Justin T. Noble
Director of Internal Audit
Virginia Tech
IT Security: The Virginia Tech Journey
Learning Objectives
Q&A
Conclusion
Learning Objectives
● Understand the common IT security frameworks.
● Use the foundational knowledge and resources gained to conduct IT controls reviews.
● Understand how internal audit can partner with IT to strengthen their organization’s information security programs.
Poll Question #1
a. Yes
b. No
c. I don’t know
What Is a Framework?
Frameworks:
● Provide a starting point for the establishment of robust administrative activities.
● Assist with showing compliance with overlapping regulatory requirements through effective crosswalks.
● Are customizable to your organization, needs, or problems.
Common Frameworks
● International Organization for Standardization (ISO) 27000 series
● National Institute of Standards and Technology (NIST)
○ NIST 800-53: An InfoSec benchmark for U.S. Government agencies that is widely used in the private sector.
○ NIST 800-171: More popular, based on the U.S. Dept. of Defense requirements on contractors.
● Control Objectives for Information and Related Technologies (COBIT)
● Center for Internet Security (CIS) Critical Security Controls
● Committee of Sponsoring Organizations (COSO)
Poll Question #2
a. Yes
b. No
c. I don’t know
02 Framework Mapping
CIS v8 to NIST
CIS v8 to COBIT
03 Virginia Tech’s IT Security Journey
● Have you reached out and established a working relationship with your CIO, ITSO, and other key IT personnel?
● Do you have an “in” with research computing, academic computing, and auxiliary computing?
● Do you know your framework?
● Have you read the framework?
● Did you Google how to conduct an assessment with your framework?
● How are things governed at your university?
● What are the policies and standards that you need to be able to articulate an awareness of?
Approaches
Similar to a non-IT audit, you can approach IT security in different ways.
Determine the Methodology:
● Single Process
○ Inventory
○ Firewall Configuration
● Comprehensive
○ Security Review
Determine the Scope:
● Enterprise-level
● Unit Level
● Hybrid
Poll Question #3
a. Single, comprehensive
b. Hybrid/Crosscutting
c. I don’t know
VT Examples
● Single Process/Enterprise-level
○ IT Network Security
○ Incident Response
● Single Process/Unit-level
○ Secured Research Computing
● Single Process/Hybrid
○ Risk Assessment
○ Server Security
● Comprehensive
○ Typically, only on the unit level.
● Safeguard Descriptions
○ A detailed table, organized by implementation group, that outlines the actions that should be taken.
Poll Question #4
Were you familiar with the CIS Controls prior to this presentation?
a. Yes
b. No
Safeguards as Fieldwork
Take the safeguard descriptions and turn them into an audit program. The safeguards describe the controls; the audit program is their inverse, the tests that verify each control is in place.
Hybrid Example: Linux Server Security
Objectives
● Determine whether operating systems were supported and patched.
● Audit Log Management: Determine whether servers were configured to collect required log information, and whether logs were monitored and sent to a remote server.
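As an added illustration of turning the audit-log-management objective above into a repeatable fieldwork test (this is not Virginia Tech's code and not part of CIS-CAT): a small parser that reads an rsyslog configuration and reports whether logs are forwarded to a host other than the server itself, treating commented-out rules and loopback targets as not meeting the requirement. The hostnames and configuration fragments are constructed samples.

```python
import re

# Legacy selector syntax: "<selector> @host[:port]" (UDP) or "@@host[:port]" (TCP)
_LEGACY = re.compile(r'^\s*(\S+)\s+(@@?)(?:\([^)]*\))?(\S+?)(?::(\d+))?\s*$')
# RainerScript action(...) statements, which may span several lines
_ACTION = re.compile(r'action\s*\((.*?)\)', re.S)
_PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Forwarding to the same box does not satisfy an off-host logging requirement
_LOCAL = {"localhost", "127.0.0.1", "::1", "[::1]"}

def forwarding_targets(conf_text):
    """List every forwarding destination declared in an rsyslog config."""
    # Drop whole-line comments, so a commented-out rule is not counted
    lines = [ln for ln in conf_text.splitlines() if not ln.lstrip().startswith("#")]
    found = []
    for ln in lines:
        m = _LEGACY.match(ln)
        if m:
            _, marker, host, port = m.groups()
            found.append({"host": host, "port": int(port) if port else 514,
                          "proto": "tcp" if marker == "@@" else "udp",
                          "syntax": "legacy"})
    for body in _ACTION.findall("\n".join(lines)):
        params = {k.lower(): v for k, v in _PARAM.findall(body)}
        if params.get("type", "").lower() != "omfwd":
            continue  # some other action type (file, database, ...)
        found.append({"host": params.get("target", ""),
                      "port": int(params.get("port", 514)),
                      "proto": params.get("protocol", "udp").lower(),
                      "syntax": "rainerscript"})
    for dest in found:
        dest["remote"] = dest["host"].lower() not in _LOCAL
    return found

def forwards_off_host(conf_text):
    """True only if at least one destination is a host other than this server."""
    return any(d["remote"] for d in forwarding_targets(conf_text))

# Constructed sample configs (not taken from any real server)
SAMPLE_COMPLIANT = """\
*.* @@logs.example.edu:514
action(type="omfwd" target="siem.example.edu" port="6514"
       protocol="tcp" StreamDriver="gtls")
"""
SAMPLE_NONCOMPLIANT = """\
# forwarding was commented out during a migration and never restored
#*.* @@logs.example.edu:514
*.* @127.0.0.1:514
"""
```

Running `forwards_off_host` over each server's `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf` gives the auditor a yes/no per host; the returned target list is the evidence to retain in the workpapers.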
Project Challenges/Strategies
● Inventory of Servers
○ We sent a survey to every college/unit/institute asking basic questions: whether they had Linux servers and, if so, how many, and whether any of those servers were rated as ‘high risk’.
● Remote IT Support
○ We did a lot of Zoom remote screen sharing.
● Configuration Review
○ We used a tool called CIS-CAT, available from the Center for Internet Security.
○ There is a learning curve to understanding the results.
● Backup
○ How are you backing up your systems?
○ How are you backing up remote systems?
○ How do you know the backups are effective?
● Patching/Encryption/Malware
○ How are you monitoring patching on high-risk systems?
○ How are you enforcing encryption?
○ How are you ensuring up-to-date malware protection?
● Administrative Access
○ How do you manage elevated privileges?
○ How are you ensuring that what you deploy doesn’t get undone?
● Logging
○ Are they aggregated in any meaningful way?
○ Are they actually reviewed?
Thank You
Justin T. Noble
Director of Internal Audit
Virginia Tech