FAQ


ISPO Services

The ISPO utilizes self-service intake services using the University’s enterprise ticketing system Help.UNM, and phone and in-person intake services from the UNM IT Service Desk, the University's central support organization for IT-related services and computer-related issues. All information security or privacy related events, incidents, and service requests are forwarded to ISPO by Service Desk staff.
  • Privacy, Compliance, and Risk Services
    • Contract Review
    • Data Sharing Agreement Review
    • Institutional Review Board (IRB) Review
    • PCI Compliance
    • Other Privacy, Compliance, and Risk Services
  • Information Security Services
    • Continuous Vulnerability Monitoring
      • Application Access Requests
      • Application Maintenance and Support Requests
    • Event Management
    • Digital Forensics
    • Firewall Change Requests
    • Incident Response Services
      • Information Security Incident Response Services
        • Minor Incidents
        • Major Incident
    • Information Request
    • Operational Intelligence
      • Event Management
      • Event Log Analysis
    • Penetration Testing
      • Network Vulnerability Penetration Test
      • Web Applications Penetration Test
    • Vulnerability Assessment(s)
      • Network Vulnerability Assessment
      • Web Applications Assessments
    • Other Information Security Request
The ISPO utilizes the University’s enterprise service management system Help.UNM and intake services provided by the UNM Information Technologies (UNM IT) Customer Service Desk, the University's central support organization for information technology-related services and computer-related issues.  All information security-related events, incidents, and requests are forwarded to the ISPO by UNM IT Customer Service Desk agents and coordinators.

Please use Help.UNM or call the IT Customer Service Desk at 7-5757 to ensure that your request is opened, tracked, and processed in a timely manner.  Requests submitted via email or channels not monitored by the IT Service Desk staff cannot be processed.

Information Security Services

NOTICE: The ISPO requires several pieces of information to process an Application Access Request and we recommend you thoroughly review all of the information below.
Submit a request through Help.UNM or call the UNM IT Service Desk at (505) 277-5757

Privacy, Compliance, and Risk Services

Submit a request through Help.UNM or call the UNM IT Service Desk at (505) 277-5757.
NOTICE: The ISPO requires several pieces of information to process a Purchasing Risk Assessment request and we recommend you thoroughly review all the information below.

Purchasing Risk Assessment

About this Service

The Purchasing Risk Assessment service is driven by the University’s Data Privacy, Regulatory Compliance, and Risk Management obligations as they apply to the main and branch campuses.  The purchasing risk assessment process is aimed at identifying risk as it applies to third-party access to the University’s information.  In certain scenarios where it is determined that sensitive information covered by contractual obligations, University Administrative Policies, and/or regulatory requirements is being collected, stored, transmitted, or otherwise processed, a review of the appropriate business agreement and the vendor’s privacy policies and information security controls will be required.  Similarly, on-premises use of third-party solutions or services may also require a further review of the in-scope system and of the respective vendor.  Sensitive information includes, but is not limited to, Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), or Credit Card Information (PCI-DSS).

Procurement requests involving Purchasing Cards (PCards), Contracts, Requests for Proposal (RFPs), and other procurement methods shall be reviewed by appropriate enterprise or departmental information technology staff and the UNM Information Security & Privacy Office (ISPO).  The University’s vendors are required to meet the contractual and regulatory obligations for the sensitive information to which they will have access, including, but not limited to:

  • Banner ID (FERPA/HIPAA Identifier);
  • Credit Card Information (regulated by the Payment Card Industry);
  • Direct Deposit information (regulated by Federal Trade Commission);
  • Institutional Review Board (IRB) activities;
  • Protected Health Information (PHI) (regulated by Health Insurance Portability and Accountability Act – HIPAA);
  • Social Security Number (SSN) (regulated by Federal Privacy Act of 1974);
  • Student Grades and other academic records (regulated by Family Educational Rights and Privacy Act – FERPA);
  • Student Loan information (regulated by Gramm Leach Bliley Act - GLBA)

Refer to University Administrative Policies 2000, 2030, 2520, 2550 and 2580 for additional information.

Healthcare/HIPAA related requests for the Health Sciences System (HSC) are reviewed by the HSC Information Security Office (HSC ISO).  Please contact HSC-ISO for more information.

The purpose of a purchasing risk assessment is to ensure information for which the University is entrusted is adequately safeguarded.

Intake Process

The ISPO utilizes the University’s enterprise ticketing system Help.UNM and intake services provided by the UNM Information Technologies (IT) Service Desk, the University's central support organization for information technology-related services and computer-related issues.  All information security-related events, incidents, and requests are forwarded to the ISPO by IT Service Desk staff.  Please use Help.UNM to ensure that your request is opened, tracked, and processed in a timely manner.  Requests submitted via email or channels not monitored by the IT Service Desk staff cannot be processed.

