Andrew, maybe I'm missing something, but wouldn't log auditing be a critical part of any toolset? Perhaps it's implied that each tool comes with its own logs, but having logs available is different than connecting log sources to something like ELK stack to make them more accessible. I don't know about you, but I prefer my logs to be parsed. I'm not so much of a masochist that I would enjoy scrolling through billions of lines of unstructured logs.

On Tue, Aug 8, 2023 at 10:19 AM Andrew Goble via USHE-ISO <ushe-iso@lists.dixie.edu> wrote:
Hi all,

I'll try to keep this brief.  There is no tl;dr version so bear with me.

At the CIO retreat last month, Corey presented on their efforts at the U to create a University baseline of controls and tools that should be in place across all business/academic units.  They came up with a list of 36 controls out of CIS and the following toolset:

  1. Network Access Control (NAC)
  2. Default Deny at the Network Perimeter
  3. Multi-factor Authentication (MFA)
  4. Data Loss Prevention (DLP)
  5. Privilege Access Management (PAM)
  6. Endpoint Privilege Management (EPM)
  7. Endpoint Detection and Response (EDR)
  8. Endpoint Security Solution (ESS)
*Corey/Dustin can correct me if I have their narrative wrong

With the State and Board of Regents very much aboard the shared services train, the CIOs have tasked us to go through a similar exercise, except for the System.  The end output here is to identify a subset of CIS controls (I view this as identifying a small, critical USHE-specific Implementation Group 1) and a set of tools / needs that would be part of the solution in achieving desired security outcomes for those controls.  Finally, this leads to Yet Another Funding Request to ask for the resources to make these outcomes possible.  I have no comment on the efficacy of repeated funding asks, that's not the point here.  USHE is clearly a leader in the state for shared or collaborative IT services already and this is an effort to stay in that leadership position by acting on our own terms instead of standing pat and letting the legislature/state act for/on us.


ACTION ITEMS
What I would ask of each of you is some discussion on the above:

What subset of CIS might we agree on as a USHE IG1?  (may or may not be the same 36 the UofU chose for their internal project, and I think fewer is probably better to start with)
What tools (specifically tied back to the controls we identify) might we coordinate and take advantage of shared purchasing and possible management on?
General thoughts and disposition?

I've also attached a simple spreadsheet with the UofU toolset just to get an idea of where we are at system-wide on that toolset.  Please fill it out and send it back to me and I'll compile a master list. 

Thanks,
Andrew



--
USHE-ISO mailing list
USHE-ISO@lists.dixie.edu
http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-iso