University Cybersecurity Program Plan
The university Cybersecurity Program Plan provides high-level information describing the university Cybersecurity Program and its major components including the appointment of a coordinator, the selection and implementation of safeguards, ongoing risk assessments, training and the management of service providers.
Specific cybersecurity policies, standards, and guidelines as well as detailed plans and procedures are represented in separate documents.
The Chief Information Security Officer (CISO) has been appointed to coordinate this program.
Office of Information Security Roles and Responsibilities
The Office of Information Security, under the direction of the CISO and reporting to the Vice President of Information Technology (VPIT), maintains a dedicated staff of trained cybersecurity professionals. The Office of Information Security is responsible for organization-wide risk management, vulnerability management, security operations, incident management and response, and management of the Cybersecurity Program.
Unit Contacts, Roles and Responsibilities
Deans, department heads, etc. designate contacts called Departmental Network Liaisons (DNLs) to assist in implementation of the Cybersecurity Program. DNL responsibilities include:
- serving as a point of contact for the Office of Information Security,
- annual inventory of Sensitive, Restricted, and Critical covered assets,
- reporting and assisting with security incident response,
- participating in annual training.
Units are responsible for conducting unit-level risk assessments to identify risks that are unique to their area of operation and for implementing appropriate system-specific safeguards in addition to the common safeguards enumerated below. Risk assessments can be carried out independently as a gap analysis using the Data Classification and Protection Standard, or units can request support from the Office of Information Security to complete unit-level assessments.
Covered Assets
- Any institutional data classified as Internal, Sensitive or Restricted per the university’s Data Classification and Protection Standard, including regulated data (e.g. FERPA, HIPAA, GLBA) and data governed by separate policies or committees (e.g. Customer Information Security Program Policy and GLBA Policy, Credit/Debit Card Policy, Data Management and Governance Committee).
- Mission critical systems including infrastructure, applications, equipment, etc.
Data Management Lifecycle
Collection and management of covered data assets are governed by the university’s governance structure in accordance with the University System of Georgia Business Procedures Manual.
All data assets are classified and protected in accordance with the university’s Data Classification and Protection Standard.
Data retention and destruction comply with the policy referenced at http://www.usg.edu/records_management/. Acceptable destruction procedures are also included in the university’s Data Classification and Protection Standard.
Risk assessments are conducted at least annually to identify existing and potential safeguards to mitigate foreseeable risks to covered assets. Risk assessments are used to inform the selection and implementation of safeguards. Identified risks without mitigating or compensating safeguards are documented and tracked in a central risk registry.
Program safeguards include physical, administrative and technical safeguards across five high level functions: identification, protection, detection, response, and recovery. Taken together these safeguards constitute a common control environment for university systems.
Identification – measures for identifying threats and risks
- Annual inventory of Sensitive/Restricted Data and Critical systems
- Vulnerability assessment
- Risk assessments
- Procurement oversight for computer equipment, software and services (CESS)
Protection – measures to prevent security breaches and associated impacts
- Security awareness onboarding for all new employees
- Twice annual security awareness training for all employees
- New employee background checks
- Annual security training for appointed DNLs
- Identity theft protection (see Red Flags below)
- Information security policies, standards, and guidelines (PSGs) including minimum security standards
- Network perimeter security including zero-day threat protection
- Firewall rules management including separation of duties and expiration of rules
- Vulnerability management
- Penetration tests and network security audits
- Data loss prevention
- DNS threat protection
- Two-factor authentication service
- Restricted data VPN and VDI environment
- Physical security
Detection – measures to detect security incidents
- Intrusion detection
- Network security monitoring
- Data loss prevention
- Security event management, correlation and alerting
- VPN logon notifications
- Membership in multiple industry Information Sharing and Analysis Centers (ISACs)
Response – measures for responding to attack or breach conditions
- Centralized incident management capability and formal Cyber Security Incident Response Plan (CSIRP) including procedures for notifying the University System of Georgia, regulators, partners and affected individuals.
- Incident detection, containment, and forensics procedures.
Recovery – measures for ensuring recovery to normal operations
- Continuity of Operations Plan (COOP)
The Office of Information Security, the Procurement Office, and the Office of Legal Affairs ensure service providers implement appropriate safeguards and that contractual agreements detailing privacy and security requirements are in place via the CESS process. The Office of Information Security also coordinates directly with service providers to test the security of systems that will store or process covered data.
Program Monitoring and Maintenance
The Cybersecurity Program is evaluated and adjusted continuously. Feedback from risk assessments, security operations, and incident response activities informs the program coordinator’s selection and implementation of program components and safeguards.
Plan Review and Approval
The CISO reviews and approves this plan at least annually.
This document is classified as “Public” information per the university Data Classification and Protection Standard and can be shared accordingly. This document shall be published publicly via the EITS website.
Red Flags Rule Compliance and Identity Theft Protection
Units with data covered by the GLBA policy will also be covered by the UGA Red Flags Rule policy.