USD IT Security Program and Policies

Issue/Question

What is the USD IT Security Program, and what are it's Policies and Procedures.

Environment

  • USD IT Security
  • CIS Controls V8

Cause

Program and Policy Education

Resolution

Policy Statement: The University is committed to safeguarding its information systems and data against cyber threats and ensuring the confidentiality, integrity, and availability of University resources. To achieve this objective, USD utilized resources and strategy made available through membership in the Multi-State Information Sharing and Analysis Center (MS-ISAC).   MS-ISAC is a round-the-clock cyber threat monitoring and mitigation center for state and local governments operated by the Center for Internet Security (CIS) under a cooperative agreement with the U.S. Department of Homeland Security (DHS) and the federal Cybersecurity and Infrastructure Security Agency (CISA).  

CIS’s mission is to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.  This mission aligns with the security mission of USD to protect the University’s users, systems, and data. 

Policy Objectives:

  1. Adoption of CIS Controls v8: The University will adopt and implement the CIS Controls v8 framework to establish a comprehensive IT security program and policy set.
     
  2. Risk-Based Approach: The University will prioritize implementation of controls based on risk assessment findings, business requirements, and regulatory obligations.
     
  3. Mapping to CIS Controls: The University will map its existing IT security policies, procedures, and controls to the CIS Controls framework to identify gaps and prioritize implementation efforts.
     
  4. Security Governance: The University will establish a security governance structure responsible for overseeing the implementation and enforcement of security controls, including assigning roles and responsibilities for various aspects of security management.  This governance program will be run by the USD CISO.
     
  5. Data Governance: The University will develop a framework of policies, procedures, and processes that ensure data is managed securely, ethically, and effectively throughout its lifecycle, encompassing collection, storage, use, and disposal, to support organizational goals, compliance requirements, and stakeholder expectations.  This governance will be a managed by the data governance steering committee.
     
  6. Evaluation and Reporting: The USD Security program will be updated and evaluated for effectiveness yearly. Annual review of the effectiveness of the USD Information Security program will be based on data gathered and archived in the online CIS Controls Self-Assessment Tool (CIS CSAT).  CSAT will help USD assess, track, prioritize, and report on its implementation of the CIS Controls year after year.  The tool will also help USD identify where CIS Controls and Safeguards are already well-implemented and where there are weak points that could be improved.  Evaluation results will be provided to appropriate and required leadership stakeholders.
     
  7. Continuous Improvement: The University will continuously monitor, evaluate, and update its IT security policies and program to align with emerging threats, technological advancements, and changes in the University's operational environment.

Policy Implementations:

  1. CIS Control 1: Inventory and Control of Enterprise Assets
  2. CIS Control 2: Inventory and Control of Software Assets
  3. CIS Control 3: Data Protection
  4. CIS Control 4: Secure Configuration of Enterprise Assets and Software
  5. CIS Control 5: Account Management
  6. CIS Control 6: Access Control Management
  7. CIS Control 7: Continuous Vulnerability Management
  8. CIS Control 8: Audit Log Management
  9. CIS Control 9: Email and Web Browser Protections
  10. CIS Control 10: Malware Defenses
  11. CIS Control 11: Data Recovery
  12. CIS Control 12: Network Infrastructure Management
  13. CIS Control 13: Network Monitoring and Defense
  14. CIS Control 14: Security Awareness and Skills Training
  15. CIS Control 15: Service Provider Management
  16. CIS Control 16: Application Software Security
  17. CIS Control 17: Incident Response Management
  18. CIS Control 18: Penetration Testing

AI Policy Implementations:
1.  USD Generative AI IT Security Policy

USD Security Operations Center
1. USD SOC Guide

Compliance and Enforcement: All members of the University community are responsible for adhering to this policy and contributing to the successful implementation of our cybersecurity framework.  Non-compliance with this policy and it's implementations may result in disciplinary action, including but not limited to loss of access privileges, fines, or termination of employment.

Policy Review: This policy will be reviewed annually to ensure alignment with CIS Controls updates, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of the University's IT security program and policies.

Conclusion: By adopting the CIS Critical Security Controls v8 as the foundation for its IT security policy and program, the University demonstrates its commitment to proactively addressing cybersecurity risks and protecting its information assets. This policy provides a framework for implementing robust security measures to mitigate threats and ensure the resilience of University operations.  Some policy implementations and CIS mappings were generated with assistance from AI.

Please contact the Service Desk if you need further assistance