USHE Security Outcomes / Shared Services Discussion

Hi all,
I'll try to keep this brief. There is no tl;dr version so bear with me.
At the CIO retreat last month, Corey presented on their efforts at the U to create a University baseline of controls and tools that should be in place across all business/academic units. They came up with a list of 36 controls out of CIS and the following toolset:
- Network Access Control (NAC)
- Default Deny at the Network Perimeter
- Multi-factor Authentication (MFA)
- Data Loss Prevention (DLP)
- Privilege Access Management (PAM)
- Endpoint Privilege Management (EPM)
- Endpoint Detection and Response (EDR)
- Endpoint Security Solution (ESS)
*Corey/Dustin can correct me if I have their narrative wrong
With the State and Board of Regents very much aboard the shared services train, the CIOs have tasked us to go through a similar exercise, except for the System. The end output here is to identify a subset of CIS controls (I view this as identifying a small, critical USHE-specific Implementation Group 1) and a set of tools / needs that would be part of the solution in achieving desired security outcomes for those controls. Finally, this leads to Yet Another Funding Request™ to ask for the resources to make these outcomes possible. I have no comment on the efficacy of repeated funding asks, that's not the point here. USHE is clearly a leader in the state for shared or collaborative IT services already and this is an effort to stay in that leadership position by acting on our own terms instead of standing pat and letting the legislature/state act for/on us.
ACTION ITEMS
What I would ask of each of you is some discussion on the above:
- What subset of CIS might we agree on as a USHE IG1? (may or may not be the same 36 the UofU chose for their internal project, and I think fewer is probably better to start with)
- What tools (specifically tied back to the controls we identify) might we coordinate and take advantage of shared purchasing and possible management on?
- General thoughts and disposition?
I've also attached a simple spreadsheet with the UofU toolset just to get an idea of where we are at system-wide on that toolset. Please fill it out and send it back to me and I'll compile a master list.
Thanks, Andrew

Andrew, maybe I'm missing something, but wouldn't log auditing be a critical part of any toolset? Perhaps it's implied that each tool comes with its own logs, but having logs available is different from connecting log sources to something like an ELK stack to make them more accessible. I don't know about you, but I prefer my logs to be parsed. I'm not so much of a masochist that I would enjoy scrolling through billions of lines of unstructured logs.
On Tue, Aug 8, 2023 at 10:19 AM Andrew Goble via USHE-ISO <ushe-iso@lists.dixie.edu> wrote:
-- USHE-ISO mailing list USHE-ISO@lists.dixie.edu http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-iso
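The distinction Eric draws above, between logs that merely exist and logs that have been parsed into something queryable, is easy to show concretely. What follows is an added example, not code from the thread or from any of the institutions named in it: a small parser that turns raw BSD-syslog lines from sshd into flat, structured records (the field names follow the Elastic Common Schema convention, which is an assumption about an ELK-style destination, not something the thread specifies), followed by the kind of query that is trivial on parsed data and tedious on raw text. The sample log lines are constructed for this example.

```python
"""
Added example (not from the thread): turn raw, unstructured syslog lines
into structured records so they can be queried, then run one detection
over them. ECS-style field names are an assumption about the destination.
"""
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in classic BSD syslog format, as sshd writes them.
SAMPLE_LOGS = """\
Aug  8 10:19:02 webhost sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Aug  8 10:19:05 webhost sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Aug  8 10:19:09 webhost sshd[2214]: Failed password for root from 203.0.113.45 port 51030 ssh2
Aug  8 10:20:41 webhost sshd[2250]: Accepted publickey for ebennick from 198.51.100.7 port 40112 ssh2
Aug  8 10:21:03 webhost cron[2301]: (root) CMD (run-parts /etc/cron.hourly)
Aug  8 10:21:17 webhost sshd[2260]: Failed password for ebennick from 198.51.100.7 port 40118 ssh2
"""

# Syslog envelope: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# sshd authentication events (password and public-key, success and failure)
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_line(line, year=2023):
    """Parse one syslog line into a flat dict of ECS-style fields.
    Returns None for lines that do not match the syslog envelope.
    BSD syslog carries no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    record = {
        "@timestamp": ts.isoformat(),
        "host.name": m["host"],
        "process.name": m["program"],
        "process.pid": int(m["pid"]) if m["pid"] else None,
        "message": m["message"],
    }
    # Enrich sshd authentication events with structured fields; other
    # programs keep only the envelope plus the raw message.
    if m["program"] == "sshd":
        a = SSHD_RE.match(m["message"])
        if a:
            record.update({
                "event.category": "authentication",
                "event.outcome": "success" if a["outcome"] == "Accepted" else "failure",
                "user.name": a["user"],
                "user.known": a["invalid"] is None,
                "source.ip": a["ip"],
                "source.port": int(a["port"]),
                "authentication.method": a["method"],
            })
    return record


def parse_logs(text):
    """Parse a block of log text, dropping lines that are not syslog."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def failed_logins_by_source(records, threshold=3):
    """Count authentication failures per source IP and return those at or
    above the threshold: a one-line aggregation on parsed data that would
    be a grep/awk pipeline on raw text."""
    counts = Counter(
        r["source.ip"] for r in records
        if r.get("event.category") == "authentication" and r["event.outcome"] == "failure"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for r in recs:
        print(json.dumps(r))
    print("sources over threshold:", failed_logins_by_source(recs))
```

Each record printed by the block is one JSON document of the shape a log shipper would index, and `failed_logins_by_source` is the sort of question (which sources are brute-forcing us?) that becomes a field filter and a count once the lines are structured.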

Sorry, I guess that was more of a rhetorical question. Let me try to offer a better start to the discussion. CISA has already provided a document which has identified minimum controls and ranked them according to impact, cost, and complexity. I wanted to suggest everyone here take a look if you haven't already. There are 38 controls on the list, and I'm going to put forward the suggestion that we use these as the recommended subset of CIS controls. It seems like this is what the CIOs are asking for; I don't think we need to spend too much time debating the details when this resource already exists and was created specifically for entities like us, which are resource constrained.
On Tue, Aug 8, 2023 at 10:45 AM Eric Bennick ebennick@weber.edu wrote:

Link to original source is here: Cross-Sector Cybersecurity Performance Goals | CISA https://www.cisa.gov/cross-sector-cybersecurity-performance-goals
On Tue, Aug 8, 2023 at 11:02 AM Eric Bennick ebennick@weber.edu wrote:

Um yeah, I think those costs are totally questionable. They don't seem to be taking into account the number of political meetings every one of us would be in, not to mention HOW long it would take to even get some of them done. You'd need to have tools to find all your data and assets before you can get some of them started. Those seem like pipe dreams from a group that isn't in the trenches.
Sorry Eric, I don't like that list, and I'm not saying the U's is the gold standard; it's what we came up with, with the tools we already had as well as what we thought we could pull off. My opinion of Corey's baby.
Dustin
- These are just my opinions; they may not reflect those of my boss or organization. I may have had a lot of coffee and not enough water as well here.
________________________________________ From: USHE-ISO ushe-iso-bounces@lists.dixie.edu on behalf of Eric Bennick via USHE-ISO ushe-iso@lists.dixie.edu Sent: Tuesday, August 8, 2023 11:02 AM To: Andrew Goble Cc: ushe-iso@lists.dixie.edu Subject: Re: [USHE-ISO] USHE Security Outcomes / Shared Services Discussion

No offense taken. We're all working with different tools and I'm sure we'll all have different ideas on what's possible. I think the whole point of the groups is to come to a compromise we can all agree on.
On Tue, Aug 8, 2023 at 11:30 AM Dustin Udy d.udy@utah.edu wrote:

I totally agree with you there.
________________________________________ From: Eric Bennick ebennick@weber.edu Sent: Tuesday, August 8, 2023 11:43 AM To: Dustin Udy Cc: Andrew Goble; ushe-iso@lists.dixie.edu Subject: Re: [USHE-ISO] USHE Security Outcomes / Shared Services Discussion

I suggest rephrasing the question. I keep trying to steer the CIOs away from a discussion of specific tools or even specific controls. Focus on the capabilities first, then determine what you need to achieve that functionality.
I'd frame it as "What do you need to even begin addressing the CISA or CIS controls?" What is the bare minimum functionality you need to answer the fundamentals of any of the standard frameworks: a comprehensive list of hardware and software and a data inventory? How are you going to get those?
From there, you can go one baby step further. Can you control access to your network and resources both locally and remotely? Do you have adequate insight and control to reasonably quantify risk and vulnerabilities, and respond to an incident?
Until you can do those things, drilling into control "X" to try to achieve maturity "Y" is futile. For example, you can log to your heart's content or have an excellent password policy, but it's kind of pointless if you can't accurately quantify where all your systems are or what/where the data you're trying to protect is. You can't know where to focus your efforts or reasonably quantify success or value.
You can, of course, plug those fundamental capabilities back into your chosen framework to show how they'll support a more robust future program, which is essentially what we did. That's where the "36 controls" Steve can't seem to let go of came from. The tools we picked don't "solve" 36 controls. They enable us to start to address them once the fundamentals are in place.
My $0.02 anyway. Dustin, feel free to call my mutant baby ugly.
-- Corey Roach Chief Information Security Officer The University of Utah and University of Utah Health 801.213.3397
On Aug 8, 2023, at 11:12 AM, Dustin Udy via USHE-ISO ushe-iso@lists.dixie.edu wrote:
I totally agree with you there.
From: Eric Bennick ebennick@weber.edu Sent: Tuesday, August 8, 2023 11:43 AM To: Dustin Udy Cc: Andrew Goble; ushe-iso@lists.dixie.edu Subject: Re: [USHE-ISO] USHE Security Outcomes / Shared Services Discussion
No offense taken. We're all working with different tools and I'm sure we'll all have different ideas on what's possible. I think the whole point of the groups is to come to a compromise we can all agree on.
On Tue, Aug 8, 2023 at 11:30 AM Dustin Udy <d.udy@utah.edu> wrote: Um yeah, I think those costs are totally questionable. They don't seem to be taking into account the number of political meetings every one of us would be in, not to mention HOW long it would take to even get some of them done. You'd need to have tools to find all your data and assets before you can get some of them started. Those seem like pipe dreams from a group that isn't in the trenches.
Sorry Eric, I don't like that list and I'm not saying the U's is the gold standard; it's what we came up with, with what tools we already had as well as what we thought we could pull off, my opinion of Corey's baby.
Dustin
- These are just my opinions; they may not reflect those of my boss or organization. I may have had a lot of coffee and not enough water as well here.
From: USHE-ISO <ushe-iso-bounces@lists.dixie.edu> on behalf of Eric Bennick via USHE-ISO <ushe-iso@lists.dixie.edu> Sent: Tuesday, August 8, 2023 11:02 AM To: Andrew Goble Cc: ushe-iso@lists.dixie.edu Subject: Re: [USHE-ISO] USHE Security Outcomes / Shared Services Discussion
Sorry, I guess that was more of a rhetorical question. Let me try to offer a better start to the discussion. The CISA has already provided a document which has identified minimum controls and ranked them according to impact, cost, and complexity. I wanted to suggest everyone here take a look if you haven't already. There are 38 controls on the list, and I'm going to put forward the suggestion that we use these as the recommended subset of CIS controls. It seems like this is what the CIOs are asking for; I don't think we need to spend too much time debating the details when this resource already exists and was created specifically for entities like us which are resource constrained.
On Tue, Aug 8, 2023 at 10:45 AM Eric Bennick <ebennick@weber.edu> wrote: Andrew, maybe I'm missing something, but wouldn't log auditing be a critical part of any toolset? Perhaps it's implied that each tool comes with its own logs, but having logs available is different than connecting log sources to something like ELK stack to make them more accessible. I don't know about you, but I prefer my logs to be parsed. I'm not so much of a masochist that I would enjoy scrolling through billions of lines of unstructured logs.
On Tue, Aug 8, 2023 at 10:19 AM Andrew Goble via USHE-ISO <ushe-iso@lists.dixie.edu> wrote: Hi all,
I'll try to keep this brief. There is no tl;dr version so bear with me.
At the CIO retreat last month, Corey presented on their efforts at the U to create a University baseline of controls and tools that should be in place across all business/academic units. They came up with a list of 36 controls out of CIS and the following toolset:
- Network Access Control (NAC)
- Default Deny at the Network Perimeter
- Multi-factor Authentication (MFA)
- Data Loss Prevention (DLP)
- Privilege Access Management (PAM)
- Endpoint Privilege Management (EPM)
- Endpoint Detection and Response (EDR)
- Endpoint Security Solution (ESS)
*Corey/Dustin can correct me if I have their narrative wrong
With the State and Board of Regents very much aboard the shared services train, the CIOs have tasked us to go through a similar exercise, except for the System. The end output here is to identify a subset of CIS controls (I view this as identifying a small, critical USHE-specific Implementation Group 1) and a set of tools / needs that would be part of the solution in achieving desired security outcomes for those controls. Finally, this leads to Yet Another Funding Request™ to ask for the resources to make these outcomes possible. I have no comment on the efficacy of repeated funding asks, that's not the point here. USHE is clearly a leader in the state for shared or collaborative IT services already and this is an effort to stay in that leadership position by acting on our own terms instead of standing pat and letting the legislature/state act for/on us.
ACTION ITEMS
What I would ask of each of you is some discussion on the above:
- What subset of CIS might we agree on as a USHE IG1? (may or may not be the same 36 the UofU chose for their internal project, and I think fewer is probably better to start with)
- What tools (specifically tied back to the controls we identify) might we coordinate and take advantage of shared purchasing and possible management on?
- General thoughts and disposition?
I've also attached a simple spreadsheet with the UofU toolset just to get an idea of where we are at system-wide on that toolset. Please fill it out and send it back to me and I'll compile a master list.
Thanks, Andrew
-- USHE-ISO mailing list USHE-ISO@lists.dixie.edu http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-iso

Ugly or not, your baby is making progress Corey.
Dustin
From: USHE-ISO <ushe-iso-bounces@lists.dixie.edu> on behalf of Corey Roach (CISO) via USHE-ISO <ushe-iso@lists.dixie.edu> Sent: Tuesday, August 8, 2023 2:36 PM To: ushe-iso@lists.dixie.edu Subject: Re: [USHE-ISO] USHE Security Outcomes / Shared Services Discussion
I suggest rephrasing the question. I keep trying to steer the CIOs away from a discussion of specific tools or even specific controls. Focus on the capabilities first, then determine what you need to achieve that functionality.
I'd frame it as "What do you need to even begin addressing the CISA or CIS controls?" What is the bare minimum functionality you need to answer the fundamentals of any of the standard frameworks: a comprehensive list of hardware and software and a data inventory? How are you going to get those?
From there, you can go one baby step further. Can you control access to your network and resources both locally and remotely? Do you have adequate insight and control to reasonably quantify risk and vulnerabilities, and respond to an incident?
Until you can do those things, drilling into control "X" to try to achieve maturity "Y" is futile. For example, you can log to your heart's content or have an excellent password policy, but it's kind of pointless if you can't accurately quantify where all your systems are or what/where the data you're trying to protect is. You can't know where to focus your efforts or reasonably quantify success or value.
You can, of course, plug those fundamental capabilities back into your chosen framework to show how they'll support a more robust future program, which is essentially what we did. That's where the "36 controls" Steve can't seem to let go of came from. The tools we picked don't "solve" 36 controls. They enable us to start to address them once the fundamentals are in place.
My $0.02 anyway. Dustin, feel free to call my mutant baby ugly.
-- Corey Roach Chief Information Security Officer The University of Utah and University of Utah Health 801.213.3397
On Aug 8, 2023, at 11:12 AM, Dustin Udy via USHE-ISO <ushe-iso@lists.dixie.edu> wrote:
I totally agree with you there.
From: Eric Bennick <ebennick@weber.edu> Sent: Tuesday, August 8, 2023 11:43 AM To: Dustin Udy Cc: Andrew Goble; ushe-iso@lists.dixie.edu Subject: Re: [USHE-ISO] USHE Security Outcomes / Shared Services Discussion
No offense taken. We're all working with different tools and I'm sure we'll all have different ideas on what's possible. I think the whole point of the groups is to come to a compromise we can all agree on.

I've put the information you wanted in the sheet. As for the tools, I would personally vote to give top priority to DLP, because it'll help with the privacy requirements the legislature created and also with the stuff the USHE privacy committee is working on.

I have had DLP in my mind as well and agree with the privacy aspect as well. Our problem is having manpower to implement and manage such a tool. I know it's been said that we all don't have the staffing to manage the tools, so just reiterating that point.
I just sent my information in the sheet as well.
Jim
On Wed, Aug 23, 2023 at 5:41 PM Eric Bennick via USHE-ISO <ushe-iso@lists.dixie.edu> wrote:
I've put the information you wanted in the sheet. As for the tools, I would personally vote to give top priority to DLP, because it'll help with the privacy requirements the legislature created and also with the stuff the USHE privacy committee is working on.

I totally agree, manpower is what the true critical need is for everyone. I think the problem with making that our top request is manpower means we'd be asking for recurring funding. From what I understand, requests for funding have historically resulted in failure, asking for tools/capabilities is a different approach which we're hoping will have a better chance of success.
I'm totally fine if we want to make this a funding request to cover personnel, if that's what everyone agrees on. I'm in support of doing anything which provides the greatest benefit to the entire group.
On Thu, Aug 24, 2023 at 8:51 AM Jim Shakespear <shakespear@suu.edu> wrote:
I have had DLP in my mind as well and agree with the privacy aspect as well. Our problem is having manpower to implement and manage such a tool. I know it's been said that we all don't have the staffing to manage the tools, so just reiterating that point.
I just sent my information in the sheet as well.
Jim
-- Jim Shakespear | Director of IT Security INFORMATION TECHNOLOGY, SOUTHERN UTAH UNIVERSITY ELC 513 | (435) 865-8202
Participants (5): Andrew Goble, Corey Roach (CISO), Dustin Udy, Eric Bennick, Jim Shakespear