operating on a cloud infrastructure/platform such as Amazon Web Services (AWS) do not inherit the underlying TX-RAMP certification from the cloud infrastructure provider.
• New and revised security controls are addressed. Cloud service providers must implement new or revised security controls within 18 months from the date the changes are adopted.
• Cloud service providers must now provide DIR with a Plan of Action and Milestones for each required security control that is deficient. DIR determines if the proposed solution addresses the failed control.
• The reporting of significant changes to cloud services is addressed with additional clarification and guidance. Cloud service providers must communicate significant changes to DIR within 30 days of the date the change was made, and DIR is responsible for completing an updated service certification review.

For any questions regarding TX-RAMP requirements, please contact D’Ann Jackson at sjackson47@twu.edu or (940) 898-3262.

August 31, 2023

Enroll in Google 2-Step Verification

Texas Woman’s University is strengthening its security posture by enabling multi-factor authentication (MFA) (also referred to as two-factor authentication (2FA) or two-step verification) for specific systems across the University. MFA adds an extra layer of protection when accessing accounts and requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent via voice or text message or tap a verification prompt via a secure app on their phone. 

A phased approach is being used so that groups can easily manage their enrollment into the MFA program. Google Workspace is the next system to require MFA through Google 2-step verification. To enable 2-step verification for your account, please follow the steps detailed in the “Turn on 2-Step Verification” help article provided below. Please copy and paste the link to open in your browser.

https://support.google.com/accounts/answer/185839 

TWU recommends setting up Google 2-step verification using one of the following options:

1. Google Prompt
2. Text (SMS) message
3. Phone call

More information and frequently asked questions can be found at https://twu.edu/technology/information-security/multi-factor-authentication-mfa/google-mfa/ 

December 1, 2022

Changes to TX-RAMP Provisional Certification

Effective 12/1/2022, state agencies can no longer request or sponsor a cloud service provider’s application for Provisional Certification. This process must be initiated by the cloud service provider. The cloud service provider may request an assessment for their cloud service(s) through the TX-RAMP Assessment Request Form.

This means that while TWU Information Security will still perform internal risk assessments for cloud providers, we can no longer submit a Provisional Certification request on the cloud service provider's behalf.

Addition changes to the Provisional certification process are as follows:

• Removes January 1, 2023, deadline for Provisional Certification requests
• Third-party audit/assessment requirement is replaced with Acknowledgement and Inventory questionnaire (this is completed by the cloud service provider)
• Provisional Certification granted after completing Acknowledgement and Inventory questionnaire
• Incorporates an extension process
• Changes agency-sponsored Provisional Certification to Interim Provisional Certification, good for 60 days only (TWU Information Security may exercise this only for "urgent" requests, yet DIR is not responsible for approving these requests quickly)

More details regarding the updated TX-RAMP Manual can be found at https://dir.texas.gov/information-security/texas-risk-and-authorization-management-program-tx-ramp. 

For questions related to how certifications may affect the length of the procurement process, please contact procure@twu.edu.

July 26, 2022

Request Provisional Certifications for TX-RAMP before January 1, 2023

Senate Bill 475, passed by the Texas Legislature, requires the Texas Department of Information Resources (DIR) to establish a Texas Risk and Authorization Management program (TX-RAMP) that provides “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.”

As of January 1, 2022, Texas Government Code § 2054.0593 mandates that state agencies (including Texas Woman’s) must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements. Current requirements state that these cloud services must have valid Provisional, Level 1 or Level 2 certification before a cloud service may be implemented. Certifications are granted by DIR after a valid state risk assessment is performed.

During this year of transition, TX-RAMP offers state agencies the ability to request a Provisional certification, which allows the agency to perform an internal risk assessment as evidence of compliance. This has allowed Texas Woman’s to expedite many TX-RAMP requests that have already been processed since January. However, Provisional certification requests will not be available after this year. Per the TX-RAMP manual, TX-RAMP Provisional status may not be requested after January 1, 2023. This means that, beginning January 1, 2023, all cloud services must obtain a full Level 1 or Level 2 certification prior to contract initiation or renewal. While Texas Woman’s will continue to do internal risk assessments to assess product risk to the University, DIR will be required to perform their own risk assessment in order to grant Level 1 or Level 2 certification. This process is extensive and will significantly increase the amount of time to procure cloud services.

