IT Security

Core Team Lead was Lori Temple.

What was considered during this planning session

  • Establishment of a security management structure with clearly assigned security responsibilities
  • Creation, implementation, and regular review of information technology policies and procedures
  • Creation, implementation, and updates to plans to address identified risks
  • Implementation of effective security-related education and awareness programs
  • Provisions to monitor the security program’s effectiveness with mechanisms to make changes as necessary

Summary of session

The IT security session addressed current security issues and concerns as a starting point for developing a plan for changing how the University manages and addresses IT security across the enterprise. The meeting included representatives from System Computing Services (SCS), OIT and distributed IT areas. A detailed update on progress made in addressing the NSHE UNLV Network Audit conducted in 2011 was also provided.

It was agreed that the minimum need for IT security is to reduce the number of data breaches as well as the cases of stolen technology that result in a compromise of sensitive information. The objective of the IT Master Plan should be to assist the University in moving in this direction through improved planning and coordination of resources, implementation of security best practices, and better education.

Key outcomes identified to inform the IT Master Plan

  • Elevate the visibility of information security across the University
    • Consider the establishment of the role of a Chief Information Security Officer (CISO), considered a best practice for institutions as complex and large as UNLV, and consistent with NSHE policy
    • Secure Cabinet approval for the authority of the CISO and associated office
    • Define the responsibilities of the CISO office (e.g., Security Analysis, Investigations, Risk Assessment, Management of a UNLV Cyber Security Team, Security Policies and Procedures, Security Awareness, etc.)
  • Establish a Cyber Security Team at UNLV
    • Charge the team with supporting ongoing information security efforts in the context of accepted best practices
    • Appoint Security Liaisons from across UNLV who would coordinate with the Cyber Security Team
  • Develop comprehensive education, awareness, and training programs
    • Emphasize that data security is everyone’s responsibility
    • Create a Security 101 training program (currently being worked on in OIT)
    • Work with Human Resources to develop appropriate orientation materials for new employees
  • Create a sustainable risk assessment function that is based on industry standards and best practice
    • Consider using the NIST risk assessment framework
    • Establish risk-based decision-making factors in support of improved IT security practices
  • Strengthen the security posture of UNLV through the implementation of the Identity Management initiative
    • Determine practical methods for addressing security issues associated with the increasing presence of mobile devices on campus
  • Ensure data governance needs are addressed within the context of information security
    • Develop a tiered classification system for UNLV data (see SCS and Michigan Technology University Information Security Plan for examples)
      • Establish a baseline for data security around compliance requirements (e.g., FERPA, HIPAA, etc.)
      • Consider the need for data classification systems for different types of data – Academic, Administrative, Student, and Research