Information Security Mission and Strategic Plan
Mission
To provide leadership to the institution of Metropolitan State College of Denver for the continuous development, implementation and maintenance of a safe, productive and reliable information processing environment.
Objective
To ensure the security and reliability of the College's information assets and computing resources. Information and computing resources must be available to those individuals who are authorized to access and use them at the time they are needed. Information and computing resources must be safe from unauthorized access, use, disclosure, modification or destruction.
Organizational structure
The Director of Information Security reports to the Associate Vice President of Information Technology. Two FTEs report to the Director of Information Security.
Roles and responsibilities
The security team provides internal consulting services to the Division of Information Technology and the Metro State community on matters of sound information processing and information security practices. As part of this consulting service, the security team also manages an ongoing security awareness campaign for the College community.
The security team conducts internal security assessments of information processing activities and services and reports its findings to IT Management and other key stakeholders. The security team also continuously monitors security sensors for signs of security breaches or other malevolent activity.
Members of the security team are required to maintain high ethical standards and professional conduct. The security team adheres to the International Information Systems Security Certification Consortium ((ISC)²) Code of Ethics.
Members of the security team must stay abreast of emerging information processing technologies, standards and practices, and keep current with ever-changing threat models. Members of the security team attend outside training classes and seminars (at least annually), attend conferences (at least annually), subscribe to professional journals, and maintain membership in professional organizations for security professionals.
Strategic goals
- Information security fully integrated into the culture and daily activities of the College.
- Implementation of Network Access Control.
- Centralized and enhanced logging facilities for all IDS, firewalls, network gear and servers.
- All IT employees demonstrate a high degree of professional conduct and skill.
Tactical Goals
- Security training for all IT staff (beyond basic awareness training).
- Adoption of security standards and baselines for applications, network gear, servers and workstations.
- Physical and logical separation between administrative computing and academic computing activities.
- Host-based IDS on all servers.
- Secure web-based remote access for students and employees.
- Measure and document effectiveness of security practices.
- Ongoing development of IT employees' leadership skills.
- Developers trained in secure software development and testing.
- Implement an internal penetration testing regime.
Operational Goals
- Maintenance of a high degree of professional conduct.
- Adoption of ISO 17799 security standards.
- Enhanced network intrusion detection.
- Weekly vulnerability scans of all servers and network gear.
- Weekly audits of all file shares and access control lists.
- Weekly audits of all administrative accounts.
- Improved internal documentation and written procedures.
Updated December 08, 2011.
