Saint Mary's University of Minnesota Information Security Program
Saint Mary’s University of Minnesota Information Security Program 2020-2021

This document contains confidential information for Saint Mary’s University of Minnesota Official Use Only. It shall not be disclosed in whole or in part without consent from the Executive Vice President and CFO.
Contents

Executive Summary ... 2
1. Program Scope and Details ... 4
1.1 Department Overview ... 4
1.2 IT Staff Responsibilities and Contact Information ... 4
2. Hardware Info ... 4
2.1 Overall Network Configuration ... 4
2.2 Physical and Environmental Protection ... 5
2.3 Hardware ... 7
3. Data and Software ... 7
3.1 Software ... 7
3.2 Data Flow/Integrations ... 8
3.3 Data Categorization ... 8
3.4 Report Requests ... 8
4. System Security Controls ... 8
4.1 Onboarding Process ... 8
4.2 Offboarding Process ... 8
4.3 Password Policies ... 9
4.4 Access Control ... 9
4.5 Badge Access ... 9
4.6 Surveillance ... 10
4.7 Third Party Access ... 10
4.8 Consent to do Business (Electronic) ... 10
4.9 IT Change Control ... 10
5. Maintenance ... 10
5.1 System and Information Integrity and Uptime ... 11
5.2 Backup Process ... 11
5.3 Audit ... 11
5.4 Donation Process ... 11
5.5 E-Waste Disposal ... 11
6. Awareness and Training ... 11
7. Risk Assessment/Security Assessments ... 12
7.1 Cybersecurity Insurance ... 12
8. Incident Response ... 12
8.1 Incident Response Plan ... 12
Executive Summary

The Saint Mary’s University of Minnesota (SMUMN) Information Security Program is a roadmap to help move our university to a more secure environment and to ensure proper processes and policies are in place to meet regulated guidelines and standards. In today’s world, it is not a matter of “if” a security breach happens, but rather “when”. Therefore, it’s essential that we continue to be proactive so we are prepared to analyze, secure, document, and report, if necessary, any incidents within an appropriate time frame. The program is coordinated by the Director of IT and reviewed and updated annually by the IT Leadership Team.

SMUMN is dedicated to protecting the private information of its students, faculty, staff and alumni, and data security is a top priority for the IT Department. High availability, with minimal downtime, is a must to help our students achieve their goals. Our network continues to grow and the needs of our students are constantly changing.

Utilizing the InfoTech Research group for many best practice templates, this document summarizes SMUMN’s approach to data security. It discusses current safeguards in place, identifies internal and external risks, and provides a framework for future efforts to secure our data. This program addresses the guidelines documented in:

● National Institute of Standards and Technology (NIST)
● General Data Protection Regulation (GDPR)
● Payment Card Industry (PCI)
● Family Education Rights and Privacy Act (FERPA)
● Health Insurance Portability and Accountability Act (HIPAA)
● Department of Energy (DOE)
● Title IV
● California Consumer Privacy Act (CCPA)

SMUMN uses InfoTech’s Governance and Management Assessment to track our security preparedness. Overall maturity has moved from 36% to 57% to 61% between March 2017 and February 2020. As with any performance improvement project, some issues were quickly identified and addressed, providing a larger increase in maturity between our first 2 assessments.

This past year, all 7 categories stayed the same or increased slightly, and the Auditing category made it into the green for the first time. It was again identified that our Security Culture is our biggest risk. This past summer, we partnered with KnowBe4, a well-known leader in security awareness training. A baseline phishing test was sent to staff and faculty in late July 2020 and resulted in a 26.1% Phish-prone rate, meaning one quarter of our staff failed. 82 of our employees actually entered their credentials. Future phish tests and training will be provided to staff and faculty on a regular, but random, basis. Those who fail will receive additional training. This new software will greatly increase the Security Culture category, which is currently at 19%.
Security is a moving target and we must proactively and intentionally focus time and money to protect our data. As noted above, part of this program is an annual review by the IT Leadership Team to assess the security program and associated processes and policies. During this review, IT Leadership also discusses and documents the upcoming security initiatives for the year. The last review was in July 2020.

2020-2021 Security Initiatives

1. *Move servers to internal IP addresses
2. *Create data classification documents
3. *Account cleanup (onboarding and offboarding)
4. *Security Awareness Training for staff and faculty
5. *Implement 2 Factor Authentication for GSuite University wide
6. *Add card access on the TC campus server room
7. Install TC security cameras
8. Additional UPS for the TC Campus Server Room and Elevators
9. Revise backup scheme/DR
10. Update VMware and replace hosts
11. Physically secure data closets in SLC

Recap of the completed 2019-2020 Security Initiatives

1. Install firewall for Apple Valley and Rochester campuses - Completed
2. *Move desktops and servers to internal IP addresses - 80%
3. *Document data integration between applications - Completed
4. *Add a backup internet connection for the Winona Campus - Completed
5. Replace the private data line from the Winona Campus to the TC Campus - Completed
6. Update end-of-life server operating systems (24 needed) - Completed
7. Upgrade security camera server and software on Winona Campus - Completed
8. Upgrade card access software and server on Winona Campus - Completed

* Indicates the initiative was started in a previous year and has carried over, either because it was not completed or because it is a multi-year project.

