OIT Security and Compliance 2010-2011 Annual Report

1.    Programs:

Changes in Scope of Activities:

  • Annual volume of university PCI DSS payment card transactions approaches one million, which will put the university in a higher audit category for PCI DSS compliance verification and attestation, with a significant increase in SSC personnel workload.
  • Evaluated, selected and implemented an HEOA-compliant solution for automatically handling wireless network DMCA copyright infringement notifications. The Red Lambda software product is now in use to identify individuals and route the notifications to Student Conduct and HR/ER for misconduct action.
  • Took on phishing detection, prevention, mitigation, and recovery responsibilities previously handled in the ISO unit, particularly for the GoogleApps service; this is a significant new workload.
  • Implemented central log collection and management using the Splunk tool, which gives OIT staff greater visibility into, and analysis of, logs from a range of systems.
  • Implemented a moratorium on Unity ID account renames.
  • Negotiated and implemented the Apple iTunes App Store Volume Purchasing Program.
  • Negotiated and implemented a new Apple OS licensing model that expanded the license to include iLife and iWork.
  • Coordinated termination of software licenses/maintenance with savings of $351,571.51.
  • Implemented a new BitTorrent software download process to handle larger download files.
  • Consolidated agreements for savings of over $15,000.
  • Negotiated multi-year renewals for average savings of 9%-15%.
  • Created an electronic repository of agreements, POs, invoices, license certificates, etc. for all of the license agreements managed by Software Licensing Management team.
  • Negotiated short-term extensions of licenses to accommodate service shutdowns and avoid full annual license payments (e.g., mainframe, PureMessage, Documentum).
  • Expanded JMP and JMP Genomics to unlimited campus licenses, including 64-bit editions.
  • Coordinated with SAS to find a solution for reducing SAS 9.2 distribution sizes.
  • Negotiated and coordinated major new purchases for NCSU and OIT, including SCCM, Red Lambda, Aegis Trident, and Oracle Waveset.
  • Negotiated a resolution to the Google Postini overage charges.
  • Currently working on internal software asset management processes to bring OIT into compliance with the ISO 19770-1 standard.
  • Provided project management assistance to large scale projects: NexGen and IAM.

Changes in Volume of Activities:

  • Public record, litigation hold and eDiscovery requests increased from 15 to over 18.
  • PCI DSS monthly compliance monitoring for credit card merchant accounts increased from 175 to 216.  New accounts added increased from 41 to 52. Assisted account holders with questionnaires for PCI DSS v1.2 and planning for the more complex PCI DSS v2.0 both for new account verification and annual renewal of PCI Compliance.
  • Security computer misuse incident investigations averaged 59/month up from 51. The maximum number of incidents handled in a month increased from 71 to 87.
  • DMCA copyright infringement notifications increased to an average of 211/month (up from 148) with a peak month of 413 (highest monthly volume in the last 4 years, up from 351). Nomad wireless notifications doubled over last year (new average of 135/month).
  • Provided 9,311 downloads (compared to 8,600 during 09-10) of major software titles to faculty/staff/students, greatly reducing physical media and duplication costs.
  • Currently managing over 156 major license agreements for OIT and NCSU.
  • Assisted with ~20 incident reviews, resiliency tests/exercises to improve processes.

Special Achievements of Significance:

  • 2010 Computer Security Month: five hour-long security awareness presentations for faculty/staff/students from NCSU and other universities.

Special Program Review, Studies, or Plans:

  • Completed a review of all PRRs under OIT’s responsibility and developed a plan to complete edits before December 31, 2011 (in conjunction with OGC).
  • Developed and published the new university Payment Card Merchant Services Regulation and provided education on its implications to campus.
  • Created a regulation for computer systems backup and incorporated it into the University Email and Records Retention regulation.
  • Developed Sensitive Data Framework including the identification of data elements subject to legislative protection and their level of sensitivity under a new data classification statement, a university Data Sensitivity Protection Regulation, and an initial set of controls for protecting sensitive data.
  • Implemented systems to gather research data about network activity for CSC.
  • Provided two representatives to the IRB to help them evaluate technical security and privacy issues.
  • Conducted annual security HR/FIN/SIS access reviews.
  • Finalized all action items for the Backup Systems Audit performed by Internal Audit.
  • Coordinated the Information Systems portion of the 2010-11 Financial Audit – no findings.
  • Produced the 2010 OIT Risk Summary Report, which identifies risks and their associated mitigation strategies for a more secure, robust, efficient and effective central IT environment.
  • Developed and conducted a Business Continuity/Resilience Roadshow with BCDR in October 2010 – communicated restoration time frames for the central IT environment.
  • Continued facilitation of OIT Priority Roadmap to help identify and prioritize the many projects that need to be completed.
  • Coordinated a review/recommendation of portfolio/project management tools to help manage the growing portfolio and complexity of OIT projects.

2.    Initiatives: Major initiatives and/or Changes to Programs or Activities

  • Eliminated manager position of Identity & Access Management (IAM) team due to 10-11 RIF.
  • Three IAM staff members transferred to the Shared Services unit as a result of the 10-11 RIF and organizational restructuring.
  • The part-time position supporting SAS licensing became vacant due to a resignation upon graduation.

3.    Diversity: Initiatives and Progress

4.    Staff: Major New Appointments, Kudos, Professional Activities, and Recognition

  • Noah Genzel transferred from Organizational Resilience team to become Call Center Manager in TSS.
  • Transferred Mike McComas from IAM to an Organizational Resilience Analyst in ORS.
  • Tim Gurganus achieved SANS IT forensics certification and applied this expertise to evidence-gathering activities with General Counsel and other law enforcement bodies.

5.    Concerns and Recommendations for the Future

  • Funding for staff training on IT security, new technologies and existing systems.
  • Ability to provide competitive salaries to retain/recruit adequate staff talent required to support complex scope of services and increasing customer/compliance requirements.
  • Support for new security services with increasing security and compliance workload.
  • Lack of staff to handle IAM functional responsibilities and compliance with mandated policies/regulations.
  • Critical staff/projects constrained by more aggressive schedules, increased workload & numerous projects.
  • Implementation of data sensitivity awareness training lags for all University faculty/staff, particularly for IT developers of Web applications and for data stewards across the University. As a result, little attention is being paid to where sensitive data is stored and how it is protected, both within the university and across the Internet.
  • Porous Internet perimeter security policy is resulting in constant exploitation of vulnerabilities from outside the university. The perimeter should be strengthened through additional IT security tools.
  • Security of Internet cloud-based IT applications is immature and fraught with issues.
  • Web application security is increasingly critical and complex as attackers target browser applications and third-party software vulnerabilities. Additional tools are needed to detect or protect against the changing threat landscape.
  • Widespread exploitation of hundreds of machines has resulted from the lack of timely application of vendor security patches to University servers and client PCs.
  • Need to investigate/mitigate very high and increasing volume of new and more complex security incidents such as brute force password cracking attempts on privileged accounts, creative targeted phishing attacks and advanced persistent threat attacks looking for sensitive data.