As part of the Information Security Program at NC State, OIT offers the following services:
OIT Change Management
This service optimizes communication and coordination between OIT and the NC State campus community, with a focus on the following results:
- Minimized conflicts when OIT makes technical changes to its services
- OIT service customers who understand the reason for each change and the impact it will have
OIT Continuity
These services maintain the OIT Business Continuity Plan while:
- Providing overall guidance for unit plans
- Facilitating resiliency testing as needed
Data Discovery and Protection
The Data Discovery and Protection (DDP) program is a campus-wide data management initiative to safeguard all university data. Visit the Data Discovery and Protection web page for details.
This service also offers guidance on data-encryption solutions to protect university data.
Log Management and Event Correlation
This service includes the management and maintenance of a central repository for the investigation and analysis of security events. After collecting and correlating events from multiple sources, the results are shared to help identify, resolve, and prevent incidents.
Multifactor Authentication
Multifactor Authentication (MFA) adds a critical layer of security when a user logs into an account. With the MFA service, the user must present one of the following second factors in addition to entering a unique passphrase:
- USB security key
- Security code (delivered to a mobile device via text or mobile app)
- Backup code
The MFA service includes the following:
- Technical security implementation and support
- Alert investigation, remediation, and notification
Network Security Monitoring
This service monitors the university network using packet brokers, which aggregate traffic from all network devices and forward it to analysis tools.
Password Vault Management
This service manages and supports the university's password-vault utility for system administrators and staff across campus who are covered by the central license.
SSL Certificate Management
This service includes the reviews and certificates required for applications that use SSL/TLS (Secure Sockets Layer / Transport Layer Security).
Vulnerability Scanning and Penetration Testing
This service includes implementation and support for vulnerability scanning and penetration testing, along with investigation, remediation, and notification for the findings they identify.
Web Application Security Testing
This service helps NC State development teams assess the security of their web applications and reduce associated security risks. In addition to empowering developers to identify and fix the most critical security issues, this service provides guidance regarding web-application security concepts and best practices.
This service provides ongoing assistance in collaboration with data trustees, stewards, and custodians to align data classification and protection requirements with:
- Current threats
- Legal and university requirements
General Security Consultation, Security Architecture, and Review
This service supports the ongoing protection of sensitive university data and other digital assets by offering the following:
- Consultation, guidance, and ad hoc support to maintain security best practices throughout system life cycles
- Security requirements and design criteria for university initiatives
IT Risk Management
This service provides the following support:
- Continuous IT risk identification, ranking, and mitigation recommendations
- Security assessments to identify and reduce risks, particularly for non-IT organizations
- Continuous third-party application security assessments to ensure product security meets university requirements
- Planning and facilitation of activities necessary for the university to evaluate and resolve IT, data, and risk issues
- Consulting services to help secure data as it is integrated into business processes
Security Awareness and Training
This service includes the following for students, faculty, staff, and all university stakeholders:
- Development and delivery of effective security awareness and training
- Development and facilitation of workshops and customized training
- Coordination of training associated with university-related security certifications to document and demonstrate compliance with mandated policy, regulations, rules, and standards
- Security awareness training for students, faculty, and staff referred by university stakeholders, for example schools, departments, Principal Investigators (PIs), Internal Audit, and the Institutional Review Board (IRB)
Data Security Training
This online Data Security Training module is required annually for all university employees, including student employees. This training module focuses on cybersecurity awareness topics that are critical to the university, including phishing, Two-Factor Authentication (2FA), and mobile device security.
The HIPAA Privacy and Security Rules training covers all campus-relevant HIPAA-covered components in a single combined module; it is required annually.
Data Management Regulation and Data Sensitivity training: University data trustees, stewards, managers, custodians, and all users of sensitive-data environments are required to complete targeted training based on their roles and responsibilities. This training must be completed before access to sensitive data is granted.
Ad Hoc Training
OIT S&C provides training on a variety of security topics based on customer needs.
Cybersecurity Liaison Team
This service provides management and coordination of the Cybersecurity Liaison Team.