TWU Information Security encourages all academic components and departments to review their current cloud service contracts now to determine when their renewals will take place. If a renewal is in the near future, TWU Information Security may be able to request Provisional certification for the cloud service, if an internal risk assessment is completed before January 1, 2023. To initiate a service evaluation and risk assessment, please fill out the request form.

While a Provisional certification request may decrease the time to procure cloud services compared to other certification levels, it is important to note that TX-RAMP Provisional status is effective until 18 months from the date the Provisional status is granted by DIR. It is a temporary certification, and the cloud service must undergo a full assessment with DIR to obtain a Level 1 or Level 2 certification within the 18-month provisional period to remain in compliance. It is important for academic components and departments to have this conversation with their cloud service providers so that all parties are prepared for the certification process. Cloud service providers may learn more at the TX-RAMP website: https://dir.texas.gov/information-security/texas-risk-and-authorization-management-program-tx-ramp

For questions related to how certifications may affect the length of the procurement process, please contact procure@twu.edu.

February 2, 2021

Multiple Vulnerabilities in Apple Products - Update and Patch Now

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution. This could allow an attacker to access your systems and then install programs; view, change, or delete any data.

Affected systems

• macOS - operating system for Apple desktops and laptops
• iOS - iPhone operating system
• iPadOS - iPad operating system
• tvOS - Apple TV operating system
• watchOS - Apple Watch operating system
• Xcode - Apple's integrated development environment (IDE)

Recommendations

For TWU Assets:

• IT Solutions will address vulnerabilities and apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.

• Run all software as a nonprivileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Evaluate read, write, and execute permissions on all newly installed software.
• Apply the Principle of Least Privilege to all systems and services.

For Personal Devices:

• Personal devices should have automatic updates turned on. If automatic updates are not applied, update affected system to the latest version.
• Do not download, accept or execute files from untrusted and unknown sources.
• Do not visit untrusted websites or follow links provided by untrusted or unknown sources.

April 3, 2021

Facebook Data Breach

Facebook announced it was breached in 2019 resulting in personal records of over 500 million Facebook users being obtained by cyber criminals. Those 500 million records were recently publicly released; now anyone in the world could have access to them. If you had a Facebook account on or before 2019, your data may have been included in that breach and public release. Examples of your information that could have been released include your name, home address, phone number, email address, birth date or any other information you provided to Facebook.

If you are concerned that your data was obtained and released, here are several steps you can take to help protect yourself.

• Change the password that you use for your Facebook account. The new password should be strong, long (we recommend a passphrase) and different than any other password you use for any other account. All of your accounts should use a unique password.

• Enable two-factor authentication (often called 2FA, MFA or two-step verification) on Facebook and all other accounts, especially for personal email accounts and any financial or retirement accounts.

• Protect your privacy and be mindful of what information you share with websites. If you have an account with a website that is hacked and your data is stolen, assume your data could be sold or shared with other companies. 

• Understand that there is no way to 100% protect yourself from a data breach. There is only so much you can do to protect your data. Because many companies and organizations collect, share and sell your data, it can be assumed that cyber criminals can find information about you. They may use your personal information to trick or fool you into making a mistake, using a technique called . Be very careful and suspicious of emails or phone calls asking you to share personal information (such as your password, bank account or credit card) or pressuring you to take actions that seem odd or suspicious (such as paying a fine).

June 30, 2021

Information Security Training moving to Bridge

Information Security Training is moving to Bridge, the university’s new employee learning system.

What does this mean for you?

• Annual cybersecurity training will be conducted in Bridge. As of July 2, the previous course in Canvas will be closed.
• If you are actively taking the Canvas course during cutover, your progress will not migrate since the course in Bridge is new. Log into Bridge to complete the new training course after July 2.
• If you have any training materials or documentation that reference Information Security Training in Canvas, please update to refer to Bridge.
• If you employ student assistants, please notify them that training is moving to Bridge.

After the July 2 cutover:

• Log into Bridge to verify whether your training is completed, due or past due. Your previous completion date will be imported into Bridge.
• If your training is due or past due, complete the training in Bridge.
• If you have required Information Security Training but believe you have already completed it this year, contact twutraining@twu.edu to verify your course enrollment.

