The mission of the Chief Information Security Office is to safeguard the confidentiality, integrity, and availability of information systems by providing proactive security expertise, creating and maintaining a robust security architecture, and fostering a culture of security awareness throughout the campus.
The Chief Information Security Office (CISO) is responsible for establishing and maintaining a security framework and comprehensive program that supports the University’s mission and goals. The security program will address:
- Security Management Practices (Security controls, Policies/Procedures, Risk Management)
- Access Control Systems (Identification/Authentication/Authorization, Access Control Models)
- Telecommunications and Network Security (TCP/IP, LAN/MAN/WAN Technologies, Firewall types and Architectures)
- Cryptography (Ciphers and Algorithms)
- Security Architecture and Models (Access control models, Certification/Accreditation)
- Operations Security (Responsibilities, Roles, Media Library and Resource Protection)
- Application and Systems Development (SDLC, Database Models)
- Business Continuity and Disaster Recovery (Planning, Roles/Responsibilities, Liability, BIA)
- Law, Investigation and Ethics (Laws, Crimes, Evidence handling)
- Physical Security (Location issues, physical vulnerabilities/threats, perimeter protection)
- Change Management
- Security Awareness and Training
The CISO reports directly to the Vice President of Information Technology/CIO. The CISO will be the strategic and managing body for IT security initiatives. There is also a need for an operational security group that implements controls, executes technical scans and audits, performs forensics, and so on. This operational group will report up through the Technical Infrastructure Services (TIS) area but will be tasked directly by the CISO. In order to maintain a trust barrier and separation of duties, the members of the operational security group will not hold dual responsibilities within the TIS area.