Enterprise Information Security Program Plan
For
Alpha Community College
Professor Richard Brunner
Christopher Plemmons, David Lussier, Manny Hameed, Robert Crager, and Sara Asif
Contents
1. Introduction
1.1. Purpose
1.2. Scope
1.3. Background
1.4. Assumptions/Constraints
2. Alpha Community College Organization
2.1. Vision
2.2. Mission
2.3. Core Values
2.4. Board of Trustees’ Strategic Business Objectives
3. Legal and Privacy
3.1. Applicable Laws, Statutes, or Regulations
3.2. Security and Privacy
3.3. Privacy Impact Analysis (PIA) or Data Protection Impact Assessment (DPIA)
4. Information Security
4.1. Key Enterprise Team Members and their roles and responsibilities
4.2. RACI Matrix
4.3. Security Functional Team Members
4.4. Information/Data Classification Scheme
4.5. Data Retention Schema
4.6. Magnetic Remanence Schema
4.7. Aligning the Information Security Program
4.8. Security Framework(s)
4.8.1. Control Framework(s)
4.8.2. Non-control Framework(s)
4.9. GAP Assessment
4.9.1. GAP Assessment Steps
4.10. Risk Management Program
Establish Process Metrics and Consistently Report to Management
4.10.1. Identification
4.10.2. Evaluation
4.10.3. Treatment Planning
4.10.4. Treatment Implementation
4.10.5. Disposition
4.11. Reporting Metrics
4.12. Top 3 Risks
4.12.1. Noncompliance with HIPAA Security and Privacy Laws
4.12.1.1. Asset(s) potentially affected
4.12.1.2. Threat or threat actors
4.12.1.3. Vulnerability(ies)
4.12.1.4. Impact if realized
4.12.1.5. Time period that we believe the risk remains active
4.12.2. CEO Email Fraud
4.12.2.1. Asset(s) potentially affected
4.12.2.2. Threat or threat actors
4.12.2.3. Vulnerability(ies)
4.12.2.4. Impact if realized
4.12.2.5. Time period that we believe the risk remains active
4.12.3. Violation of International Privacy Laws
4.12.3.1. Asset(s) potentially affected
4.12.3.2. Threat or threat actors
4.12.3.3. Vulnerability(ies)
4.12.3.4. Impact if realized
4.12.3.5. Time period that we believe the risk remains active
5. Information Security Policies, Procedures, Standards, or Processes
6. Information Security Programs
6.1. Cloud Computing
6.1.1. Why are you initiating/doing this program?
6.1.2. Risk – Violation of International Privacy Laws
6.1.3. What are you going to do within the program?
6.1.4. What are your expected outcomes, and how are you measuring these expected outcomes?
6.1.5. What is your timeline for implementation?
6.2. Project 2: Vulnerability and Threat Management
6.2.1. Why are you initiating/doing this program?
6.2.2. Risk – CEO Email Fraud
6.2.3. What are you going to do within the program?
6.2.4. What are your expected outcomes, and how are you measuring these expected outcomes?
6.2.5. What is your timeline for implementation?
6.3. Project 3: Data Loss Prevention
6.3.1. Why are you initiating/doing this program?
6.3.2. Risk – Noncompliance with HIPAA Security and Privacy Laws
6.3.3. What are you going to do within the program?
6.3.4. What are your expected outcomes, and how are you measuring these expected outcomes?
6.3.5. What is your timeline for implementation?
6.4. Project 4: Network Segmentation
6.4.1. Why are you initiating/doing this program?
6.4.2. Risk – Noncompliance with HIPAA Security and Privacy Laws
6.4.3. What are you going to do within the program?
6.4.4. What are your expected outcomes, and how are you measuring these expected outcomes?
6.4.5. What is your timeline for implementation?
7. Appendix A ― Acronyms and Abbreviations
8. Appendix B ― Definitions
9. Appendix C ― References
10. Appendix D ― Collaboration
11. Appendix E ― Infrastructure Diagram for Alpha Community College
Introduction
Purpose
Alpha Community College’s information security policy focuses on protecting critical data from loss, damage, or inappropriate use, and on educating faculty, staff, students, and visitors about the importance of protecting data generated, accessed, transmitted, and stored by the College. It identifies the strategies that should be in place to protect the confidentiality, integrity, and availability of College data and to comply with local and federal regulations. Policies in this document are intended to ensure that the College maintains appropriate functional access for students, faculty, and staff while adhering to security standards.
Scope
This policy applies to all individuals, whether full-time or part-time, who are given access to computer equipment, systems, and networks owned or operated by Alpha Community College, including, but not limited to, faculty, staff, and students. This policy also applies to information, electronic and computing devices, and network resources used to conduct Alpha Community College business or to interact with internal networks and business systems, whether owned or leased by Alpha Community College, the individual, or a third party.
Background
Alpha Community College is located in north Texas, with campuses throughout the DFW Metroplex and approximately 50,000 students. Students of Alpha Community College have the opportunity to earn a two-year Associate of Applied Science (AAS) degree across multiple disciplines or a certificate through the workforce programs. Alpha Community College has transfer agreements with 5 community colleges across Texas, allowing students from these institutions to obtain a four-year degree, either a Bachelor of Science (BS) or a Bachelor of Applied Technology (BAT). Some of the currently offered programs are listed below.
Bachelor of Science degrees are in the following disciplines:
Nursing
Dental Hygiene
Digital Analytics
Bachelor of Applied Technology granting degrees are in the following disciplines:
Cybersecurity
Resource Protection
Alpha Community College maintains a strong relationship with local businesses through special projects that deal with each business’s proprietary information, which may include trade secret data. These special projects allow Alpha Community College students and faculty to work with local businesses in supporting or contributing to new project initiatives. The businesses give students practical experience in solving technical challenges, performing assessments, and similar work. Relationships between higher education and local businesses offer a unique opportunity in which learned theory is put into real-world practice, resulting in realized business solutions.
Alpha Community College is also home to a centrally located health care center near the largest campus, providing health care to Alpha Community College students, faculty, full- and part-time employees, and their families. The health care center also provides care to local neighborhood families on an appointment basis. Alpha Community College’s Health Center is located near Central University, whose Medical and Dental students and faculty provide medical and dental care services at the Health Center. Alpha Community College students matriculating in Nursing or Dental Hygiene provide health or dental care services under the supervision of licensed Alpha Community College or Central University Medical and Dental faculty.
Assumptions/Constraints
It is anticipated that this information security program will be accepted and supported by Alpha Community College employees, contractors, business partners, and third-party vendors. The executive leadership team will be accountable for guaranteeing that all parties are acquainted with this program through the onboarding processes, periodic training, and access to repositories with distributed documentation.
Alpha Community College Organization
Vision
Alpha Community College serves the Dallas/Fort Worth (DFW) area as a premier learning institution where student success exemplifies the strength of a diverse, DFW Metroplex community college.
Alpha Community College-specific vision ideals are as follows:
A college environment that values and supports a culturally diverse and intellectually dynamic community and prepares students for global citizenship.
Respected liberal arts and sciences with transfer programs that facilitate student preparation for the baccalaureate experience.
Respected Bachelor of Science (BS) granting programs in Nursing, Dental Hygiene, and Digital Analytics serving health care and business needs of DFW and surrounding areas; and Bachelor of Applied Technology (BAT) granting programs in Cyber Security and Resource Protection serving business needs of DFW and greater surrounding areas.
Superior career programs that prepare students to meet current and evolving labor market needs.
Innovative developmental and literacy programs that prepare students for more advanced educational and training opportunities.
Agile programs that meet the needs of employers and emergent workforce development initiatives.
Responsive continuing adult and community education programs that enhance and encourage individual growth and development.
An engaged and excellent faculty, staff, and administration that enable students to meet their full potential.
A teaching and learning environment that exemplifies ongoing and productive communication and collaboration across the institution and with local businesses.
Innovative health and dental programs leveraging local Medical and Dental School support to provide health and dental services at Alpha Community College’s Health Center.
Strong and mutually beneficial partnerships with public and parochial schools, community organizations, and governmental agencies that model effective community-based educational programs.
State-of-the-art technology employed to enhance teaching and learning.
Accessible and affordable education designed to optimize opportunities for student participation.
A supportive learning community that uses learning outcomes to measure success and guide innovative curricular and program improvements to meet individual and group needs.[24]
(Reference: https://www.ccp.edu/about-us/mission-and-goals)
Mission
Alpha Community College’s mission statement is as follows:
Alpha Community College is an open-admission, associate degree (with Bachelor of Science (BS) and Bachelor of Applied Technology (BAT) programs) granting institution which provides access to higher education for all who may benefit. Its programs of study in the liberal arts and sciences, career technologies, and basic academic skills provide a coherent foundation for college transfer, employment, and lifelong learning. The College serves the Dallas/Fort Worth (DFW) area by preparing its students to be informed and concerned citizens, active participants in the cultural life of the DFW Metroplex, and enabled to meet the changing needs of business, industry, and the professions. To help address broad economic, cultural, and political concerns of the DFW area and beyond, the College draws together students from a wide range of ages and backgrounds and seeks to provide the programs and support they need to achieve their goals.
The College seeks to create a caring environment which is intellectually and culturally dynamic and encourages all students to achieve:
Greater insight into their strengths, needs and aspirations, and greater appreciation of their own cultural background and experience.
Increased awareness and appreciation of a diverse world where all are interdependent.
Heightened curiosity and active interest in intellectual questions and social issues.
Improved ability to pursue paths of inquiry, to interpret and evaluate what is discovered, and to express reactions effectively.
Self-fulfillment based on service to others, preparation for future work and study, and enjoyment of present challenges and accomplishments.[24]
(Reference: https://www.ccp.edu/about-us/mission-and-goals)
Core Values
Alpha Community College believes that learning thrives when there is a sense of curiosity and excitement about the world in which we live. As such, we value:
Excellence
Quality in the educational and training experiences that we provide, which is based on our dedication to teaching and learning.
Innovation
Creative problem solving, responsiveness, entrepreneurship, and our ability to adapt quickly to a changing world.
Sustainability
Commitment to the long-term health of the institution, the community, the economy, and the environment.
Accountability
Institutional and individual responsibility for our actions, growth, and development.
Integrity
Academic and personal honesty, fairness, ethical conduct and respect for others in our learning and working environments.
Engagement
Involvement in and collaboration with the college, local, and global communities. [29]
(Reference: https://www.northampton.edu/about/mission-vision-and-values.htm)
Board of Trustees’ Strategic Business Objectives
Alpha Community College’s Board of Trustees should be considered the same as an organization’s Board of Trustees (BOT) for this assignment. Alpha Community College’s Strategic Business Objectives include the following items:
Double Alpha Community College’s Health Center’s footprint within the next 3 years, allowing expansion of the Nursing and Dental Hygiene programs to meet projected workforce needs by 2025. This maps to Central University’s Medical and Dental program expansion plans.
Expand international student enrollment by 60%, with a stretch goal of 75%.
Obtain the Department of Homeland Security (DHS) and National Security Agency (NSA) Cybersecurity Center of Academic Excellence designation for a 2-year institution within the next year, laying plans for 4-year institution approval in the next 3 years.
Triple Cybersecurity support to local businesses within the next 2 years, allowing AAS and BAT students expanded opportunities for gaining practical experience while expanding Alpha’s relationship with businesses.
Create a Cybersecurity Research Center allowing faculty, staff, and students the opportunity to perform meaningful cybersecurity research specific to local business requirements.
Legal and Privacy
Applicable Laws, Statutes, or Regulations
The applicable laws, statutes, or regulations section lists all laws, ordinances, constitutional and regulatory provisions, statutes, rules, codes, certificates, permits, and requirements adopted, enacted, implemented, promulgated, issued, entered, or deemed applicable by or under the authority of any Governmental Body having jurisdiction in Texas, the U.S., or internationally that affect Alpha Community College.
Children’s Online Privacy Protection Act (COPPA)
IAW 15 U.S. Code Chapter 91, Alpha Community College will not knowingly collect PII from children 13 years of age or younger without prior verifiable consent from a legal parent or guardian. Upon discovery that any such PII was collected without consent, processing of that PII will be terminated immediately until consent from a legal parent or guardian can be verified within a reasonable time.
All PII collected legitimately will be maintained under reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children, and will furthermore be stored in an encoded format. IAW California Civ. Code § 1798.120(c), this also applies to all California residents between the ages of 13 and 16.
Family Educational Rights and Privacy Act of 1974 (FERPA)
Alpha Community College recognizes that certain information regarding the College’s students is confidential in nature by reason of the Family Educational Rights and Privacy Act of 1974. Unless verifiable consent is obtained from the student or their legal guardians, Alpha Community College agrees to safeguard these records IAW FERPA and Institution policies to the full extent of the law. The Institution will release information beyond what FERPA or Institution policy provides for only when the Alpha Community College student has given verifiable consent to that release.
Health Insurance Portability and Accountability Act (HIPAA)
IAW Public Law 104-191, Alpha Community College safeguards all “individually identifiable health information” (PHI), whether stored or transmitted, in any form or media, whether oral, electronic, or paper.
Uniform Trade Secrets Act (UTSA)
Alpha Community College fosters an environment in which it encourages its students to assist the local community. All students who wish to participate in these special projects will uphold Alpha Community College’s value statements to the highest degree. Obtaining any trade secrets or data by improper means, theft, or misappropriation will result in immediate expulsion and will be penalized under 18 U.S. Code § 1832 – Theft of trade secrets.
Stop Hacks and Improve Electronic Data Security (SHIELD)
For New York residents, Alpha Community College adheres to New York’s SHIELD Act and has implemented data protection standards IAW NIST SP 800-122. IAW NY State Senate Bill S557B, if any privileged information of a New York resident is disclosed due to an unauthorized security breach, the owner of that information will be notified immediately upon discovery.
International Law
General Data Protection Regulation (GDPR)
If you are accessing this site from a country that is a member of the European Union, the processing of your Personal Data is subject to the General Data Protection Regulation (GDPR) or other European privacy laws. Alpha Community College complies with the requirements of GDPR and other European privacy laws.
All data collected from these students, including the student’s name, academic records, and any other information, will be considered private in nature and stored separately from the data of U.S. students at Alpha Community College.
GDPR provides rights to individuals (“data subjects”) to manage their personal information. An e-form is provided if you wish to make a request to Alpha Community College in respect of any of these rights.
Under Article 17 of the GDPR (the “right to be forgotten”), you have the right to have any personal data being processed at Alpha Community College erased at any time, except in the following situations:
Your data is being processed for academic grading purposes.
You have misused, or are suspected of misusing, our services.
You have an ongoing service ticket.
Personal Information Protection and Electronic Documents Act (PIPEDA)
If you are accessing this site from Canada or any Canadian province, the information you provide is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Alpha Community College complies with the requirements of PIPEDA and other Canadian privacy laws.
Consent from the end user will be obtained before any personal information is collected.
All information collected will be within the scope of reasonable means.
Security and Privacy
Alpha Community College acknowledges its significant role in safeguarding all PII and confidential information regarding its faculty and students. Alpha Community College’s CISO (Chief Information Security Officer) and CPO (Chief Privacy Officer) will work collaboratively to ensure security objectives are met (see section 4.7 for the CISO and CPO interface). ACC’s CISO will focus primarily on the overall security of data on the institution’s networks, with emphasis on data governance and infrastructure. ACC’s CPO will be tasked with protecting personal information, overseeing how data is collected, stored, shared, and transmitted, and maintaining compliance with the latest data protection regulations that apply to Alpha Community College both domestically and abroad.
The CPO needs both legal expertise and technical knowledge to propose strategies that are in line with compliance requirements and viable for the institution’s existing infrastructure. Because of this, the CPO will be a member of the security steering committee so that a consensus on security strategies can be reached. The CPO will report to the General Counsel, who will be focused on business needs, such as executing the strategies developed by the steering committee. The CPO will ensure that the institution has effective people, operational controls, and administrative and reporting procedures in place to support the institution’s financial strength and operating efficiency.
Privacy Impact Analysis (PIA) or Data Protection Impact Assessment (DPIA)
Alpha Community College understands its duty to protect the data of faculty and students. A privacy impact analysis is a process that assists institutions in identifying and managing the privacy risks arising from new initiatives, processes, strategies, and policies. A PIA is a form of impact assessment applied to the large amount of sensitive and/or private data about individuals held in or flowing through Alpha Community College’s network. The primary goals of a PIA are to:
Ensure compliance with applicable legal, regulatory, and policy requirements for privacy.
Identify and evaluate the risks of potential privacy breaches or other incidents and effects.
Identify appropriate privacy controls to mitigate unacceptable risks.
Alpha Community College will perform a PIA (Privacy Impact Analysis) quarterly, led by the CPO (Chief Privacy Officer). The overall objective of a PIA is to avoid costly or reputationally damaging privacy matters, with the following goals in mind:
Enhance informed decision-making.
Help the institution gain the public’s trust and confidence.
Demonstrate to faculty, students, and staff that Alpha Community College takes privacy seriously.
Additionally, a PIA will be performed whenever one of the following criteria is met:
An addition of any new program, service, capability, or process.
Any update/upgrade/change to an existing program, service, capability, or process.
A DPIA (Data Protection Impact Assessment) will be performed whenever data processing is likely to result in a high risk to the rights and freedoms of individuals. IAW Article 35 of the GDPR, a DPIA will be conducted when one or more of the following criteria are met:
Implementation of new technologies relating to EU-based personal data or data classified as PII.
Processing of personal data relating to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
Data processing used to make automated decisions about people that could have legal (or similarly significant) effects.
A DPIA will be conducted before and during the planning stages of any new project to achieve the most efficient and effective path to complying with our data protection obligations and meeting individuals’ expectations of privacy.
Information Security
Key Enterprise Team Members and their roles and responsibilities
Alpha Community College’s security teams will be led by the following Chief Officers.
Board of Trustees
President, Alpha Community College (serves as the CEO)
Head of Campus Provosts
Campus Financial Officer
Head of Human Resources includes Head of Registrar and Bursars Office
General Counsel includes Chief Privacy Officer
Chief Information Officer
Chief Security Officer includes Chief Information Security Officer
Head of Alpha Community College Health Center
Internal Audit
Board of Trustees
The Alpha Community College board of trustees is responsible for strategic planning and oversight of the CEO or president, who is responsible for carrying out the plans of the board of trustees. Under the leadership of the board chair, the trustees offer advice and counsel to the CEO or President.
As the final authority for Alpha Community College, trustees make all legal and fiduciary decisions, although they delegate some specific powers and duties to others. The board of trustees is responsible for developing and approving the college’s mission, strategic goals and objectives, and establishing policies related to programs and services. Another duty of trustees is to approve the annual budget and to set significant program fees. [31]
President and Chief Executive Officer (CEO)
Reports directly to, and is accountable to, the Board of Directors for an academic institution’s performance.
Responsible for a deep commitment to student access and success.
Oversee general management and leadership of campus operations, including managing and allocating resources to achieve overall plans and objectives.
Connect the institutional strategy of attaining high student access and success levels with administrative and academic units’ operations.
Identify gaps in student outcomes based on race, ethnicity, and gender and mobilize the campus to improve results.
Lead the campus to significantly improve student outcomes by implementing well-designed institutional changes at scale and ensuring efforts are sustained over the long term.
Raise revenue and resources that support student access and success; act as campus spokesperson and donor liaison to support campus foundations’ fundraising efforts.
Engage with campus stakeholders to understand their concerns and needs to discern opportunities for improvements.
Ensure that the campus has qualified, trained, and motivated staff to perform the responsibilities outlined in their respective position descriptions; monitor the efficient and effective performance of all campus employees.
Motivate, coach, and develop those individuals across the organization involved in leading or executing operational excellence or continuous improvement objectives.
Analyze and implement solutions across the campus to identify and eliminate waste, reduce costs, promote educational excellence, and improve the student experience.
Monitor performance and provide in-depth and timely management commentary on operational excellence results and lead the debate on any corrective measures and other control processes.
Evaluate the work of other executive leaders within the institution, including directors, vice presidents, and presidents.
Assess risks to the institution and ensure they are monitored and minimized.
Set strategic goals and make sure they are measurable and describable. [10][31]
Head of Campus Provosts
The Alpha Community College campus provost serves as the academic chair or head of the college faculty.
The campus provost serves on the Council of Provosts. The Council of Provosts considers and makes recommendations to the administration and to the Academic Senate on campus-wide issues of undergraduate education, including, but not limited to, general education, advising, honors programs, undergraduate academic engagement, academic integrity, and student retention.
The campus provost contributes to the Council of Provosts and to campus-wide leadership and stewardship of undergraduate education.
Campus provosts provide leadership in defining the vision and the mission of the college.
Responsible for developing and maintaining a collegial environment conducive to scholarly interaction between students and college-affiliated faculty.
Responsible for ensuring equal employment opportunity and leading the college’s good faith efforts to meet established affirmative action goals for college academic and staff positions.
With other faculty of the college, recruit new faculty members to participate in the college. Upon request, the college provost assesses a faculty member’s contribution to the college for personnel actions.
Convene the college Senate faculty in discussions of the academic function of the colleges, including, but not limited to, the role of colleges in sponsoring courses, imposing graduation requirements, and establishing curricula that complement departmental and divisional curricula.
Explore ways for divisions and colleges to work synergistically to provide complementary academic programs and processes that enhance undergraduate education, such as college educational programs, academic advising, academic standing review, academic integrity, and co-curricular learning. [1]
Campus Financial Officer
The Alpha Community College Campus Financial Officer is a member and officer of the board. The Campus Financial Officer is responsible for directly paying bills and invoices and for managing bank accounts, loans, and credit cards. The comptroller’s responsibility lies in overseeing the college’s financial transactions, reports, and overall financial health.
The Campus Financial Officer helps the board establish budgeting priorities that correspond to strategic planning goals and objectives. The Campus Financial Officer is a financial expert who helps the trustees analyze and understand financial reports to assist them in decision-making. As all trustees have fiduciary responsibilities, the Campus Financial Officer helps the board make sound decisions about allocating institutional resources. Duties and responsibilities include establishing and monitoring internal controls according to approved procedures for processing financial transactions.
As part of their responsibility for oversight, the campus financial officer regularly reviews financial records to ensure that monetary transactions are being recorded accurately and on a timely basis.
The Campus Financial Officer ensures compliance with applicable laws and regulations and with the organization’s policies and procedures. [31]
Head of Human Resources includes Head of Registrar and Bursars Office
The HR leader functions as a strategic partner for Alpha Community College, leading the human resources (HR) function in a hub-and-spoke service delivery model and actively serving as a leader, consultant, resource, and authority on HR policies, practices, resources, and transactions.
Leads in developing and applying HR strategy at the college/division level; communicates and implements HR practices and goals within the college/division; supports a culture and workplace consistent with the Alpha Community College mission, vision, and core values.
Advisor to Dean/Vice President/Departmental Leaders on strategic and operational decisions; serves as a partner for human resources strategies and functions (e.g., talent acquisition and onboarding; diversity, equity, and inclusion; engagement and leadership; health and well-being; policy compliance; risk management; total rewards; etc.).
Strategic and agile partner to leaders on communication and management of the HR function and on alignment of vision, mission, and goals with HR strategy, policy, and procedure (such as the annual salary process).
Leads in advancing diversity, equity, and inclusion, organizational culture, and values that attract, retain, and motivate talented and diverse people; produces quality outcomes through change management and leadership that promote development and engagement.
Serve as an active liaison between Alpha Community College Human Resources and the college/division/department(s); is typically the first point of contact (non-transactional or routine issues) for college HR.
Analyze, interpret, and forecast college/division workforce data trends to inform data-driven decisions. Consider budget parameters including various funding sources, reported areas of need and concern (e.g., vacancy rates, turnover, compensation, demographics, etc.), and landscape; develop strategies to address.
Interpret and promote the equitable application of human resource policies and procedures for the college/division and work collaboratively with campus stakeholders to solve problems (UHR, EOD, General Counsel, Office of the Provost, ELR, etc.) to achieve positive outcomes for the UI.
Ensure college/division and department policies, practices and programs meet legal/regulatory standards and conform with Alpha Community College policies; lead informal complaint investigations.
Provide strategic leadership for HR programs and services (e.g., Compensation Strategies, Employee Health, well-being and Safety, Employee and Labor Relations, Leave Management, Organizational Effectiveness, Performance Management, Recruitment, and Retention, etc.).
Advise, guide, review, approve, and oversee HR policies, practices, resources, and transactions at the college/division level.
Provide ongoing advice and guidance on Faculty HR policies and processes, which may include: Faculty Recruitment and Appointments, Faculty Reviews, Promotion and Tenure, Post Tenure Effort Allocation, Special Compensation, Conflicts of Interest, Academic and Professional Record (APR), etc.
Supervise and mentor Head of Registrar and Bursars Office staff within college/division and across the organization. Responsibilities include setting performance goals in collaboration with departmental leaders, decisions regarding salary advancement/promotion, conducting annual performance appraisal, and final hiring, etc.[36]
General Counsel includes Chief Privacy Officer
The Alpha Community College Counsel may consist of attorneys who manage legal conflicts between administrators, faculty, staff, students, or other constituencies. Attorneys present at board meetings to advise the board of trustees on matters of institutional policy. Under the best of circumstances, the board of trustees will develop a trusted relationship with General Counsel so they will be sure to receive early warning of any potential legal problems. Regular and routine meetings between trustees and attorneys develop the necessary foundation for a mutually trusting professional relationship.
The General Counsel regularly works closely with the CEO or President to address legal matters that surface in campus operations, bringing such issues to the board of trustees as necessary.
Attorneys for the General Counsel have access to all reasonable means of obtaining information on which to base their advice and opinions to fulfill their responsibilities to protect and preserve the legal interests of the college.
Campus attorneys may also meet with auditors in executive sessions to answer their questions and avoid unnecessary worries over financial matters.
General Counsel works with the board to review policies and procedures for common crises and catastrophes on campus and for campus security. [31]
Chief Information Officer (CIO)
Responsible for developing collaborations among academic and administrative constituents to advance the academic mission.
Provides leadership in setting the strategic direction for information technology services: gauging and anticipating the diverse needs of college constituents, monitoring trends and innovations in the industry to meet those needs, developing and implementing long- and short-term technology plans, and making actionable recommendations to senior leadership.
Ensure IT data security, risk management, disaster recovery, and business continuity planning processes are in place and receive a regular review for currency and adequacy
Exercise diligent evaluation and careful budgetary management, including budget preparation and the ability to analyze and resolve complex issues
Develop and organize technology talent that is structured to efficiently deliver services across the organization
Develop, successfully implement, and oversee strategic technology policies throughout the College
Works with the student body and student affairs professionals to advance the student experience with creative technology integration in areas where students live, work, and play. [48]
Chief Information Security Officer (CISO)
Facilitates an information security governance structure by implementing a hierarchical governance program, including the formation of an information security steering committee or advisory board.
Supervises, trains, coaches, directs, coordinates, and disciplines assigned personnel while adhering to organizational human resource policies and procedures and related employment laws.
Defines and facilitates the processes for information security risk and legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.
Provides regular reporting on the information security program details status to enterprise risk teams, senior business leaders, and the board of directors.
Creates and manages a targeted information security awareness training program for all employees, contractors, and approved system users and establishes metrics to measure this security training program’s effectiveness for the different audiences.
Provides clear risk mitigating directives for projects with components in IT, including the mandatory application of controls.
Ensures that cybersecurity policies and procedures are communicated to all personnel and that compliance is enforced.
Continually updates the cybersecurity strategy to leverage new technology and threat information.
Manages the budget for the information security function, monitoring and reporting discrepancies.
Develops and enhances an up-to-date information security management framework.
Creates and manages a unified and flexible control framework to integrate and normalize international laws, standards, and regulations.
Develops and maintains a document framework of continuously up-to-date information security policies, standards, and guidelines, and oversees the approval and publication of these information security policies and practices.
Creates a framework for roles and responsibilities concerning information ownership, classification, accountability, and protection of information assets.
Liaises with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well abreast of the relevant threats identified by these agencies.
Collaborates and liaises with the data privacy officer to ensure that data privacy requirements are included where applicable.
Oversees technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk.
Develops and oversees effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals.
Oversees network, systems, security, development, service desk, student computer labs, classroom technology, audio/visual capabilities, project management, IT governance, and enterprise project implementation. [9][13][15]
Head of Alpha Community College Health Center
Develops, implements, and evaluates overall health maintenance and health promotion activities on the Alpha Community College campus.
Works and interacts directly with Alpha Community College personnel to identify and assess health problems, initiate appropriate investigations, and submit recommendations.
Analyze and evaluate the effectiveness of programs and determine the need for development and implementation of policies, procedures, and changes in techniques and methods at the Health Center unit to ensure satisfactory student health outcomes.
Participates in coalitions, advisory committees, and task-forces that facilitate achievement of work and project objectives of Health Center, Division of Student Development and Success, and the College community.
Establishes and maintains intra and interagency agreements that promote communication and networks between the college health programs and health centers in the community.
Supervises, coordinates, and monitors the day-to-day Health Center staff and consultants; coordinates appropriate malpractice insurance and certifications of staff training/qualifications such as CPR, First Aid, and AED (defibrillator) use.
Develops and monitors plans & plays an integral role in disaster response and mitigation.
Responsible for budgeting, procurement, and requisition of supplies, equipment, and other biological supplies, needed for the health center.
Assists with clinical and disease management of patients who come to the health center and serves as a resource for training new employees, providing clinical support for clinicians employed at the health center, providing preventive healthcare programs to the campus community, and making appropriate referrals to off-campus resources.
Responsible for the management and evaluation of the Student Health Insurance Program (enrollment, billing, coding, reimbursements, invoicing insurance carriers, etc.).
Facilitate workshops for new student orientation, resident assistants, student leaders, faculty, and staff.
Oversees the Electronic Medical Record system and ensures confidentiality of information in compliance with FERPA and HIPAA requirements.
Interpret, implement and monitor compliance with Texas and federal laws related to healthcare delivery, including medical staff credentialing, reporting of epidemics/contagious diseases, and other public health matters
Represent the College to the Texas Department of Health, Centers for Disease Control, and other external agencies.
Ensure that all equipment and supplies are in good working order and calibrated according to manufacturer’s guidelines, including emergency response equipment. [12]
Internal Auditor
Internal Auditor assists Alpha Community College management and the Audit Committee of the Board of Trustees in accomplishing their objectives by bringing a systematic and disciplined approach to evaluating and improving the College’s risk management, control, and governance processes.
Objectively assess Alpha Community College's IT and/or business processes
Assess the Alpha Community College’s risks and the efficacy of its risk management efforts
Ensure that the college is complying with relevant laws and statutes
Evaluate internal control and make recommendations on how to improve
Identify shortfalls or gaps in processes
Promote ethics and help identify improper conduct
Assure safeguards
Investigate fraud
Communicate the findings and recommendations
Provide an opinion (Unqualified, qualified, adverse, or disclaim)
Assess compliance with policies and procedures and sound business practices [49]
Information Security Steering Committee
Alpha Community College requires an Information Security Steering Committee to ensure the success of the security program. This committee reviews the effectiveness of policy implementation, provides clear direction and visible management support for security initiatives, initiates plans and programs to maintain information security awareness, and ensures that security activities are executed in compliance with the policy. Its responsibilities include:
Assessing inventory of high-risk information assets (paper and electronic) and supporting plans to address information security weaknesses.
Reviewing information security policies and standards and recommending improvements and revisions, as appropriate.
Reviewing specific information security breaches and the related breach notification process.
Serving as a liaison for campus information security issues and helping to make information security more visible within the College.
Evaluating information security training needs [7]
Information Security Steering Committee Members
Chief of Staff, Office of the President
Head of Campus Provosts
Head of Human Resources
Chief Privacy Officer
Chief Information Officer
Chief Security Officer
Chief Information Security Officer
Head of College Health Center
Internal Audit [49]
RACI Matrix
The RACI Matrix assigns Responsible, Accountable, Consulted, and Informed roles to each key team member at Alpha Community College.
Note: RACI Matrix has been removed in this Edited version
Security Functional Team Members
This section will describe the responsibilities of the Chief Information Security Officer (CISO)’s team and the Chief Information Officer (CIO)’s team. A Responsible, Accountable, Consulted, and Informed (RACI) Matrix will be provided to describe the responsibilities corresponding to each essential security function within Alpha Community College’s network. [37]
Note: RACI Matrix has been removed in this Edited version
Information/Data Classification Scheme
Data maintained, managed, and held by Alpha Community College is categorized into four categories: Confidential, Restricted, Private, and Public data. The table below explains each category in more detail, citing examples for each category. [6]
Classification and definition:
Confidential: Data whose unauthorized disclosure, revision, or dismantling would cause irreparable damage to Alpha Community College, its industry partners, its staff, and students attending the college. Examples of confidential data include student ID numbers, addresses, social security numbers, and entities of that nature. Data in this category should be safeguarded with the most robust security controls and mechanisms the College has access to.
Restricted: Data whose unauthorized disclosure, revision, or dismantling could cause significant damage to the College. Examples of restricted data include H.R. data, employee federal tax records, and entities of that nature. Data in this category should be safeguarded through significant security controls.
Private: Data whose unauthorized disclosure, revision, or dismantling could cause moderate damage to the College. Examples of private data include audit reports, loan information pertaining to the College, and entities of that nature. Data in this category should be safeguarded through a reasonable level of security controls.
Public: Data that is publicly available and could cause little to no damage to the College if unauthorized disclosure, revision, or dismantling were to occur. Examples of public data include course information, research publications, and entities of that nature. To prevent the dismantling or alteration of data in this category, it should still be safeguarded through some level of security controls.
Within the above classifications of data, there are several types of data that must be addressed. Some include Electronic Protected Health Information (EPHI), student information for students residing in California or New York or originating from the European Union (E.U.) (GDPR), and Payment Card Industry (PCI) data, to name a few. If data under the confidential category were to be misused, leaked, or stolen, it would pose a [VERY HIGH-HIGH] (85-95%) level of risk to the integrity and confidentiality of private, personal, and other sensitive data on Alpha Community College's systems. Furthermore, data and information classified under the restricted category, should it be misused, leaked, or stolen, poses a [MEDIUM-HIGH] (65-75%) level of risk to the confidentiality and integrity of private, personal, and other sensitive data on Alpha Community College's systems. [39]
The following data types are classified as Confidential:
Personal Identifiable Information (PII)
Electronic Protected Health Information (EPHI) and Protected Health Information (PHI) (Compliant with HIPAA)
Personal Identifiable Education Records (Compliant with FERPA)
Personal Data from European Union (EU) (Compliant with GDPR)
Personal Data from residents of New York (Compliant with SHIELD)
Personal data from residents of California (Compliant with CCPA)
Personal data from residents of Canada (Compliant with PIPEDA)
Business entities' and third-party partners' trade secrets or proprietary information (Compliant with EEA and DTSA)
The following data types are classified as Restricted:
Human resources data
Financial and payroll data and information
Payment Card Industry data (Compliant with PCI DSS)
Federal Tax Information (FTI)
Etc.
Version | Published | Author | Description
0.1 | 03/26/2021 | Robert Crager | Original draft
Data Retention Schema
Alpha Community College will hold any Record or Document actively used for a period of up to seven years unless required otherwise by law. The owner of each record category mentioned below is responsible for the records it creates, uses, processes, stores, and destroys. The categories and their corresponding retention periods are as follows:
Record Category | Active Period | Archive Period (together, the Retention Period)
1. Data records from residents of California or the European Union (E.U.) | Active or upon request from user | 6 years or upon request from user
2. Personal Identifiable Information (PII) | Active | 6 years
3. Electronic or Physical Personal Health Information (PHI) | Active | 6 years
4. Payment Card Industry (PCI) Data and Logs | Active or upon request from user | 1 year
5. Audit Logs | 3 months | 1 year
6. Tax Records | Active | 3 years
7. Medical Records | 2 years | 7 years or in accordance with local laws and regulations
8. Employee Records | Active | 3 years
9. Student Records | Active | 5 years
10. Other Records | 2 years | 5 years or in accordance with local laws and regulations
Legal Hold
A legal hold (also known as a litigation hold) is a notification sent from an organization's legal team to employees instructing them not to delete electronically stored information (ESI), or discard paper documents, that may be relevant to a new or imminent legal case. In the event that Alpha Community College is actively involved in a legal investigation or prosecuted in any way, the College will retain and maintain all applicable records until further guidance is given by General Counsel and the legal hold is resolved. [40]
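The schedule and the legal-hold rule above combine into a disposal decision that a records system has to make consistently. The following is an added example, not tooling from the plan, that applies the plan's archive periods to a constructed record inventory. The Record class, its field names, the review date, and the sample records are assumptions made for the illustration; a legal hold placed by General Counsel takes precedence over every other rule, including a user's erasure request.

```python
"""Retention and legal-hold disposition check for Alpha Community College record categories.

Added example, not part of the plan's own tooling. The archive periods come from the
plan's retention schedule; the Record class, its field names, and the sample records
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Archive period (years) that follows the active period, per the plan's schedule.
# Categories whose schedule says "or upon request from user" honour erasure requests.
ARCHIVE_YEARS: Dict[str, int] = {
    "CA/EU resident data": 6,
    "PII": 6,
    "PHI": 6,
    "PCI data and logs": 1,
    "Audit logs": 1,
    "Tax records": 3,
    "Medical records": 7,
    "Employee records": 3,
    "Student records": 5,
    "Other records": 5,
}
ERASABLE_ON_REQUEST = {"CA/EU resident data", "PCI data and logs"}


@dataclass
class Record:
    record_id: str
    category: str
    active_until: date            # day the active period ends (constructed field)
    legal_hold: bool = False      # set by General Counsel; cleared only when the hold is resolved
    erasure_requested: bool = False


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February anniversary falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition(record: Record, today: date) -> str:
    """Decide what the schedule requires for one record on a given day.

    Precedence: legal hold > user erasure request > active period > archive period.
    A legal hold always wins, so an expiring retention clock or an erasure request
    can never dispose of a record General Counsel has placed on hold.
    """
    if record.category not in ARCHIVE_YEARS:
        raise ValueError(f"unknown record category: {record.category!r}")
    if record.legal_hold:
        return "RETAIN: legal hold"
    if record.erasure_requested and record.category in ERASABLE_ON_REQUEST:
        return "DISPOSE: user request"
    if today < record.active_until:
        return "RETAIN: active"
    if today < add_years(record.active_until, ARCHIVE_YEARS[record.category]):
        return "RETAIN: archive"
    return "DISPOSE: retention expired"


def review(records: List[Record], today: date) -> Dict[str, str]:
    """Run the schedule over a record inventory, e.g. as a periodic disposal review job."""
    return {r.record_id: disposition(r, today) for r in records}


# Constructed sample inventory; the review date is the plan's own draft date.
REVIEW_DATE = date(2021, 3, 26)
SAMPLE_RECORDS = [
    Record("pii-001", "PII", date(2014, 1, 1)),
    Record("pii-002", "PII", date(2016, 1, 1)),
    Record("pii-003", "PII", date(2014, 1, 1), legal_hold=True),
    Record("eu-004", "CA/EU resident data", date(2030, 1, 1), erasure_requested=True),
    Record("log-005", "Audit logs", date(2021, 6, 1)),
]


def review_sample() -> Dict[str, str]:
    """Review the constructed inventory on the constructed review date."""
    return review(SAMPLE_RECORDS, REVIEW_DATE)


if __name__ == "__main__":
    for rid, outcome in review_sample().items():
        print(f"{rid}: {outcome}")
```

The ordering of the checks is the security-relevant part: a disposal job that tests the retention clock before the hold flag would silently destroy evidence the College is obliged to preserve.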
Magnetic Remanence Schema
Alpha Community College will uphold data sanitization standards in accordance with (IAW) NIST SP 800-88. Means of destruction and disposal will be governed and categorized by the data classification schema in section 4.4. All media that is subject to sanitization within Alpha Community College, regardless of classification, will be reviewed in a final validation process and documented to ensure all criteria of the data destruction process are met before reuse or disposal. [51]
Classification and data disposal procedure:
Confidential/Restricted: All data classified as restricted or confidential in nature will be subject to cryptographic erase, and the media will be destroyed through shredding or crushing to the point where retrieval of the target data is unattainable using state-of-the-art laboratory techniques.
Private: All data classified as private in nature will be subject to cryptographic erase, and the media will be destroyed through shredding or crushing. However, if Alpha Community College wishes to repurpose the media device, only standard read/write commands will be utilized for data sanitization purposes.
Public: All data deemed public in nature will be subject to cryptographic erase if the media is leaving the College's control. However, if Alpha Community College wishes to repurpose the media device, only standard read/write commands will be utilized for data sanitization purposes.
Alpha Community College utilizes storage devices with integrated encryption and access control abilities, also known as Self-Encrypting Drives (SEDs). SEDs maintain persistent, always-on encryption of the drive's contents. End users are unable to turn off the encryption capability, which ensures all data is encrypted. Cryptographic Erase leverages the encryption of the target data by sanitizing the target data's encryption key. This leaves only the ciphertext remaining on the media, effectively sanitizing the data by preventing read access.
Read/write sanitization procedures include overwriting the logical storage location of a file (or files) and all user-addressable locations. The security objective of the overwriting process is to replace the target data with other non-sensitive data.
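To make the two sanitization paths concrete, here is an added example that is not part of the plan or of any drive vendor's firmware. It models an SED with a toy SHA-256 counter-mode keystream in place of the drive's AES engine (an assumption made so the example runs without external libraries), performs a cryptographic erase by discarding the media encryption key, then performs the read/write overwrite used for the repurpose case, and produces the validation record the plan requires before reuse or disposal. The drive class, function names, and the sample record are constructed for the example.

```python
"""Simulated media sanitization: cryptographic erase, overwrite, and the final validation record.

Added example, not part of the plan or of any vendor's drive firmware. The cipher is a
toy SHA-256 counter-mode keystream standing in for the AES engine inside a real SED;
it is here only to show why destroying the key sanitizes the ciphertext. Real drives
are sanitized through the device's own sanitize command, not with code like this.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def keystream_xor(key: bytes, data: bytes, start: int = 0) -> bytes:
    """Toy counter-mode keystream: the byte at media position p is XORed with
    SHA-256(key || p // 32)[p % 32]. XOR is symmetric, so the same call decrypts."""
    out = bytearray()
    blocks: Dict[int, bytes] = {}
    for i, b in enumerate(data):
        pos = start + i
        blk = pos // 32
        if blk not in blocks:
            blocks[blk] = hashlib.sha256(key + blk.to_bytes(8, "big")).digest()
        out.append(b ^ blocks[blk][pos % 32])
    return bytes(out)


@dataclass
class SelfEncryptingDrive:
    """Models an SED: every location is stored encrypted under a media encryption
    key (MEK) that the end user cannot switch off. Constructed for this example."""
    media: bytearray = field(default_factory=lambda: bytearray(256))
    mek: Optional[bytes] = field(default_factory=lambda: secrets.token_bytes(32))

    def write(self, offset: int, plaintext: bytes) -> None:
        if self.mek is None:
            raise RuntimeError("drive has been cryptographically erased; no MEK present")
        self.media[offset:offset + len(plaintext)] = keystream_xor(self.mek, plaintext, offset)

    def read(self, offset: int, length: int) -> bytes:
        """Normal reads decrypt through the MEK; once the MEK is gone, the controller
        can only hand back ciphertext."""
        raw = bytes(self.media[offset:offset + length])
        return raw if self.mek is None else keystream_xor(self.mek, raw, offset)

    def cryptographic_erase(self) -> None:
        """Sanitize the key rather than the data: the ciphertext stays on the media,
        but nothing can turn it back into plaintext."""
        self.mek = None


def overwrite_sanitize(media: bytearray, pattern: bytes = b"\x00") -> None:
    """Read/write sanitization used when the College repurposes a device:
    replace every user-addressable location with non-sensitive data."""
    media[:] = (pattern * (len(media) // len(pattern) + 1))[:len(media)]


def validate_sanitization(media: bytearray, target: bytes, read_back: bytes) -> Dict[str, object]:
    """Final validation step the plan requires before reuse or disposal: confirm the
    target data is recoverable neither from the raw media nor through the drive
    interface, and record the result together with a hash of the media state."""
    recoverable = target in bytes(media) or target in read_back
    return {
        "media_sha256": hashlib.sha256(bytes(media)).hexdigest(),
        "target_recoverable": recoverable,
        "status": "FAIL" if recoverable else "PASS",
    }


def sanitize_demo() -> Dict[str, object]:
    """Walk one constructed confidential record through both procedures."""
    secret = b"CONSTRUCTED SAMPLE: student SSN 000-00-0000"  # constructed, not real data
    drive = SelfEncryptingDrive()
    drive.write(64, secret)
    before = drive.read(64, len(secret))      # authorized read decrypts correctly
    drive.cryptographic_erase()
    after = drive.read(64, len(secret))       # only ciphertext comes back now
    ce_record = validate_sanitization(drive.media, secret, after)
    overwrite_sanitize(drive.media)           # second step if the media is to be repurposed
    ow_record = validate_sanitization(drive.media, secret, bytes(drive.media))
    return {"before": before, "after": after, "crypto_erase": ce_record,
            "overwrite": ow_record, "media_after_overwrite": bytes(drive.media)}
```

The validation record is what closes the loop in the plan's process: it is the artefact that documents, per device, that the target data was checked for and not found after sanitization, and the media hash lets a later audit tie that record to the device state that was actually inspected.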
Aligning the Information Security Program
Alpha Community College believes that adequate security controls and practices are crucial in fostering a security-rich environment where security is not seen only as a responsibility; it is also woven into the very fabric of all the institution's practices. To prevent data breaches and unauthorized network access, Alpha Community College will utilize a Security Steering Committee to sustain good system health and develop reliable and cost-effective strategies to safeguard student and faculty data. The Steering Committee will consist of business unit leaders, HR, legal, finance, marketing, privacy departments, and the CISO and CPO. The Committee will utilize the RACI from section 4.2 and a charter to realize the Committee's responsibilities, scope, and structure. The Committee will function by gathering information on security affairs from the institution's medical and dental department heads and from local businesses with relationships to the college. The CISO and CPO will then form security strategies with the Committee so that a consensus can be reached to ensure project goals align with business and security objectives. The CPO will interface with the board to implement security controls in institution functions to address external and internal risks. The CISO will, in turn, integrate the security programs with the institution's medical and dental department heads as well as local businesses to educate, advise, and influence activities with cyber risk implementations.
Security Framework(s)
Alpha Community College has to comply with US government laws (state and federal) and international laws (EU, etc.). The use of a hybrid security framework (ISO 27001, NIST 800-53, and the NIST Cybersecurity Framework) is best suited to minimize the overall risk and liability and to ensure all aspects of the college's programs and operations are covered, including but not limited to GDPR (EU privacy), HIPAA (health data), PCI (financial), and the CIS Top 20 Controls.
CIS Top 20 Critical Security Controls
From the CIS Top 20, Alpha Community College will use the following for our baseline sets of controls: [46]
#1. Inventory and Control of Hardware Assets
#2. Inventory and Control of Software Assets
#3. Continuous Vulnerability Management
#4. Controlled Use of Administrative Privileges
#5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
#17. Implement a Security Awareness and Training Program
To address audit finding 5, we are doing the following to establish the baseline set of security controls for Alpha Community College's current state.
The process for establishing the baseline set of security controls is as follows:
Complete the full CIS Top 20 Version 7.1 assessment.
Focus effort on CIS Top 20 Controls 1, 2, 3, 4, 5, and 17.
Use the “CIS-Controls-and-Sub-Controls-Mapping-to-NIST-CSF” Excel file to map CIS Controls 1-5 and 17 to the corresponding NIST CSF controls when developing the baseline security controls.
Determine which baseline security controls are not applicable to the organization, regardless of whether they are currently implemented, and document these results using the process described on the “What Do we need to do to get there?” GAP Assessment slide.
The result becomes the baseline set of security controls for a Small to Medium-sized Enterprise. [5]
By applying the CIS security controls through this process, we have created our baseline set of controls for our current state while closing out audit finding 5. We aspire to achieve the maximum protection and performance of Alpha Community College and its faculty, students, and associated information.
Control Framework(s)
Security Control Frameworks are designed to promote due diligence and security management communications among internal and external organizational stakeholders. A framework such as the NIST Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles. This subsection looks at the control frameworks that Alpha Community College will be utilizing. [43]
ISO 27001-2
As Alpha Community College will use ISO as its baseline set of security controls, ISO 27001-2 is the international standard that sets out a risk-based approach to information security. It prioritizes the protection of all essential information, not just the data processed in IT systems. It requires organizations to identify information security risks and select appropriate controls to tackle them. ISO 27001 also offers certification that demonstrates the organization has invested in the people, processes, and technology to protect its data. Compliance with it continues to grow as regulatory demands (such as the GDPR, HIPAA, and CCPA) [47] place pressure on organizations to protect consumer and personal data. That will be a good start for Alpha Community College. [42]
NIST 800-53
NIST 800-53 is widely adopted by US federal agencies, and it offers a very comprehensive set of security and privacy safeguards, referred to as controls, that address specific organizational weaknesses. It defines control baselines for low-impact, moderate-impact, and high-impact information systems. It is used by organizations of all sizes across the public and private sectors. NIST SP 800-53 is an excellent roadmap covering all the basics of a good data security plan. Once the baseline is achieved, you can further improve and secure your system by adding additional software, more stringent requirements, and enhanced monitoring. Because NIST is a government-funded entity, its framework is freely available for anyone to use at no cost, unlike ISO standards. [44]
Non-control Framework(s)
NIST Cybersecurity Framework
With the increase in cyber and advanced persistent threats from organized criminal organizations and hostile nation-states, and their increased focus on critical infrastructure, the National Institute of Standards and Technology Cybersecurity Framework serves as an excellent framework to manage and mitigate cybersecurity risk. The cybersecurity controls in the Framework are grouped into five essential functions: Identify, Protect, Detect, Respond, and Recover. It is also the broadest of the frameworks and is flexible enough to be implemented by non-US and non-critical-infrastructure organizations. Indeed, the document is regularly amended to adapt to changing industry needs. Several existing and well-known cybersecurity frameworks include COBIT 5, ISO 27000, and NIST 800-53; the NIST Cybersecurity Framework builds upon those frameworks to add more security. [45]
GAP Assessment
Alpha Community College will perform a GAP Assessment to assess the differences between the current and required performance of the college's information systems, to determine whether requirements are being met and, if not, what steps should be taken to ensure that they are completed successfully. [34]
GAP Assessment Steps
The process for our GAP Assessment will be conducted according to the CIS Top 20, which goes as follows:
Step 1. Perform Initial Gap Assessment – determining what has been implemented and where gaps remain for each control and sub-control.
Step 2. Develop an Implementation Roadmap – selecting the specific controls (and sub-controls) to be implemented in each phase and scheduling the stages based on business risk considerations.
Step 3. Implement the First Phase of Controls – identifying existing tools that can be repurposed or more fully utilized, new means to acquire, processes to be enhanced, and skills to be developed through training.
Step 4. Integrate Controls into Operations – focusing on continuous monitoring and mitigation and weaving new processes into standard acquisition and systems management operations.
Step 5. Report and Manage Progress against the Implementation Roadmap developed in Step 2. Then repeat Steps 3-5 in the next phase of the Roadmap. [5]
Risk Management Program
Alpha Community College will establish a responsible risk management approach to recognize and manage cyber risk exposure. To attain its strategic aims and mission, ACC will accept a degree of risk appropriate to the potential reward. As determined by the Board of Trustees, Alpha Community College can withstand a cumulative annual loss of up to 5 Million Dollars, based on required insurance policies established by the state. There will be circumstances when taking calculated risks will be appropriate. The risks Alpha Community College is willing to take fall within agreed tolerances of a risk appetite decided by the Board of Trustees for the crucial risk areas specified by the college. Assessments of risk will be considered with particular attention to the risk's impact on ACC's core activities.
The risk management process diagram shows five phases, each with a focus and a set of goals:
Identification: Establish a Risk Register. Goals: Proactive, Comprehensive, Timely, Honest.
Evaluation: Develop Risk Rating Criteria. Goals: Consistent Approach, Business Consequence, Map Existing Mitigation.
Treatment Planning: Consider Process and Technology. Goals: Consider Cost, Establish Timeline, Involve Stakeholders.
Treatment Implementation: Keep Focus on Identified Risk. Goals: Adjust Process Gaps, Consider Education/Communication.
Disposition: Risk Minimization and Acceptance. Goals: Mitigation Acceptance, Establish Ongoing Monitoring, Establish Process Metrics and Consistently Report to Management.
Identification
Identify potential risks using audit findings, GAP assessments, daily news and social media monitoring, operational security metrics, and known compliance gaps.
Evaluation
For Alpha Community College, our team has decided to use a quantitative approach. The team recognizes that a loss in reputation, data records being stolen, or interruption to availability would be critical to the college’s infrastructure. ACC’s student information is an asset and is of the utmost importance.
Treatment Planning
Alpha Community College’s treatment planning is devoted to certifying a thorough risk management program to decrease liability in all college activity areas. Our treatment plan is responsible for arranging and implementing a program to enable ACC to fulfill risk management objectives. One example of this effort is developing a college-wide Risk Management Council composed of delegates from each campus and other Alpha Community College administration members.
Treatment Implementation
The ACC risk management program focuses on many vital risks, including emergency response plans, training programs, hurricane preparedness, business continuity, accident prevention, and regulatory compliance. Risk management will also use the latest communication procedures to ensure that procedures stay current and communication channels remain available.
Disposition
Alpha Community College will continuously monitor risks and decide whether or not each risk has been resolved. If so, we will ascertain whether the risk in question was handled appropriately or took an unnecessary amount of time. All risks will be reported to the proper personnel as soon as they are discovered and resolved, to keep losses within ACC's risk appetite.
The Risk Reporting Matrix is used to determine the level of each risk identified within a program. The level of risk for each root cause is reported as low (green), moderate (yellow), or high (red). The Risk Reporting Matrix involves three (3) steps:
Step One. Determine the level of likelihood of a risk occurring by using established criteria. These criteria should be detailed in the Risk Management Plan. Example criteria are below.
Level | Likelihood | Probability of Occurrence
1 | Not Likely | 10%
2 | Low Likely | 30%
3 | Likely | 50%
4 | High Likely | 70%
5 | Near Certain | 90%
Step Two. Determine the level and types of consequences of each risk using established criteria, Risk Confidence & Probability. These criteria should be detailed in the Risk Management Plan. Example criteria are below.
Level | Technical Performance | Schedule | Cost
1 | Minimal or no consequence to technical performance | Minimal or no impact | Minimal or no impact
2 | Minor reduction in technical performance or supportability; can be tolerated with little or no impact on the program. | Able to meet key dates. Slip < * month(s) | Budget increase or unit production cost increases. < ** (1% of Budget)
3 | Moderate reduction in technical performance or supportability with limited impact on program objectives. | Minor schedule slip. Able to meet key milestones with no schedule float. Slip < * month(s). Sub-system slip > * month(s) plus available float. | Budget increase or unit production cost increase. < ** (5% of Budget)
4 | Significant degradation in technical performance or major shortfall in supportability; may jeopardize program success. | Program critical path affected. Slip < * months | Budget increase or unit production cost increase. < ** (10% of Budget)
5 | Severe degradation in technical performance; cannot meet KPP or key technical/supportability threshold; will jeopardize program success. | Cannot meet key program milestones. Slip > * months | Exceeds APB threshold. > ** (10% of Budget)
Step Three. Plot each risk in the single matrix cell at the intersection of its likelihood level and its consequence level on the Risk Reporting Matrix.
Risk Confidence & Probability [33]
Consequence (effect)
The outcome of a future occurrence expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. However, the consequence varies with each risk in terms of cost, schedule, and impact on health, human life, or some other critical factor. The consequence has to be weighted in terms of the probability of it occurring.
Probability (likelihood)
A risk is an event that “may” occur. The probability of it occurring can range anywhere from just above 0 percent to just below 100 percent. (Note: It can’t be exactly 100 percent, because then it would be a certainty, not a risk. And it can’t be exactly 0 percent, or it wouldn’t be a risk.)
Probability is often represented on a Risk Reporting Matrix. [33]
Reporting Metrics
The following reporting metrics will be reported to the Chief Executive Officer and the Board of Trustees.
Source: National Association of Corporate Director’s “Cyber-Risk Oversight Handbook 2020, Key Principles and Practical Guidance for Corporate Boards”
Top 3 Risks
Noncompliance with HIPAA Security and Privacy Laws
College employees, Alpha Community College students, vendors supporting the Medical Center, or business partners associated with the Medical Center could mishandle electronic protected health information (e-PHI), or any person or entity could attempt to gain unauthorized access to Alpha Community College's e-PHI resources. Either event could have a VERY HIGH (85-95%) impact, pending HHS OCR's review and assessment of civil or criminal penalties against Alpha Community College for noncompliance with HIPAA's Security and Privacy Rules, and could delay or cancel the Health Center's planned expansion of the Nursing and Dental Hygiene programs [High (35-55%)]. Alpha Community College has a VERY HIGH vulnerability to noncompliance with HIPAA's Security and Privacy Rules, which could result in significant fines, reputational damage, and financial loss.
Asset(s) potentially affected.
Assets affected would include student and faculty e-PHI as well as PII.
Threat or threat actors
We believe potential threat actors are primarily internal and include, but are not limited to, disgruntled employees, students misusing Alpha Community College resources, third-party vendors, and untrained medical staff.
Vulnerability(ies)
Lack of understanding of data classification, poor network segmentation, and inadequate risk assessment.
Impact if realized.
If this risk is realized, Alpha Community College could face civil penalties under HIPAA's tiered penalty structure, with fines reaching $50,000 per violation. Alpha Community College could also face GDPR penalties, depending on whether the exposed e-PHI belongs to EU residents.
Time period that we believe the risk remains active.
This risk will remain indefinitely but can be mitigated by implementing the Vulnerability and Threat Management Program described in further detail in section 6.
CEO Email Fraud
Alpha Community College faces a VERY HIGH (85-95%) risk of fraudulent financial transactions, or of penalties for privacy data breaches, arising from fraudulent emails from the college president's account. This could have a VERY HIGH (85-95%) impact, depending on the penalties applied against Alpha Community College for noncompliance with US and EU privacy laws and regulations. Alpha Community College has a Medium-to-High vulnerability in the security and integrity of its business email accounts and in the exposure of the business processes that depend on them, and a VERY HIGH vulnerability to cumulative annual losses of up to 5 million dollars or more, based on the insurance policies required by the state.
Asset(s) potentially affected.
Assets affected would include institutional financial information as well as PII.
Threat or threat actors
We believe potential threat actors are both internal and external and include disgruntled employees, black hat hackers, competitors, and organized crime.
Vulnerability(ies)
Vulnerabilities include insufficient email security controls and system flaws that open the way to further vulnerabilities, including interruption of organizational processes and the potential for data exfiltration.
Impact if realized.
If the risk is realized, Alpha Community College faces social engineering and advanced persistent threats stemming from email compromise, potentially leading to PII exposure, loss of financial information, and reputational damage.
Time period that we believe the risk remains active.
This risk will remain indefinitely but can be mitigated through the implementation of the Vulnerability and Threat Management Program described in further detail in Section 6 of this document.
Violation of International Privacy Laws
Alpha Community College faces a VERY HIGH risk from a cloud service provider's failure to protect international student information. Alpha Community College has a VERY HIGH vulnerability to noncompliance with international privacy laws. A breach could have a very high impact on international students and could damage the College's reputation abroad, hindering efforts to increase international student enrollment. Alpha Community College is also exposed to violations of international privacy law and the fines that may follow.
Asset(s) potentially affected.
Assets affected would include the personal information of international students currently enrolled at Alpha Community College.
Threat or threat actors
We believe potential threats are both internal and external: the cloud service provider, college employees, College vendor management, students, and any unauthorized external user who has accessed or is trying to access the Open University and Adult Learning Center.
Vulnerability(ies)
Vulnerabilities include confidentiality agreements that do not cover students' information, lack of governance over record use and access, process and security control failures in configuring a public instance of a cloud server, a breach of the GDPR (or similar laws), potential coding or system flaws, lack of oversight of processes concerning records held at the cloud service, and overall inadequate privacy practices.
Impact if realized.
Potential fines for breaching international privacy laws; under the GDPR, for example, up to 10,000,000 EUR or up to 2% of total worldwide annual turnover (Source: https://eugdprcompliant.com/fines-for-non-compliance/). Loss of confidence among international students. Failure to reach the goal of increasing international student enrollment. Loss of confidence among local businesses, which would affect the plan to set up a cybersecurity operation.
Time period that we believe the risk remains active.
This risk will remain indefinitely because of the potential loss of reputation among international students, which would affect the College's long-term goal of increasing international student enrollment. Alpha Community College also faces potential civil or criminal penalties for violating international privacy laws.
Information Security Policies, Procedures, Standards, or Processes
Each item in this section is prioritized on a scale from 1 to 10 (1 being the highest priority and 10 the lowest), with the rationale for each rating. The items below reflect a risk-based approach given scarce resources:
Priority | Item | Rationale
1        |      |
2        |      |
3        |      |
4        |      |
5        |      |
6        |      |
7        |      |
8        |      |
9        |      |
10       |      |
Information Security Programs
This section addresses the four or so programs that a CISO will execute within the first six months to a year, and identifies where additional programs may be required to implement an effective information security program that counters the risks identified in the Information Security section.
Note: Matrix has been removed in this Edited version
Cloud Computing
Why are you initiating/doing this program?
Alpha Community College requires a process and procedure for using the public cloud so that critical data rests on a secure foundation. The program protects student data and business proprietary information with multilayered security across Alpha Community College's cloud, datacenters, infrastructure, and operations. Implementing it will ensure that information outside the scope of the Open University and Adult Learning Center is not stored in the cloud and that data is protected in line with compliance requirements. The program will perform a complete assessment of the business supporting students' and faculty's unique projects and of Alpha Community College's Open University and Adult Learning Center to find opportunities to reduce exposure of sensitive information.
Risk – Violation of International Privacy Laws
Effective cloud policies and procedures will help Alpha Community College ensure that sensitive and financial information is not public facing, and will support Alpha Community College's compliance with HIPAA and GDPR privacy requirements.
What are you going to do within the program?
The cloud program's goal is to build the core cloud framework encompassing all of Alpha Community College's requirements. The program's critical areas, which will ensure alignment with Alpha Community College's strategy, are:
Streamline compliance and protect student and business proprietary data using the cloud service provider's compliance coverage.
Alpha Community College will know where its data is stored.
Strengthen the security of cloud workloads with the provider's built-in services.
Protect data, apps, and infrastructure with built-in security services that include security intelligence to identify rapidly evolving threats early, so that Alpha Community College can respond quickly. Implement a layered, defense-in-depth strategy across identity, data, hosts, and networks.
Unify security management and enable advanced threat protection across hybrid cloud environments.
Configure policies to classify, label, and protect data based on its sensitivity. Cloud Information Protection can classify data fully automatically, at the data owner's direction, or on Alpha Community College's recommendation.
Attach classification and protection information to the data itself, so that protection follows the data regardless of where it is stored or with whom it is shared.
Track activity on shared data and revoke access if necessary. The Alpha Community College IT team can use logging and reporting to monitor and analyze data use.
What are your expected outcomes, and how are you measuring these expected outcomes?
The cloud program will provide complete visibility of Alpha Community College's public cloud presence and all related data: compliance status, accessibility, monitoring of attempts to reach restricted data, and automated data classification, while maintaining ease of use.
The cloud program is built on continuous monitoring of expected outcomes. Every cloud-based workload will be deployed with a built-in cloud blueprint that produces compliance reports and the steps to follow for any remediation.
The cloud security center will also monitor every security control in real time, with a dashboard view that informs the security administrator of any immediate remediation required.
Cloud-native tools will be used to provide additional metrics for the KPIs and for measuring the effectiveness of this program.
Measuring the expected outcomes of Cloud Computing implementation:
Get comprehensive compliance coverage
Metric: HIPAA, NIST SP 800-53 Rev. 4, and NIST SP 800-171 Rev. 2 controls
Relevance: The compliance report will show the effectiveness of the cloud computing controls. This metric is the number of controls passed out of the controls implemented, for each database, device, endpoint, and file share. [4]
Own your data
Metric: Data encryption and data classification, internal or external
Relevance: Alpha Community College will have detailed visibility of its own data movement. This metric indicates the risks associated with data movement. [4]
Security Control
Metric: Misconfigured cloud computing VMs, Network Security Groups, and Access Control List devices, and the total compliance score
Relevance: Implementing this program keeps Alpha Community College consistently aware of all security controls, from on-premises systems to cloud subscriptions. Any control violation can raise an alert, or auto-remediation can revert the offending change. [4]
Classify Alpha Community College cloud data based on its sensitivity
Metric: Conformance of data classification labels to Alpha Community College's defined scheme
Relevance: A critical area is classifying data to understand its sensitivity and labeling it accordingly. Automating classification will give Alpha Community College a streamlined data classification process.
Apply the Goal, Question, Metric Approach [50]
Goal 1
  Purpose: Maintain
  Issue: controls of
  Object (process): comprehensive compliance for HIPAA, NIST SP 800-53 Rev. 4, and NIST SP 800-171 Rev. 2
  Viewpoint: from the viewpoint of the CISO
Question 1: What is the current compliance of the implemented cloud security?
  Metric 1: Total number of compliance security controls not met
  Metric 2: Number of security controls not met for HIPAA
  Metric 3: Number of security controls not met for HITRUST
  Metric 4: Number of security controls not met for NIST SP 800-53 and SP 800-171
  Metric 5: Number of days the unmet security controls have remained unresolved
Question 2: What is the compliance of cloud security after control implementation?
  Metric 1: Number of open compliance security controls
  Metric 2: Number of implemented security controls for HIPAA
  Metric 3: Number of implemented security controls for HITRUST
  Metric 4: Number of implemented security controls for NIST SP 800-53 and SP 800-171
  Metric 5: Total compliance status of cloud controls
  Metric 6: Number of days at full compliance
* All metric data will be gathered via the Azure Policy regulatory compliance blueprint.
Goal 2
  Purpose: Own your data
  Issue: by encrypting and classifying it
  Object (process): and granting permissions according to the risk associated with data movement
  Viewpoint: from the viewpoint of the CISO
Question 1: How is data classification automated and maintained?
  Metric 1: Number of data classification frameworks implemented
  Metric 2: Number of files classified by Cloud Information Protection
  Metric 3: Number of files labeled and protected by Information Protection
  Metric 4: Number of files monitored and responded to per the Information Protection process
Question 2: How is ACC's cloud data integrity maintained?
  Metric 1: Number of files encrypted at rest in cloud storage
  Metric 2: Number of files encrypted in transit
  Metric 3: Number of files flagged by data loss prevention (DLP)
  Metric 4: Number of unprotected files recorded by the Rights Management Service
  Metric 5: Number of files whose access rights changed per week
  Metric 6: Number of files accessed or changed without the required rights
* All metric data will be gathered using Azure Information Protection and Azure Rights Management Services.
Goal 3
  Purpose: Maintain access control
  Issue: by source and destination
  Object (process): to standardize consistent security control
  Viewpoint: from the viewpoint of the CISO
Question 1: How is access controlled in the cloud infrastructure?
  Metric 1: Number of Network Security Groups (NSGs) per VNET
  Metric 2: Number of NSGs implemented for each VM
  Metric 3: Number of "Any Any" rules in NSGs
  Metric 4: Number of NSG rule changes for cloud resources
  Metric 5: Number of open recommendations in Security Center
Question 2: How is access controlled in the datacenter infrastructure?
  Metric 1: Number of egress/ingress points with ACLs in the datacenter
  Metric 2: Number of Access Control Lists on each border device
  Metric 3: Number of ACL changes to border devices
  Metric 4: Number of source/destination changes in ACLs
  Metric 5: Number of B2B VPNs and their ACLs
* All metric data will be gathered via DCNM, ServiceNow, SolarWinds configuration management, or NetMRI tools.
Goal 4
  Purpose: Firewall policy
  Issue: change and maintenance
  Object (process): compliance for consistent security control
  Viewpoint: from the viewpoint of the CISO
Question 1: What is the current firewall policy compliance for the cloud infrastructure?
  Metric 1: Number of firewall policies
  Metric 2: Number of firewall policies that are active, with hit counts
  Metric 3: Number of firewall policies with no hit counts
  Metric 4: Number of firewall policies with an "Any Any" rule
  Metric 5: Number of policy changes made without a change ticket
  Metric 6: Number of compliance control gaps across all firewalls
  Metric 7: Traffic logs with hit counts for all Deny policies
Question 2: What is the current firewall policy compliance for the on-premises infrastructure?
  Metric 1: Number of egress/ingress points with ACLs in the datacenter
  Metric 2: Number of Access Control Lists on each border device
  Metric 3: Number of ACL changes to border devices
  Metric 4: Number of source/destination changes in ACLs
  Metric 5: Number of B2B VPNs and ACLs, and changes to them
  Metric 6: Traffic logs with hit counts for all Deny policies
* All metric data will be gathered via Tufin tools integrated with the ServiceNow service management software.
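Several of the Goal 3 and Goal 4 metrics (rules per NSG, "Any Any" rules, policies with and without hit counts, changes made without a change ticket, Deny hit counts) can be computed directly from a rule export, which is what the tooling integration above would feed the dashboard. The following is an added example, not ACC's code and not a Tufin, Azure, or ServiceNow script. The rule records are constructed; their field names are loosely modelled on an Azure NSG rule listing, and the hit_count and change_ticket fields are hypothetical values that a firewall manager or change-management integration would supply.

```python
"""Access-control and firewall-policy metrics for the Goal 3 / Goal 4 questions.
Added example, not ACC's or any vendor's code; all rules below are constructed."""
from collections import Counter

# Constructed rule export (not real ACC data).  '*' means "any", as in Azure NSG rules.
# hit_count and change_ticket are hypothetical fields a firewall manager / change
# system would attach to each rule.
RULES = [
    {"nsg": "nsg-web", "name": "allow-https", "access": "Allow", "protocol": "Tcp",
     "source": "Internet", "destination": "10.1.0.0/24", "dest_ports": "443",
     "hit_count": 120433, "change_ticket": "CHG0001001"},
    {"nsg": "nsg-web", "name": "allow-all-temp", "access": "Allow", "protocol": "*",
     "source": "*", "destination": "*", "dest_ports": "*",
     "hit_count": 0, "change_ticket": None},          # emergency change, never ticketed
    {"nsg": "nsg-web", "name": "deny-all-inbound", "access": "Deny", "protocol": "*",
     "source": "*", "destination": "*", "dest_ports": "*",
     "hit_count": 5821, "change_ticket": "CHG0001001"},
    {"nsg": "nsg-db", "name": "allow-sql-from-web", "access": "Allow", "protocol": "Tcp",
     "source": "10.1.0.0/24", "destination": "10.1.1.0/24", "dest_ports": "1433",
     "hit_count": 9320, "change_ticket": "CHG0001042"},
    {"nsg": "nsg-db", "name": "allow-rdp-legacy", "access": "Allow", "protocol": "Tcp",
     "source": "*", "destination": "10.1.1.0/24", "dest_ports": "3389",
     "hit_count": 0, "change_ticket": "CHG0000777"},  # stale: no traffic has ever matched
]


def is_any_any(rule):
    """An "Any Any" rule: allows any source to any destination on any protocol and port."""
    return (rule["access"] == "Allow"
            and rule["source"] == "*" and rule["destination"] == "*"
            and rule["protocol"] == "*" and rule["dest_ports"] == "*")


def firewall_metrics(rules):
    """The counts the GQM tables ask for, ready for the CISO dashboard."""
    return {
        "policies_total": len(rules),
        "policies_with_hits": sum(1 for r in rules if r["hit_count"] > 0),
        "policies_without_hits": sum(1 for r in rules if r["hit_count"] == 0),
        "any_any_rules": sum(1 for r in rules if is_any_any(r)),
        "changes_without_ticket": sum(1 for r in rules if not r["change_ticket"]),
        "deny_hits": sum(r["hit_count"] for r in rules if r["access"] == "Deny"),
        "rules_per_nsg": dict(Counter(r["nsg"] for r in rules)),
    }


def findings(rules):
    """Rules that need a reviewer's attention, as (nsg, rule name, reason) tuples."""
    out = []
    for r in rules:
        if is_any_any(r):
            out.append((r["nsg"], r["name"], "any-any allow"))
        elif r["access"] == "Allow" and r["hit_count"] == 0:
            out.append((r["nsg"], r["name"], "allow rule with no hits; candidate for removal"))
        if not r["change_ticket"]:
            out.append((r["nsg"], r["name"], "change without change ticket"))
    return out


if __name__ == "__main__":
    for key, value in firewall_metrics(RULES).items():
        print(f"{key}: {value}")
    for nsg, name, reason in findings(RULES):
        print(f"finding: {nsg}/{name}: {reason}")
```

A Deny rule that matches everything is not flagged as "Any Any" because the metric is about over-permissive allows; the default deny is what the Deny hit-count metric is meant to watch. A zero-hit allow rule is reported separately from a ticketless change because each points to a different process failure: the first to rule hygiene, the second to change control.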
Goal 5
  Purpose: Block malicious, unauthorized, and ransomware traffic
  Issue: through intrusion detection and prevention
  Object (process): to proactively secure ACC from data breach and compromise
  Viewpoint: from the viewpoint of the CISO
Question 1: What is the current network traffic pattern?
  Metric 1: Number of network subnets and their traffic flows (internal/external)
  Metric 2: Number of VLANs or subnets and their associated traffic
  Metric 3: Number of source/destination pairs in internal traffic
  Metric 4: Number of top talkers in the network per week
  Metric 5: Amount of intra-VLAN or intra-VNET traffic
Question 2: What is the current state of intrusion detection and prevention?
  Metric 1: Number of intrusions detected
  Metric 2: Number of intrusions blocked by the IPS/IDS
  Metric 3: False positive and false negative ratio
  Metric 4: Number of compromise analyses performed
  Metric 5: Reliability of attack detection
  Metric 6: Probability of attack
  Metric 7: IDS network throughput without dropping any packets
* All metric data will be collected via the Palo Alto Panorama console and/or Cisco Secure Firewall Management Center.
Figure: Dashboard [4]
What is your timeline for implementation?
An initial draft program plan will be established for review with the business and the Alpha Community College security organization and to prioritize the program's implementation. Once the draft program has been reviewed, a final project plan will be developed to address the immediate need while, in parallel, assessment, strategy, design, and implementation proceed.
This program’s estimated timeline will take between six months to a year, assuming all resources and budget are approved.
Project 2: Vulnerability and Threat Management
The Vulnerability and Threat Management program describes how Alpha Community College will manage, monitor, mitigate, and remediate threats and vulnerabilities within the institution's network boundaries.
Why are you initiating/doing this program?
Alpha Community College handles sensitive information of students, faculty, and external users of the College’s services. To ensure the confidentiality and integrity of student, faculty, and users’ data, Alpha Community College will implement this Vulnerability and Threat Management program to improve on and adopt new technologies to enhance the threat mitigation and vulnerability remediation within the College’s network.
Furthermore, the College needs to uphold a strong security posture and maintain compliance with the Texas Cybersecurity Act through regular security assessments of critical and non-critical components within the infrastructure of the College.
Risk – CEO Email Fraud
The vulnerability management program will address exposures that could lead to email fraud, ransomware, malware, and unauthorized access to Alpha Community College assets, any of which could result in financial fraud.
What are you going to do within the program?
The Vulnerability and Threat Management plan includes the following four phases of implementation:
Prioritization of Critical Assets
Asset Discovery
Vulnerability/Threat Detection
Remediation, Recovery, and Reporting
Prioritizing critical assets is the first step in the vulnerability and threat management process implemented by this plan. It includes developing an itemized list of the assets in Alpha Community College's possession or under its responsibility, including but not limited to computers, printers, servers, mobile devices, data types, and any third-party components on the College's network. After creating the itemized list, the College will rank the assets by criticality. This tells Alpha Community College which critical assets need the most attention and protection and clarifies the College's overall risk appetite. With this list, the College can allocate organizational resources and security mechanisms more effectively and efficiently, focusing on the most critical assets. [11]
Asset discovery consists of scanning Alpha Community College's network for existing hardware and software (CIS Controls 1 and 2) to build a device and software inventory with version numbers, MAC addresses, IP addresses, etc. This inventory feeds the vulnerability and threat detection process defined in step 3 of the implementation plan. Having the inventory ready streamlines vulnerability and threat scanning and makes it harder for attackers or threats to infiltrate the network unnoticed.
Vulnerability/Threat Detection is the third step of the implementation plan and covers the vulnerability scanning techniques needed to detect vulnerabilities and threats on Alpha Community College's network. This phase introduces periodic scanning of the College's network for known vulnerabilities, whether described in the Common Vulnerabilities and Exposures (CVE) database or encoded in intrusion detection/prevention system sensors and filters. This step is key to the program's success because it is the primary means of identifying risks on the network.
Remediation, Recovery, and Reporting is the final step in implementing this program and consists of the methods used to mitigate and/or recover from vulnerabilities and threats on Alpha Community College's network. This phase analyzes the vulnerability and threat scans and identifies the critical vulnerabilities the College can and should resolve or patch, work that the IT team and the Security Officer conduct jointly. Once critical vulnerabilities are identified, the IT team implements the necessary remediation, typically a software update or patch. In some cases damage may already have occurred from a threat or vulnerability, in which case the College will refer to the relevant documentation, such as its Disaster Recovery Plan (DRP) and Incident Response Plan (IRP). In any case, it is critical to report when a vulnerability, especially a critical one, has been detected and/or corrected on Alpha Community College's network. Vulnerabilities and threats can be reported in several ways, including automated logging of vulnerability scans and manual logging of suspicious activity. Reporting of vulnerabilities and their remediation should be conducted by the IT team and confirmed and signed off by a member of security management. [17]
What are your expected outcomes, and how are you measuring these expected outcomes?
Maintain Device Inventory List
Metric: Percentage of known versus unknown devices on the network
Relevance: Alpha Community College needs to maintain a device inventory list to ensure they are informed of all devices on their network at any given time. This will provide insight into their network and flag suspicious devices that are typically not on the network.
Effective Periodic Scanning
Metric: Percentage of vulnerabilities and/or threats identified and remediated through periodic scanning capabilities vs percentage of vulnerabilities/threats identified but not remediated
Relevance: Critical to the overall success of the program by comparing which vulnerabilities and/or threats are resolved so they do not persist on the network
Timely Response
Metric: Average time it takes to find a vulnerability on the network
Relevance: It is crucial to find vulnerabilities in the infrastructure promptly to keep critical assets on the network secure. If the College is running software with a known vulnerability, how long does it take to detect it and respond?
Timely Remediation
Metric: Average time it takes to completely remediate, patch, or resolve a vulnerability or threat on the network (measured on a monthly and annual basis)
Relevance: Crucial to resolving vulnerabilities completely before they can be exploited on the network; otherwise student, staff, and other personal information on Alpha Community College's network is at risk of exposure.
What is your timeline for implementation?
The vulnerability and threat management program at Alpha Community College will be deployed within six months to one year of this plan's enactment, following this outline schedule:
Initial coordination efforts and project launch
Develop the prioritization of critical assets covered by the program
Begin program implementation
Define which assets will be scanned and what they will be scanned for
Perform the initial asset scan
Perform the vulnerability scan (recurring)
Review the vulnerability scan for immediate threats and vulnerabilities persisting on the network
Develop a remediation plan addressing, at a minimum, the most critical vulnerabilities affecting the assets crucial to the College's operations
Implement the remediation plan
Analyze the effects of the remediation plan (rescan, manually check affected systems, etc.)
Formally document that the vulnerabilities and/or threats have been remediated, or why they have not been resolved
Repeat the detection and remediation phases (phases 3 and 4 of the program) on a weekly, monthly, or bi-monthly basis
Repeat the prioritization and asset discovery phases (phases 1 and 2) on an ad hoc basis (when new assets are acquired, when assets are removed or decommissioned, annually, etc.)
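The four phases and the four metrics above fit together in a small amount of code: reconcile the discovery scan against the inventory (phase 2, device inventory metric), order open findings by asset criticality (phase 1 driving phase 4), and compute the remediation rate and the detection and remediation times. The following is an added example, not ACC's tooling or any scanner vendor's code. The inventory, discovery results and findings are constructed (the finding ids and titles are placeholders, not real advisories), and two choices are assumptions: time to detect is measured from the vulnerability's public disclosure to its detection by the scan, and open findings are ordered by asset criticality first and CVSS second.

```python
"""Vulnerability and Threat Management worked example.  Added example, not ACC's
tooling; the inventory, discovery results and findings below are constructed."""
from datetime import date

# Constructed asset inventory from the prioritisation phase (criticality 1 = most critical).
INVENTORY = {
    "srv-ehr-01": {"ip": "10.1.1.10", "criticality": 1},   # Health Center EHR (e-PHI)
    "srv-sis-01": {"ip": "10.1.1.20", "criticality": 2},   # student information system (PII)
    "lab-pc-117": {"ip": "10.2.5.117", "criticality": 4},  # open-lab workstation
}

# Constructed discovery-scan result: every address that answered on the network.
DISCOVERED = ["10.1.1.10", "10.1.1.20", "10.2.5.117", "10.2.5.200"]

# Constructed scan findings.  ids/titles are placeholders, not real advisories.
# 'published' is the vendor/CVE disclosure date, 'detected' the scan that found it.
FINDINGS = [
    {"id": "F-1", "host": "srv-ehr-01", "title": "unpatched OS service", "cvss": 9.8,
     "published": date(2021, 3, 1), "detected": date(2021, 3, 4), "remediated": date(2021, 3, 6)},
    {"id": "F-2", "host": "srv-sis-01", "title": "outdated web framework", "cvss": 7.5,
     "published": date(2021, 2, 20), "detected": date(2021, 3, 4), "remediated": None},
    {"id": "F-3", "host": "lab-pc-117", "title": "browser plugin flaw", "cvss": 9.1,
     "published": date(2021, 3, 2), "detected": date(2021, 3, 4), "remediated": date(2021, 3, 10)},
    {"id": "F-4", "host": "srv-ehr-01", "title": "weak TLS configuration", "cvss": 5.3,
     "published": date(2021, 3, 3), "detected": date(2021, 3, 4), "remediated": None},
]


def inventory_coverage(inventory, discovered):
    """Device-inventory metric: share of discovered devices that are known, and the unknown ones."""
    known_ips = {asset["ip"] for asset in inventory.values()}
    unknown = sorted(ip for ip in discovered if ip not in known_ips)
    known_pct = 100.0 * (len(discovered) - len(unknown)) / len(discovered)
    return {"known_pct": known_pct, "unknown_hosts": unknown}


def prioritised_open_findings(findings, inventory):
    """Open findings ordered by asset criticality first (assumption), then CVSS, highest first."""
    open_findings = [f for f in findings if f["remediated"] is None]
    return sorted(open_findings,
                  key=lambda f: (inventory[f["host"]]["criticality"], -f["cvss"]))


def program_metrics(findings):
    """Remediation rate, mean time to detect (disclosure -> detection, assumption) and
    mean time to remediate (detection -> fix), both in days."""
    remediated = [f for f in findings if f["remediated"] is not None]
    ttd = [(f["detected"] - f["published"]).days for f in findings]
    ttr = [(f["remediated"] - f["detected"]).days for f in remediated]
    return {
        "remediated_pct": 100.0 * len(remediated) / len(findings),
        "mean_time_to_detect_days": sum(ttd) / len(ttd),
        "mean_time_to_remediate_days": sum(ttr) / len(ttr) if ttr else None,
    }


if __name__ == "__main__":
    print(inventory_coverage(INVENTORY, DISCOVERED))
    print(program_metrics(FINDINGS))
    for f in prioritised_open_findings(FINDINGS, INVENTORY):
        print(f["id"], f["host"], f["cvss"], f["title"])
```

Note what the ordering does with the constructed data: the medium-severity TLS finding on the EHR server outranks the higher-CVSS finding on the student information system, because asset criticality was placed ahead of severity. Whether that is the right policy is exactly the decision the prioritisation phase is meant to make explicit; a weighted score is an easy substitution in the sort key.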
Project 3: Data Loss Prevention
The Data Loss Prevention (DLP) policy defines how Alpha Community College can share and protect data in use, motion, and rest.
Why are you initiating/doing this program?
Alpha Community College stores and maintains e-PHI, PII, and financial data, which are invaluable assets to the institution. "Global data protection regulations constantly change, and your organization needs to be adaptable and prepared. Within the past couple of years, lawmakers in the EU and New York State have passed the GDPR and NYDFS Cyber Security Regulation, both of which have tightened data protection requirements. DLP solutions allow organizations the flexibility to evolve with changing global regulations."
Data Loss Prevention detects potential data breach/ex-filtration attempts. It helps to prevent them by monitoring, detecting, and blocking sensitive data at rest, data in motion, and data in use.
Risk – Noncompliance with HIPAA Security and Privacy Laws
The program will put controls in place to prevent the sharing of sensitive information, internally or externally, by third-party vendors, students, or employees. This will better secure Alpha Community College's e-PHI and maintain compliance with HIPAA and the GDPR.
What are you going to do within the program?
This data loss prevention policy defines how Alpha Community College can share and protect data. The program implements the following seven steps:
Prioritizing the Data
Classifying the Data
Analyze and Understand causes of data loss.
Monitor the data movement.
Communicate and develop controls.
Provide end-user training.
Rollout the data loss prevention program
The program will start by prioritizing the most sensitive and valuable data, which is also the most likely target for attackers. In this case, Alpha Community College's e-PHI, PII, and financial data are the highest priority for protection. Data classification will be based on the content of the data, not where it is stored or how it was created.
Identifying the causes of data loss was foundational to the development of this program. ISACA breaks down the "causes of data loss, broken down by potential area of weakness: people, process and technology. This list can also be viewed as organizational vulnerabilities."
Ref: https://www.isaca.org/-/media/images/isacadp/project/isaca/articles/journal/2018/volume-1/18v1-data-loss-prevention-5.jpg
Securing the institution's sponsorship and support for this program involves communicating with the institution's leadership and explaining the benefits of the data loss prevention program using metrics gathered while monitoring the data life cycle. End-user training will also be conducted so that users understand the importance of data risk and how their actions might result in data loss. The rollout plan is the final step of this program: "Of course, data loss prevention is an ongoing process, not a single set of steps. By starting with a focused effort to secure a subset of your most critical data, DLP is simpler to implement and manage. A successful pilot will also provide lessons for expanding the program. Over time, a larger percentage of your sensitive information will be included, with minimal disruption to business processes." (1)
What are your expected outcomes, and how are you measuring these expected outcomes?
Expected Outcomes of DLP implementation:
Data Comprehension.
Metric: Database and data stores not yet classified.
Relevance: Data classification is done to identify where sensitive data resides. It’s crucial to identify databases and other data resident devices so that effective controls may be applied to them. This metric would include number of databases, devices, end points and file shares which have not yet been classified.
Identify potential data leakage points.
Metric: Databases that require fingerprinting.
Relevance: Database fingerprinting is one of the key methods modern DLP tools use to protect sensitive data against leakage. Ideally, every database holding sensitive data should be fingerprinted and available to the DLP tool. This metric indicates the risk associated with databases that have not yet been fingerprinted.
Identify hardware devices that process and store sensitive data.
Metric: Misgoverned devices in the network handling sensitive data.
Relevance: This is the number of misgoverned devices on the network that can process or store sensitive data: file shares, endpoints, servers, etc. Each of these devices is a potential egress point for sensitive data. An effective DLP program manages these devices to prevent exfiltration of sensitive data.
Records Management
Metric: Unassigned personnel to handle sensitive data.
Relevance: Identify the data owner or custodian who should be responsible for managing the data throughout their life cycle, which includes data in use, in motion and at rest. Records management not only concerns data backups, archives, and retention, but also data destruction.
Cost Benefit Analysis
Metric: Costs associated with the implementation of a DLP program.
Relevance: Perform a cost-benefit analysis of the DLP tools under consideration. This will help to understand the cost of ownership of DLP solutions/tools. The analysis will cover both implementation and operational costs.
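Two of the ideas above, classifying data by its content rather than its location and fingerprinting the databases that hold sensitive records, can be shown end to end in a small check of outbound content. The following is an added example, not ACC's DLP product or any vendor's engine. The student records, the pattern set, the MRN format and the messages are all constructed; the keyed-HMAC fingerprint (so that a leaked fingerprint index cannot be brute-forced back to SSNs) and the block/review/allow decision rule are assumptions of this example.

```python
"""Content-based DLP classification with exact-data fingerprinting.
Added example, not ACC's DLP tooling; records, patterns and messages are constructed."""
import hashlib
import hmac
import re

# Assumption: fingerprints are keyed HMACs, so the fingerprint index is useless without
# the key.  The key itself needs the same protection and rotation as any other secret.
FINGERPRINT_KEY = b"example-key-rotate-me"

# Constructed records standing in for the student information database.
STUDENT_DB = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-000123"},
    {"name": "John Roe", "ssn": "987-65-4321", "mrn": "MRN-000456"},
]

# Pattern detectors for content that *looks* sensitive (MRN format is constructed).
PATTERNS = {
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # US SSN
    "E-PHI": re.compile(r"\bMRN-\d{6}\b"),                   # medical record number
    "Financial": re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"),  # 16-digit card number
}


def normalize(value):
    """Canonical form so 'MRN-000123)' and 'mrn000123' fingerprint identically."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def fingerprint(value):
    return hmac.new(FINGERPRINT_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(records):
    """Fingerprint every field value; the DLP engine keeps only these, never the plaintext."""
    return {fingerprint(value): field for rec in records for field, value in rec.items()}


INDEX = build_index(STUDENT_DB)


def candidates(text):
    """Tokens worth fingerprinting: single words, two-word windows (names) and pattern hits."""
    words = text.split()
    cands = set(words)
    cands.update(" ".join(words[i:i + 2]) for i in range(len(words) - 1))
    for pat in PATTERNS.values():
        cands.update(pat.findall(text))
    return {c for c in cands if normalize(c)}


def classify(text):
    """Return (pattern labels, {database field: matching token}) for a piece of content."""
    labels = {name for name, pat in PATTERNS.items() if pat.search(text)}
    matched = {}
    for cand in candidates(text):
        field = INDEX.get(fingerprint(cand))
        if field:
            matched[field] = cand
    return labels, matched


def decide(text):
    """Exact match against the database -> block; pattern-only hit -> review; else allow."""
    labels, matched = classify(text)
    if matched:
        return "block"
    if labels:
        return "review"
    return "allow"


# Constructed outbound messages.
MESSAGES = [
    "Please update the record for Jane Doe (SSN 123-45-6789, MRN-000123) before Friday.",
    "Test fixture uses dummy SSN 000-00-0000 for the unit tests.",
    "Lunch menu for the faculty meeting is attached.",
]

if __name__ == "__main__":
    for message in MESSAGES:
        print(decide(message), classify(message))
```

The second message shows why fingerprinting matters for the "databases that require fingerprinting" metric: a pattern detector alone would treat a dummy SSN in a test fixture the same as a real student's SSN, whereas an exact match against the fingerprinted database separates a genuine leak (block) from content that merely looks sensitive (review). Any sensitive database left unfingerprinted falls back to the weaker pattern-only decision.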
What is your timeline for implementation?
This data loss prevention program will be rolled out within the next six months to a year, pending approval and revisions. DLP strategies will be implemented in a phased approach targeting the items identified in this program’s prioritizing and classification steps, with Alpha Community College’s E-PHI, PII, and trade secret information as the highest priority for protection.
Project 4: Network Segmentation
The network segmentation project plan is intended to assist the staff responsible for Alpha Community College’s network architecture and design in increasing the network’s security posture by applying network segmentation and segregation strategies.
Why are you initiating/doing this program?
Network segmentation and segregation are highly effective strategies Alpha Community College can implement to limit the impact of a network intrusion. Once implemented correctly, these strategies make it significantly more difficult for an adversary to locate and gain access to ACC’s most sensitive information, and they increase the likelihood of detecting an adversary’s activity promptly. With adversaries targeting internal networks directly using spear-phishing and social engineering techniques, along with the increasing use of mobile and remote working, common flat network architectures will not protect ACC from contemporary cyber threats. As a result, it is essential for Alpha Community College to segment networks and segregate sensitive information, hosts, and services from the environment in which users access external resources, particularly the web, email, and other internet services. [20]
Risk – Noncompliance with HIPAA Security and Privacy Laws
Proper network segmentation will create separate storage areas so that E-PHI records can be segregated from non-sensitive materials on the network. Furthermore, network segmentation can aid in mitigating ransomware attacks by separating critical network infrastructure from non-sensitive areas.
What are you going to do within the program?
The Network Segmentation program aims to develop a secure network that will minimize the effects of an intrusion or malicious attack on Alpha Community College infrastructure. The following five best practices are to be implemented at ACC.
Apply technologies at more than just the network layer. Each host and network will be segmented and segregated, where possible, to the lowest level that can be practically managed. Network Segmentation will apply from the data link layer up to and including the application layer. In susceptible environments, physical isolation may be incorporated. Host-based and network-wide measures will be deployed in a complementary manner and be centrally monitored. [20]
Utilize the principles of least privilege and need‐to‐know. When a host, service, or network does not need to communicate with another host, service, or network, it will not be allowed to. When a host, service, or network only needs to talk to another host, service, or network on a specific port or protocol, and nothing else, it will be restricted to exactly that. Adopting these principles across a network will complement the minimization of user privileges and significantly increase the environment’s overall security posture. [33]
Separate hosts and networks based on their sensitivity or criticality to operations. Alpha Community College will separate hosts and networks by sensitivity or criticality; separation may include using different hardware or platforms depending on security classifications, security domains, or availability/integrity requirements for specific hosts or networks. Management networks will be kept separate, and physical isolation of out-of-band management networks will be considered for sensitive environments. [20]
Identify, authenticate, and authorize access by all entities to all other entities. All users, hosts, and services will have their access to all other users, hosts, and services restricted to only what is required to perform their designated duties or functions. All legacy or local services which bypass or downgrade the strength of identification, authentication, and authorization services will be disabled wherever possible, and their use will be closely monitored. [20]
Implement whitelisting of network traffic instead of blacklisting. Only allow access for known good network traffic (i.e., identified, authenticated, and authorized), rather than blocking access to known bad network traffic. Not only will this result in a superior security policy, but it will also significantly improve an organization’s capacity to detect and assess potential network intrusions. [33]
What are your expected outcomes, and how are you measuring these expected outcomes?
Network segmentation is critical for Alpha Community College. By implementing segmentation, the network will be divided into a Web Tier, an Apps Tier, and a Data Tier. Traffic between these tiers will flow through a firewall and/or an Intrusion Detection System or Intrusion Prevention System. Malicious traffic will be blocked at the ingress point, preventing disruption of application availability. If the application requires data access for the presentation layer, that traffic will be analyzed so that only authenticated traffic reaches the data tier.
Network segmentation will also include multiple Access Control Lists to further eliminate unauthenticated traffic to the data layer and maintain its confidentiality and integrity.
Access Control List
Metric: Access Control List (ACL) of all border devices and source/destination traffic analysis
Relevance: Ensure ACL consistency, so that security controls remain in place and are not changed or modified to allow undesired traffic. The third-party tool ‘Tufin’ will be utilized to gather the metric.
Firewall Policy Compliance
Metric: Traffic logs for all denies, policy utilization, and shadowed rules
Relevance: The traffic logs will give Alpha Community College a view of its traffic patterns and allow it to proactively block unknown sources with malicious intent. They also support maintaining firewall policy consistency among all border network devices.
Intrusion Detection and Prevention
Metric: Malicious traffic blocked, unauthorized traffic, and ransomware
Relevance: Segmenting the network with IPS/IDS will give Alpha Community College and its related business units the ability to proactively prevent malicious traffic. The security team will have complete visibility of inbound and outbound traffic to ensure the College network is free from unwanted anomalies.
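The following is an added illustration of the allow-list evaluation described in the five best practices above and of the ACL-consistency, deny-log, and shadowed-rule checks behind the metrics; it is not ACC’s configuration or code from any firewall vendor, and the tier address ranges, rules, and sample flows are constructed for the example.

```python
"""Allow-list segmentation policy for the Web/Apps/Data tiers with default deny,
plus the ACL-consistency, deny-log and shadowed-rule checks used as metrics.
Added illustration, not ACC configuration or vendor code; all values constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed RFC 1918 ranges for the plan's tiers and an out-of-band management net.
TIERS = {
    "web": ipaddress.ip_network("10.10.0.0/24"),
    "apps": ipaddress.ip_network("10.20.0.0/24"),
    "data": ipaddress.ip_network("10.30.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src: str             # tier name or "any"
    dst: str             # tier name or "any"
    port: Optional[int]  # None means any destination port
    proto: str = "tcp"

# Allow-list in evaluation order; anything not listed is denied (best practice 5).
ALLOW = [
    Rule("web", "apps", 8443),   # presentation tier to application tier only
    Rule("apps", "data", 5432),  # application tier to the database tier only
    Rule("mgmt", "any", 22),     # out-of-band management access
    Rule("apps", "data", 5432),  # redundant entry: fully shadowed by rule index 1
]

def tier_of(ip: str) -> Optional[str]:
    """Map an address to its tier; None for addresses outside every tier."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in TIERS.items() if addr in net), None)

def covers(rule: Rule, src, dst, port, proto: str) -> bool:
    """True when the rule matches every flow described by (src, dst, port, proto)."""
    return (rule.src in ("any", src) and rule.dst in ("any", dst)
            and rule.port in (None, port) and rule.proto == proto)

def decide(src_ip: str, dst_ip: str, port: int, proto: str = "tcp"):
    """First-match evaluation; returns ("allow", rule_index) or ("deny", None)."""
    src, dst = tier_of(src_ip), tier_of(dst_ip)
    for i, rule in enumerate(ALLOW):
        if covers(rule, src, dst, port, proto):
            return ("allow", i)
    return ("deny", None)  # default deny: unknown traffic is never trusted

def shadowed_rules(rules):
    """Indices of rules an earlier rule makes unreachable (the shadowed-rule metric)."""
    return [j for j, later in enumerate(rules)
            if any(covers(e, later.src, later.dst, later.port, later.proto)
                   for e in rules[:j])]

def denied_flows(flows):
    """Flows a deny log would record; input to the firewall-compliance metric."""
    return [f for f in flows if decide(*f)[0] == "deny"]

# Constructed sample flows: (src_ip, dst_ip, port).
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.7", 8443),    # web -> apps, expected path
    ("10.20.0.7", "10.30.0.9", 5432),    # apps -> data, expected path
    ("10.10.0.5", "10.30.0.9", 5432),    # web -> data directly: must be denied
    ("192.168.1.5", "10.30.0.9", 5432),  # unknown source -> data: must be denied
]
```

Running `denied_flows(SAMPLE_FLOWS)` returns the two flows that bypass the Apps Tier, and `shadowed_rules(ALLOW)` flags the redundant fourth rule that an ACL consistency review would remove.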
What is your timeline for implementation?
The Network Segmentation program plan will be submitted for review to the Board of Trustees and the Alpha Community College organization, concentrating on the program’s application. Once the program is approved, implementation will take approximately six months to a year, presuming all resources and budget are authorized.
Appendix A ― Acronyms and Abbreviations
ACC – Alpha Community College
BAT – Bachelor of Applied Technology
BOT – Board of Trustees
CCO – Chief Compliance Officer
CIO – Chief Information Officer
CSO – Chief Security Officer
CIS – Center for Internet Security
CISO – Chief Information Security Officer
COPPA – Children’s Online Privacy Protection Act
DFW – Dallas/Fort Worth
DHS – Department of Homeland Security
DLP – Data Loss Prevention
DPIA – Data Protection Impact Assessment
FISA – Foreign Intelligence Surveillance Act
FERPA – Family Educational Rights and Privacy Act
GDPR – General Data Protection Regulation
GLBA – The Gramm-Leach-Bliley Act
HBI – High Business Impact
HIPAA – Health Insurance Portability and Accountability Act
HSR – HIPAA Security Rule
InfoSec – Information Security
IP – Internet Protocol
ISO – International Organization for Standardization
IT – Information Technology
LBI – Low Business Impact
MBI – Medium Business Impact
NSA – National Security Agency
NIST – National Institute of Standards and Technology
PCI – Payment Card Industry
PII – Personally Identifiable Information
PIPEDA – Personal Information Protection and Electronic Documents Act
VA – Vulnerability Assessment
IAW – In Accordance With
SHIELD – Stop Hacks and Improve Electronic Data Security
Appendix B ― Definitions
Asset – anything that has value
Availability – property of being accessible and usable upon demand by an authorized entity
Baiting – a social engineering technique that, like the real-world Trojan horse, uses physical media and relies on the curiosity or greed of the victim.
Business email compromise attacks – a form of cybercrime that uses email fraud to attack commercial, government, and non-profit organizations to achieve a specific outcome that negatively impacts the target organization.
Confidentiality – the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Gap Assessment – a method of assessing the differences in performance between a business’ information systems or software applications to determine whether business requirements are being met and, if not, what steps should be taken to ensure they are met successfully.
Governance – the act or manner of governing, of exercising control or authority over the actions of subjects; a system of regulations
Information Security – ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability)
Integrity – Property of accuracy and completeness
Key Goal Indicators – A common approach to creating practical points of reference to gauge the extent to which outcomes are realized
Key Performance Indicators – Something that can be counted and compared
Phishing – a technique of fraudulently obtaining private information.
Pretexting – the act of creating and using an invented scenario to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.
Ransomware – a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.
Risk – Effect of uncertainty on objectives
Risk appetite – The amount and type of risk that an organization is willing to take to meet their strategic objectives
Risk tolerance – The specific maximum risk that an organization is willing to take regarding each relevant risk
Social engineering – the psychological manipulation of people into performing actions or divulging confidential information.
Spear phishing – a technique that fraudulently obtains private information by sending highly customized emails to a few end users.
Tailgating – an attacker, seeking entry to a restricted area secured by unattended, electronic access control, e.g. by RFID card, simply walks in behind a person who has legitimate access.
Threat – Potential cause of an unwanted incident, which can result in harm to a system or organization
Vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source
Appendix C ― References
“308.240 – Duties and Responsibilities of College Provosts.” Apo.Ucsc.Edu, 11 May 2020, apo.ucsc.edu/policy/capm/308.240.html.
“Access Control Policy and Implementation Guides.” NIST, CSRC, 2 Sept. 2016, csrc.nist.gov/Projects/Access-Control-Policy-and-Implementation-Guides.
Allen, Julia, et al. “Structuring the Chief Information Security Officer Organization.” ResearchGate, 30 Sept. 2015, www.researchgate.net/publication/282646726_Structuring_the_Chief_Information_Security_Officer_Organization.
“Azure Security Center.” Microsoft Azure, azure.microsoft.com/en-us/services/security-center/#features. Accessed 20 Apr. 2021.
Brunner, Rick. “Module 8-Current State and Security Frameworks Part 1.” Determining Baseline Security Controls for Small to Medium-Sized Enterprises Using CIS Top 20 [Collin College Frisco], PowerPoint presentation, 3 May 2018.
Carnegie Mellon University. “Guidelines for Data Classification – Information Security Office – Computing Services.” CMU, 2 July 2008, www.cmu.edu/iso/governance/guidelines/data-classification.html.
“Charter: Information Security Committee.” St. Lawrence University, 11 Jan. 2019, www.stlawu.edu/it/charter-information-security-committee.
CIS (Center for Internet Security). “CIS Controls.” CIS, 17 Mar. 2021, www.cisecurity.org/controls/PDF.
AttackIQ (@AttackIQ). “CISO mind map: An overview of the responsibilities and ever expanding role of the CISO.” Twitter, 1 June 2016, twitter.com/attackiq/status/738176063130329089.
Connecticut Board Of Regents For Higher Education. “CSCU – Position Description.” CT.Edu, www.ct.edu/ceosearch/position. Accessed 29 Mar. 2021.
“CRR Supplemental Resource Guide.” Carnegie Mellon University, Department of Homeland Security, 2016, us-cert.cisa.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-VM.pdf.
“Director, Health Services – University of the District of Columbia.” Udc.Applicantstack.Com, udc.applicantstack.com/x/detail/a2hbyxh9ljyr. Accessed 20 Apr. 2021.
“EHire – Chief Information Security Officer.” Eapps.Austincc.Edu, Austin Community College, 29 Mar. 2021, eapps.austincc.edu/ehire/posting/online_version.php?job_num=2012017.
Esage G, Alisa. “Cybersecurity Framework or ISO 27001.” Information Security Newspaper | Hacking News, 24 Feb. 2018, www.securitynewspaper.com/2018/02/24/cybersecurity-framework-iso-27001.
Fimlaid, Justin. “The First 101 Days as a New CISO – A Chief Information Security Officer’s Playbook.” NuHarbor Security, 4 Sept. 2018, www.nuharborsecurity.com/first-101-days-new-ciso-chief-information-security-officers-playbook.
Furneaux, Alison. “NIST 800–30: Five Rules for Effective Cyber Risk Management.” CyberSaint Security, www.cybersaint.io/blog/cybersecurity-risk-management-blog-tips. Accessed 20 Apr. 2021.
Georgiev, Lachezar. “Vulnerability Management Policy.” SecurityStudio, 18 Nov. 2020, securitystudio.com/policy-templates/vulnerability-management-policy.
Graf, Susan. “A Guide on Top 30 GRC Frameworks in 2019.” Ignyte Assurance Platform, 15 Apr. 2021, ignyteplatform.com/top-30-security-frameworks-2019.
“How Long Should I Keep Records?” Www.Irs.Gov, Internal Revenue Service, 29 Sept. 2020, www.irs.gov/businesses/small-businesses-self-employed/how-long-should-i-keep-records.
“Implementing Network Segmentation and Segregation.” ACSC, Apr. 2019, www.cyber.gov.au.
“ISO 27001, the Information Security Standard.” IT Governance USA, 2016, www.itgovernanceusa.com/iso27001.
Janson, Andrew. “FERPA Compliance in Education: How to Securely Manage Student Records.” RecordNations, 13 Nov. 2020, www.recordnations.com/2019/07/ferpa-how-to-manage-student-records.
Landsberger, David. “Security Awareness Training: Why You Need a Corporate Acceptable Use Policy.” CompTIA, 12 Apr. 2021, www.comptia.org/blog/security-awareness-training-corporate-acceptable-use-policy.
“Mission and Goals.” Community College of Philadelphia, 28 Oct. 2013, www.ccp.edu/about-us/mission-and-goals.
Moraetes, George. “Choosing the Right Security Framework to Fit Your Business.” Security Intelligence, 27 Mar. 2020, securityintelligence.com/choosing-the-right-security-framework-to-fit-your-business.
“NIST 800–53 vs ISO 27002 vs NIST CSF.” Compliance Forge, www.complianceforge.com/faq/nist-800-53-vs-iso-27002-vs-nist-csf.html. Accessed 20 Apr. 2021.
“NIST Policy on Information Technology Resources Access and Use.” NIST, 25 Aug. 2016, www.nist.gov/director/nist-policy-information-technology-resources-access-and-use-0.
“Non-Disclosure Agreement (NDA) Template.” LawDistrict, www.lawdistrict.com/non-disclosure-agreement/. Accessed 20 Apr. 2021.
Northampton Community College. “Mission, Vision, and Values.” Northampton Community College, www.northampton.edu/about/mission-vision-and-values.htm. Accessed 20 Apr. 2021.
Pahwa, Mayur. “Network Segmentation and Segregation.” MayurPahwa, 7 July 2019, www.mayurpahwa.com/2019/07/network-segmentation-and-segregation.html.
Price, Nick. “Roles & Responsibilities of a Board of Directors for a College.” BoardEffect, 4 Jan. 2019, www.boardeffect.com/blog/roles-responsibilities-board-directors-college-university/.
“Recordkeeping Requirements.” Www.Eeoc.Gov, U.S. Equal Employment Opportunity Commission, www.eeoc.gov/employers/recordkeeping-requirements. Accessed 20 Apr. 2021.
“Risk Reporting Matrix.” AcqNotes, 13 Mar. 2021, acqnotes.com/acqnote/tasks/risk-reporting-matrix.
Sales, Francesca. “Gap Analysis.” SearchCIO, 16 Dec. 2014, searchcio.techtarget.com/definition/gap-analysis.
“Security, Identity & Compliance.” Amazon Web Services, Inc., aws.amazon.com/architecture/security-identity-compliance/?cards-all.sort-by=item.additionalFields.sortDate&cards-all.sort-order=desc. Accessed 20 Apr. 2021.
“Senior HR Leader Roles and Responsibilities.” University Human Resources – The University of Iowa, Jan. 2021, hr.uiowa.edu/administrative-services/campus-hr-community/senior-hr-leader-roles-responsibilities.
“Setting up a Security Steering Committee.” RSM, 7 Dec. 2018, rsmus.com/what-we-do/services/risk-advisory/cybersecurity-data-privacy/setting-up-a-security-steering-committee.html.
Simos, Mark, et al. “How to Organize Your Security Team: The Evolution of Cybersecurity Roles and Responsibilities.” Microsoft Security, 5 Oct. 2020, www.microsoft.com/security/blog/2020/08/06/organize-security-team-evolution-cybersecurity-roles-responsibilities.
Singh, Rupinder, and Dr. Jatinder Singh. “Performance Metrics Scorecard.” Global Journal of Computer Science and Technology Network, Web & Security, vol. 12, no. 12, 2012. Global Journals Inc, core.ac.uk/download/pdf/231163152.pdf.
Smith, John. “Data Classification Policy Template.” Netwrix, 1 Jan. 2018, www.netwrix.com/data_classification_policy_template.html.
Stubbs, Donna. “Legal Hold (Litigation Hold) – The Basics of E-Discovery.” Exterro, 2 July 2018, www.exterro.com/basics-of-e-discovery/legal-hold/.
G, Alisa Esage. “Cybersecurity Framework or ISO 27001.” Information Security Newspaper | Hacking News, 24 Feb. 2018, www.securitynewspaper.com/2018/02/24/cybersecurity-framework-iso-27001/. Accessed 20 Apr. 2021.
Moraetes, George. “Choosing the Right Security Framework to Fit Your Business.” Security Intelligence, Security Intelligence, 26 Jan. 2018, securityintelligence.com/choosing-the-right-security-framework-to-fit-your-business/.
“NIST 800-53 vs ISO 27002 vs NIST CSF.” Www.complianceforge.com, www.complianceforge.com/faq/nist-800-53-vs-iso-27002-vs-nist-csf.html.
“NIST CSF and ISO 27001.” IT Governance, Aug. 2020, p. 11.
“CIS-Controls-Version-7.1.” Center for Internet Security, 1 Apr. 2019.
“ISO 27001 – IT Governance USA.” Itgovernanceusa.com, 2016, www.itgovernanceusa.com/iso27001.
“Position Description: Chief Information Officer.” Nsula.Edu, www.nsula.edu/wp-content/uploads/Ron-Wright-Job-Description.pdf.
Brunner, Rick. “Information Security Project Lab—Alpha Community College Version 1.” Information Security Project Plan Lab/Exercise [Collin College Frisco], PowerPoint presentation, 31 March 2021.
Brunner, Rick. “Goal, Question, Metric Version 5.” Goal, Question, Metric (GQM) [Collin College Frisco], PowerPoint presentation, 3 May 2021.
Kissel, R., et al. “Guidelines for Media Sanitization.” NIST Special Publication 800-88 Rev. 1, National Institute of Standards and Technology, Dec. 2014, csrc.nist.gov/publications/detail/sp/800-88/rev-1/final.
Appendix D ― Collaboration
The following people contributed to this Information Security Program Plan: Christopher Plemmons, David Lussier, Manny Hameed, Robert Crager, and Sara Asif.
Professor Richard Brunner provided expertise, review, and instruction.
Appendix E ― Infrastructure Diagram for Alpha Community College