This plan is in response to and in anticipation of:
- The current Digital Security and Trust (DST) security initiatives arising from the security framework (ISCR) and the associated security standards.
- The IT risk management and compliance activities of the University Risk Management Committee, the Office of University Compliance and Integrity, the Office of Research Compliance, and University Archives.
- A College of Arts and Sciences Technology Services (IRIS) internal assessment of college IT assets, risk and security.
- More generally, construction of a highly functional, secure, and risk-averse, modern computing environment in line with strategic plans being undertaken across the college.
IRIS will lead and guide the effort for the entire college but will need governance, direction, and support from academic administration at both the college and unit levels.
Indeed, to be successful, these IT security, risk management, and compliance strategies and initiatives must have strong support and advocacy at not only the top of the academic administration but also at the unit level.
It must be leadership support that puts IT risk management and compliance high on the departmental agenda, and makes it an important part of budgetary and workforce decisions.
Ultimately the modern IT environment demands IT security and risk management be ingrained into all aspects of the academic organizational structure.
This strategy herein would be part of the first such step in this college.
Such direction and leadership can only come about as part of an overall IT asset strategy based on what IT risks exist, what risks can be mitigated, what levels of functionality need to be built or preserved, and what residual risk remains and is accepted and assumed by the college after all of the reduction efforts.
In the Arts and Sciences, a two-pronged plan was set in motion in FY22 that will both set the stage for future work and, equally importantly, substantially reduce college IT risk in the near-term.
The two-pronged approach is:
- A very high-level IT security and risk assessment survey of desktop and network computing devices, software, and infrastructure across all units of the college.
- This would be a general assessment of devices and systems to establish both an overview of college security and risk, and a functional baseline for risk remediation;
- This would be a general assessment of devices and systems to establish both an overview of college security and risk, and a functional baseline for risk remediation;
- This functional base, base level, or minimum college standard then will be utilized in a triaged remediation strategy.
This proposal calls for establishing a common base level of hardware and software that must be met (unless exempted) by all IT devices and systems in the college regardless of location or unit of support.
This level will establish an Arts and Sciences certified end point (ACE).
In cases where systems or equipment do not meet the base, and thus create unacceptable levels of risk for the equipment owner, unit, and/or the college, a triaged approach to replacement or remediation will be utilized.
Overall, this plan can lay the groundwork for the more involved risk remediation efforts required by the DST security standards in the coming years as well as substantially reduce overall IT risk in the college.
In the last three years, IRIS and college IT units have made great strides in improving overall college IT operations and building a secure, highly functional computing environment.
Ultimately the goal is to bring the entire college up to a base-level of hardware, software, security, and functionality that will provide a solid base for all the future security and risk initiatives that are in the planning stages now.
Asset Discovery and Management
- The first step in risk management is the process of discovering all IT assets, particularly those that communicate on external networks and those that contain important data.
- This allows for determinations of what needs to be secured, replaced, reconfigured, and so on.
- This will lead into the ongoing process of asset management and may also include some personally owned devices.
- Note: An additional task is to document the environment more generally.
- Note: An additional task is to document the environment more generally.
- The first step in risk management is the process of discovering all IT assets, particularly those that communicate on external networks and those that contain important data.
Data Categorization and Control
- All identified assets need to be further evaluated for what data they contain or have the potential to contain.
- Depending on the data types, controls and procedures need to be put in place to prevent data exposure, data loss (intentional or unintentional), data corruption, and so on.
- Such controls and procedures include data loss prevention scans (DLP), data encryption, data backups, and various forms of device security.
- All identified assets need to be further evaluated for what data they contain or have the potential to contain.
Ongoing Evaluation and Monitoring
- Make the security ongoing and capable of surviving adverse events, so called business continuity, as in data backups.
- Make the security ongoing and capable of surviving adverse events, so called business continuity, as in data backups.
Training and Engagement
- Train and educate everyone on both the safe, less risky operation of the network, data stores, and IT assets, and why it is in everyone’s interest to do so.
- Continue building relationships with end-users.
- Create a so-called "security culture", moving from break/fix-oriented IT to support-oriented IT.
- And work to establish new and better relationships with DST.
- Train and educate everyone on both the safe, less risky operation of the network, data stores, and IT assets, and why it is in everyone’s interest to do so.
Governance
- Implement Governance Program and develop a chart of “Responsibilities for Chairs and Academic and Staff Directors.”
- Purchase new computers to replace all computers incapable of providing needed functionality while meeting security standards.
- This program is a 1:1 program: units must trade for a new one to replace an out-of-specification production machine.
- This program is a 1:1 program: units must trade for a new one to replace an out-of-specification production machine.
- Faculty and staff in the program should have no more than a primary and a secondary computer to be used for their duties.
- IRIS is not staffed to support more than 2 computers per FTE.
- IRIS is not staffed to support more than 2 computers per FTE.
- IRIS will provide each department within the college an asset inventory with a multi-year roadmap of computers to be replaced in their area.
Asset management software will be deployed on all computers.
Asset management will include all aspects of lifecycle management up to and including secure disposal.