IT Strategic Plan

Goal #1 - Keep CMU Safe

Initiative #1 - Create and Maintain an Information Security Program

Expected Outcomes: Ensure that core security policies and processes are in place and that policy workflows are efficient and mature.  Find new ways of working to manage security within the OIT team.  Conduct periodic and regular evaluations and assessments of both overall risk and the program itself.



      • Complete the Information Security Program Policy Manual
      • Review and Refine the Process of Technology Acquisition
      • Identify Staffing, Tools and Other Resources to Ensure Compliance with Existing Policy
      • Measure and Evaluate the Information Security Program
      • Conduct Regular Risk Assessments

Planned for 2019-2020

      • Review three Level 1 policies
      • Review OIT and HIPAA incident response policies to ensure proper coordination
      • Conduct audit plan for 2019-2020
      • Administer Gartner ITScore

Initiative #2 - Expand Information Security Communication, Awareness, and Training

Expected Outcomes: Conduct regular and periodic advisories, training and awareness activities, and phishing simulations



      • Develop and execute a Communications Plan Detailing a Full Suite of Information Security Communication, Training, and Awareness Activities

Planned for 2019-2020

      • Document the Communication, Awareness, and Training Plan
      • Expand programming for students

Initiative #3 - Build a Program of Continuous Monitoring and Response

Expected Outcomes: Log and Vulnerability Management are in place across campus, as are Web and Application Scanning and Identity Access Monitoring.  Intrusion Detection will be expanded, and Penetration Testing implemented.



      • Expand Log Management
      • Expand Vulnerability Management
      • Implement Web and Application Scanning
      • Implement Identity Access Management
      • Expand Intrusion Detection
      • Implement Penetration Testing
      • Strengthen Incident Response Processes

Planned for 2018-2019

      • Implement a Security Operations Center (SOC)
      • Extend use of the Security Incident Event Management system
      • Build plan for Data Loss Protection in O365

Initiative #4 - Expand Secure Computing Controls

Expected Outcomes:  All devices attached to the CMU network will be protected by controls appropriate to the use of those devices and sensitivity of the data that they store or manage.  Only appropriately vetted systems will be visible external to CMU.  CMU will actively exercise significant control over access to resources that are known to be problematic.  CMU has placed at least rudimentary controls on the delivery of phishing emails.  CMU has full visibility into where restricted data resides and who has access to it, and  appropriate controls are in place in each case.



      • Build and Implement  policies for managing the configuration of CMU workstations, servers, printers, and other networked devices
      • Implement a border firewall and use it to block external access to appropriate CMU resources and CMU access to problematic external resources
      • Implement a mechanism for identifying more phishing attempts and blocking them or otherwise rendering them ineffective
      • Develop and maintain an inventory of restricted data sets and build an environment for their protection

Planned for 2019-2020

      • Substantially complete implementation of campus Mac and Windows workstation controls
      • Implement new backup and encryption tools
      • Bring campus servers into compliance with new policy
      • Review use of and access through remote access gateways/portals
      • Build a plan for DNS architecture improvements
      • Full release of Microsoft ATP and MFA solutions

Initiative #5 - Strengthen Identity and Access Management

Expected Outcomes: 

Identity protection will be in place and solid.  On- and Off-Boarding practices will be reviewed and adjusted as necessary.



      • Introduce Multi-Factor Authentication
      • Review and Revise Off-Boarding strategies for faculty, staff, and alumni
      • Review provisioning strategies and develop a strategy for adopting role-based access

Planned for 2019-2020

      • Full release of multi-factor authentication in Office 365
      • Begin expansion of use of multi-factor authentication across other systems

Initiative #6 - Expand Record Management, Business Continuity, and Disaster Recovery Activities

Expected Outcomes: OIT disaster recovery capabilities will be documented and divisional business continuity plans will work synchronously with those capabilities.  Network and systems redundancy will be extensive and appropriate to the needs of the institution.  Record management will work in tandem with OIT systems capabilities to provide the right balance between access and security.



      • Through a series of exercise and simulations, develop and document a shared understanding of CMU's Business Continuity and Disaster Recovery capabilities
      • Through an inventory process, identify areas handling and storing restricted data
      • Bring systems into alignment with data/system owner expectations
      • Build a "Culture of Resilience"

Planned for 2019-2020

      • Conduct a campus-wide Business Continuity Exercise designed to surface critical records and provide new advice regarding record retention and management
      • Inaugurate "Spring Cleaning"
      • Shift remote Data Center capability to new location
      • Document existing OIT recovery capability and "next step" plan