A student team works with an organization to identify sources of security risk observed within the client’s operations. Students then propose cost-effective measures to improve data protection. In addition to a formal security risk report, students provide their client organization with training materials on recommended security safeguards. Students use as guidance reputable industry standards that are widely adopted by security professionals.

The security risk assessment project for a client organization gives security students an opportunity to put into practice what they have learned in the classroom. The real-world experience that students gain from the project on problem-solving, team communication, and information security prepares them for professional work. In return, participating organizations benefit from students’ security risk assessment.

The Clinic aims to raise security awareness within community-based nonprofit organizations that handle sensitive client information, yet may not have the expertise or resources needed to determine how to improve security. An emphasis is placed on locating information security improvements that are effective and free or low-cost, such as policies, operational procedures, and simple changes in system configuration that can greatly improve an organization’s security.

Students can achieve course objectives without directly accessing personal client information and without directly accessing the organization’s computer network. However, if desired, the client organization may request technical cybersecurity students to run basic vulnerability scanning software on their network to identify weaknesses that intruders may be able to easily identify.

In addition to security risk assessment services, the Clinic also offers security policy review; policy creation; compliance reviews; and program development.

Prospective clients may request particular services. Examples include, but are not limited to:

• Access control
• Data breach incidence response planning
• Desktop computer security
• General information security risk assessment
• Network security
• Physical security (of information)
• Security regulatory compliance checklist
• Security program development

The Cybersecurity Clinic partners with DePaul’s Steans Center to identify prospective community-based partners who are interested in and more likely to benefit from student-led cybersecurity services. Community-based nonprofit organizations who are not currently partners with the Steans Center may also request Clinic services by completing an application.

Clinic projects that are part of a course term project generally last 10-weeks. Prospective clients may also request smaller projects that student teams volunteer to work on outside of a course. Clients may request more than one cybersecurity project to be worked on concurrently or sequentially.

Both students and clients are expected to commit to the successful completion of Clinic projects. We ask our organizational clients to commit to:

• Meeting remotely with a member of the Clinic leadership team prior to the start of a project in order to confirm the scope of services to be provided.

• Designating an organizational representative that will be available to meet remotely with students weekly. (Students will not always need to meet each week.) Ideally, this person has the authority or operational knowledge needed to ensure a successful project completion.

• Enabling students to meet remotely with the organization’s IT staff or IT contractor (if applicable) at least twice to ask technology infrastructure questions.

• The organizational representative discusses security risk assessment (or other project deliverables, such as policy development) with student team members and asks questions where clarification is needed.

• Students receive feedback in a timely fashion on a project so that the team has input prior to continuing with subsequent project tasks.

• When the project is part of a course, an organizational representative attends class remotely or in-person for 30-40 minutes the week of class.

• When the project is part of a course, an organizational representative attends class in-person for 30-40 minutes on the last day of class.

Organizational clients working with students on cybersecurity projects understand that students are still learning their craft. Clients are expected to use their judgment on which student recommendations to adopt.

Student participants on Clinic projects are required to agree to non-disclosure agreements of sensitive client information and operations. Reasonable efforts are made to safeguard the sensitivity of client data and operations. Quality, effectiveness, and security are emphasized on student teams for all Clinic projects.

While the Clinic holds students to a high standard, mistakes are possible. DePaul students, faculty, staff, administrators, nor the University may be held liable for student mistakes, errors, or omissions.

Nonprofit organizations located in the Chicago area may apply for Clinic services by completing an application. Submitted applications will be reviewed once per month. Applicants will receive notice on whether their applications have been accepted and/or if additional information is needed.

Accepted project requests will be placed on a list. Accepted projects will become an active project when a student team has been identified and in accordance with the academic calendar.The student team completes the project. All projects have a start and an end within a limited timeframe; the Clinic does not provide continuous services. The following image illustrates the lifespan of a Clinic project:

Applications will be accepted on an ongoing basis. Students can volunteer for Clinic projects throughout the academic year. However, for a client request to be part of a course project, the application must be submitted by the following deadlines:

• Spring 2025 quarter – February 13, 2025
• Fall 2025 quarter – May 7, 2025
• Winter 2026 quarter – October 27, 2025

Depending on the cybersecurity services requested, students with a particular skill or training will be sought as needed. For example, if a prospective client has requested technical scanning of their network to identify weaknesses, then students who have had this training will be identified to provide this service. Similarly, requests for security program development will be serviced by students who have had the relevant coursework and educational focus.

Given the interdisciplinary nature of our Clinic, prospective clients are welcomed to request cybersecurity services that include any combination of technology, policy, and procedural components.