How to report an IT security concern to WSE IT
Universities are big, complex, decentralized, and open — all factors that contribute to research and learning but that make securing the IT environment difficult. We encourage anyone with an IT security concern to bring it to our attention as soon as possible. The most direct way to report a security concern is to open a help desk ticket by emailing firstname.lastname@example.org. If you want to immediately escalate your concern, you are encouraged to write WSE IT’s director Ernie Soffronoff at email@example.com.
If you would like to anonymously report a security concern you may do so through the JHU Compliance Hotline.
IT security research on Johns Hopkins IT resources
IT security research is a part of the research and educational mission of Johns Hopkins, in particular through the Johns Hopkins Information Security Institute. While we in the operational parts of IT recognize and appreciate the importance of security research, it is critical for anyone interested in performing that research themselves on Hopkins IT resources to follow industry best practices. Those best practices are embedded in the Johns Hopkins Information Technology Use Policies. The policies are currently being revised to more clearly address IT security research at Johns Hopkins, but as general provisional guidance anyone interested in research MUST:
- Get prior authorization for any research project
- Document the purposes, techniques, risk mitigation plan, and disclosure criteria for the authorized project
- Obtain a faculty or staff sponsor for the authorized project
- Obtain authorization for any tools being used to conduct the project
We’re excited about how the skills and enthusiasm of our community can help us better protect our infrastructure, but want to make sure the work is done with minimal impact to the availability of the systems and that it won’t improperly reveal sensitive (possibly legally protected) data. Failure to perform proper planning, to obtain authorization, or to appropriately disclose findings could lead to serious consequences up through expulsion or termination, so please contact us before developing your project.