These topics and others are discussed in greater depth throughout this document. Specific updates and timelines regarding this year’s initiatives are documented here, and documentation of previous security initiatives is linked as an Appendix at the end of this document.

If you have any questions about the Information Security Program, please contact the Director of IT.
2019-2020 Security Initiatives

| Initiative | Anticipated Completion | Date Completed | Owner | What section of the plan does this apply to? | Notes |
|---|---|---|---|---|---|
| Install firewall for Apple Valley and Rochester campuses | 9-1-19 | 7-2019 | Mike Ziegler | 2.2 | Firewalls were purchased and installed in both Apple Valley and Rochester. Apple Valley has since closed. |
| Move IP addresses out of public IP ranges for desktops and servers | 6-1-20 | In progress | Mike Ziegler | 2.2 | 80% complete. Desktops and wireless complete. Need to finish some servers. Moved to 2020-2021 security initiatives. |
| Document data integration between applications | 12-31-19 | 12-2019 | Amanda Schock | 3.2 | A list of applications has been created and integrations marked with descriptions. Need to document the fields that are transferred between apps. |
| Create data classification documents | 12-31-19 | In progress | Amanda Schock | 3.3 | Delayed due to Covid and Strategic Initiative #5 progress. Moved to 2020-2021 security initiatives. |
| Account cleanup (onboarding and offboarding) | 12-31-19 | In progress | IT Leadership | 4 | 30,000 email accounts were deleted, bringing us to about 15,000 left. A policy/process is being brought forward with hopes for January 1, 2021 implementation to complete Gmail cleanup. User accounts will follow. Directory cleanup in progress with goal for October 31st, 2020. Adjuncts are now termed out of Great Plains after 1 year vs 2. |
| Security Awareness Training for staff and faculty | 6-1-20 | In progress | Tianna Johnson/Chad Lang | 6 | KnowBe4 was purchased and baseline test complete. More training to come. |
| Add a backup internet connection for Winona Campus | 12-31-19 | 6-2020 | Mike Ziegler | | Backup line with CenturyTel implemented early summer 2020. |
| Replace the private line from the Winona Campus to the TC Campus | 5-1-20 | 6-2020 | Mike Ziegler | 2.2 | Move to HBC with 1 GB line. |
| Update EOL Server OS (25 needed) | 12-1-19 | 4-2020 | Mike Ziegler | 2.2 | Windows and Linux servers have been updated and/or replaced. |
| Implement 2 Factor Authentication for GSuite University wide | 12-31-19 | In progress | Tianna Johnson | 4.3 | The IT dept is set up. Cabinet and Dept managers will be next to implement. Moved to 2020-2021 security initiatives. |
| Upgrade security camera server and software on Winona Campus | 9-1-19 | 12-2019 | Mike Ziegler/Chad Lang | | Server is purchased. Need to install software. |
| Upgrade card access software and server (RS2) on Winona Campus | 9-1-19 | 7-2019 | Mike Ziegler | 4.5 | Completed in July 2019. |
| Add card access on the TC campus server room | 12-1-19 | | Tianna Johnson | 2.2 | Moved to 2020-2021 security initiatives. |
2020-2021 Security Initiatives

| Initiative | Anticipated Completion | Date Completed | Owner | What section of the plan does this apply to? | Notes |
|---|---|---|---|---|---|
| Move servers to internal IP addresses | 6-1-21 | In progress | Mike Ziegler | 2.2 | This goal is carried over from previous years; however, it has been updated to reflect the fact that desktops, wireless, and other devices have already been moved. Once complete, we can look to schedule a penetration test. |
| Create data classification documents | 6-1-21 | | Amanda Schock | 3.3 | Will be completed in coordination with Strategic Initiative #5. |
| Account cleanup (onboarding and offboarding) | 3-1-21 | In progress | IT Leadership | 4 | 30,000 email accounts were deleted, bringing us to about 15,000 left. A policy/process is being brought forward with hopes for January 1, 2021 implementation to complete Gmail cleanup. User accounts will follow. Phone directory cleanup is in progress with a goal for October 31st, 2020. Adjuncts are now termed out of Great Plains after 1 year vs 2 years. |
| Security Awareness Training for staff and faculty | 1-1-21 | In progress | Tianna Johnson | 6 | KnowBe4 was purchased and baseline test complete. More training to come. |
| Implement 2 Factor Authentication for GSuite University wide | 1-1-21 | In progress | Tianna Johnson | 4.3 | The IT dept is set up. Cabinet and Dept managers will be next to implement. |
| Add card access on the TC campus server room | 1-1-21 | | Tianna Johnson | 2.2 | |
| Install TC security cameras | 11-1-20 | In progress | Tianna Johnson/Chad Lang | 4.6 | Getting quotes; meetings with vendor are scheduled. |
| Additional UPS for the TC Campus Server Room and Elevators | 7/1/2020 | 7/1/2020 | Mike Ziegler | 2.2 | UPSs were purchased and installed. |
| Revise backup scheme/DR | 5/1/2021 | | Mike Ziegler | 5.2 | |
| Update VMware and replace hosts | 6/1/2021 | | Mike Ziegler | 2.1 | |
| Secure more data closets in SLC | 6/1/2021 | | Mike Ziegler | 2.2 | |
KnowBe4 Security Awareness Training

Security Awareness Training and Simulated Phishing Platform. Helps you manage the ongoing problem of social engineering.

