What are the biggest challenges faced by the ProtectUs: Cybersecurity System-wide Initiative at UC Merced?
The two biggest challenges are around the technical requirements to satisfy the mandate and to ensure that changes are well communicated and coordinated with the campus community.
How confident is OIT that the requirements of the mandate will be met by the deadline? Are there challenges that make this seem uncertain?
The long and short of it is that it's not a matter of "will complete", but "must complete". OIT is feeling confident that we will meet the requirements set by the mandate by the deadline, but there is always a level of uncertainty with a project this big and complex.
Has testing of these changes already begun?
Yes. OIT has "proof of concept" services running in private lab environments. There is no plan at this time to have public testing, but if we do, we'll reach out to those who have signed up on our interest form.
What can campus partners and vendors do to help with the ProtectUs mandate effort(s)?
The main thing we're asking for is engagement. We'll be sending out lots of information, and reaching out to us directly or through the feedback form with your thoughts and/or concerns will be very helpful in ensuring we are correctly anticipating as many use cases as possible. If there was ever a project where "it takes a village" applied, it is this one.
With ProtectUs becoming a big part of campus moving forward, are there new jobs being created to help monitor and maintain these systems?
Yes. Through the 2024 Budget Call, OIT was awarded additional funding to support ProtectUs, and part of those funds are going to a new position on campus.
Will all students be required to complete the Cybersecurity training?
No. At this time, the mandate only requires that student employees complete the training. There are discussions at the systemwide level to see if "cyber citizen" or "cyber hygiene" training can be made available to the broader campus communities. We'll share more information if it becomes available and/or if it would have the same impact on non-employed students.
Will any of the outcomes from this mandate impact the costs to PIs?
No. We are not anticipating any individual costs as a part of meeting the mandate. That said, if you want confirmation about potential costs or impacts, please reach out via our feedback form.
Will there be any downtime associated with these changes?
Definitely. When we anticipate that a change will impact the campus community, we will share that information ahead of time.
How will this change the way I sign in?
What does the completion status of my mandatory cybersecurity training change about accessing services secured with Single Sign-On (SSO)?
• If you have completed your training or your training is not overdue, nothing changes and you'll be able to access all services secured with SSO without issue.
• If you have not completed your training, beginning 14 days before it is due, you will be reminded to complete your training but will otherwise be able to access services secured with SSO.
• If you are overdue on your training, you will be alerted to this when you next log in. You'll be directed to where you can go complete the training immediately or request a 24-hour extension.
What happens when I request a 24-hour extension?
This is a self-help feature. As soon as you request the 24-hour extension, you will regain full access to all services secured with SSO for the next 24 hours. After that time, you will no longer be able to access any services secured using SSO. An email will be sent to you, your supervisor, and the Information Security team to notify and confirm the extension was granted.
Will I really lose access to all services if I am delinquent on my mandatory cybersecurity training? Are there exceptions?
Yes, and the only current exceptions are: UC Learning Center, TRS, and CatCourses.
I have employees that access service accounts. How do I make sure they no longer have access after they are no longer employed by my department?
This is a two-step answer:
• We strongly recommend changing the service account password any time you expect someone to no longer access the account. This is the best and most effective way to stop unwanted access to accounts.
• Audit access to the account, including 2FA devices attached to the account, on a regular basis (every 4-6 months). Ultimately, there is not a technology solution (today) to solve this problem; instead, it has to be managed by business processes within departments. You can verify which 2FA devices are enrolled at any time by following these steps.
I already enabled 2FA on my service account and I still got the email?
First, thank you for being ahead of the game. Our intention was to send the original message only to service account owners who had not already enabled Duo. Unfortunately, our filtering efforts were not successful in this first attempt, but we have identified the issue and it will not happen in the future.
How do I confirm that I set up 2FA correctly on my service account?
You can test/verify this in two ways. First, sign in to https://mercedid.ucmerced.edu. Select “Sponsored Accounts”. Each of the accounts will have either a red ‘x’ or a green shield with a checkmark in the column labeled “2FA”. If the account has the latter, then 2FA has been successfully enabled. Second, you can attempt to sign into the Service Account. If you get prompted by DUO to enroll a device or enter a 6-digit code, then 2FA is enabled.
