Security threats, such as phishing attacks, not only attempt to steal NC State’s data and interrupt its business processes but also threaten the university’s ability to deliver core functions of teaching, research and outreach. Cyber criminals and hacktivists are organized in their efforts to penetrate campus defenses, and by many measures, they are winning.
The distributed nature of the university computing environment adds more complexities to the fight against cyber threats. Individual IT units, already stretched for resources, typically do not stand a chance against the threats of today. In fact, many do not have the tools and resources to monitor their computing systems to detect breaches when they occur. In addition, NC State also has a myriad of external compliance mandates that dictate the security controls that must be implemented to protect various data types.
Recognizing the magnitude of this problem, the university made a strategic decision to protect against cyber threats through a comprehensive and orchestrated approach, where all constituents play a key role in defending systems, processes and business functions. As part of the University Strategic IT Plan, OIT Security and Compliance is developing the NC State Cyber Security Roadmap, a framework that will consist of the right set of policies and procedures, tools and technologies, trained IT support personnel, and knowledgeable users to enable the campus community to succeed in protecting personal and university assets. This roadmap leverages the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF), which divides security into five core areas to identify functional security needs:
Inventory and develop an understanding of systems, assets, data, and capabilities to effectively address cybersecurity risks.
Develop and implement appropriate safeguards to ensure delivery of critical services, protection of sensitive data and compliance with mandates.
Develop and implement appropriate monitoring activities to identify and address the occurrence of a cyber security event in a timely manner.
Implement appropriate activities in response to detected cyber security events.
Develop and implement appropriate activities to restore impaired capabilities or services due to cyber security events. Recognize that, even with a comprehensive and orchestrated security strategy, cyber security events will occur and cause disruption.
The cyber security roadmap will help the university prioritize its investment to fight cyber threats in a manner that addresses top risks and ensures its security program aligns with its needs. The roadmap will:
- identify gaps in current cyber security practices and capabilities.
- provide a prioritized listing of desired improvements, tools, capabilities, and resources as well as a timeline to achieve the desired state.
- provide financial investment projections to plan and budget adequately to achieve cybersecurity goals.
OIT Security and Compliance will solicit assistance from major stakeholders across the university to ensure the roadmap truly captures the university’s needs. Look for opportunities to provide input into the development of the roadmap in the coming months.