Initiative V: Manage Information Security, Regulatory Compliance and Technology-Focused Business Continuity and Disaster Recovery
Protecting the security and integrity of the IT environment, sensitive information on university community members, intellectual and educational assets, research data and institutional operations is a fundamental responsibility of the university. Disaster preparedness is a must for the continuity of operations and functions of the university if disaster strikes.
We must work together to promote a strong and secure infrastructure and excellent practices to protect that infrastructure. Developing and deploying appropriate policies and effective enforcement means to secure the integrity of information technology resources, safeguard institutional information and protect the privacy of university community members as they engage in online activities.
IT security is the responsibility of all members of the Case Western Reserve University community. The community relies heavily upon the expertise of IT to define standards, based upon best practices, to develop and implement policies and to enforce them, ensuring that the community is best positioned to defend the integrity of the university. First and foremost, the university must establish formal assessment strategies and continually work with university partners to ensure the CWRU information environments are secure.
Action Item 17.1: Implement a formal security risk management program. Perform regular risk assessments for critical IT infrastructure and important university business/academic areas and risk reporting/risk action decision-making by university executive leadership.
Action Item 17.2: Assess the need for regular security audits that may include an audit of the separation of services handling sensitive information from public information systems.
Information technology is a strategic asset of the institution. Loss, in part or total, of the IT environment, services and data can cripple the institution. CWRU must be prepared for the recovery of critical services in a timely manner so that the university can continue to function in the aftermath of an outage due to natural or human-made disaster.
Action Item 18.1: Develop a business continuity plan (BCP) for university IT systems, in partnership with the university Business Continuity Coordinator and the university community. This plan should also develop prudent and reasonable funding models to be able to react and recover from any disaster. These plans must be regularly updated with prescribed measures implemented for use, if needed, in the event of covered incidents.
Case Western Reserve University must secure its environment at high levels. Best practices must be developed for a diversely IT equipped community, particularly students, as all university members must be able to securely engage with the university IT environment. IT infrastructure must be designed with security as a key element, be auditable and be protected from data loss threats. Applying an in-depth defense strategy to all current and new network and cloud-based systems and services must become the new normal. CWRU needs to evolve security beyond device-based controls and move to a strategy based upon the identity and role of individuals who are authorized and then authenticated for access to information and resources.
Action Item 19.1: Establish mechanisms to respond systematically to security incidents through the creation of a security operations center that implements established incident management workflows and regularly assesses lessons learned in order to improve security risk management.
Action Item 19.2: Develop identity-based and role-based strategies to provide access to CWRU’s data and infrastructure both on-campus and in cloud services. Enterprise authentication services must be strengthened to protect from threats to our globally accessible information systems, while balancing the need for simpler methods of authentication.
Action Item 19.3: Develop and communicate guidelines for the secure adoption and support of cloud-based solutions, including infrastructure and hosted third-party application solutions, to allow CWRU to provision secured cloud or virtual computing environments.
Action Item 19.4: Develop a basic set of security programs and communicate fundamental security practices that will better protect the university’s information and technology assets. IT should lead efforts to develop communication and education programs, including targeted training seminars, that will improve the awareness and understanding of the university community about IT security and CWRU policies in regard to IT security.
Action Item 19.5: Information Security staff will work to reduce the threat surface and secure all information resources through the development of university-wide best practice policies that, in turn, are fully embraced and enforced by the university leadership.