IT staff with internal access to Cherwell IT Service Management (Cherwell ITSM) must select the appropriate Record Type, Service Request Type, and Category, when generating a record, and must use the appropriate workflow when creating tasks for Cherwell teams.  Additionally, IT staff are required to provide all the information outlined in the ‘Required Information’ section below.  Requests that are not appropriately generated within Cherwell, or that do not include the minimum required information will be summarily cancelled/denied.

Please note, by the end of 2020 the intake for this service will be migrated away from Help.UNM to a Banner ERP workflow.  Please periodically review this document to receive notification of the planned change.

Required Information

Privacy Impact Assessment Questionnaire (PIAQ)

All Purchasing Risk Assessment requests must include an electronically completed Privacy Impact Assessment Questionnaire (PIAQ), specifically the version intended for the UNM Purchasing Department.  All PIAQs submitted during the purchasing risk assessment process must be reviewed and submitted by an applicable IT Officer or IT Liaison, or in some cases an IT Manager, through Help.UNM.  For more information, please reference the ‘Intake’ section above.

In the Privacy Impact Assessment Questionnaire (PIAQ), the requestor will be asked:

  • Who is the business process owner the information or information system is intended to support;
  • What is the applicable Purchasing Order (P.O.), Request for Quotes (RFQ), Request for Information (RFI), or Contract Number;
  • What is the name of the vendor as well as the goods or services being procured;
  • What is the request type (new, update, renewal);
  • What information is being collected, stored, transmitted or processed;
  • How the information or information systems will be used;
  • The academic, administrative, or research purpose for the information or information systems;
  • What individuals or groups will need to access the information or information systems;
  • The locations where the information or information systems will be deployed;
  • The locations from which access to the information or information system(s) is needed.

Data Owner or Data Steward Approval

In all scenarios involving sensitive information, written approval from the appropriate Data Owner or Data Steward must be obtained and submitted in the Help.UNM ticket.  For questions regarding Data Stewards, please see the UNM Data Governance site.  Please ensure the applicable Data Owner or Data Steward has provided their approval for your procurement request before starting the procurement process and before submitting a Purchasing Risk Assessment request.

Business Agreement(s) and Vendor's Privacy Policies

In all scenarios involving sensitive information, the ISPO shall review applicable business agreement(s) between the University and vendor, and the vendor's information privacy policies and procedures.  At the end of the contract period, vendors must certify in writing that all UNM data was either returned to UNM in a form agreed to by UNM, or that all UNM information was destroyed.  Please ensure that you have obtained the appropriate documentation before submitting a Purchasing Risk Assessment request.

Higher Education Community Vendor Assessment Tool (HECVAT)

In all scenarios involving sensitive information, the ISPO may need to review the information security policies and procedures of the vendor.  Additionally, a review of specific safeguards must be completed to comply with regulatory requirements.  In such cases, the vendor must complete the Higher Education Community Vendor Assessment Tool (HECVAT).  Please ensure you have obtained the vendor-completed HECVAT from your vendor before submitting a Purchasing Risk Assessment request.

Social Security Number Collection Reporting Worksheet (SSNCRW)

In all scenarios involving third-party (vendor) access to SSN, the requestor is required to submit a completed Social Security Number Collection Reporting Worksheet (SSNCRW).  In such cases, the appropriate IT Officer, IT Liaison, or IT Manager must complete the SSNCRW.

Workflow

  1. Purchasing Agents shall contact their area’s appropriate IT Officer, IT Liaison, or IT Manager to assess a proposed purchase and collaboratively complete a Privacy Impact Assessment Questionnaire (PIAQ) with their IT contact.  If and where necessary/required, the IT contact will know whether to collect additional information (e.g. Data Owner or Data Steward approval, business agreements, vendor privacy policies, vendor-completed HECVAT, department-completed SSNCRW).

    NOTE: The IT contact is responsible for collecting all necessary information before submitting a request. For more information or to contact your IT Officer (ITO) please reference the following page:  Get To Know Your ITO.

  2. IT Officers, IT Liaisons, or IT Managers shall submit a Purchasing Risk Assessment request through Help.UNM after collecting all the necessary information outlined in the ‘Required Information’ section above.
  3. Data Owners or Data Stewards shall review proposed procurements that involve the data they are responsible for and shall provide written authorization to use said information (if necessary/required).
  4. The ISPO’s Privacy, Compliance, and Risk area shall review electronically completed PIAQs and ensure all appropriate documentation has been submitted.
  5. The ISPO’s Information Security Operations shall review the vendor's information security policies, procedures, and controls (if necessary/required).

Responsibilities

Purchasing Agents

Purchasing Agents are responsible for thoroughly reviewing this document and for coordinating communication between the departmental contact responsible for the business process a proposed procurement supports and the appropriate IT Officer, IT Liaison, or in some cases IT Manager.

