Strategic Plan
ISO Vision
The confidentiality, integrity, and availability of the University’s data and information systems is protected from accidental damage and malicious actors and Western’s culture is transformed so information security is integrated into all business practices.
ISO Mission
- Users are secure.
- Systems are secure.
- Computing personnel use best practices.
- Vulnerabilities are managed and risk is reduced.
- The University's mission to provide academic excellence and an inclusive environment is supported.
ISO Strategic Goals
Visibility
Users are aware of the Information Security Office and leverage it as a resource.
| Implementation | Metric |
|---|---|
| The ISO develops a website with information on policy, standards and guidelines, training options, incident response resources, design reviews, best practices, and other ISO services. | The ISO has an active website by May 2021. |
| The ISO proactively reaches out to end-users and other IT personnel to advance security initiatives. | The ISO has personally contacted 100% of all business unit and academic department heads by January 2022. |
Training
All employees are trained in information security. Employees are aware of best practices and where to go for help and advice.
| Implementation | Metric |
|---|---|
| A Canvas course is offered for new and existing employees. Training is done during employee onboarding and yearly thereafter. Processes are developed to track which employees still need to take the course. | 75% of staff have taken the training by June 2023. |
| Specialized training in security tools and best practices are developed for IT personnel. | The ISO has developed content covering Security Center Defender for Endpoint, data classification, data loss prevention, and web application scanning. |
Monitoring of Users, Systems, and Networks for Vulnerabilities, Security Incidents and Anomalies
The ISO will configure systems to detect and respond quickly to all incidents. Where possible, incident response will be automated. Some monitoring will be done by the ISO, and other monitoring will be distributed to campus system administrators. Vulnerabilities are managed by a program that identifies and tracks remediation of those vulnerabilities.
| Implementation | Metric |
|---|---|
| Monitoring is dependent on the identification of IT assets. The ISO will maintain a system to track all of the IT assets. The ISO will transition from using Lansweeper to using Infoblox IP Address Management, Cisco CPI, and MS Defender for Endpoint. | 95% of assets on the Western network are identified. This excludes residential networks. |
| The ISO maintains a security and information event management (SIEM) system that integrates intelligence from multiple disparate systems. The SIEM will be configured to provide dashboards, reporting, and alerting capabilities. | A series of dashboards are built to monitor firewall, DNS, DCHP, critical endpoint, Office 365, and security tool logs. The system is configured to alert on critical security events. Configurations are complete by July 2023. |
| The ISO leverages the Microsoft enterprise security tool suite to monitor, alert, and automatedly respond to security incidents. These tools include Defender for Identity, Defender for Endpoint, MS Cloud App Security, Azure Security tools, Privileged Identity Management, and any other security tools that are included with the University’s licensing. The Microsoft Security Center for Defender for Endpoint will be configured with role-based access control so endpoints can also be monitored by system administrators. | The ISO enrolls 90% of all endpoints in the Microsoft Defender for Endpoint protection by June 2023. All system technicians are managing the monitoring of their own assets in Security Center for Defender for Endpoint. 90% or more of security incidents are handled by automated processes. |
| The ISO runs a vulnerability scanner to identify security issues in networking equipment, IoT devices, and any other systems not managed by Microsoft Security Center Defender for Endpoint. Remediation of vulnerabilities is tracked. | 90% of High to Critical vulnerabilities are remediated between quarterly scans. 50% of Medium vulnerabilities are remediated between quarterly scans. |
| The ISO runs a web application scanner tool to perform authenticated dynamic testing of the University’s internal and external websites. | 90% of High to Critical vulnerabilities are remediated within 7 days. 50% of Medium vulnerabilities are remediated within 60 days. |
| The University's external-facing websites are scanned for vulnerabilities by the Cybersecurity and Infrastructure Security Agency (CISA). | 90% of High to Critical vulnerabilities are remediated within 7 days. 50% of Medium vulnerabilities are remediated within 60 days. |
| The ISO works with external partners to share information on threats. | None. |
Information Security Program Adheres to the NIST Cybersecurity Framework
The Information Security Office advances the University’s Information Security Program by adopting the NIST Cybersecurity Framework. The ISO is focused on moving from the framework’s Partial Implementation Tier to the Repeatable Tier.
| Implementation | Metric |
|---|---|
| The ISO participates in the National Cybersecurity Review (NCSR) run by the Multi-State Information and Analysis Center. | The University assesses its compliance with the NIST controls on a yearly basis and seeks to reduce the gaps by 25% yearly. The (NCSR) is used as a year-to-year measurement tool. |
Academic Collaboration
The ISO works with University academic staff to ensure the protection of FERPA protected data and research work.
| Implementation | Metric |
|---|---|
| The ISO provides consultation services and information security training to academic personnel. Information on protecting academic research work is provided on the ISO website. | None. |