As described in our Mission & Vision statement, the Marshall University Division of Information Technology provides an evolving, reliable, innovative, integrated and services-oriented information technology environment. Network and IT Information Security also provides supporting roles to the success of the campus IT environment. The Network and IT Information Security programs are comprised of a number of standard elements which include leadership and staffing, governance, security architecture, internal and external audit, and various risk and change management process.
A written cybersecurity program plan is posted on the IT website at the following URL https://www.marshall.edu/it/departments/information-security/cybersecurity-program-plan/
The Information Security program is supported through a shared governance process facilitated by the University Information Technology Council (ITC). Policies, standards, procedures and guidelines for information technology in general, and information security specifically. University Policies receive an additional review by the Office of the President and ultimately the Marshall University Board of Governors (BOG). There is a number of policies, standards, and procedures which govern the information security program on campus located at https://www.marshall.edu/it/governance/policies/
The Information Security program is supported through a shared governance process facilitated by the University Information Technology Council (ITC). Policies, standards, procedures and guidelines for information technology in general, and information security specifically are developed and promulgated by this Council. University Policies receive an additional review by the Office of the President and ultimately the Marshall University Board of Governors (BOG).
The following are a number of key policies, standards, and procedures which govern the information security program on campus:
- MUBOG IT-1 MU Information Technology Acceptable Use Policy
- MUBOG IT-2 MU Information Security Policy
- MUBOG IT-3 MU Electronic Communications Policy
- MUBOG AA-47 MU Electronic Records Management Policy
- MUITC ITP-5 MU Information Systems Identity and Content Retention Procedure
- MUITC ITP-23 MU Password Standards for Administrative Systems
- MUITC ITP-19 MU Information Security Incident Response Procedure
- MUITC ITP-40 MU IT Procedure for Employee Account Termination
- MUITC ITP-42 MU Standard for Baseline Security of Servers
- MUITC ITP-44 MU Standard for Security of Information Technology Resources
- MUITC ITG-4 MU Guidelines for Data Classification
- MUITC ITG-9 MU Mobile Computing and Storage Guidelines
Leadership and Staffing
The Office of Information Security is currently comprised of the Chief Information Security Officer (CISO), who reports to the Chief Information Officer (CIO) and two full-time Information Security Analysts who reports to the CISO. The Information Security team also works closely with other campus units both within and external to IT.
The Division of Information Technology has acquired, implemented and operates a number of key components which play an information role in information security architecture and reflect a defense-in-depth strategy in the protection of University networks, system and applications. A number of these items are highlighted below:
- Network perimeter security – the Marshall University Network (MUNet) is secured at the perimeter using high-availability network firewall. The next-generation firewall technology provides user-, application- and content-based inspection, network intrusion detection and malicious content filtering, and network address translation (NAT) to limit unsolicited inbound connections.
- Secure Remote Access – remote access is provided using a virtual private network (VPN) service or through a remote terminal service access using two-factor authentication (2FA).
- E-mail and Endpoint Security Services – the campus utilizes additional layers of anti-spam and anti-malware software which eliminate malicious and disruptive content arriving via e-mail or other file transfer methods.
- Endpoint Detection and Response (EDR) – University-managed devices receive protection through an enterprise endpoint security platform designed to prevent, detect, investigate and respond to advanced threats.
- Segmented, Switched Network – the campus local area network is segmented into virtual sub-networks (VLANs) based on building, campus locations, and data sensitivity. The allows for separation of high-risk/high-value network activity (e.g. datacenter, business units, academic computer labs, VOIP, PCI-compliance, Residence Halls and wireless WiFi networks.
- Centralized IT Datacenter – core information technology services are housed primarily in the campus data center located on the Huntington, WV campus in the Drinko Library. This facility is designed both for physical security (data center doors are 2-factor authenticated, 24×7 security cameras, smoke detection and fire suppression) and high-availability (uninterruptible power supply with standby diesel generator back-up).
- Enterprise Data Storage and Protection – the IT datacenter team utilize an enterprise-class storage area network (SAN) and protect data through a combination of replicated storage (provided by the SAN) and traditional backups of host- and application-specific data. The backup application utilizes a ‘disk-to-disk’ process which allows for back-data to be immediately moved out of the data center to a backup target located across campus.
- Central Authentication System – campus network and application access is secured via a centralized, directory-based identity and authentication system. This allows for the quick provisioning and de-provisioning of access to networks, systems, and applications across campus.
- Multi-Factor-Authentication (MFA) – Marshall University network accounts are enabled for multi-factor (MFA) by default. MFA provides an additional layer of protection to minimize unauthorized account use for high-risk applications such as Banner SIS, campus e-mail, online document storage, and remote access.
Internal and External Audits
The Division of IT and the Office of Information Security perform and participate in regular audits of the various information security processes on campus. These include weekly self-assessments using network security and vulnerability reporting software; periodic engagements with our application vendors (Oracle, Ellucian, Microsoft, Cisco, Palo Alto, etc.) to review system configurations and ensure best practices are being followed; and actively participating with external third-party auditors for annual IT assessment supporting the University financial system and financial aid audits.
Risk and Change Management Process
A continuous stream of data – logs, messages, alerts, reports – are generated each day describing the operations and individual interactions with the campus Information Technology environment. Additionally, Information Technology manages requests to make upgrades or changes to critical systems through a formal change-management process. For example, when changes are needed for the Ellucian® Banner student information system, those requests are documented and submitted for review to the affected business units. When the business unit completes the review and grants permission, then the IT team will move forward with scheduling those changes. A similar process is followed when anomalous activity and alerts are generated by systems, these issues are logged in a support request ticketing system to document the issue, troubleshooting steps, and corrective action was taken. In the event of a suspected information security incident, the MU Information Security Incident Response Procedure (MUITC ITP-19) is followed so that all necessary team members are involved and the appropriate University leadership is kept informed.
The Marshall University Division of IT and Office of IT Security recognizes the wisdom of the statement “security is a process, not a product” and as such will continue our efforts to identify and manage risk to University information systems. Examples of recent activities begun as a result of past audit suggestions include Cyber Liability insurance coverage through the State of WV Board of Risk & Insurance Management; acquisition and beginning the deployment of mobile device data encryption to secure sensitive data on University-owned laptops; the availability of personal security certificates to allow for secure e-mail and file transfers; adoption of multi-factor-authentication to protect authentication credentials for employees and students. We look forward to working with our campus faculty to discover, apply and improve our network and cybersecurity solutions to support new research opportunities.