ISAAC @ Texas State - A Success Story The ISAAC Value Proposition at Texas State University-San Marcos Don Volz Special Assistant to the Vice President for Information Technology

Post on 11-Jan-2016


Page 1: ISAAC @ Texas State - A Success Story

The ISAAC Value Proposition at Texas State University-San Marcos

Don Volz, Special Assistant to the Vice President for Information Technology

Page 2: ISAAC @ Texas State

Texas State Profile (we’re big, complex, and …)
– Public, state-assisted, 5th largest university in Texas
– 30,800 students:
  • ~6,000 on-campus residents, ~14,000 San Marcos metro residents
– 101 bachelor’s, 88 master’s, 10 doctoral programs
– 9 colleges, 43 academic departments & schools, 28 centers & institutes
– Main campus in San Marcos, TX; satellite campus in Round Rock, TX

IT both centralized and decentralized (… technologically diverse)
– Tech platforms: Unix (various), Linux, Windows, MacOS, … even OpenVMS
– Central IT administers 2 highly virtualized, mostly redundant data centers and offers a full suite of IT support services, including network management, enterprise systems, help desk, computer repair, technology procurement, classroom technology support, instructional design, etc.
– Unit-specific IT infrastructure and support varies by unit
  • Server farms and administrators
  • Faculty/staff desktop hardware and software support
  • Lab administration
– Trending toward greater centralization (in part due to ISAAC)

Page 3: ISAAC @ Texas State

Pre-2006 State (the way we were)
– No centralized Information Security function
– Security responsibilities distributed across central IT and beyond

2006 (in the beginning …)
– IT Security function established within Office of the VPIT
– IT Security’s Mission: implement and sustain a university-wide information security program
– Initial Program Goals
  • Inventory information assets and rank by criticality and risk
  • Quickly mitigate risks to most critical and vulnerable assets
  • Bring ALL assets into compliance with state information security standards (TAC 202 – Texas Administrative Code, Chapter 202)
  • Establish policies and processes that sustain standards compliance and continuously improve information security posture

Page 4: ISAAC @ Texas State

Planning Assumptions (confronting the brutal facts)
– Previous Higher Ed breaches – mostly unit-administered assets
  • Large quantities of sensitive and confidential information
  • Protections often minimal, overly permissive, and/or out-of-date
  • Limited awareness of security threats, standards, best practices
– Campus culture – carrots work better than sticks
  • IT Security must be a proactive, collaborative enabler
  • IT Security must be a trusted risk management partner
  • IT Security must clearly appreciate the business need
  • IT Security must NOT be the “security gestapo”
  • Compliance is not the goal, but one method for managing risk
– A never-ending journey
  • Information security will never be finished
  • Owner/administrator relationships must be nurtured
  • Security training/tools → empowered allies on the front line

Page 5: ISAAC @ Texas State

First Things First (let’s get this party started)
– Find most critical assets and assets at greatest risk
  • Outreach to asset sysadmins by IT Security; to VPs/Deans by VPIT
  • Network mapping exercises and in-person visitation
  • Registered asset data into a database
  • 27 environments prioritized for risk assessment
– Establish risk assessment methodology and tools
  • Must be standards-based, aligned with TAC 202, Web-enabled
  • Must produce measurable outcomes
  • Found ISAAC (http://net.educause.edu/ir/library/powerpoint/EDU0460.pps)
  • Acquired access to hosted version of ISAAC used by TAMU system institutions (just as if Texas State was a member)

Page 6: ISAAC @ Texas State

2007 - First Real Assessments (crawling before we walk)
– IT Security acquires ISAAC user accounts
  • Conducts pilot assessments of IT servers
  • Authors reference materials specific to Texas State
– IT Security completes in-person, on-site assessments
  • Visits locations of 27 highest priority environments
  • Completes ISAAC assessment with asset owner/sysadmin
  • Provides mitigation alternatives with monthly follow-up
  • Produces 1st Information Security State of the University report
– First Lessons Learned
  • Limited knowledge of standards, best practices, security threats
  • Basic concepts (e.g., data classification, FERPA) often foreign to system administrators
  • Unit system administrators are siloed and rarely communicate
  • Low-hanging fruit: remove unnecessary sensitive data, employ basic device hardening, relocate hosts/services to data centers

Page 7: ISAAC @ Texas State

2008 – The Second Time Around (a new and better approach)
– Number of assessments doubles (27 to 65); individual visits not feasible
– Workshop approach: 12 three-hour workshops over a 3-month period
– Workshop agenda
  • Announced IT Security’s new pen testing service
  • Introduced new .NET server registration application
  • Provided overview of ISAAC and risk assessment methodology
  • Attendees entered/updated server registration data
  • Attendees began (some even completed) ISAAC risk assessment process
– IT Security answered questions, facilitated discussion, …
– Following workshop, attendees certified and submitted assessments
– Attendees judged workshop approach as “highly effective”
– As in 2007, IT Security
  • Proposed options, facilitated resolution of risk and compliance issues
  • Aggregated assessment data
  • Produced 2nd annual IT Security State of the University report, noting status changes from previous year

Page 8: ISAAC @ Texas State

2009 – Gaining Momentum (Reaping Rewards)
– Audit reviews the risk assessment process and six prior-year assessments
  • Process findings are positive – enhancement recommendations shared with TAMU for consideration in next ISAAC release
  • Spot check findings positive – recommended mitigation actions were in place and operational
– Workshop approach enhanced and expanded
– Announced new required components
  • Identity Finder® sensitive data discovery
  • Penetration testing by IT Security

Outcomes to Date (where’s the beef?)

Page 9: ISAAC @ Texas State

Page 10: ISAAC @ Texas State

Page 11: ISAAC @ Texas State

Cost vs. Benefit (getting more than we ever bargained for)
– TAMU’s charge to us is minimal (4 digits/year)
– Annualized assessment process staffing: 25% - 50% of an FTE
– Increases owner and administrator awareness of state standards
– Promotes common understanding and institutional standards
– Enhances the dialogue and relationships among all IT support staff
– Reduction and consolidation of server environments begets:
  • corresponding reduction in space utilization and power consumption
  • greater leveraging of data center virtualization technologies
  • enhanced resource monitoring and availability
– Provides benchmark and metrics for tracking changes
– Most important, measurably improves campus-wide security posture

The ISAAC tool and methodology were key to making these things happen, and we are eagerly anticipating the next ISAAC release.

Page 12: ISAAC @ Texas State

Contact Information
Don Volz
[email protected]
512-245-9650

More Details about ISAAC @ Texas State
– The Journey to a Successful Risk Assessment – One Strategy Unveiled, presented at the EDUCAUSE Southwest Regional Conference (2/19/2010)
– The Texas State IT Security Web site: http://security.vpit.txstate.edu