Elevate the role for security planning and management beyond IT by creating a University-wide Cyber Security Team and CISO position empowered to implement a comprehensive security strategy designed to mitigate current and anticipated future risks.
Information security concerns raised in a 2011 NSHE Network Security Audit of UNLV served as one of the catalysts for the development of the IT Master Plan. The lessons learned in completing the audit’s recommended remediations have changed the security culture at UNLV. Those changes must be sustained and extended as part of the technology planning process.
Since the audit findings in 2011, more sophisticated threats, expanded use of digital data, increasingly interconnected systems, and the growing severity of the damage caused by successful attacks have elevated the need for a comprehensive campus-wide approach to securing UNLV’s information assets. The approach must provide protection from unauthorized access while facilitating access for those authorized to use campus data. It must also help employees understand and meet their responsibilities for protecting the information assets under their care. Most importantly, the approach must be continuously adjusted to address evolving threats, new technologies, new compliance requirements, and emerging campus directions.
Continually strengthening the university’s security posture in such a dynamic environment requires strong leadership, university-wide collaboration, and a proactive response to changing needs. To maintain the secure foundation established in response to the security audit and to continue to provide the security expected of a Top Tier institution, UNLV should:
- Develop a comprehensive, proactive security strategy
- Establish the role of a Chief Information Security Officer (CISO)
- Form a UNLV Cyber Security Team
- Sustain and extend the work of the NSHE Security Audit
- Continually enhance security education, training, and awareness programs
- Establish and maintain ongoing risk assessment efforts
1. Develop a comprehensive security strategy
It is recommended that UNLV develop an agile security strategy that includes:
- Security solutions that cut across organizational boundaries
- A framework focused on protecting computing infrastructure, end points, and data
- Highly integrated multiple layers of protection
- Ongoing risk assessment
- Adherence to best practices
- Flexibility to address changing needs
- Mechanisms to incorporate new compliance requirements
- Ongoing alignment with campus strategic directions
Periodic assessment and revision of the strategy will ensure that it continues to adapt to new security risks.
2. Hire a Chief Information Security Officer (CISO)
UNLV should establish the role of a CISO, a best practice for institutions as complex and large as UNLV. Creating a CISO position is integral to developing the security posture required for high-profile research institutions and consistent with NSHE policy. The CISO will be responsible for instituting a strategic approach to sustaining security awareness, risk assessment, and compliance management programs. Cabinet approval for the authority of the CISO and associated office will be needed. Also in keeping with best practices, the CISO should report to the new CIO.
Clear authority for the CISO and well-defined responsibilities for a new CISO office are imperative. Recommended responsibilities include:
- Security analysis
- Forensic investigations
- Risk assessment
- Facilitation of the UNLV Cyber Security Team
- Oversight of compliance with federal, state, and local regulations (e.g., HIPAA, FERPA, NSHE, etc.)
- Development of and compliance with UNLV IT security policies and procedures
- Breach response management
- Security awareness
To be successful, the new CISO office must have support from UNLV’s executive leadership team, be housed outside of central IT, and have adequate resources to meet the recommended responsibilities. Additionally, the work of a CISO office needs to be collaborative and provide visibility into the activities designed to strengthen security at UNLV.
3. Form a Cyber Security Team
Establishing a cross-organizational Cyber Security Team will enable the university to design and deliver comprehensive security programs that protect the entire campus. The Cyber Security Team, composed of information and technology specialists from across the campus, will:
- Work through the Technology Advisory Committee (TAC) and Technology Review Board (TRB) to ensure alignment with other IT initiatives
- Adopt an industry standard security framework to guide security initiatives on campus
- Create and foster a campus-wide approach to IT security
- Maximize UNLV’s ability to address compliance requirements and changing security risks
- Promote awareness on IT security issues, compliance changes, threat mitigation, and individual responsibility for helping ensure a safe IT environment
- Recommend to the TRB policies, procedures, and technical measures that protect the IT environment
- Develop and maintain a Security Liaison program
- Recommend security measures for emerging technologies (e.g., mobile devices, cloud services)
More information about the Cyber Security Team, including charges, can be found in Appendix 8A.
