Approval of Previous Minutes —

Meeting minutes from April 13, 2023 and April 27, 2023. Motion to approve by Kristin Villa. Motion passed unanimously.

Guest Speaker Presentation —

1. The beginning of the year was a bit eventful, with a Duo shutdown and a phishing attack.
   1. IT was able to bypass the Duo authentication until the system was functioning again so that campus could continue working.
   2. The phishing attack resulted in some spam emails going out, but IT was able to control the accounts relatively quickly, as well as learning more about these specific attacks. The intent behind the attack was to access more credentials and specifically targeted students.
      1. Students have been particularly vulnerable because they aren’t required to use MFA. IT is going to shift into requiring MFA while maintaining equity and privacy for students who do not have a smart device. Additional configuration and discussion must occur before IT can implement this. IT will ask for feedback from campus before they do so.
      2. Financial aid also presents an additional phishing risk for students, as phishing attacks are timed around disbursement times and can gain control of those crucial funds.
2. IT will be revamping the identity and access management system. Our existing infrastructure is not set up to handle many visitors nor facilitate students moving around campus. These barriers are part of our HLC accreditation.
3. Q&A
   1. Q: Campus did not receive a notification of the Duo issue. Is there a reason for this?
      1. A: IT doesn’t have control over where that information would go. We wouldn’t want potential attackers to take advantage of that knowledge and the situation. Additionally, IT wasn’t sure whether deactivating Duo authentication was what the phishing attackers were aiming for.
   2. Q: Can you share the philosophy behind why an MFA has not been implemented before now for our students? How did CSUs address the issue of student access?
      1. Not every CSU campus implemented a MFA at the same time. Particularly during the pandemic, at nearly all universities, there was hesitation regarding introducing yet another change. We are certainly not the last university to implement a MFA.
      2. There are also the same challenges of equity and privacy that we must still figure out.
      3. In the Fall of 2021, a university in California did not have an MFA yet and they were attacked. The campus network was compromised.
   3. Q: Are students required to take the same IT security trainings as faculty and staff?
      1. A: We rely on other resources and information to educate students, but we also know that the training for staff and faculty might not be as resonant with students. IT is looking into some providers to provide a student-focused training that would enhance the education they are receiving at KU.
   4. Q: Why not tapping into the resources available on campus to create a communication/education campaign tailored to our students? The School of Journalism and Mass Communication is an example.
      1. A: We would love for our students to create effective ways of educating their fellow students and to reward them for it. The CSUs have partnered students studying computer science with students studying journalism and communication to create amazing campaigns.
   5. Q: What do we do when we receive something that we identify something as phishing or suspect?
      1. A: Forward the email to abuse@ku.edu and the information security team will investigate it so that we can filter it. IT will sometimes publish these attempts (once they have been cleaned up) as an educational resource. We can also use this data for self-phishing campaigns to identify more vulnerable units or departments and remedy these vulnerabilities.
   6. Q: Since we don’t have an MFA, what is keeping us safe?
      1. A: There is data showing that requiring password-resets too often reduces the strength of passwords. Right now, that is something we rely upon, but when we integrate the MFA we will require these resets less often. We would love to try to move to a password-less system that uses geo-locating. We also currently use firewalls and SSO.
   7. Q: Are there best practices for shared accounts where several people need to remember the password?
      1. A: Passwords that keep one element the same for all accounts, while another element changes per account, such as an abbreviation. You can also utilize password-keepers, which KU provides.
      2. We also need to be mindful of third-party credentials that can interface with your KU account.
   8. Q: How likely is it for us to encounter a ku.edu email that is not associated with KU? What happens if someone does make a mistake and clicks on one of these links?
      1. A: It is extremely unlikely for a hacker to create an email with that domain. What happens more often is that the email appears to come from a person associated with KU, but the email itself is not a KU domain. You can hover your cursor over an email or link to check.
      2. There is no disciplinary practice around this, as it can happen to anyone. We focus on this as an educational opportunity, and people rarely make the mistake more than once.
   9. Q: Is there any vulnerability when we interact with an email at all? Even if we don’t click a link, just forward it to IT?
      1. A: It is possible with very sophisticated attacks. There is some information that goes back to the attacker when you interact with an email at all that could be valuable, but this happens with benign emails as well, such as advertisements. However, it is unlikely that you are really creating further vulnerability.
   10. Q: Mac Mail has a preview option on some emails; are those safe or unsafe to preview if we think it’s a suspect email?
       1. A: They are as safe as they can be. At some point, there will always be a vulnerability, so it’s a balance of risk and convenience.
   11. Q: Out of curiosity how much does KU pay for insurance?
       1. A: I don’t have that number on hand, as it was renewed right before I joined KU, but it is very reasonable. It is based on history, just like other insurance, and we have a good track record.

Student Senate Report

1. The first Student Councils meeting was last night, and Student Senate’s first cycle will wrap up next week with the Students Assembly. The Councils meeting business was mostly funding bills, but also a couple constitutional amendments:
   1. Give president and vice president candidates campaign money during the spring. They have historically had this money, but it has not been in the constitution.
   2. Open travel funding for all student groups on campus, where historically it has only been open to the KU Mock Trial Team and the KU Model UN. The student groups will have to demonstrate that travel is essential for the groups’ functioning.

Staff Senate Report

1. Staff Senate will be holding their first meeting of the year next week, where they will be finalizing committee charges.
2. The final forum to present the Docking Institute recommendations to improve staff satisfaction will be later this month, on September 21st from 2-3 p.m. in Watson 3 West Reading Room. The event will be hybrid.

Faculty Senate Report

Victor and Kristin both attended the annual Provost’s retreat before the semester started and a follow-up meeting yesterday. They also had their first Governance meeting with the Provost last week and met with the Vice Provost for Faculty Affairs this week. The first KBOR meeting will be in two weeks and next week will be the first Faculty Senate President Council meeting, where the presidents from the KBOR schools will plan for the meeting.

University Senate Report

1. Recent conversations with the Provost have focused on the following:
   1. How KU is going to move forward with recent Supreme Court decisions and how it will impact all constituents, including student recruitment.
   2. The KU campus safety plan, especially in light of what recently occurred at University of North Carolina
   3. The COACHE Faculty Satisfaction Survey response. We will get some updates in the next few weeks, especially after the Staff Satisfaction Final Forum.
   4. Shared Governance. Ani Kokobobo, within last year’s Shared Governance Advisory Team, created a culture charter and a final report. These will be communicated through Governance soon and the Provost is interested in continuing this conversion.
2. We are hoping to produce more regular communications from Governance, including a monthly Governance email that includes information about all of senates and is co-signed by all of the presidents.
3. We are also working on training for University Senators. This will hopefully help everyone feel that they have a good understanding of how the Senate works and what it means to be a senator.

Unfinished Business —

University Senate Vice President

Hollie Hall had to step down as Graduate Student Body President and University Senate, so we need to elect a new University Senate Vice President.

DaNae Estabine nominated Kevin Barnes to serve as FY2024 University Senate Vice President. Kevin Barnes accepted the nomination. Motion to approve by Kristin Villa. Seconded by Teri Chambers. Approved by acclamation.

Approval of Charges for Standing Committees

Academic Computing and Electronic Communications (ACEC), Academic Policies and Procedures (AP&P), Athletic, Calendar, International Affairs, Libraries, Planning and Resources (P&R), Retirees Rights and Benefits (RRB)

Motion to approve by Vance Sorell. Seconded by Brendan Falen. Approved by acclamation.