OIT Change Management

This service optimizes communication and coordination between OIT and the NC State campus community, with our focus on the following results:

• Minimized conflicts when we make technical changes to our services
• OIT service customers understand the reason for the changes and the impact they will have.

OIT Continuity

These services maintain the OIT Business Continuity Plan while:

• Providing overall guidance for unit plans
• Facilitating resiliency testing as needed

Data Discovery and Protection

The Data Discovery and Protection (DDP) program is a campus-wide data management initiative to safeguard all university data. Visit the Data Discovery and Protection web page for details.

Data Encryption

This service offers guidance with data-encryption solutions to protect university data.

Log Management and Event Correlation

This service includes the management and maintenance of a central repository for the investigation and analysis of security events. After collecting and correlating events from multiple sources, the results are shared to help identify, resolve, and prevent incidents.

Multifactor Authentication

Multifactor Authentication (MFA) adds a critical layer of security when a user logs into an account. With the MFA service, the user must meet one of the following authentication requirements in addition to entering a unique passphrase:

• USB security key
• Security code (delivered to a mobile device via text or mobile app)
• Backup code

The MFA service includes the following:

• Technical security implementation and support
• Alert investigation, remediation, and notification

Network Security Monitoring

This service monitors the university network with packet brokers, aggregating data from all network devices to send to analysis tools.

Password Vault Management

This service manages and supports the university’s password-vault utility for the system administrators and staff across campus that are supported by the central license.

SSL Certificate Management

This service includes the reviews and certificates required for Secure Socket Layer (SSL) applications.

Vulnerability Scanning and Penetration Testing

This service includes implementation and support for scanning and penetration testing, investigation, remediation, and notification associated with identified alerts.

Web Application Security Testing

This service helps NC State development teams assess the security of their web applications and reduce associated security risks. In addition to empowering developers to identify and fix the most critical security issues, this service provides guidance regarding web-application security concepts and best practices.

Data Management

This service provides ongoing assistance in collaboration with data trustees, stewards, and custodians to align data classification and protection requirements with:

• Current threats
• Legal and university requirements

General Security Consultation, Security Architecture, and Review

This service provides the ongoing protection of sensitive university data and other digital assets by offering the following:

• Consultation, guidance, and ad hoc support to maintain security best practices throughout system life cycles
• Security requirements and design criteria for university initiatives

IT Risk Management

This service provides the following support:

• Continuous IT risk identification, ranking, and mitigation recommendations
• Security assessments to identify and reduce risks, particularly for non-IT organizations
• Continuous third-party application security assessments to ensure product security meets university requirements
• Planning and facilitation of activities necessary for the university to evaluate and resolve IT, data, and risk issues
• Consulting services to help secure data with integration of business processes

Security Awareness and Training

This service includes the following for students, faculty, staff, and all university stakeholders:

• Development and delivery of effective security awareness and training
• Development and facilitation of workshops and customized training
• Coordination of training associated with university-related security certifications to document and demonstrate compliance with mandated policy, regulations, rules, and standards
• Security awareness training for students, faculty, and staff referred by university stakeholders — for example, schools, departments, Principal Investigators (PI’s), Internal Audit, Institutional Review Board (IRB), and so forth

Data Security Training

This online Data Security Training module is required annually for all university employees, including student employees. This training module focuses on cybersecurity awareness topics that are critical to the university, including phishing, Two-Factor Authentication (2FA), and mobile device security.

HIPAA Training

The HIPAA Privacy and Security Rules training encompasses a hybrid of all campus-relevant, HIPAA-covered components; required annually.

Targeted Training

Data Management Regulation and Data Sensitivity training: University data trustees, stewards, managers, custodians, and all users of sensitive-data environments are required to complete targeted training based on their roles and responsibilities. This training is provided to those who must access sensitive data; required before access can be granted.

Ad Hoc Training

OIT S&C provides training on a variety of security topics based on customer needs.

Cybersecurity Liaison Team

This service provides management and coordination of the Cybersecurity Liaison Team.

