Information Security Guidelines in Support of the Information Security Policy

Overarching Information Security Strategy

  1. Implement the State System Defense-in-Depth Security Architecture Principles
  • A Defense-in-Depth Security Architecture establishes five tenets that each IT Security Program can use as guiding principles for its program.
    • Offense informs defense - Use shared knowledge of real attacks to learn and adapt defenses.
    • Prioritization - Focus on the controls that mitigate the most immediate risks.
    • Measurements and Metrics – Establish standardized performance metrics for reporting across the State System.
    • Continuous diagnostics and mitigation – Establish processes and procedures for continued monitoring and improvement of the security architecture.
    • Automation – Automate reliable and scalable collection of security metrics and data so that information is available in real time.
  2. Implement Center for Internet Security (CIS) Controls as our Information Technology Security Framework and Assessment
  • The Center for Internet Security (CIS) provides security standards and best practices through the CIS Controls and CIS Benchmarks, which are used to measure the gaps and capabilities of information technology security programs.
  • The State System will utilize the CIS Controls as the baseline information security standard for protecting IT Resources. Information technology security assessments are to be performed on an annual basis and conducted using the CIS tool ‘CIS-CSAT’. Annual assessment timeframes will be communicated by the Office of the Chancellor to the Universities. Refer to Appendix C, Recommended Timeline, for general timeline information.
  • The State System is to follow CIS assessment guidelines that focus on ensuring the CIS Controls are properly in place to mitigate information technology security threats and to strengthen the State System’s Defense-in-Depth Security Architecture through each University’s IT Security Program.
  3. Foundational Controls and Implementation Group Baseline
  • CIS Controls are categorized into Implementation Groups (IG) defined by CIS. We will implement IG 1 and IG 2.
  4. Information Technology Risk Management Strategy
  • The following risk control strategies guide how identified risks are treated and reduced:
    • Avoidance: Eliminate the conditions that allow the risk to be present at all, most frequently by dropping the project or the task.
    • Acceptance: Acknowledge the risk’s existence but take no preemptive action to resolve it, except for the possible development of contingency plans should the risk event come to pass.
    • Mitigation: Minimize the probability of a risk’s occurrence or the impact of the risk should it occur.
    • Deflection: Transfer the risk (in whole or in part) to another organization, individual, or entity.

Contact info for the INFORMATION SECURITY OFFICER

Questions regarding the classification, storage, transmission or destruction of university data should be directed to the Information Security Office at security@commonwealthu.edu.