CAG’s Data Security and Compliance Team develops customized security plans, programs and risk registers, and writes policies, standards and procedures based on the security frameworks and regulatory environment that apply to your campus.
Our team integrates with your internal operations and provides practical security guidance while participating in change control, staffing meetings and project meetings. Engagements typically begin with an assessment; we also offer ongoing services to remediate findings and mitigate risk.
Our team members hold certifications including CISM, CISA and CISSP and have substantial practical experience providing these services to higher education institutions of every size and type.
Security Lifecycle Process Overview
CAG uses an information security lifecycle of Identify, Assess, Protect and Monitor. The cycle is repeated to maintain an effective information safeguards and security program.
Step 1. Identify
- Vulnerability scans of the internal and external environment
- Port scan across the external perimeter
- Review of existing network diagrams
- Controls assessment against a security control set agreed upon in advance
- A subset of a PCI QSA review
- Review of IT inventories
Any immediate security risks identified during this step are raised with the institution right away rather than held for the final report.
Step 2. Assess
In the first assessment we create a baseline controls review and document your current state. In subsequent years we perform annual risk assessments covering applications, networks, data centers, and organizational security.
We also establish a baseline maturity level for the Information Safeguards and Security Program, measured against CMMI (Capability Maturity Model Integration, maintained by ISACA).
Step 3. Protect
- Once the baseline is created and a plan is agreed, we begin work on the plan.
- Present the security maturity and the identified risks to senior management. For each risk, leadership selects one of four treatments, and the decision is recorded in the risk register:
  - Accept – The risk is understood, and the decision is made to continue as-is
  - Remediate – Put controls in place that reduce the likelihood or impact of the risk
  - Transfer – Purchase insurance or offload the activity to a more qualified party (accountability for the institution’s data still remains with the institution)
  - Avoid – Stop the activity that creates the risk
Step 4. Audit and Monitor
- Based on the program, plan, and standards in place, perform audit reviews to confirm that controls are being followed.
- Monitoring examines systems on an ongoing basis to determine whether they comply with the standards and policy.
The cycle then begins again with Step 1.
Regulatory and Compliance Audits
These audits evaluate your existing compliance with the applicable frameworks and regulatory requirements, identify areas for improvement, and recommend a plan of action for remediation.
Some of the key components of the CAG Regulatory and Compliance Audit include:
- Review of current security practices and documentation developed to date
- Tour of the facilities and overall environment
- Interviews with key team members such as:
  - Security Manager
  - Infrastructure Manager
  - Support Services Manager
  - Development Manager
  - PMO Manager
- Deliverables provided upon completion of the Regulatory and Compliance Audit:
  - Information Security Program
  - Information Security Plan
  - Risk Register
These assessments address technical and logical controls such as encryption, smart cards, passwords, biometrics, constrained interfaces, access control lists (ACLs), protocols, firewalls, routers, intrusion detection systems, and clipping levels (the thresholds at which repeated events, such as failed logins, trigger an alert or lockout). They also address physical controls such as guards, fences, motion detectors, locked doors, sealed windows, lighting, cable protection, laptop locks, swipe cards, guard dogs, video cameras, mantraps, and alarms.
CAG Vulnerability Assessments typically include the following three activities:
- Vulnerability scan to assess the current infrastructure’s security posture. The scan detects systems that are behind on patching, have weak passwords, or carry other vulnerabilities that pose a threat to the environment. We scan both internal and external devices to get a full security picture; an external-only scan does not show what an attacker who has gained a foothold inside the network can reach.
- IT due diligence. CAG evaluates several key technology components that are typically problematic:
  - Active Directory assessment
  - Network devices
  - Web filtering
  - Cloud services
- Deliverables: a report of the findings along with remediation recommendations.
Virtual Information Security Officer Services
Many institutions ask us to serve as their Information Security Officer on an ongoing basis. Beyond a senior security leader who attends client meetings and liaises on the institution’s behalf, institutions gain the support of our wider security team to investigate and follow up on issues as they arise. The VISO service helps raise the institution’s security maturity, improves the return on security spending and manages vendor relationships.
The VISO will also:
- Develop security and privacy policies that incorporate industry best practices and meet the institution’s requirements.
- Coordinate planning for the response to security events, including cross-departmental and cross-campus procedures.
- Validate that activities and controls intended to prevent security incidents are in place and followed consistently.
- Ensure that controls governing access to sensitive information are documented and followed.
- Provide guidance and counsel to the CIO and key members of the university leadership team, and work closely with senior administration, academic leaders, and the campus community to define information security objectives.
- Lead internal assessments of the security controls protecting the institution’s information and technology systems, and make recommendations to management on their adequacy.
- Coordinate and track all information technology and security-related audits, including their scope, the people involved, and the outcomes, and provide guidance, evaluation and advocacy on audit responses.
- Develop and administer technical security standards.
Compliance responsibilities of the VISO
- Gramm–Leach–Bliley Act (GLBA)
- NIST SP 800-171
- NIST SP 800-53
- PCI DSS compliance
- Texas Administrative Code (TAC) 202 or the equivalent standard in your state
Recommended meetings and activities in which the ISO participates
- Change control, including:
  - Identifying data movement and confirming it is secured
  - Approval of firewall rules
  - Approval of third-party connections
- Staff meetings
- Project review meetings
- Developer meetings, as needed
- Consultative discussions, as needed
- Monitoring of security alerts
- Subcommittees such as the Information Governance and Export Controls groups
Documents produced and maintained by ISO
- Policy, Standards, and Procedures (aligned with required compliance)
- Information Safeguard and Security Program
- Information Safeguard and Security Plan
- Information Safeguards and Security Program and Security Plan Summary
- Information Safeguards and Security Program and Security Plan Executive Summary
- Information Safeguards and Security Program and Security Plan Public Summary (If open records request applies)
- Information Safeguards and Security Review Presentation
- IT Risk Register
- Incident Response Plan
- Insider Threat Management Program
- Control Crosswalk (mapping of standards and procedures to required controls)
- Monthly Report
Documents produced and maintained by IT custodians and information owners
- Information System Inventory
- Information System Component Inventory
- Network and Application Runbooks for systems identified as critical and for Disaster Recovery
- Risk Assessments for Applications, Networks, Data Centers and Organizational Security
Other activity as needed
- Third-party assessments
- Contract review, as needed
- Legal hold management and collection guidance
- Tabletop disaster recovery testing and review
- Monthly security content for staff and users, as available
- Monthly state reporting, if required
Remediation and Ongoing Support of Programs, Plans and Risk Registers
After each security audit, additional controls may need to be put in place to protect the confidentiality, integrity, and availability of the affected systems. CAG can assist during the remediation and mitigation phase, typically through an assigned project team working to an agreed scope of work.
© 2021 Columbia Advisory Group