Overview
Information assets and technology resources are both valuable and essential to the mission of Marshall University. Administrative, technical, and physical safeguards are required to protect the assets and resources to support that mission; meet legal, regulatory, and contractual obligations; and protect privacy.
The Marshall University Cybersecurity Program Plan provides high-level information describing the university Cybersecurity Program and its major components including the appointment of a coordinator, the selection and implementation of safeguards, ongoing risk assessments, training, and the management of service providers.
Specific cybersecurity policies, standards, and guidelines as well as detailed plans and procedures are represented in separate documents.
Goals
- Align the University’s information security efforts to support its mission while supporting privacy, legal, regulatory, and contractual obligations.
- Promote awareness of information security risks and responsibilities.
- Collaborate with other organizations and institutions to increase awareness, knowledge, and sharing of information security information.
- Maintain an awareness of relevant requirements, technologies, and risks to continuously improve this program.
Roles and Responsibilities
Chief Information Security Officer
The Chief Information Security Officer (CISO) has been appointed to coordinate this program.
Office of Information Security
The Office of Information security under direction of the CISO and reporting to the Chief Information Officer (CIO) maintains a dedicated staff of trained cybersecurity professionals. The Office of Information Security is responsible for organization-wide IT risk management, vulnerability management, security operations, incident management and response, and management of the Information Security Program.
Departments
Deans, department heads, and designate contacts assist in implementation of the Information Security Program. Their responsibilities include:
- Serve as a point of contact for the Office of Information Security
- Annual inventory of sensitive information and covered assets
- Performing annual unit-level risk assessments
- Assisting with security incident response
- Participating in annual awareness training.
Personnel
- Responsible Use – Each person using University Information Technology resources is required to be familiar and comply with University policies and must comply with those policies as well as all relevant laws, regulations, obligations, standards, and rules. Accounts, access codes, privileges, and IT resources must not be used for unauthorized purposes.
- Awareness Training – All employees and users with access to protected data receive information security awareness training at the time of hiring or orientation and at least annually thereafter.
Covered Assets
Any institutional data classified as Internal, Sensitive or Restricted per the University Data Classification Standard (ITG-4) including regulated data (e.g., FERPA, HIPAA, GLBA, etc.) and information governed by specific policies or requirements (e.g., PCI, GDPR, etc.).
Mission critical systems including infrastructure, applications, equipment, etc.
Data Management Lifecycle
Collection and management of covered data assets are governed by this plan and associated policies, rules, and standards. Data retention and destruction complies with the University Records Retention Policy (UPGA-3).
Risk Assessments
Risk assessments are conducted at least annually to identify foreseeable risks to covered assets. Risk assessments are used to inform the selection and implementation of safeguards. Identified risks without mitigating safeguards are documented, appropriately reviewed, approved, and monitored.
Units are responsible for conducting unit-level risk assessments to identify risks that are unique to their area of operation and for implementing appropriate safeguards to address these risks in addition to the common safeguards. Units can perform risk assessments independently, or units can request support from the Office of Information Security to complete unit-level assessments.
Safeguards
Program safeguards include physical, administrative, and technical safeguards across five high level functions: identification, protection, detection, response, and recovery. Taken together these safeguards constitute a common control environment for university systems.
Identification – measures for identifying threats and risks
- Annual review of covered data and critical systems
- Vulnerability assessment
- Risk assessment
- Oversight of third-parties
Protection – measures to prevent breaches and associated impacts
- Information security policies, standards, and guidelines
- Security awareness training for all new employees
- Annual security awareness training for employees
- New employee background checks
- Identity theft protection
- Network perimeter security
- Vulnerability management
- Critical network services protection
- Anti-malware
- Multi-Factor-Authentication (MFA)
- Regular network security reviews, audits, and penetration tests
- Intrusion prevention and data loss prevention
- Remote access protection (VPN, VDI, etc.)
- Physical security measures
Detection – measures to detect security incidents
- Network security monitoring
- Anti-malware monitoring
- Account use and access alerts
- Security event management
- Participation in industry information sharing.
Response – measures for responding to attack or breach conditions
Recovery – measures for ensuring recovery to normal operations
- Business Continuity/Continuity of Operations Plan
Service Providers
The Office of Information Security, the Procurement Office, and the Legal Department ensure service providers implement appropriate safeguards and that contractual agreements detailing privacy and security requirements are in place. The Procurement Office coordinates with the Office of Information Security to ensure appropriate measures are in place to protect covered information.
Program Monitoring and Maintenance
This Program is evaluated and adjusted continuously. Feedback from risk assessments, security operations, and incident response activities inform the design and implementation of program components and safeguards by the program coordinator.
Plan Review and Approval
This plan is reviewed at least annually.
Red Flags Rule Compliance and Identity Theft Protection
Units with data covered by the GLBA policy will also be covered by the University Fair and Accurate Credit Transactions Act Compliance Policy (UPFA-7).
Questions
Any questions concerning the content of this Plan and associated Policies, Standards and Guidelines should be addressed to Jon Cutler, Chief Information Security Officer, ciso@marshall.edu .
References
- Data Classification Standard – https://www.marshall.edu/it/files/ITG-4-Guideline-for-Data-Classification-2019.pdf
- Records Retention Policy – https://www.marshall.edu/policies/files/2023/12/UPGA-3-Record-Retention-Policy-2012-10-30.pdf
- Information Security Incident Response Procedure – https://www.marshall.edu/it/files/ITP-19-posted.pdf
- Red Flags Rule – https://www.marshall.edu/policies/files/2023/12/UPFA-7-Identity-Theft-Prevention-Program-2019-12-3.pdf
Plan Revision and Review
Date | Reviewer | Description |
2021-05 | CISO / jbc | Submission of initial program plan |
2022-06 | CISO / jbc | Annual plan review |
2023-07 | CISO / jbc | Edits, annual plan review |
2024-07 | CISO / jbc | Edits, annual plan review |