Rationale
This plan is in response to and in anticipation of
- The current Office of the Chief Information Officer (OCIO) security initiatives arising from the security framework and the associated security standards;
- The preliminary College of Arts and Sciences (ASC) audit findings by Internal Audit;
- The IT risk management and compliance activities of the University Risk Management Committee, the Office of University Compliance and Integrity, the Office of Research Compliance, and University Archives;
- A College of Arts and Sciences Technology Services (ASCTech) internal assessment of college IT assets, risk and security;
- More generally, construction of a highly functional, secure, and risk-averse, modern computing environment in line with strategies being undertaken across the campus.
Governance and Administrative Direction
ASCTech will lead and guide the effort for the entire college but will need governance, direction and support from academic administration at both the college and unit levels. Indeed, to be successful, these IT security, risk management, and compliance strategies and initiatives must have strong support and advocacy at not only the top of the academic administration but also at the unit level. It must be leadership support that puts IT risk management and compliance high on the departmental agenda, and makes it an important part of budgetary and workforce decisions. Ultimately the modern IT environment demands IT security and risk management be ingrained into all aspects of the academic organizational structure. This strategy herein would be part of the first such step in this college. Such direction and leadership can only come about as part of an overall IT asset strategy based on what IT risks exist, what risks can be mitigated, what levels of functionality need to be built or preserved, and what residual risk remains and is accepted and assumed by the college after all of the reduction efforts.
Plan Formulation
In the Arts and Sciences, we are advocating for a two-pronged plan be set in motion in FY22 that will both set the stage for future work and, equally importantly, substantially reduce college IT risk in the near-term. The two-prong approach is (1) a very high-level IT security and risk assessment survey of desktop and network computing devices, software, and infrastructure across all units of the college. This would be a general assessment of devices and systems to establish both an overview of college security and risk, and a functional baseline for risk remediation; (2) this functional base, base level, or minimum college standard then will be utilized in a triaged remediation strategy.
This proposal calls for establishing a common base level of hardware and software that must be met (unless exempted) by all IT devices and systems in the college regardless of location or unit of support. In cases where systems or equipment do not meet the base, and thus create unacceptable levels of risk for the equipment owner, unit, and/or the college, a triaged approach to replacement or remediation will be utilized.
Overall, this plan can lay the groundwork for the more involved risk remediation efforts required by the OCIO security standards in the coming years as well as substantially reduce overall IT risk in the college. In the last three years, ASCTech and college IT units have made great strides in improving overall college IT operations and building a secure, highly functional computing environment. Ultimately the goal is to bring the entire college up to a base-level of hardware, software, security, and functionality that will provide a solid base for all the future security and risk initiatives that are in the planning stages now.
Implementation Task Categories
- Asset Discovery and Management: The first step in risk management is the process of discovering all IT assets, particularly those that communicate on external networks and those that contain important data. This allows for determinations of what needs to be secured, replaced, reconfigured, and so on. This will lead into the ongoing process of asset management and may also include some personally owned devices. Note: An additional task is to document the environment more generally.
- Data Categorization and Control: All identified assets need to be further evaluated for what data they contain or have the potential to contain. Depending on the data types, controls and procedures need to be put in place to prevent data exposure, data loss (intentional or unintentional), data corruption, and so on. Such controls and procedures include data loss prevention scans (DLP), data encryption, data backups, and various forms of device security. Note: In addition to end-user devices, all servers shall be scanned by DLP.
- Ongoing Evaluation and Monitoring: Make the security ongoing and capable of surviving adverse events, so called business continuity, as in data backups.
- Training and Engagement: Train and educate everyone on both the safe, less risky operation of the network, data stores, and IT assets, and why it is in everyone’s interest to do so. Continue building relationships with end-users. Create a so-called security culture. We should start this year moving from break/fix-oriented IT to support-oriented IT. And work to establish new and better relationships with OCIO security.
- Implement Governance Program and develop a chart of “Responsibilities for Chairs and Academic and Staff Directors.”
Specific Tasks:
- Purchase new computers to replace all computers incapable of providing needed functionality while meeting security standards. This program is a 1:1 program: units must trade for a new one to replace an out-of-specification production machine.
- Faculty and staff in the program should have no more than a primary and a secondary computer to be used for their duties. ASCTech is not staffed to support more than 2 computers per FTE.
- ASCTech will provide each department within the college an asset inventory with a multi-year roadmap of computers to be replaced in their area.
- Asset management software will be deployed on all computers. Asset management will include all aspects of lifecycle management up to and including secure disposal.