Old-school security awareness training doesn’t hack it anymore. Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks.

Baseline Testing
We provide baseline testing to assess the Phish-Prone™ percentage of your users through a free simulated phishing attack.

Train Your Users
The world’s largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.

Phish Your Users
Best-in-class, fully automated simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.

See the Results
Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!

The System Really Works
With KnowBe4’s massive database, we analyzed nearly 4 million users over the course of at least 12 months, and our 2020 research continues to uncover alarming results. The overall industry initial Phish-Prone percentage benchmark turned out to be a troubling 37.9%. Fortunately, the data showed that this 37.9% can be brought down more than half to just 14.1% within 90 days after deploying new-school security awareness training. The results after one year show that by following these best practices, the final Phish-Prone percentage can be minimized to 4.7% on average. See how your company’s Phish-Prone percentage compares to your peers! The Industry Benchmarking feature is included with your subscription.
Find Out How Effective Our Security Awareness Training Is

KnowBe4 is the world’s largest integrated platform for awareness training combined with simulated phishing attacks. Join our tens of thousands of customers who have mobilized their end users as a last line of defense.

KnowBe4 Security Awareness Training Features

Unlimited Use
We offer three Training Access Levels, giving you access to our content library of 1,000+ items based on your subscription level. Unlimited access to all phishing features with flexible licensing. No artificial license ceilings and 10% overage allowance. Powerful new features added regularly.

Social Engineering Indicators
Patented technology turns every simulated phishing email into a tool IT can use to dynamically train employees by instantly showing them the hidden red flags they missed within that email.

Engaging, Interactive Browser-based Training
The interactive training gives your users a fresh new learner experience that makes learning fun and engaging. Your users can choose the language they’re most comfortable with for the entire training interface, helping deliver a more immersive training experience. With the optional gamification feature, users can compete against their peers on leaderboards and earn badges while learning how to keep your organization safe from cyber attacks.

User Management
KnowBe4’s Active Directory Integration allows you to easily upload user data and saves you time by eliminating the need to manually manage user changes. You can also leverage the Smart Groups feature to tailor and automate your phishing campaigns, training assignments and remedial learning based on your employees’ behavior and user attributes.

Security Roles
Allows you to define unlimited combinations of level access and administrative ability that you’d like specific user groups to have. With delegated permissions you have the ability to limit roles to only display specific data or allow for the phishing, training, and user management of specific groups.

Upload Your Own Content
Want to supplement your KnowBe4 security awareness training content with your organization’s custom training or other corporate training content? Upload your own SCORM-compliant training and video content and manage it alongside your KnowBe4 ModStore training all in one place - at no extra cost!

Advanced Reporting Feature
60+ built-in reports provide holistic views and detailed reporting on your key awareness training indicators over time. Leverage Reporting APIs to pull data from your KnowBe4 console, and for multiple accounts, Roll-up Reporting makes it easy to view results in aggregate.

New! Assessments
Find out where your users are in both security knowledge and security culture to help establish baseline security metrics. Use the skills-based assessment and the security culture survey to measure and monitor your users’ security knowledge and sentiment to a security-aware culture over time.

Virtual Risk Officer™
The new innovative Virtual Risk Officer (VRO) functionality helps you identify risk at the user, group and organizational level and enables you to make data-driven decisions when it comes to your security awareness plan. Leverage the User Event API to push custom security-related events from your third-party platforms (like Mimecast or Splunk) to the KnowBe4 Console, influencing your users’ risk scores accordingly.

Custom Phishing Templates and Landing Pages
Apart from the thousands of easy-to-use existing templates, you can customize scenarios based on personal information and include simulated attachments to create your own targeted spear phishing campaigns. Each Phishing Email Template can have its own Custom Landing Page, which allows for point-of-failure education.

PhishER
As you phish and train your users they will start reporting potentially dangerous emails to your incident response team. The increase of this email traffic… can present a new problem! PhishER is an optional add-on for managing the high volume of messages reported by your users and helps you identify and respond to email threats faster.

Phish Alert Button
KnowBe4’s Phish Alert add-in button gives your users a safe way to forward email threats to the security team for analysis, and deletes the email from the user’s inbox to prevent future exposure. All with just one click!

Did you know that 91% of successful data breaches started with a spear phishing attack? Get your free phishing security test and find out what percentage of your employees are Phish-prone: www.KnowBe4.com/PST

KnowBe4, Inc. | 33 N Garden Ave, Suite 1200, Clearwater, FL 33755 | Tel: 855-KNOWBE4 (566-9234) | www.KnowBe4.com | Email: Sales@KnowBe4.com
March 2020 © 2020 KnowBe4, Inc. All rights reserved. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies.