Information Security

Information Security Council

Per Gramm-Leach-Bliley Act (GLBA) requirements, on March 16, 2018, Daemen College convened its Information Security (InfoSec) Council. Consisting of members from the Systems Administration, Networking, Enterprise Applications, and development teams, the council is charged with the items below:

Information Security Plan

Daemen’s InfoSec Council has developed a formal Information Security Plan. It is the guiding document for all information security matters at the college.

https://docs.google.com/document/d/1BCIQNuhvF7GaMwRZiA3Mtd4vrBDdrm_T1CO5ug1Yqqs/edit?usp=sharing

Risk Management Plan

As specified in the InfoSec Plan, Daemen’s InfoSec team conducts an internal risk assessment annually. Each year, the results of that assessment are compiled into a Risk Management Plan (RMP). The RMP for 2020 is available below:

https://docs.google.com/document/d/15JgxmKz0Chyj2j9KhsNwieFZYM4BHEXKTHbkGCDw6hw/edit?usp=sharing

Corrective Action Plans

The risk assessment and RMP for 2020 resulted in a series of Corrective Action Plans (CAPs). Each CAP is mapped to a control from NIST SP 800-171. The full list of CAPs and their matching controls is available in the NIST 800-171 Compliance Plan:

https://docs.google.com/spreadsheets/d/1rjH_oAHDgn6YgKhOzlp2npPmM65IbejeJ0K9d57NWYs/edit?usp=sharing

Vulnerability Assessment & Penetration Testing

Daemen’s InfoSec Council has implemented Tenable’s Nessus assessment tool for internal vulnerability assessment. The InfoSec Council has worked with a third party (Vandis) to plan annual penetration testing of our most critical systems. The most recent external penetration test occurred in December 2019.

Training

Daemen has implemented several end-user training programs with the aim of improving information security:

Phishing Training – The InfoSec team conducts monthly phishing simulations, with additional training for any user who fails a simulation by clicking on or responding to the simulated email.

Information Security Awareness Training – Starting in August 2018 and repeated annually, the InfoSec Council requires every employee to complete a security awareness course. It covers GLBA and related regulations, with guidance on safeguarding all forms of personally identifiable information (PII).

https://my.daemen.edu/offices/computing/it_training.php

Confidentiality Agreement – Since August 2018, Daemen has required all current and new employees to sign a confidentiality agreement. The agreement is available on MyDaemen:

https://my.daemen.edu/offices/computing/confidentiality_agreement/index.php