Information Security
Changing the culture of security awareness
The CIO Division is fully committed to enhancing security awareness within the University of Arizona community. This commitment is evident in how IT professionals are encouraged to become security experts through various teachable initiatives, safeguarding both personal and university proprietary information. The Information Security Office (ISO) leads these initiatives, tasked with protecting the University’s computing and information assets from emerging security threats, ensuring compliance with laws, regulations, and university policies.
The ISO team has adopted a very human-centric and strategic approach to lead security awareness initiatives, inspiring a shift in the University community’s security culture. The rationale is that a true change in security awareness, implementation, and data protection requires the full participation of the University’s leadership, staff, faculty, students and researchers.
In 2017, the University of Arizona’s technology deployment was a web of independent and often obsolete information technology infrastructure. There was a lack of rigor in establishing and maintaining digital security, including end-user devices of various brands and platforms, numerous applications requiring software patching, and limited cybersecurity knowledge among employees. There was no common practice for securing the University’s information resources.
Dual-authentication had not yet become the norm for personal and financial data. The presence of hackers and nefarious cyber criminals added urgency to developing active learning and practice of data security by all employees, so as not to jeopardize the instruction and administrative processing that depended on the university network.
Positive change ensued in 2018 from a State of Arizona audit of the university’s IT systems, revealing individual technology centers and rapid growth of risk to the university’s digital domain. Recognizing the imperative to heighten data security, the ISO team was expanded to collectively steward the rapidly changing digital space, ensuring its security, accessibility, and benefit to all.
ISO used strategic thinking and innovation to forge several processes that updated technology and educated the community. Partnerships across colleges and divisions fostered shared rules and norms of behavior, creating new capacities to guard against cyber threats. By FY 2021, the ISO team designed and implemented a comprehensive security program to protect sensitive information, reduce risk, and define roles and responsibilities.
The Information Security Risk Management (ISRM) Program serves as the central program, providing an integrated, prioritized approach to addressing risk to university information resources. It aligns with the University’s business and academic objectives, involving collaboration with individual IT units. This five-part program includes data identification and collection activities, risk assessment, risk analysis and planning in coordination with ISO staff, and the submission of a security plan collaboratively reviewed with ISO data security experts.
Establishing security and risk manager roles within units broadened knowledge and communication channels between ISO security experts and the many owners of data information and information systems throughout the university. Recent years of progress have shown that building and maintaining trust in the university’s multifaceted digital domain is complex, and it is imperative that units work on it together.
Security awareness training has been a commitment of the University of Arizona and mandatory for all employees since 2008. In 2018, the training underwent a redesign, and in 2021 it was migrated into EDGE Learning, which allowed easy end-user access and the ability to track the annual commitment for all staff. With the enforcement of awareness training, compliance has grown to 99% of full-time employees completing the training in FY 2023. The long-term success of the training is measurable by employees’ efficacy in their vigilance against potential cyber threats at work and at home.
The ISO staff approached enhancing security awareness for executive staff through collaborative policy development. Over a 12-month period, 17 new and updated policies were implemented and published in 2019. This tremendous effort represented the initiation of a cohesive, University-wide information security strategy. The ISO has continued to work with an ISO Policy Working Group, composed of college- and department-level IT professionals, to continuously review and revise the 17 policies establishing security roles and collaborative processes now embedded in the culture of IT departments and units across the university.
FY23 Metrics
FIREWALL (BORDER) BLOCKS
Firewall Blocks Per Day: 355M
SECURE MONITORING
Log Aggregation: 284TB
Phishing and Spam Emails Blocked Per Day: 2M
RISK MANAGEMENT
Percent Units Completed FY23 Plans: 96%
Number of FY23 Completed Security Plans: 184
SECURITY AWARENESS TRAINING
FT Faculty/Staff Participation in Training: 99%
Application Developer Training Participation: 94%