This page describes the following aspects of the Information Security Program at NC State:
IT Governance at NC State is the framework of processes and organizational structures specifying who makes decisions, how decisions are implemented, who is held responsible, and more.
IT Governance Structure
As one of the initiatives from the university IT Strategic Plan, OIT launched a redesigned IT governance structure in the fall of 2019 with the goals of improving efficiency and better differentiating the governance-related structure from the work of operational groups and advisory groups.
Information Security Governance
Viewed as integral to all functions, information security is embedded throughout the new IT governance structure per the Information Security Governance model.
Information Security Advisory Group
The Information Security Advisory Group (ISAG) plays a significant role in the NC State Information Security Program as an advisory team that provides valuable input into the development of security regulations and rules. The ISAG serves as a vital forum for discussion of information security topics. The group is comprised of members across campus that represent all roles and responsibilities as defined in the Information Security Governance model.
- Reviewing and assisting security strategy and integration efforts
- Reviewing and providing input into the development of Regulations and Rules to protect university information and assets
- Ensuring business unit manager and process owner support integration
- Identifying emerging risks
- Promoting business unit security practices
- Identifying compliance issues
- Reviewing and advising adequacy of security initiatives (to serve business functions) and value delivered (with regard to enabled services)
- Reviewing and ensuring that security initiatives meet business objectives
- Serving as an advisory group for the Cybersecurity Awareness Team, providing guidance and decisions as needed.
UNC Information Security Council
The UNC Information Security Council (ISC) was established to provide information security guidance to UNC constituent institutions and affiliated organizations.
Mission: Ensure the protection, confidentiality, integrity, and availability of information and information resources within all UNC constituent institutions and affiliated organizations.
UNC CIO Council Support
The UNC ISC is an advisory group to the UNC Chief Information Officers (CIO) Council regarding information security issues — providing the Council with reports, updates, and opinions per their requests.
UNC ISC Council Members
UNC ISC council members provide support and timely information to one another regarding security tools, events, and incidents. The NC State CISO is a standing member of the UNC-ISC.
OIT S&C, in collaboration with university stakeholders, developed the university’s first cybersecurity strategic plan, Envision a Secure State, to identify and defend against cyber threats to the university. Pending funding, the plan will be implemented over a 3-year period and will encompass a bold vision and straightforward mission.
Vision: An agile, secure and resilient cyber environment that empowers the NC State community to innovate and achieve the university’s mission: teaching, research, and engagement.
Mission: Employment of risk-based measures to defend the university’s digital assets from internal and external threats. This mission identifies key risks the university must address to meet its goals and objectives successfully.
Mission-identified Key Risks
Significant security incidents at NC State result from the key risks defined in Table 1.
|Table 1. Key Security Risks at NC State|
|R1||User errors or susceptibility to social engineering|
|R2||Inequitable investments (without defined priorities) in cybersecurity defenses|
|R3||Inferior defense mechanisms|
|R4||Lack of timely and actionable intelligence|
Mission-identified Strategic Goals
Table 2 defines strategic security goals at NC State.
|Table 2. Key Security Goals at NC State|
|G1||Be a leader in higher education cybersecurity awareness.|
|G2||Embrace a risk-based approach to protect digital assets.|
|G3||Enable proactive advanced cybersecurity defenses.|
|G4||Create a comprehensive data-driven monitoring and reporting system (a dashboard) that generates near real-time, actionable intelligence.|
|Information Security Program at NC State||Cybersecurity Leadership||Cybersecurity Threat Awareness & Collaboration|