Information security training is mandated by the State of Texas and is required to be completed at hire and annually thereafter by all employees and contractors who use a computer for 25% or more of their responsibilities. IT Solutions thanks you for supporting information security awareness and university compliance.

September 27, 2021

Cybersecurity Awareness Month Events

October is Cybersecurity Awareness Month, a global effort to help everyone stay safe and protected when using technology whenever and however you connect. The theme for the month is, ‘Do Your Part. #BeCyberSmart’ and Texas Woman’s University is proud to be a champion and support this online safety and education initiative this October. 

The cybersecurity of our faculty, staff and students is important to Texas Woman’s University. Throughout the month of October, IT Solutions will host new , including competitive opportunities with prizes like Apple AirPods, TWU power banks, and Dining Dollars:

Cybersecurity Awareness Month Info Booth

October 5, 12:00-1:00 PM, Student Union 1st Floor | In-person event | Presented by TWU Information Security

Drop by the Cybersecurity Awareness Month Info Booth for giveaways and information about this year's activities.

Find the Phish - Phishing Tournament

October 11-15 | Virtual event | Presented by TWU Information Security

Can you find the phish? Constant streams of email provide ample opportunity for cyber criminals to take advantage of hurried email practices such as skimming content, downloading attachments and clicking links. In TWU’s first phishing tournament, TWU faculty, staff and students can prove their sleuthing skills by reporting authorized, simulated phishing attempts. The tournament will take place over the course of one week where participants will receive various authorized, simulated phishing emails from TWU Information Security and the SANS Security Awareness Platform.

Prizes:

• 1st place - Apple AirPods with TWU case
• 2nd place - Apple AirTag
• 3rd place - TWU branded power bank
  

TWU Asset E-waste Recycling

October 21, 10:00 AM-2:00 PM, East Side of FMC | In-person event | Presented by TWU IT Solutions and Facilities Management & Construction

Faculty and staff are invited to clear out and responsibly recycle all TWU non-tagged assets that may be outdated, broken, or simply taking up space within their departments or academic components. Proper destruction of storage devices and electronics is key to keeping TWU cyber secure.

IT Solutions (ITS) is hosting Computer Crusher, a local electronic waste (e-waste) recycler, to collect TWU non-tagged assets. This event is for faculty and staff that work with TWU equipment.

For drop-off procedures and accepted items, please see event details at . 

TWU Cybersecurity Trivia

October 28-29 | Virtual event | Presented by TWU Information Security

Put your cybersmarts to the test! Questions will be based on cybersecurity tips we share all month long, so follow along on Twitter (@TWUTech) and Facebook (TWU Technology) to gain an advantage. Participants must be a Texas Woman's University faculty, staff or student to play. 

Prizes:

• 1st place - $50 TWU Dining Dollars
• 2nd place - $25 TWU Dining Dollars
• 3rd place - $15 TWU Dining Dollars

Registration is required to play and is limited to 50 participants. Register here: https://forms.gle/oHZLCTvNRGH7XPzw8

Happy Cybersecurity Awareness Month!

October 12, 2021

Google Shared Drive Incident

The self-service creation of Google Shared Drives is currently unavailable as IT Solutions continues to remediate and monitor an incident. We are actively working to ensure that the appropriate controls are in place before allowing TWU users to create their own Google Shared Drives. We will update the TWU community as more information is available.

Faculty, staff and students may request the creation of a Google Shared Drive by contacting the Service Desk via 940-898-3971, servicedesk@twu.edu, or techchat.twu.edu.

November 15, 2021

Google Shared Drive Self-Creation Restored

The self-service creation of Google shared drives is now available. TWU faculty, staff and students may create Google shared drives; however, self-created Google shared drives may only be shared with other TWU email addresses. If a user needs to add an external user or share files within a Google shared drive with a person outside of TWU, they may make a request by contacting the Service Desk via 940-898-3971 servicedesk@twu.edu, or techchat.twu.edu.

