Texas A&M University | Technology Services

1. Secure by Design

Security isn't an afterthought or something bolted on at the end; it must be woven into the fabric of everything we do.

Democratize Security

Creating a secure environment is everyone's responsibility. We foster a culture where security and privacy are valued by all.

Zero Trust

As much as possible, we want to move toward explicit access authorization and away from implicit access to resources. This is true across all domains: identity, networking, data, and devices.

Shift Left

Security considerations must be integrated early in the lifecycle of any project, system, or service – not saved for the final stages. Getting security involved from the start prevents costly rework and results in more robust solutions.

2. Focus on Risk

Compliance with regulations is necessary, but it doesn't automatically equal security. Our focus is on effectively managing risk.

Beyond the Checklist

We strive to avoid "checklist security" by understanding the intent behind requirements and implementing controls that genuinely reduce risk, rather than just fulfilling a mandate.

Prioritize Efforts

Resources are finite. We weigh risks appropriately, investing time and effort where they provide the strongest return in protecting the university's mission and assets.

Continuous Monitoring

Threats and systems constantly evolve. We aim for continuous monitoring and automated compliance checks rather than relying solely on point-in-time snapshots or annual audits to understand our risk posture.

3. Trust Users (and Get Telemetry)

This principle guides our relationship with the university community – our colleagues, faculty, staff, and students. It reframes the traditional "trust but verify" adage.

Digital Trust

Assume Positive Intent

We start with the assumption that our users (faculty, staff, and students) are capable colleagues who generally want to do the right thing and make good decisions regarding security when properly informed and treated with respect. We believe that most users are competent and responsible, even if occasional mistakes are made.

Telemetry as a Safety Net

The data and logs (telemetry) we collect from systems are primarily intended as a safety net, not as a tool for surveillance or for proving bad faith. Our focus is on guarding against external threats, not monitoring our users as adversaries.

Streamline Necessary Tasks

Building on the trust we place in our users, we work to enable faculty and researchers to perform common tasks without unnecessary roadblocks.

4. Approach Everything with Automation in Mind

In the face of fast-moving threats, manual responses are often too slow. Automation is key to effective and efficient security operations.

Automate Key Processes

We look for opportunities to automate repetitive tasks, threat detection, and response actions. Humans are slow; automated systems can react much faster.

Enable Focus

Automating simpler, routine tasks frees up valuable human time and expertise to focus on more complex problems, analysis, and strategic improvements.

Embrace Experimentation

Implementing automation often requires experimentation. We view failures not as setbacks, but as learning opportunities integral to process improvement.

5. Reduce Complexity

Complexity is often the enemy of security and efficiency. We strive for simplicity in our systems and processes.

Consolidate Data Silos

Security analysis often requires correlating information from many sources. Breaking down data silos makes security monitoring and incident response more effective (Security is a Big Data problem).

Simplify Processes

Streamlining and simplifying business workflows related to security not only improves user experience but also reduces opportunities for error or oversight.

Design Simple Systems

When designing or implementing security solutions, we favor simplicity over unnecessary complexity. As the saying goes, "Simple is better than complex; Complex is better than complicated".

Last Modified: August 22, 2025