IT Strategic Plan

Goal #1 - Keep CMU Safe

Initiative #1 - Create and Maintain an Information Security Program

Expected Outcomes: Ensure that core security policies and processes are in place and that policy workflows are efficient and mature.  Find new ways of working to manage security within the OIT team.  Conduct periodic and regular evaluations and assessments of both overall risk and the program itself.



      • Complete the Information Security Program Policy Manual
      • Review and Refine the Process of Technology Acquisition
      • Identify Staffing, Tools and Other Resources to Ensure Compliance with Existing Policy
      • Measure and Evaluate the Information Security Program
      • Conduct Regular Risk Assessments

Planned for 2018-2019

      • Secure Configurations - Servers Policy
      • Identify BYOD Strategy
      • Inaugurate full Contract Review
      • Build a Security Staffing Plan - adjust resourcing as appropriate
      • Conduct IT Risk Assessment
      • Administer Gartner ITScore

Initiative #2 - Expand Information Security Communication, Training, and Awareness

Expected Outcomes: Conduct regular and periodic advisories, training and awareness activities, and phishing simulations.



      • Develop and execute a Communications Plan Detailing a Full Suite of Information Security Communication, Training, and Awareness Activities

Planned for 2018-2019

      • Document the Communication, Training and Awareness Plan
      • Expand programming for students

Initiative #3 - Build a Program of Continuous Monitoring and Response

Expected Outcomes: Log and Vulnerability Management are in place across campus, as are Web and Application Scanning and Identity Access Monitoring.  Intrusion Detection will be expanded, and Penetration Testing implemented.



      • Expand Log Management
      • Expand Vulnerability Management
      • Implement Web and Application Scanning
      • Implement Identity Access Management
      • Expand Intrusion Detection
      • Implement Penetration Testing
      • Strengthen Incident Response Processes

Planned for 2018-2019

      • Build a plan to implement a Security Operations Center
      • Extend use of the Security Incident Event Management system
      • Document Information Security Incident Response Procedures

Initiative #4 - Expand Secure Computing Controls

Expected Outcomes: All devices attached to the CMU network will be protected by controls appropriate to the use of those devices and sensitivity of the data that they store or manage.  Only appropriately vetted systems will be visible external to CMU.  CMU will actively exercise significant control over access to resources that are known to be problematic.  CMU has placed at least rudimentary controls on the delivery of phishing emails.  CMU has full visibility into where restricted data resides and who has access to it, and appropriate controls are in place in each case.



      • Build and Implement policies for managing the configuration of CMU workstations, servers, printers, and other networked devices
      • Implement a border firewall and use it to block external access to appropriate CMU resources and CMU access to problematic external resources
      • Implement a mechanism for identifying more phishing attempts and blocking them or otherwise rendering them ineffective
      • Develop and maintain an inventory of restricted data sets and build an environment for their protection

Planned for 2018-2019

      • Substantially complete implementation of campus workstation controls
      • Build a plan for bringing servers into compliance with new policy
      • Review use of and access through remote access gateways/portals
      • Build a plan for DNS architecture improvements

Initiative #5 - Strengthen Identity and Access Management

Expected Outcomes: Identity protection will be in place and solid.  On- and Off-Boarding practices will be reviewed and adjusted as necessary.



      • Introduce Multi-Factor Authentication
      • Review and Revise Off-Boarding strategies for faculty, staff, and alumni
      • Review provisioning strategies and develop a strategy for adopting role-based access

Planned for 2018-2019

      • Construct architecture for two-factor authentication
      • Conduct a pilot of two-factor authentication

Initiative #6 - Expand Record Management, Business Continuity, and Disaster Recovery Activities

Expected Outcomes: OIT disaster recovery capabilities will be documented and divisional business continuity plans will work synchronously with those capabilities.  Network and systems redundancy will be extensive and appropriate to the needs of the institution.  Record management will work in tandem with OIT systems capabilities to provide the right balance between access and security.



      • Through a series of exercises and simulations, develop and document a shared understanding of CMU's Business Continuity and Disaster Recovery capabilities
      • Through an inventory process, identify areas handling and storing restricted data
      • Bring systems into alignment with data/system owner expectations
      • Build a "Culture of Resilience"

Planned for 2018-2019

      • Conduct a campus-wide Business Continuity Exercise designed to surface critical records and provide new advice regarding record retention and management
      • Inaugurate "Spring Cleaning"
      • Shift remote Data Center capability to new location
      • Document existing OIT recovery capability and "next step" plan