4. Sustain and extend the work of the NSHE Security Audit
Since July 2011, the security audit has been the driver for security improvements at UNLV. These audit remediations have focused on protecting devices (e.g., networks, computers) and systems (e.g., identity management, file storage solutions) with some attention to policy development and security awareness. Additional layers of security are needed to protect data residing on the devices and in information systems. The following protections should be implemented:
- Data Encryption - for protecting sensitive data in storage and in transit
- Data Loss Prevention - for detecting sensitive data that may leave the campus unencrypted
- Data Backup Solutions - for recovering critical data after an equipment failure or theft
A comprehensive data encryption solution will secure the data in the event that border protection (e.g., firewalls) and/or device protection (e.g., servers, computers) are penetrated and will bring UNLV into compliance with state regulations. Once the university has an encryption solution, data loss prevention solutions are needed to prevent unencrypted sensitive data from leaving the campus. A desktop backup solution will provide business continuity for employees whose documents may be irretrievable after a computer malfunction or theft.
5. Enhance education, training, and awareness
Providing better protection for the devices and the data on those devices will significantly improve information security at UNLV. However, individuals who access that data must also be aware of the important role they have in the protection of university data assets. When individuals share their passwords, leave their computers on and unattended for long periods of time, or move sensitive data to unencrypted flash drives, campus data is at risk. UNLV’s security strategy includes ongoing comprehensive education, training, and awareness programs that emphasize collective responsibility for IT security. The initial rollout of UNLV’s Smart Computing awareness campaign began in 2015. The ongoing effort should be assessed and the results used to inform the development of additional awareness activities. To facilitate this effort, security awareness and training for employees and students is included in the responsibilities of the CISO and as a charge for the Cyber Security Team.
6. Establish and maintain an ongoing risk assessment program
Comprehensive enterprise security solutions are expensive, resource-intensive, and can take 18 to 24 months to implement. To help determine when new solutions should be added to UNLV’s security strategy, the university is developing a risk management plan based on industry standards and best practices. The risk management plan will include:
- A comprehensive data classification effort and associated risk mitigation plans for sensitive data
- Assistance for investigators in identifying and mitigating risk associated with collecting, storing, and sharing research data
- Assistance with designing and auditing data streams between enterprise information systems and other campus applications
- Adoption of comprehensive data retention schedules
- Proactive self-assessment
The data classification effort
To manage risks effectively, the university must:
- Identify all potentially vulnerable information system resources and data
- Determine the risk tolerance and impact of a compromise for the systems and data
- Define appropriate controls to mitigate the risks for those systems and data deemed most critical
These efforts need to be done in concert with the campus data management efforts (see Initiative 13). Existing data elements in the campus data dictionary need to be reviewed and assigned a security classification to inform users about the security measures required when using the data. Procedures for adding new data elements to the dictionary must include security classification reviews and, if warranted, risk management plans.
Special needs for research data
As Top Tier initiatives are realized, new security measures are needed to collect, retain, protect, and disseminate research data. Data management plans for various granting agencies are now mandated. The plans will need to be audited for their effectiveness. The data being collected as part of research projects involving health and/or social issues are of particular concern. Investigators may require assistance from information security professionals to identify the risks. The newly proposed Research Technology Group (see Initiative 1) can work with the CISO office and/or the Cyber Security Team to ensure investigators have the resources needed to keep their research data both safe and accessible.
Auditing data streams
The campus risk assessment plan should include periodic audits of the data streams that move data from enterprise systems (e.g., student, human resources, and finance) to supplemental systems. For example, many of the new Retention, Progression, and Completion efforts involve moving information currently residing in the student information system and the learning management system to new data analytic applications (e.g., EAB Student Success Collaboration). Much of the data is FERPA-protected. The protections provided by the originating systems must be preserved as the data are moved, transformed, and stored. Periodic audits are needed to ensure ongoing compliance. An increase in data movement and transformation activities is also expected with the introduction of new human resources and finance information systems and will require similar periodic audits (see Initiative 9).
