Peer Cybersecurity Assessments: For and by Higher Education

REN-ISAC Peer Assessment Service* Security Policy Security Operations Organization of Security Communications and Operations Management Information Systems Acquisition, Development, and Maintenance Incident Response Identity Management and Access Human Resources Security Compliance Physical Security Business Continuity Planning *Assessment methodology and materials copyright 2019 by The Research and Education Network Information Sharing and Analysis Center (REN-ISAC) and the Trustees of Indiana University.

Introduction Executive Summary Policy Administration Organization Internal Organization Centralization/Decentralization Asset Management Responsibility for Assets Information Classification Human Resources Security Orientation Physical and Environmental Security Identity and Access Control Identity Management Authentication Privileged Accounts Network Access Control and Registration Information Systems Acquisition, Development, and Maintenance Systems Procurement Database Management Endpoint Management Vulnerability Management Third Party Patch Management Security of Equipment Off-Premises Security in Development and Support Processes External Parties and Cloud Services Storage Business Continuity Planning Compliance Management FERPA RED FLAGS RULE (FTC 16 CFR 681) GDPR Controlled Unclassified Information (CUI) and NIST 800-171 Gramm-Leach-Bliley Act (GLBA) and NIST 800-171 PCI DSS HIPAA Security Operations Building a Security Operations Team Risk Assessment Protective Processes & Procedures Protective Technology Security Continuous Monitoring Response Day-to-day Activities of Security Operations Information Security Incident Response Report Intake Expert Triage Calling an Incident Incident Response Planning and Execution Team Logistics Information Sharing Notifications and Reporting Containment, Eradication, and Recovery Follow-Up Activities Select Incident Response References General Higher Education Compliance Obligations

Assessment Structure – 4-5 weeks Develop Statement of Work Perform Pre-Discovery Conduct Site Visit – usually 3-4 days Follow-up Questions Writing Narrative Inserting and prioritizing recommendations w/NIST references Sharing Draft – CIO Finalizing Report Report content belongs to the university or college being assessed

Peer Assessors Assessors are long-time CISOs or CIOs employed or recently retired from universities or colleges Teams are usually 2-4, depending on the needs of the camps being assessed Campuses are informed in advance of assessor assignments Campus does not have approval Campus can point out conflicts or other issues

Add-ons: In-depth analysis Incident Response Security Operations Policies Compliance Future: Penetration Testing

Historical Assessments 20+ assessments, 17 unique organizations Variety of sizes from non-Carnegie Mellon class thru very large R1s. CIOs’ interest in security varies wildly Capabilities of CISOs and security staff varies widely There is usually disconnect between the CIO and the CISO The CIO has usually not told the CISO what to prioritize, and the CISOs ofttimes take it upon themselves to decide CISOs sometimes take on functions beyond those typical to securing the realm The CISO then doesn’t have enough resources…

Senior leadership of campuses are not fully aware of risks From aggregate experience: 5 Security-Related Problem Areas in Higher Education Senior leadership of campuses are not fully aware of risks Security Programs aren’t deliberately planned and organized Incident response is ad hoc Data management structure isn’t defined or followed Decentralized IT environments aren’t considered in risk assessments

Session Evaluations There are two ways to access the session and presenter evaluations: 1 2 In the online agenda, click on the “Evaluate Session” link From the mobile app, click on the session you want from the schedule > then click the associated resources > and the evaluation will pop up in the list