IT Officers, IT Liaisons, and IT Managers

UNM-designated IT Officers, IT Liaisons, and in some cases IT Managers are responsible for thoroughly reviewing this document, coordinating responses to the Privacy Impact Assessment Questionnaire (PIAQ), collecting additional documentation if required (e.g. Data Owner or Data Steward approval, business agreements, vendor privacy policies, vendor-completed HECVAT, department-completed SSNCRW), and for submitting a request on behalf of the applicable Purchasing Agent via Help.UNM.

Data Owners and/or Data Stewards*

UNM-designated Data Owners or Data Stewards are responsible for appropriately reviewing proposed procurements that involve all data they are responsible for.

ISPO - Privacy, Compliance, and Risk

The ISPO's Privacy, Compliance, and Risk area is responsible for reviewing all electronically completed PIAQs submitted through Help.UNM, and where applicable reviewing additional documentation and contacting the ISPO's Information Security Operations team in the event a review of the vendor's information security policies, procedures, and controls is required.

ISPO - Information Security Operations*

The ISPO's Information Security Operations area is responsible for reviewing the vendor's information security policies, procedures, and controls if required.

 *These areas are only engaged in limited scenarios   

Questions and Feedback

If you have questions or feedback regarding this document or the Purchasing Risk Assessment service, please use Help.UNM or call the IT Service Desk at 7-5757 to ensure that your information request or feedback request is opened, tracked, and processed in a timely manner.  The IT Service Desk will forward your request to ISPO staff.

Malware & Hacking

  1. Gather information about the event including the following: 
    • Date and time of the event
    • Location of the event
    • How you suspect the event may have occurred
  2. Isolate the affected machine by disconnecting it from the network (either wired or wireless), but do not power off the machine; volatile (and valuable) data will be lost if the machine is powered off
  3. After you have collected the relevant information, report the event by opening a Help.UNM ticket and by calling the ISPO on-call number (505) 277-2497

  1. First, disconnect from the network by turning off Wi-Fi and unplugging Ethernet
  2. Then, contact the IT Service Desk for help at (505) 277-5757

Make sure you have all important and/or security-related operating system updates and an up-to-date antivirus program installed, then scan your machine with that antivirus program. More often than not, however, you should reinstall your operating system to be certain that the compromise is eradicated.

NetID Issues

To regain access to your account, please contact the UNM IT Service Desk. The IT Service Desk is the University's central support organization for IT-related services and computer-related issues, and can be reached at (505) 277-5757.
UNM IT Customer Support Services hours can be found in FastInfo #3351: What are the hours of operation for IT Customer Support Services?
Immediately change your NetID password at https://netid.unm.edu or by calling the UNM Information Technologies (IT) Customer Service Desk at (505) 277-5757
Non-hyperlinked format (copy and paste into your URL bar): https://netid.unm.edu

Email Issues

Spam is the electronic version of ‘junk mail’.  Spam refers to unsolicited and unwanted email sent to either an individual or list of individuals.  Spam does not necessarily contain malware as legitimate email sent for commercial purposes could potentially fall into this category.  Conversely, threat actors may send spam email that contains links to sites used for phishing or that contain malware. 
 
The University’s enterprise email system discards the majority of spam email messages sent to LoboMail (unm.edu) accounts.  In an effort to ensure legitimate email is not discarded, some spam emails are delivered but are sorted into the ‘Junk E-mail’ folder which allows LoboMail users to identify potential spam that has been received.  Unsolicited or otherwise unexpected email found in this folder can be safely ignored (and does not need to be reported).  Spam messages found in the ‘Inbox’ folder can be reported using the ‘Report Message’ feature in Outlook.

Phishing is a form of social engineering.  Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization.  For example, a threat actor may send email seemingly from the University that requests a user’s username and password or other personal information, often suggesting that there is a problem with a user’s account.  When users respond and provide their information, threat actors can use it to gain access to the user’s account.

The University will never ask for your password to your NetID through email, even during a password reset.  If you receive an email asking for your password, sensitive information, or personally identifiable information and you suspect that it is fraudulent, check the Phish Bowl for examples of phishing email and to see if the email has been reported to the ISPO.  Phishing email found in the ‘Inbox’ folder can be reported using the ‘Report Message’ feature in Outlook.
  1. Do not reply to the sender
  2. Use the 'Report Message' feature in Outlook to report the email

Other

Please send your questions to security@unm.edu
To properly track your Information Request, a ticket will be opened on your behalf.  In such an occurrence, all follow-up communication and correspondence will be handled through the address help@unm.edu

Report an Incident

If you suspect that your NetID (i.e. LoboMail account) or a computer has been compromised and you need to know what to do, please see our FAQ.

Abuse Report Form

- or -

Report Message: Junk

 - or -

Report Message: Phishing

 - or - 

Help.UNM Self Service

 - or -

UNM EthicsPoint


For more information, visit our Contact Information page