Important note: Users may share files and folders from their Google My Drive with external users by setting the appropriate sharing permissions per file or folder. TWU faculty, staff and students are encouraged to only create Google shared drives when necessary, as shared folders within Google My Drive may be sufficient for most cases. For best practices and a comparison of My Drive vs. shared drives, please see this Google article: https://support.google.com/a/users/answer/9310352?hl=en

December 13, 2021

TX-RAMP Certification for Cloud Services

In the 87th Legislative Session, the Texas Legislature passed Senate Bill 475, requiring the Texas Department of Information Resources (DIR) to establish a state risk and authorization management program that provides “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.” 

To comply, DIR established a framework for collecting information about cloud services security and assessing compliance with required controls and documentation. Beginning January 1, 2022, Texas Government Code § 2054.0593 mandates that state agencies (including TWU) must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements.

Any cloud service contract being renewed after December 31st, 2021 will be subject to the TX-RAMP certification process and will involve TWU, DIR, and the respective cloud vendor. New contracts and renewals taking place in 2022 will have additional vetting that will have to take place and will significantly increase the amount of time to procure cloud services.

When requesting to renew or purchase a cloud service, please follow the current TWU procurement process. During the risk assessment, TWU Information Security will assess the cloud service and its intended usage at TWU. The risk assessment will determine if the cloud service vendor is required to pursue TX-RAMP certification. If TX-RAMP certification is required, the vendor must have a valid certification before the contract can be executed.

Additional details regarding the TX-RAMP program and vendor certification process can be found via DIR: https://dir.texas.gov/texas-risk-and-authorization-management-program-tx-ramp

If you have any questions or concerns, please contact Procure@twu.edu.

April 14, 2020

Moving at short notice from a trusted office environment to working remotely can create security risks. There has been an increase in coronavirus-related phishing attacks, according to European cybersecurity agency ENISA. Learn more at https://inside.twu.edu/technology/read/cybersecurity-tips-for-working-from-home

June 24, 2020

As people across the country take to distance learning and teleworking, cybercriminals are looking to profit from pandemic fears with a surge of scams, phishing emails, and malicious software related to COVID-19. You will most likely experience an increase in COVID-19 related marketing and messaging through various channels (e.g. browsing websites, emails, phone calls). Some of these messages will convey important official news, while others will undoubtedly be fake with malicious intentions. 

Scams and phishing attacks range from the typical “Are you available?” gift card scam, fake charity organizations, to COVID-19 trackers applications containing malware. Recognize more of these attacks by reviewing the latest round-up of COVID-19 related scams and phishing attacks. 

In these uncertain times, practice the following security tips to stay safe online: 

Verify the source - The new proactive cybersecurity adage has become ‘verify, then trust.’ When a message seems out of place, trust your gut feelings and verify the request through another separate method of contact to confirm it’s authentic.

Play defensively - Ensure you practice good cybersecurity hygiene by installing anti-malware software on your computer and examine messages with additional scrutiny.

Scrutinize the urgency - If the message carries a undue sense of urgency, especially one that prompts you to act, take a deep breath, step back and analyze the message objectively. Scams and phishing campaigns force an emotional response. Recognizing when this happens puts you one step ahead. 

Think before you click - In addition to the above tips, never open an attachment or click on a link from senders you don’t recognize. The attachment or link won’t expire, so you’ll have time to think it over for a few extra critical seconds. 

Report a Phish - Everyone plays a crucial role in preventing scams and phishing attacks. If you receive one, please follow these instructions for reporting a phish. 

For additional helpful consumer tips, please review from the Federal Trade Commission advisory on responding to COVID-19 scams.

July 30, 2020

Text or SMS-based phishing (otherwise known as ‘smishing’) has become an emerging threat.

Your contact information is scraped or gathered through a public forum or contact list such as an attendee listing or conference/webinar signup sheet. An attacker makes the assumption that the parties are related (e.g. all work at twu) and attempts to send the phishing attack through sms texts impersonating one party.

Here are some additional resources that explain what a smishing attack is, as well as tips to guard against them:

• YouTube video -  https://youtu.be/6ehWeZRNCxM
• Article - https://usa.kaspersky.com/resource-center/threats/what-is-smishing-and-how-to-defend-against-it

The best ways to guard against a smishing are similar to guarding against phishing emails. Always scrutinize the implied urgency of any message you receive, and if possible, verify with the sender using another method (e.g. calling the sender to confirm).