Digital Forensics

This service provides the following:

• System forensics analysis, data acquisition, and incident response
• System data retrieval in response to requests from law enforcement, litigation holds, and sysadmins — to assist in root-cause analysis

Security Incident and Response

This service includes incident response management, notification, and tracking for information security issues such as the following:

• Potential unauthorized disclosure or alteration of:
  • University data not routinely made available to the general public; for example, employee evaluations
  • Data the university is bound legally or contractually to protect; for example, social security numbers, credit card numbers, and certain research data
• Loss or theft of electronic storage devices or media containing:
  • University data not made available to the general public routinely
  • Data the university is bound legally or contractually to protect
• Content in a university web page, through pop-up or direct access:
  • Advertising for a non-educational commercial product; for example, an online pharmacy
  • Pornographic material
  • Distribution of viruses or malicious software from a computer on the NC State University network

Security Support

This service supports campus organizations that require system access higher than what is available to its users.

Examples: Litigation Hold retrievals, employee separation support, answering general security questions, and so forth.

Access Reviews

This service provides assistance with annual access certification for enterprise systems.

Internal and External OIT Audit Coordination

This service facilitates:

• Internal and external IT audits involving OIT
• Corrective actions (and monitors their effectiveness)

Litigation Holds/eDiscovery Coordination

Electronic discovery, aka e-discovery, is the process of “retrieving, saving and producing electronically stored information in anticipation of and during litigation.”

In 2006, the Federal Rules of Civil Procedure were amended to include the preservation and production of Electronically Stored Information (ESI) — stating that ESI may be stored on PDAs, laptops, office computers, and portable media (such as USB drives, CDs, DVDs, and so forth.).

Failure to comply with the requirements for producing ESI may subject the university to serious sanctions.

Research Data Security Consultation & Evaluation

In response to PI or ORI requests for security-requirement reviews of special contracts or grants, this service includes negotiation of terms and assessment of NC State’s ability to comply.

Security Compliance Program Development, Management & Continuous Assessment

To ensure compliance with university policies and state and federal requirements, this service provides continuous activities:

• Assessment of university infrastructure, systems, services for compliance ISO 27002, GLBA, Red Flags, NIST 800-171, PCI DSS, HIPAA, and so forth
• Annual ISO 27002 compliance gap analysis for the UNC System security peer-review program
• PCI compliance assessment and validation activities

• HIPAA compliance program management to ensure protection of PHI data
• NIST 800-171 compliance program management to ensure protection of Controlled Unclassified Information (CUI)
• Higher Education Opportunity Act (HEOA) Compliance program management to ensure effective responses to potential violations of the Digital Millennium and Copyright Act (DMCA)
• PowerAmerica Security and Compliance Program (PA SCP) management to ensure that PowerAmerica data on campus (and also on external member locations) are protected as required by the PA SCP

Security Policy, Regulations, Rules (PRRs) and SOP Development

To ensure alignment with university business needs, the evolving threat landscape, and compliance requirements, this service provides the development and maintenance of information security Policies, Regulations, Rules (PRRs) and SOPs.

IT Purchase Compliance Management

The IT Purchase Compliance requirement applies to all IT purchases of $5,000 or more and all HIPAA- and PCI-related purchases regardless of cost. This includes new IT purchases as well as maintenance and support renewals for IT purchases made previously. This service manages the overall process to ensure that security, accessibility and integration reviews occur on campus software purchases greater than $5,000.

IT purchases include software and more:

• Software applications and operating systems
• Web-based applications (SaaS)
• Cloud-hosting services
• Products that process electronic payments
• Network and storage solutions (for example, Load Balancer, IP management, VPN, storage platform, and so forth)
• Integrated hardware such as endpoints connected to special purpose devices (for example, microscopes)

License Risk Assessment

This service includes the following:

• Clickwrap Agreement Risk Assessment — Conduct risk assessments on clickwrap agreements before users accept licensing terms. This service ensures the terms meet university and State standards.
• Non-Negotiable Hard Copy License Review and Risk Assessment — For those agreements at an impasse between Contracts Management and the vendor, agreements are reviewed and risk assessments are generated for colleges and departments to accept risk instead of the university.