IT Strategic Plan

Goal #1 - Keep CMU Safe

Initiative #1 - Create and Maintain an Information Security Program

Expected Outcomes: Ensure that core security policies and processes are in place and that policy workflows are efficient and mature.  Find new ways of working to manage security within the OIT team.  Conduct periodic and regular evaluations and assessments of both overall risk and the program itself.

 

Strategies:

      • Complete the Information Security Program Policy Manual
      • Review and Refine the Process of Technology Acquisition
      • Identify Staffing, Tools and Other Resources to Ensure Compliance with Existing Policy
      • Measure and Evaluate the Information Security Program
      • Conduct Regular Risk Assessments

Planned for FY18

      • Extend Vulnerability Scanning Campus-Wide
      • Conduct Gartner ITscore Assessment
      • Responsible Use Policy Revisions
      • Data Stewardship Policy Revisions
      • Global ID Password Policy
      • Secure Configurations - Workstations Policy
      • Secure Configurations - Servers Policy
      • Secure Configurations - Printers and Other Networked Devices Policy
      • Security Incident Response Policy
      • Computer Disposal Policy Revisions
      • Revise Technology Acquisitions Process, Implement Full Contract Review
      • Adjust Resourcing as Required

Initiative #2 - Expand Information Security Communication, Training, and Awareness

Expected Outcomes: Conduct regular and periodic advisories, training and awareness activities, and phishing simulations.

 

Strategies:

      • Develop and execute a Communications Plan Detailing a Full Suite of Information Security Communication, Training, and Awareness Activities

Planned for FY18

      • Conduct regular, periodic advisories
      • Launch tracked awareness video for faculty/staff
      • Conduct phishing simulation
      • Launch Security Portal

Initiative #3 - Build a Program of Continuous Monitoring and Response

Expected Outcomes: Log and Vulnerability Management are in place across campus, as are Web and Application Scanning and Identity Access Monitoring.  Intrusion Detection will be expanded, and Penetration Testing implemented.

 

Strategies:

      • Expand Log Management
      • Expand Vulnerability Management
      • Implement Web and Application Scanning
      • Implement Identity Access Management
      • Expand Intrusion Detection
      • Implement Penetration Testing

Planned for FY18

      • Expand use of SIEM tools
      • Implement Annual Penetration Testing
      • Implement NetFlow monitoring
      • Implement xxx-ISAC monitoring
      • Begin cycle of regular risk assessments required by IS Policy
      • Implement Vulnerability Scanning and Web/App Monitoring
      • Install Next-Gen Firewall
      • Document Incident Response

Initiative #4 - Expand Secure Computing Controls

Expected Outcomes: All devices attached to the CMU network will be protected by controls appropriate to the use of those devices and sensitivity of the data that they store or manage. Only appropriately vetted systems will be visible external to CMU. CMU will actively exercise significant control over access to resources that are known to be problematic. CMU has placed at least rudimentary controls on the delivery of phishing emails. CMU has full visibility into where restricted data resides and who has access to it, and appropriate controls are in place in each case.

 

Strategies:

      • Build and Implement policies for managing the configuration of CMU workstations, servers, printers, and other networked devices
      • Implement a border firewall and use it to block external access to appropriate CMU resources and CMU access to problematic external resources
      • Implement a mechanism for identifying more phishing attempts and blocking them or otherwise rendering them ineffective
      • Develop and maintain an inventory of restricted data sets and build an environment for their protection

Planned for FY18

      • Build and begin implementation of plan to bring campus workstations into compliance with new policy
      • Build and begin implementation of a plan for the Next-Gen Firewall
      • Review use and configuration of remote access gateways/portals
      • Install Office 365 PhishHunter and ATP
      • Pilot ICE through new consolidated virtual desktop environment
      • Introduce OT advisory role into TRP review

Initiative #5 - Strengthen Identity and Access Management

Expected Outcomes: Identity protection will be in place and solid.  On- and Off-Boarding practices will be reviewed and adjusted as necessary.

 

Strategies:

      • Introduce Multi-Factor Authentication
      • Review and Revise Off-Boarding strategies for faculty, staff, and alumni

 

Planned for FY18

      • Select and implement a second factor for authentication, and build a plan for future implementation
      • Build a plan for revising off-boarding practices

Initiative #6 - Expand Record Management, Business Continuity, and Disaster Recovery Activities

Expected Outcomes: OIT disaster recovery capabilities will be documented and shared with campus so that divisional business continuity plans will work synchronously with those capabilities.  Network and systems redundancy will be extensive and appropriate to the needs of the institution.  Record management will work in tandem with OIT systems capabilities to provide the right balance between access and security.

 

Strategies:

      • Through a series of exercises and simulations, develop and document a shared understanding of CMU's Business Continuity and Disaster Recovery capabilities
      • Through an inventory process, identify areas handling and storing restricted data
      • Bring systems into alignment with data/system owner expectations

 

Planned for FY18

      • Conduct a campus-wide Business Continuity Exercise designed to surface critical records, force creation of a single DR scenario, and provide new advice regarding record retention and management
      • Conduct inventory of HIPAA systems