
I totally agree, manpower is what the true critical need is for everyone. I think the problem with making that our top request is manpower means we'd be asking for recurring funding. From what I understand, requests for funding have historically resulted in failure; asking for tools/capabilities is a different approach which we're hoping will have a better chance of success.
I'm totally fine if we want to make this a funding request to cover personnel, if that's what everyone agrees on. I'm in support of doing anything which provides the greatest benefit to the entire group.
On Thu, Aug 24, 2023 at 8:51 AM Jim Shakespear shakespear@suu.edu wrote:
I have had DLP in my mind as well and agree with the privacy aspect as well. Our problem is having manpower to implement and manage such a tool. I know it's been said that we all don't have the staffing to manage the tools, so just reiterating that point.
I just sent my information in the sheet as well.
Jim
On Wed, Aug 23, 2023 at 5:41 PM Eric Bennick via USHE-ISO <ushe-iso@lists.dixie.edu> wrote:
I've put the information you wanted in the sheet. As for the tools, I would personally vote to give top priority to DLP, because it'll help with the privacy requirements the legislature created and also with the stuff the USHE privacy committee is working on.
On Tue, Aug 8, 2023 at 10:19 AM Andrew Goble via USHE-ISO <ushe-iso@lists.dixie.edu> wrote:
Hi all,
I'll try to keep this brief. There is no tl;dr version so bear with me.
At the CIO retreat last month, Corey presented on their efforts at the U to create a University baseline of controls and tools that should be in place across all business/academic units. They came up with a list of 36 controls out of CIS and the following toolset:
- Network Access Control (NAC)
- Default Deny at the Network Perimeter
- Multi-factor Authentication (MFA)
- Data Loss Prevention (DLP)
- Privilege Access Management (PAM)
- Endpoint Privilege Management (EPM)
- Endpoint Detection and Response (EDR)
- Endpoint Security Solution (ESS)
*Corey/Dustin can correct me if I have their narrative wrong
With the State and Board of Regents very much aboard the shared services train, the CIOs have tasked us to go through a similar exercise, except for the System. The end output here is to identify a subset of CIS controls (I view this as identifying a small, critical USHE-specific Implementation Group 1) and a set of tools / needs that would be part of the solution in achieving desired security outcomes for those controls. Finally, this leads to Yet Another Funding Request™ to ask for the resources to make these outcomes possible. I have no comment on the efficacy of repeated funding asks, that's not the point here. USHE is clearly a leader in the state for shared or collaborative IT services already and this is an effort to stay in that leadership position by acting on our own terms instead of standing pat and letting the legislature/state act for/on us.
ACTION ITEMS
What I would ask of each of you is some discussion on the above:
- What subset of CIS might we agree on as a USHE IG1? (may or may not be the same 36 the UofU chose for their internal project, and I think fewer is probably better to start with)
- What tools (specifically tied back to the controls we identify) might we coordinate and take advantage of shared purchasing and possible management on?
- General thoughts and disposition?
I've also attached a simple spreadsheet with the UofU toolset just to get an idea of where we are at system-wide on that toolset. Please fill it out and send it back to me and I'll compile a master list.
Thanks, Andrew
-- USHE-ISO mailing list USHE-ISO@lists.dixie.edu http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-iso
-- Jim Shakespear | Director of IT Security INFORMATION TECHNOLOGY, SOUTHERN UTAH UNIVERSITY ELC 513 | (435) 865-8202