2. Classify and categorize university systems
Next, classify and categorize the systems and data your organization uses. This can be a broad scan of all computing and data assets, or in the case of zero-trust architectures, it can be more narrowly focused on the “protective surface” of your institution’s critical assets. In either case, the goal of this effort is to assign each system a classification (usually based on data sensitivity) and categorize systems based on similar attributes so that you can assign common controls.
3. Perform comprehensive threat modeling
Threat modeling requires an organization consider the risks to data and IT assets in the context of its overall business and regulatory environment. In this phase, it helps establish a repeatable process to assess risk and identify the highest priority systems to review.
A repeatable risk assessment process such as the NIST Risk Management Frameworkcoupled with proper system classification and categorization, will help your institution identify and assign security controls consistently over time.
DISCOVER: Future proof higher education infrastructure security strategy.
4. Select and implement security controls
Once your systems have been classified and the risks assessed, you should have a good idea of your top priorities for selecting controls. Security controls are safeguards that ensure that a particular security policy is enforced or violations are reported. Security controls can be technical, administrative, or physical in nature and are often grouped into families. NIST Special Publication 800-53 identifies 18 discrete control families ranging from physical access to system and information integrity.
To successfully implement security controls, IT teams must translate those controls into technical configuration, business processes, or physical controls. Fortunately, several resources can help you. The US Department of Defense publishes Security Implementation Technical Guides which provide step-by-step instructions for implementing control families on different platforms. Moreover, the Internet Security Center offers basic configurations for many systems. These benchmarks can be used both to configure a system initially and to monitor it over time for compliance with a given set of controls.
In this phase, it is important to consider not only the controls, but also the measures necessary to accurately assess the effectiveness of the security architecture. Measuring baseline compliance, patch cadence, or vulnerability scan results over time can help you understand where your architecture is performing effectively and where it needs attention.
TO EXPLORE: How to avoid security breaches within the IT department.
5. Monitor, adapt and continually improve controls
Finally, an organization must monitor and evaluate the effectiveness of its security controls over time. NIST Special Publication 800-137 offers guidance that integrates security monitoring into the risk management framework and provides technical, business, and executive insight into security posture. It describes a family of continuous information security monitoring tools and their main requirements.
Integration with both helpdesk and inventory systems and with security information and event management and log aggregation tools is essential. Tools supporting the Security Content Automation Protocol can continuously monitor SCAP-compliant endpoints and alert if they deviate from an established baseline.