Information Technology systems are essential to the efficient and effective operation of the North Dakota University System. As such, CTS has a responsibility to safeguard information created, collected, or distributed within its environment and protect it from unauthorized disclosure, modification, or destruction. The degree of data and system protection is based on the nature of the information and its intended use.
To apply appropriate security measures, the NDUS Information Security Strategic Plan involves a multilayered approach:
Governance is the canopy that administers and manages the information security environment for the NDUS. The two groups that provide this oversight include:
- NDUS Information Security Council (ISC)
- CTS Information Security Group (ISG)
The foundation of the NDUS information security strategy rests on system rules and doctrine:
- NDUS policies (1200 series)
- NDUS procedures
- Data standards
In between the canopy and the foundation, a variety of tools and tactics create the defensive posture:
- Multi-factor authentication
- Endpoint protection
- Training and awareness
- Sensitive information discovery
- Vulnerability management
- Centralized logging
The Information Security Department (InfoSec), in collaboration with the NDUS Information Security Council (ISC), has identified 10 strategic initiatives aimed at protecting CTS systems and data from known cyberattack vectors. These initiatives are aligned with the Center for Internet Security’s (CIS) 20 Critical Security Controls (CSC), which are a set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. InfoSec also utilizes the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NCF) as the foundation for much of its security planning efforts.
Data Loss Prevention
Avoiding loss of data is paramount to security. CTS has deployed technologies to scan endpoints and network systems for restricted and private information. This will allow CTS and campuses to reduce their sensitive data footprint, control access to this data, and minimize the risk of a breach. In addition, InfoSec will work to implement data loss controls in systems where sensitive information might be exposed, such as email and cloud services.
InfoSec has worked with CTS and institutions to deploy endpoint protection to CTS and 9 NDUS campuses. Other endpoint protections are also being explored to expand capabilities and systems to improve endpoint computer security.
NDUS currently scans over 7,700 systems across CTS and 11 campuses to help mitigate threats and reduce the attack surface to systems, services, and applications. Additionally, InfoSec has worked with CTS departments to conduct more detailed and accurate credentialed scans in the NDUS datacenter, as well as configure and conduct policy scans to assess compliance with the CIS security benchmarks.
InfoSec and a CTS functional team have worked to implement a centralized logging system to assist in identifying security risks and conducting incident response for CTS systems and applications. Future efforts include the expansion of log collection to more CTS data center systems, implementing security event dashboards and alerts, and procuring and deploying the Splunk Enterprise Security application to address security risks and assist in responding to security incidents more proactively.
Identity and Access Management
The InfoSec team, in coordination with CTS and NDUS institutions, continues to expand the multi-factor authentication (MFA) system to protect more applications from the risk of stolen credentials. Currently, MFA protects 47 critical business applications and more than 25,000 student accounts across the NDUS.
Helping faculty, staff, and students understand security risks, as well as how to protect themselves, NDUS data, and resources, is key to improving the overall security posture of the NDUS. InfoSec has worked with CTS and 5 NDUS campuses to procure and deploy a security awareness and phishing assessment platform called InfoSecIQ from the Infosec Institute. InfoSec will continue to expand security awareness activities as well as explore security skills training for CTS and campus IT employees.