Data retention schedules
One sure way to protect sensitive data is to delete it when it is no longer required. While some data must be kept indefinitely (e.g., transcript data), most can be deleted after an agreed-upon retention period. NSHE has recently established data retention periods. UNLV must develop retention schedules and procedures to ensure records are in compliance with the new NSHE regulations. The CISO and/or the Cyber Security Team should help evaluate automated options for securely eradicating expired data. The adoption of data retention schedules is also critical for the implementation of document management solutions (see Initiative 12) and data management and reporting efforts (see Initiative 13).
Proactive self-assessment
Although the university is subject to external audit, UNLV should supplement these audits with proactive security monitoring. The CISO office will be responsible for conducting periodic internal audits of the information systems containing data deemed to be the most sensitive. Those responsibilities include: identifying data security weaknesses; evaluating and prioritizing the associated risks; and creating teams to implement effective risk mitigation solutions.
- Chief Information Officer
- Chief Information Security Officer
- Technology Advisory Committee
- Technology Review Board
- Cyber Security Team
The annual salary for a CISO position at a large research university is estimated at $110,000 to $140,000 plus benefits.
New staff resources (2 FTE within OIT) will be needed to implement and support the three major security initiatives planned for the next three to four years (i.e., data encryption, data loss prevention, desktop backup). The salary range for each position is approximately $70,000 plus benefits.
The three staff resources above will also be needed to implement and maintain data classification efforts, support research data management plans, conduct risk assessments, and help develop and implement risk mitigation plans.
Costs for data encryption and data loss prevention solutions vary widely and depend on how well they integrate with other solutions in place at the time of their implementation. Data encryption solutions are approximately $175,000. Data loss prevention solutions are approximately $250,000. Both have annual maintenance costs of about 5%.
Estimated costs for a limited rollout of computer backup services are $52,000 one-time funds and $21,000 annually. The full cost will be determined once a pilot program is complete.
New Positions: 3 FTE; Total One-time and Recurring Costs FY16-FY19: $1,011,081
Action Items to Implement Initiative
- Hire a Chief Information Security Officer.
- Create a UNLV Cyber Security Team.
- Establish annual goals to achieve Cyber Security Team recommendations.
- Adopt an industry standard security framework.
- Implement and regularly assess a comprehensive security strategy.
- Annually review and audit IT security policies and procedures.
- Annually recommend revisions to UNLV's IT security education, training, and awareness program.
- Implement data encryption, data loss prevention, and desktop backup solutions.
- Adopt a tiered classification system for UNLV data.
- Establish and annually update UNLV's risk assessment program.
- Improved security of UNLV IT assets.
- Security measures are balanced with access and usability needs.
- Fewer disruptions to university business as security breaches decrease.
- Reduced risk to UNLV’s reputation.
- Increased document and data protection provided by computer backups.
- Improved risk management.
- Increased support for unique research data security needs.
- UNLV faculty and staff are better prepared to meet their obligation for protecting university assets.
Measures of Success
- Increased recognition of the role of the Chief Information Security Officer.
- UNLV’s Cyber Security Team progress on meeting its charges.
- Improved ratio of information security staff to institutional FTE count.
- Reduction in the time to resolve data security incidents.
- Activities to strengthen federal, state, and NSHE compliance.
- Reduction in IT security risks.
- Effectiveness of security awareness training.
- Decreased incidents of lost documents and data due to inadequate backup.
- Increased efficiency in assessing risk.
Other relevant research
Based on 2012 data provided by the EDUCAUSE Core Data survey (January 2013), Doctoral Institutions average one information security staff per 4,553 institutional FTEs. Based on FY 2012 data, UNLV had 21,910 institutional FTEs, which would equate to 4.8 information security staff at UNLV. However, the current staffing indicates two FTEs within OIT and one FTE in Research.
At the University of Colorado Boulder, an IT security assessment was linked to the annual hardware inventory. The key elements of this effort include:
- Gaining executive support to conduct an institutional audit of all hardware to ensure security compliance
- Providing deans and business officers with a standard inventory template, scanning tools to locate computers and servers storing private data, and local IT support to complete the audit
- A goal of achieving 90% inventory compliance by the fourth year of the effort