Data is a strategic asset to the university, and our IT infrastructure must support the secure processing, transmission, and storage of our data. Private data must be protected from inadvertent exposure. Data quality is paramount to our research mission as well as to our desire to enhance business efficiencies. Our reliance on data to accomplish our work requires that it be available when needed.
To fulfill this mandate, Oregon State University established an Office of Information Security charged with the development of an information security program. The OIS is conducting a security risk assessment as a first step toward formalizing an information security program. A risk assessment will provide us with the information to ensure that our security initiatives are addressing the largest security risks to the organization.
The framework chosen by the OIS for our security efforts is the Consortium for Cybersecurity Action's (CCA) 20 Critical Controls for Effective Cyber Defense. The 20 Critical Controls enable us to build upon the combined knowledge of actual attacks and effective defenses from top experts within the information security community, and they have proven their worth as a practical, cost-effective way to reduce security risk.
Using the 20 Critical Controls as the program framework simplifies the risk assessment process: a gap analysis will be performed, beginning with the OIS itself and eventually moving on to other university systems based on criticality and risk profile.
Failure to perform this assessment may lead to initiatives that are costly yet are not highly successful at mitigating risk.
Inadequate staffing presents a risk that the assessment will produce incomplete or untimely data, with the result that risk is not measured effectively.
Dave Nevin, Chief Information Security Officer