
No offense taken. We're all working with different tools and I'm sure we'll all have different ideas on what's possible. I think the whole point of the groups is to come to a compromise we can all agree on.
On Tue, Aug 8, 2023 at 11:30 AM Dustin Udy <d.udy@utah.edu> wrote:
Um yeah, I think those costs are totally questionable. They don't seem to be taking into account the number of political meetings every one of us would be in, not to mention HOW long it would take to even get some of them done. You'd need to have tools to find all your data and assets before you can get some of them started. Those seem like pipe dreams from a group that isn't in the trenches.
Sorry, Eric, I don't like that list, and I'm not saying the U's is the gold standard; it's what we came up with, with what tools we already had as well as what we thought we could pull off, my opinion of Corey's baby.
Dustin
- These are just my opinions; they may not reflect those of my boss or organization. I may have had a lot of coffee and not enough water as well here.
From: USHE-ISO <ushe-iso-bounces@lists.dixie.edu> on behalf of Eric Bennick via USHE-ISO <ushe-iso@lists.dixie.edu>
Sent: Tuesday, August 8, 2023 11:02 AM
To: Andrew Goble
Cc: ushe-iso@lists.dixie.edu
Subject: Re: [USHE-ISO] USHE Security Outcomes / Shared Services Discussion
Sorry, I guess that was more of a rhetorical question. Let me try to offer a better start to the discussion. CISA has already provided a document which has identified minimum controls and ranked them according to impact, cost, and complexity. I wanted to suggest everyone here take a look if you haven't already. There are 38 controls on the list, and I'm going to put forward the suggestion that we use these as the recommended subset of CIS controls. It seems like this is what the CIOs are asking for; I don't think we need to spend too much time debating the details when this resource already exists and was created specifically for entities like us which are resource constrained.
On Tue, Aug 8, 2023 at 10:45 AM Eric Bennick <ebennick@weber.edu> wrote:
Andrew, maybe I'm missing something, but wouldn't log auditing be a critical part of any toolset? Perhaps it's implied that each tool comes with its own logs, but having logs available is different than connecting log sources to something like an ELK stack to make them more accessible. I don't know about you, but I prefer my logs to be parsed. I'm not so much of a masochist that I would enjoy scrolling through billions of lines of unstructured logs.
On Tue, Aug 8, 2023 at 10:19 AM Andrew Goble via USHE-ISO <ushe-iso@lists.dixie.edu> wrote:
Hi all,
I'll try to keep this brief. There is no tl;dr version, so bear with me.
At the CIO retreat last month, Corey presented on their efforts at the U to create a University baseline of controls and tools that should be in place across all business/academic units. They came up with a list of 36 controls out of CIS and the following toolset:
- Network Access Control (NAC)
- Default Deny at the Network Perimeter
- Multi-factor Authentication (MFA)
- Data Loss Prevention (DLP)
- Privileged Access Management (PAM)
- Endpoint Privilege Management (EPM)
- Endpoint Detection and Response (EDR)
- Endpoint Security Solution (ESS)
*Corey/Dustin can correct me if I have their narrative wrong
With the State and Board of Regents very much aboard the shared services train, the CIOs have tasked us to go through a similar exercise, except for the System. The end output here is to identify a subset of CIS controls (I view this as identifying a small, critical USHE-specific Implementation Group 1) and a set of tools / needs that would be part of the solution in achieving desired security outcomes for those controls. Finally, this leads to Yet Another Funding Request™ to ask for the resources to make these outcomes possible. I have no comment on the efficacy of repeated funding asks, that's not the point here. USHE is clearly a leader in the state for shared or collaborative IT services already and this is an effort to stay in that leadership position by acting on our own terms instead of standing pat and letting the legislature/state act for/on us.
ACTION ITEMS
What I would ask of each of you is some discussion on the above:
- What subset of CIS might we agree on as a USHE IG1? (may or may not be the same 36 the UofU chose for their internal project, and I think fewer is probably better to start with)
- What tools (specifically tied back to the controls we identify) might we coordinate and take advantage of shared purchasing and possible management on?
- General thoughts and disposition?
I've also attached a simple spreadsheet with the UofU toolset just to get an idea of where we are at system-wide on that toolset. Please fill it out and send it back to me and I'll compile a master list.
Thanks, Andrew
--
USHE-ISO mailing list
USHE-ISO@lists.dixie.edu
http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-iso