Information Security Services CIO Council Update

Presentation transcript:

Information Security Services
CIO Council Update
Nov. 27, 2017
Monday 2:10 – 2:40
Smith 561

Purpose and Intended Outcome
- To brief the CIO Council on the HUIT Security updated service catalog, including the availability of managed security services (MSS)
Intended Outcome
- Receive feedback from the CIO Council on service catalog updates and guidance on whether the MSS is of broader interest

Background
- Services in the Information Security catalog have not been reviewed since they were established 6 years ago
- We have heard that our customers like working with us, but that they are not always clear on the set of services we offer or their scope
- Our current expansion into managed security services and our desire to leverage the service model further necessitated a revamping of our catalog
- Going forward, we would like to leverage the service model as a significant part of our planning and roadmap development

Mapping of Existing to Proposed Services – available to all schools Service Offering (existing) Service Offering (proposed) Security Awareness Security Training Security Architecture, Engineering, and Risk Assessment Risk Assessment Vulnerability Assessment * Source Code Analysis Security Operations and Response Security Incident Response * Network Security Monitoring and Alerting Endpoint Security Monitoring and Alerting * Security Compliance DMCA/HEOA Compliance Security Consulting (newly defined) Information Security Governance (newly defined) Individual Risk Mitigation (under development) Threat Feed Service (under development) Authentication Management and Security Services “Shifting left” * Includes a second tier as part of the managed security service (MSS)

Managed Security Services (MSS)
- Launched in response to schools who approached HUIT Security about exploring ways to staff up their security practice
- Chose to go the route of expanding services for an additional cost instead of hiring dedicated staff
- Leverages shared expertise in HUIT Security instead of trying to find one person who can meet the diverse security needs in a school
- In no way intended as a means of reducing existing services
- Starting with three managed service offerings to meet initial demands, looking to expand during the remainder of this year
  - Endpoint Security Monitoring and Alerting (CrowdStrike)
  - Vulnerability Assessment (Tenable/Nessus)
  - Security Incident Response and additional capabilities
- Finalizing cost for FY19 – proposed model is 70% of the loaded midpoint salary of a grade 58 staff member (currently calculates to $95K/year)

Endpoint Security Monitoring and Alerting   Core Offering MSS Offering Alert Management Email notification of alerts Review of Critical and High priority alerts on a daily basis Best effort deeper analysis on request Containment for critical alerts Review of all alerts Remove false positives Deeper analysis when applicable File review and analysis Containment as defined by school Agent Management License management and expense Deployment on standard schedule (3-5 days post release by CrowdStrike) Latest agent version supported on the OS Standard prevention policy Custom deployment groups/schedule Custom prevention policies Metrics Develop metrics as requested by school. Possibilities include: Number of hosts installed/updated Percentage of hosts installed/updated Frequent alerts Users/groups with higher than average alerts

Vulnerability Management   Core Offering MSS Offering Agent Deployment Management License management and expense Updated Agents and Portal Develop automation for installation Agent monitoring Scan Management Best effort scanning/alerting based upon newly discovered critical vulnerabilities Deploy scanners per environment Develop Custom Scans Prioritization for remediation Understand impact/likelihood Provide clear steps to remediation/compensating controls Review/Classification of systems (based upon data security levels) Metrics Develop metrics as requested by school Integration with other data sources Splunk Access control devices

Security Incident Response and additional capabilities   Core Offering MSS Offering Incident Response Notification to SSO of externally notified incidents Engagement/surge support in cases involving significant intrusion or possible HRCI access/exfiltration Review of and feedback on documentation of environment as it pertains to HUIT ability to engage during incident response Analysis in cooperation with SSO of externally notified incidents Engagement/surge support during moderate severity incidents Assistance in developing appropriate documentation to enable HUIT to effectively understand the environment during incident analysis and response Work with school to understand local security management systems (e.g., log collection, firewalls, etc.) Annual tabletop review/exercise Process Improvement & Automation Activities Will deliver developed process improvements/automation activities in an ongoing fashion Will work with school to prioritize HUIT process improvement/automation activities that meet identified analytic needs Metrics Develop metrics as requested by school Will attempt to integrate HUIT systems with school based data sources

Current Status
- Launched at start of the fiscal year
- Two schools signed up
- Slowly ramping up
- Building some useful tools and capabilities
- Already realized benefits

Questions for CIO Council
- Does the new service catalog align better with your understanding of what HUIT Security provides?
- Does the MSS meet a need within the schools?
- What services should be the targets for enhancement under the MSS?