I don’t use/need/want this service account any longer. What do I do?
Not a problem! Please use the existing process to work with your CAO (Chief Administrative Officer) to deactivate the account. If you or they need more help, please contact the OIT Service Desk for assistance.
I only use this account for connecting backend systems or CatCard access. Will I still be impacted by enabling 2FA?
This change only impacts your ability to access services secured behind SSO (Single Sign-On). If the service account is used for anything else, this will not impact your use of that account. If you enable DUO following our guides, nothing will happen other than you’ll no longer receive notifications about needing to enable it.
Why is Duo asking me for a 6-digit code and how do I get them?
While push notifications are convenient for personal accounts, service accounts are often shared and accessed by multiple people. Given the way Duo push notifications work, we discovered during testing that this can often lead to confusion, with people getting pushes without knowing where they are coming from. To help avoid this, we have instead configured service accounts to be accessed by entering the 6-digit code provided by the Duo app. For help using the 6-digit code, visit the following articles: Authenticating Service Accounts with Duo & How to Manage Devices for Service Accounts with Duo.
Do I really need to enable 2FA on my service account?
In order to be compliant with the mandate, yes. That said, as mentioned in the email, there is an opportunity to review your specific use cases and concerns with our security team to see if there is an exception they can grant. Please open a consultation request as soon as possible to get more guidance.
I became an alum before Duo (2FA) was released to the campus. What will happen to my account?
Essentially, you will now need to use the Duo app from a mobile device if you ever need to access your UC Merced accounts after this enhancement is enabled. You can read about the current Duo implementation here.
Will this change the way I sign into public stations or the computer labs?
We're not anticipating any changes at this time. We'll share more information should that change.
How will this change the way I connect to the network?
Will I have to do anything different to connect to wifi?
Other than making sure you successfully authenticate to eduroam, nothing will change about how you connect to wifi.
Will I have to do anything different to connect to the network with a cable?
Once our Network Access Control (NAC) enhancements are deployed, you will be required to authenticate your connection much like you do with wifi.
Will anything else happen when I connect to wired or wireless network(s)?
Yes. All devices will now undergo a vulnerability scan to ensure they are running the most current version of an operating system and don't have any known vulnerabilities.
What will happen if my device is not up to date or has a vulnerability?
The network will alert you to this issue and then place you on a special network that will only allow you to access the internet until such time as the device is updated and/or the vulnerability remediated.
How will this change the way I purchase devices?
My department receives donated technology, what can we do to ensure these devices are compliant?
We'll have guidance on how to ensure these devices are compliant. At this time, we can confirm that these devices will be treated as "University Owned Devices" for the purposes of the mandate.
How will this change the way I use devices for school and work?
Will my current computer need to be wiped clean and redone?
While this is possible, we'll have more information and guidance on this in the future.
For remote employees, how will the anti-virus (EDR) software be installed?
Self-help documentation will be made available to help those without anti-virus installed accomplish this. Additionally, you can make an appointment with the OIT Service Desk to have them remote into your computer and assist with the installation.
What antivirus (EDR) application will we be using?
At this time, UCOP has provided Trellix HX as the application to support the EDR part of the mandate. We have been made aware that UCOP is re-evaluating which application they will support going forward. Unfortunately, this decision will not be made before the mandate deadline of May 2025. With that in mind, we will be installing the Trellix HX application to meet the mandate and will replace it in the future when a new one is selected.
Will devices running macOS be required to run the EDR software?
Yes. The mandate stipulates that all university owned devices must have EDR software installed. Our current antivirus solution already supports macOS.
Will devices running Linux be required to run the EDR software?
Yes. The mandate stipulates that all university owned devices must have EDR software installed. We'll have more information and details on this specific operating system later.
Will I lose administrator access to my computer?
This is not a part of the mandate and, if anything, the EDR requirement helps ensure that we can continue to provide administrator level access to your devices.
Don't See Your Question?
If you have a general question or feedback to share about ProtectUs, please use this form to let us know.