This service provides the following:
- System forensics analysis, data acquisition, and incident response
- System data retrieval in response to requests from law enforcement, litigation holds, and system administrators, to assist in root-cause analysis
Security Incident Response
This service includes incident response management, notification, and tracking for information security issues such as the following:
- Potential unauthorized disclosure or alteration of:
  - University data not routinely made available to the general public; for example, employee evaluations
  - Data the university is bound legally or contractually to protect; for example, social security numbers, credit card numbers, and certain research data
- Loss or theft of electronic storage devices or media containing:
  - University data not routinely made available to the general public
  - Data the university is bound legally or contractually to protect
- Unauthorized content on a university web page, whether displayed directly or through a pop-up:
  - Advertising for a non-educational commercial product; for example, an online pharmacy
  - Pornographic material
- Distribution of viruses or malicious software from a computer on the NC State University network
This service supports campus organizations that require system access higher than what is available to their own users.
Examples: Litigation Hold retrievals, employee separation support, answering general security questions, and so forth.
This service provides assistance with annual access certification for enterprise systems.
Internal and External OIT Audit Coordination
This service facilitates:
- Internal and external IT audits involving OIT
- Corrective actions (and monitors their effectiveness)
Litigation Holds/eDiscovery Coordination
Electronic discovery, aka e-discovery, is the process of “retrieving, saving and producing electronically stored information in anticipation of and during litigation.”
In 2006, the Federal Rules of Civil Procedure were amended to cover the preservation and production of Electronically Stored Information (ESI), which may reside on PDAs, laptops, office computers, and portable media such as USB drives, CDs, and DVDs.
Failure to comply with the requirements for producing ESI may subject the university to serious sanctions.
Research Data Security Consultation & Evaluation
In response to requests from PIs or ORI for security-requirement reviews of special contracts or grants, this service negotiates terms and assesses NC State's ability to comply with them.
Security Compliance Program Development, Management & Continuous Assessment
To ensure compliance with university policies and state and federal requirements, this service provides continuous activities:
- Assessment of university infrastructure, systems, and services for compliance with ISO 27002, GLBA, the Red Flags Rule, NIST 800-171, PCI DSS, HIPAA, and so forth
- Annual ISO 27002 compliance gap analysis for the UNC System security peer-review program
- PCI compliance assessment and validation activities
- HIPAA compliance program management to ensure protection of PHI data
- NIST 800-171 compliance program management to ensure protection of Controlled Unclassified Information (CUI)
- Higher Education Opportunity Act (HEOA) compliance program management to ensure effective responses to potential violations of the Digital Millennium Copyright Act (DMCA)
- PowerAmerica Security and Compliance Program (PA SCP) management to ensure that PowerAmerica data on campus (and also on external member locations) are protected as required by the PA SCP
Security Policy, Regulations, Rules (PRRs) and SOP Development
To ensure alignment with university business needs, the evolving threat landscape, and compliance requirements, this service provides the development and maintenance of information security Policies, Regulations, Rules (PRRs) and SOPs.
IT Purchase Compliance Management
The IT Purchase Compliance requirement applies to all IT purchases of $5,000 or more and to all HIPAA- and PCI-related purchases regardless of cost. This includes new IT purchases as well as maintenance and support renewals for IT purchases made previously. This service manages the overall process to ensure that security, accessibility, and integration reviews occur for campus software purchases of $5,000 or more.
IT purchases include software and more:
- Software applications and operating systems
- Web-based applications (SaaS)
- Cloud-hosting services
- Products that process electronic payments
- Network and storage solutions (for example, Load Balancer, IP management, VPN, storage platform, and so forth)
- Integrated hardware such as endpoints connected to special purpose devices (for example, microscopes)
License Risk Assessment
This service includes the following:
- Clickwrap Agreement Risk Assessment — Conduct risk assessments on clickwrap agreements before users accept licensing terms. This service ensures the terms meet university and State standards.
- Non-Negotiable Hard Copy License Review and Risk Assessment: for agreements at an impasse between Contracts Management and the vendor, the agreement is reviewed and a risk assessment is generated so that the requesting college or department, rather than the university as a whole, accepts the risk.