
3. Executive Summary
 In 2020, York University fell victim to what appears to have been a cyberattack that corrupted several of
its servers and workstations. York University is considered Canada's fourth-largest university, with
more than 55,000 students, 7,000 faculty and staff, and more than 325,000 alumni worldwide.
To protect this information, the senior management Executive Committee has recently earmarked
funding to implement an enterprise-wide cybersecurity program aligned with the NIST (National
Institute of Standards and Technology) Cybersecurity Framework.

 As a cybersecurity team of risk analysts and co-op students, we have designed a cybersecurity
program and strategy aligned with the university's corporate strategy.

4. Introduction

5. Purpose of Report
 The purpose of this report is to design a cybersecurity program for York University, which has
multiple lines of business and academic programs as well as several campuses, including international
offices. The report also presents the strategy and the implementation and execution roadmap to the
Executive Committee (EC).

 After reading this report you will have an understanding of the NIST (National Institute of Standards
and Technology) Cybersecurity Framework, an enterprise cybersecurity awareness strategy, and an
analysis of cloud computing and its governance.

6. Background
 Cyberattacks on educational institutions are nothing new. According to the research, the first such
cyberattack involved Princeton University and was aimed at learning admission decisions. It was
followed by a number of attacks targeting the personal information of students and faculty members.
In 2004, the State of California released its data-breach notification law in response to security
incidents and breaches that were happening across every kind of organization; a total of 2,000,000
records was stolen, including 80,000 records stolen from the University of California at Los Angeles
(UCLA). In June 2006, the University of Utah lost 100,000 names and Social Security numbers of former
employees from archival databases in its library. A hacker accessed the personal information of
236,000 women, and the Social Security numbers of 163,000 of them, at the University of North
Carolina. In 2014, Metropolitan State University learned of a breach of its servers that led to the
hacking of its website. The count of attacks grew rapidly from 5 in 2012 to 393 in 2017. DDoS attacks
also became a trend in 2017. Separately, in 2018 nine Iranian hackers were charged over a campaign
against more than 300 universities worldwide, including 144 US universities and 176 institutions in
Canada, the UK, Germany, Israel and Japan; more than 100,000 professors' email accounts were
targeted and about 8,000 were compromised. In 2020 York University disclosed an extremely serious
cyberattack; although sensitive information was not

1|Page
stolen, some programs remained offline and students and faculty members lost access to the
university's portals. As a result, York advised everyone to reset their university passwords. The
number of attacks on universities is growing quickly because of the massive amount of data they hold,
including the details of current and former students as well as employees. With every new cyberattack
new tactics multiply; the best-known techniques used by cybercriminals are phishing, malware,
crypto-jacking, denial-of-service, man-in-the-middle and brute-force attacks, although the amount of
data stolen from the education sector has been small compared with other industries. Recently,
EasyJet suffered a cyberattack that exposed the personal information of 9 million customers. To help
organizations protect their data, NIST has published the Cybersecurity Framework with its steps and
strategies. The Framework can assist organizations in addressing cybersecurity as it affects the
privacy of customers, employees and other parties. Additionally, the Framework's outcomes serve as
targets for workforce development and evolution activities.

7. Highlights of enterprise security

1. Enterprise security: -

 Enterprise security is the practice of controlling the entry and exit points for data so as to eliminate
as many potential threats as possible, and of ensuring that appropriate policies are in place.
 The importance of enterprise security lies in protecting data, preventing data loss and protecting
the reputation of the organization's brand.
 Building a strong enterprise security architecture in an organization requires following a few
principles; the highlights are as follows:

2. Educate employees and business stake holders: -

 Protecting an organization's data and preventing breaches and cyberattacks is not IT's job alone;
everyone on the network should have a thorough knowledge of the security policies, compliance
regulations and potential vulnerabilities.

3. Implement an access control policy: -

 To implement an access control policy, every user should be assigned a specific role so that access
can be granted according to the needs of their job. Preventing unauthorized access stops the internal
risks and threats caused by human error or disgruntled employees.

4. Develop an encryption strategy: -

 The organization should implement an encryption strategy covering data at rest and in transit, with
managed keys, and complement it with access controls such as file permissions, strong passwords and
two-factor authentication to protect the company's data in highly distributed environments.

5. Establish device security policy: -

 Bring Your Own Device (BYOD) can harm security. All systems in the organization should be
updated to the latest firmware, and any employee using a personal device must follow clear protocols
and run the mandatory corporate security software.

6. Monitor network performance: -

 Manage endpoint security with technologies that continuously monitor the network for anomalous
data traffic.
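Two of the first-pass checks that "monitoring for anomalous data traffic" means in practice, as an added example that is not part of the original report and not York's tooling: a port-scan detector (one source touching many distinct ports on one host) and a volume-outlier detector (a host sending far more than its learned baseline). The flow records, the baseline figures and the thresholds are constructed assumptions; a SOC would tune them per network segment.

```python
"""Two first-pass checks over network flow records.

Added example for this report; it is not York's tooling. The flow records are
constructed and the thresholds are assumptions a SOC would tune per network.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    src: str        # source host
    dst: str        # destination host
    dst_port: int   # destination port
    bytes_out: int  # bytes sent from src to dst in this flow


# Constructed sample window (not real campus traffic):
#  - 10.1.0.9 probes 12 ports on 10.1.0.50 (port-scan shape)
#  - 10.1.0.20 pushes ~400 MB to an external address (exfiltration shape)
#  - 10.1.0.21 behaves normally
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
SAMPLE_FLOWS = (
    [Flow("10.1.0.9", "10.1.0.50", p, 60) for p in SCAN_PORTS]
    + [Flow("10.1.0.20", "10.1.0.50", 443, 1500) for _ in range(3)]
    + [Flow("10.1.0.20", "203.0.113.7", 443, 400_000_000)]
    + [Flow("10.1.0.21", "10.1.0.50", 443, 2000)]
)

# Assumed per-host baseline of bytes sent per window, learned from history.
BASELINE = {"10.1.0.9": 1_000_000, "10.1.0.20": 5_000_000, "10.1.0.21": 5_000_000}


def detect_port_scans(flows, port_threshold=10):
    """Return {(src, dst): distinct_port_count} for pairs at or above the threshold.

    A single source touching many distinct ports on one destination in one
    window is the classic probe; the threshold avoids flagging ordinary clients
    that use a handful of services on the same server.
    """
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dst_port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= port_threshold}


def detect_volume_outliers(flows, baseline, factor=10):
    """Return {src: total_bytes_out} for sources sending more than factor x baseline.

    Hosts with no baseline are compared against the median baseline so that a
    brand-new host cannot evade the check simply by having no history.
    """
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.bytes_out
    fallback = median(baseline.values()) if baseline else 0
    return {src: total for src, total in totals.items()
            if total > factor * baseline.get(src, fallback)}


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_FLOWS).items():
        print(f"port scan: {src} -> {dst} ({n} distinct ports)")
    for src, total in detect_volume_outliers(SAMPLE_FLOWS, BASELINE).items():
        print(f"volume outlier: {src} sent {total} bytes")
```

On the sample window the scan check reports 10.1.0.9 against 10.1.0.50 and the volume check reports 10.1.0.20; the real work is choosing baselines and thresholds that keep backups and software mirrors from drowning the analyst in alerts.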

8. Enterprise Cloud Analysis and Governance


 Cloud computing is quickly transforming the way businesses and individuals acquire and use
information technology. "Cloud computing" refers to a collection of scalable virtualized resources
capable of hosting applications, delivering necessary services to customers, and billed according to
usage, much like a utility. According to the IEEE Computer Society, cloud computing is "a paradigm
in which information is permanently stored in servers on the Internet and temporarily cached on
clients, including desktops, entertainment centres, tablet computers, notebooks, wall computers,
handhelds, etc." Depending on the service provided and the contracting organization's data and
security requirements, cloud computing can be hosted in various ways. The primary objective of cloud
computing is to deliver ICT services using shared infrastructure and a vast number of systems. Cloud
service agreements cover every kind of facility, such as Infrastructure as a Service, Platform as a
Service, Network as a Service, Software as a Service and data storage as a service; the primary tenet
of cloud computing is to offer everything needed as a service. In personal computing, the cloud refers
to the availability of web-based email, photo-sharing and productivity tools, often free of charge. For
businesses, switching to the cloud means being able to rent computing services as needed rather than
investing in hosting everything themselves: the equipment, the software and the support needed to
offer services at a given level. Given shifting demands for IT and a challenging economic climate, the
cloud's value proposition is particularly attractive for government. Cloud computing allows users to
access hardware and software remotely over the Internet rather than buying them outright. The three
tiers of cloud computing are:

a) Infrastructure as a Service (IaaS)

 IaaS provides computing infrastructure as a service: servers, storage, network hardware and other
components, which may include systems software such as operating systems and database systems.
The infrastructure is supplied as a virtual environment, and the consumer is given the ability to
provision processing, storage, networks and other fundamental computing resources and to deploy
and run arbitrary software, including operating systems and applications. Although it appears and
functions exactly like standard infrastructure from the client's perspective, it is one of many virtual
environments hosted concurrently on the same physical infrastructure.

b) Platform as a Service (PaaS)

 PaaS provides application development services. It supports the entire life cycle of designing,
implementing, testing and releasing web applications and services, so project managers, developers
and testers need not obtain or set up any development software on their local PCs. The consumer is
given the ability to deploy consumer-created or acquired applications, built using programming
languages and tools supported by the provider, onto the cloud infrastructure.

c) Software as a Service (SaaS)

 SaaS entails offering entire applications over the Internet, such as customer relationship
management or enterprise resource planning, running in the provider's remote data centres. Instead of
buying licences and running the software locally, the customer purchases access to these applications,
which are reachable from various client devices through a thin client interface such as a web browser.
Nevertheless, while some have predicted that the advent of the cloud computing paradigm will spell
the end of the PC age, many think that most businesses and even individuals will continue to use
conventional PCs and laptops.

 Cloud governance refers to a collection of procedures that let users work in the cloud as they need
to, ensure that operations are effective, and let users track and adjust processes as necessary. A cloud
governance framework is merely the application of existing governance techniques to cloud
operations, not a new set of ideas or procedures. A cloud management approach must include several
important cloud governance components; consider the following as necessary to set up appropriate
controls and make the most of cloud services:

1) Financial administration

 The first sky-high cloud computing bill is an unwelcome rite of passage in enterprise IT. Cloud
service providers and their supporters rightly claim that using cloud services is more cost-effective
than purchasing and maintaining your own infrastructure. That is true, but only if you diligently
monitor and report your cloud costs. Financial management policies offer a framework for choosing
cloud resources for corporate purposes. As an illustration, one company uses managed services as
much as feasible to cut administrative costs, while another specifies a checklist of cost management
procedures to follow before launching a new service to a public cloud.

2) Operations administration

a) Operations management aims to manage service delivery from cloud resources. Consider the
following recommendations:

 Describe the procedures and guidelines that govern the development of new cloud-based workloads
or apps;
 Establish SLAs to allocate resources, deploy application code to the different contexts (especially
production environments), and keep an eye on the state of the services to ensure the SLAs are met.

b) The answer to the question "How can we offer this new application to our customers?" may come
from a product manager or developer. A clear operations policy should include the following:

 Ways to communicate effectively with the operations staff.
 How to define the criteria for identity and access management.
 How to calculate your computing, storage and network needs, and ways to meet them.

3) Management of security and compliance

 Risk assessment, identity and access management, data encryption and key management, application
security, contingency planning and other security-related subjects all fall within cloud governance.
From a governance standpoint, a combination of corporate goals and laws shapes the purpose of
information security processes.

 Maintain a balance between your company's security and regulatory requirements and its product
development. Recognize that developing information security policies means compromising between
business necessity and security concerns. For instance, you could try to fix all moderate and severe
vulnerabilities in your apps, but doing so would divert IT resources from creating new features to
improving existing ones. A governance model should build on the frameworks and regulations already
in place for risk management, privacy and cybersecurity; frameworks for all three can be found in
National Institute of Standards and Technology (NIST) cybersecurity materials. Use the specific
security services offered by your public cloud provider to reduce the risk of data leaks,
denial-of-service attacks and other common threats.

4) Management of data

 As the capacity to gather, store and analyze data grows, so does the challenge of managing it well.
The governance strategy and procedures should include clear instructions for handling data
throughout its whole lifetime in the business. Start by creating a data-classification scheme: not
every piece of data is equally valuable or requires the same level of protection, and sensitive and
confidential data need more safeguards than public information. Encrypting all data in transit and at
rest is the best practice for data in the cloud; make it your default setting. Other controls, such as
who can access or alter specific data categories, may vary according to the classification of the data
and the functional needs for how it is used.
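A classification scheme only bites when something checks deployed resources against it. The following is an added example, not part of the original report or any cloud provider's tooling: a small policy check that derives the required controls from a data store's classification tag (encryption at rest for every tier, with TLS-only transport, no public access, no wildcard principals and access logging added for stricter tiers) and reports what is missing. The resource records are constructed stand-ins for what a cloud inventory API would return, and the field and control names are assumptions made for the example.

```python
"""Classification-driven control check for cloud data stores.

Added example for this report, not the university's own tooling. The resource
records are constructed stand-ins for what a cloud inventory API would return;
the field names and the control names are assumptions made for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Controls required per classification tier. Encryption at rest is required
# for every tier (the "default setting" above); higher tiers add TLS-only
# transport, no public access, no wildcard principals and access logging.
REQUIRED_CONTROLS = {
    "public":       {"encrypted_at_rest"},
    "internal":     {"encrypted_at_rest", "tls_only"},
    "confidential": {"encrypted_at_rest", "tls_only", "no_public_access",
                     "no_wildcard_principal"},
    "restricted":   {"encrypted_at_rest", "tls_only", "no_public_access",
                     "no_wildcard_principal", "access_logging"},
}


@dataclass
class DataStore:
    name: str
    classification: str          # tag applied by the data owner
    encrypted_at_rest: bool
    tls_only: bool               # plaintext connections rejected
    public_access: bool          # reachable without authentication
    principals: list[str] = field(default_factory=list)  # who the access policy grants to
    access_logging: bool = False


def controls_present(store: DataStore) -> set[str]:
    """Translate raw configuration flags into the control vocabulary above."""
    present = set()
    if store.encrypted_at_rest:
        present.add("encrypted_at_rest")
    if store.tls_only:
        present.add("tls_only")
    if not store.public_access:
        present.add("no_public_access")
    if "*" not in store.principals:
        present.add("no_wildcard_principal")
    if store.access_logging:
        present.add("access_logging")
    return present


def evaluate(stores) -> dict[str, list[str]]:
    """Return {store_name: sorted missing controls}.

    A store with no known classification is reported as 'unclassified' rather
    than silently treated as public: an untagged store is the commonest way
    sensitive data escapes the stricter tiers.
    """
    findings = {}
    for s in stores:
        required = REQUIRED_CONTROLS.get(s.classification)
        if required is None:
            findings[s.name] = ["unclassified"]
            continue
        missing = required - controls_present(s)
        if missing:
            findings[s.name] = sorted(missing)
    return findings


# Constructed inventory (not real York resources).
SAMPLE_STORES = [
    DataStore("course-catalog", "public", True, False, True, ["*"]),
    DataStore("student-records", "confidential", True, True, False,
              ["role/registrar", "*"]),
    DataStore("research-backup", "restricted", False, True, False,
              ["role/research-it"], access_logging=False),
    DataStore("legacy-share", "", True, False, False, ["group/everyone"]),
]

if __name__ == "__main__":
    for name, missing in evaluate(SAMPLE_STORES).items():
        print(f"{name}: missing {', '.join(missing)}")
```

The public catalog passes because its tier only demands encryption, while the confidential store fails on the wildcard principal even though it is encrypted and TLS-only: classification decides which controls count, not the other way around. Treating a missing tag as a finding keeps the check fail-closed.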

5) Performance evaluations

 Performance management in cloud computing focuses on monitoring applications and infrastructure
resources in order to deliver the desired levels of IT service and make the best use of cloud
infrastructure. Performance metrics are application-specific; typical examples include the time it
takes to open a web page, retrieve data or call an API function.

6) Management of assets and configurations

 Keeping a dynamic array of cloud infrastructure resources within the bounds of what was planned is
a major challenge for enterprises. It is not a major worry if a developer or cloud engineer manually
deploys a VM for an ad hoc need and forgets to shut it down, but teams need to rely on controlled
processes when building large clusters or using expensive cloud services. Infrastructure as code
(IaC) is one method of managing infrastructure: rather than relying on cloud engineers to start and
stop resources by hand, IaC declares what to deploy or operate in the environment to support the
application. The IaC tooling can then monitor the actual state of the infrastructure and detect where
it has drifted from the declared configuration.

 Configuration management also lets an organization manage the use and storage of secrets such as
passwords and encryption keys. Instead of unsafe practices like embedding login credentials in
programs or scripts, where anyone with access to the script can read them, keep secrets in a
centralized repository.

 Security and data management are intertwined. These components are not autonomous, stand-alone
goals; they influence and in some cases constrain one another. Cost controls and operations
management interact, and operations management in turn influences how an organization implements
data lifecycle management policies. Developers and product managers might choose a particular data
loss prevention service to increase security, but at large scale that service can be prohibitively
expensive.

 Standards and models for cloud governance

 COBIT: A general approach to governance that integrates well with other standards such as ITIL.
The Information Systems Audit and Control Association (ISACA) developed the COBIT governance
standard to help companies and other organizations manage IT operations. The model includes a
framework of processes and practices, a description of each process, control objectives, management
guidelines and maturity models.

 ITIL: Provides a framework with thorough process definitions to standardize how businesses select,
deliver and maintain IT services, and helps them plan strategically for new technology projects.

 ISO/IEC 38500: An international standard for the corporate governance of IT, covering processes,
communications and decision-making. The standard addresses how to establish roles, support IT
operations, use technology, make related acquisitions, track performance and adhere to policies. By
understanding how users interact with applications and systems, businesses can avoid encouraging
users to ignore policies and procedures.

 Challenges

 The range of issues that cloud governance must handle is substantial. It is more realistic to
implement a complete governance framework gradually than all at once. Start with the issues most
critical to the organization: compliance and security are top considerations in heavily regulated
sectors, and if cloud spending is excessive and unsustainable, concentrate on cost management from
the start of the project.

 Cloud systems' resources, components and services are dynamic and can scale to huge numbers, so
automation is crucial to governance. Take advantage of data lifecycle management policies, which can
help guarantee that data is stored in appropriate storage services and purged on a predetermined
schedule, and of the other features of cloud services that enable governance. Use third-party tools
such as vulnerability scanners to analyse the contents of code repositories and identify
vulnerabilities in your applications.
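The configuration-management point above (credentials embedded in scripts, readable by anyone with access to the script) and the repository-scanning point here are the same control seen from two sides. The following is an added example, not the report's own process and not any vendor's scanner: a miniature of what repository secret scanners do, combining credential-name patterns, fixed-shape token patterns and a Shannon-entropy check on the literal. The sample checkout and every key-looking value in it are constructed fakes; the patterns, markers and the 3.5-bit entropy threshold are assumptions chosen for the example.

```python
"""Hardcoded-credential scan over repository files.

Added example for this report; it is a miniature of what repository secret
scanners do, not the report's or any vendor's tool. The sample files and every
key-looking value in them are constructed fakes.
"""
import math
import re
from collections import Counter

# An assignment of a credential-looking name to a quoted literal, e.g.
#   DB_PASSWORD='...'   api_key: "..."   aws_secret_access_key = '...'
ASSIGNMENT = re.compile(
    r"(?i)([\w.-]*(?:password|passwd|secret|api[_-]?key|token)\w*)"
    r"\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
)

# Credentials with a fixed, recognisable shape need no assignment context.
SHAPED = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

PLACEHOLDER_MARKERS = ("changeme", "example", "your_", "<", "${", "xxxx", "dummy")


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and patterns score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    v = value.lower()
    return any(marker in v for marker in PLACEHOLDER_MARKERS)


def scan_text(path: str, text: str, entropy_threshold: float = 3.5):
    """Return (path, line_number, kind) findings for one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SHAPED:
            if pattern.search(line):
                findings.append((path, lineno, kind))
        m = ASSIGNMENT.search(line)
        if m and not looks_like_placeholder(m.group(2)):
            # High entropy plus a credential name is the strong signal; a
            # low-entropy literal is still reported, at lower confidence.
            confidence = "high" if shannon_entropy(m.group(2)) >= entropy_threshold else "low"
            findings.append((path, lineno, f"hardcoded-{m.group(1).lower()}:{confidence}"))
    return findings


def scan_repo(files: dict) -> list:
    """files maps path -> contents, as a walk of a checkout would produce."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed checkout. settings.py shows the safe pattern (read the secret from
# the environment, populated from a central store); config.example.yml holds a
# placeholder that must not be reported.
SAMPLE_REPO = {
    "deploy.sh": "#!/bin/sh\nexport DB_PASSWORD='Tr0ub4dor&3xQ9pL'\nAPI_TOKEN=\"letmein\"\n",
    "config.example.yml": "api_key: \"your_api_key_here\"\n",
    "backup.py": ("import boto3\n"
                  "AWS_ACCESS_KEY_ID = 'AKIATESTKEY012345678'\n"
                  "aws_secret_access_key = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYzq3Lm9Q2hV'\n"),
    "settings.py": "import os\nSECRET = os.environ['APP_SECRET']\n",
}

if __name__ == "__main__":
    for path, lineno, kind in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {kind}")
```

Run as a pre-commit hook or in CI, a check like this turns the "keep secrets in a centralized repository" policy into something that blocks the commit that violates it; the placeholder filter and the confidence label are what keep it from being ignored for noise.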

 Finally, governance is a continuous, multi-pronged undertaking. Frameworks such as NIST's can
shape the firm's governance processes.

9. Recommendation:

 The following measures should be adopted to reduce cyber threats to the organization.

 Threat Detection. Organizations should focus on investigating and learning from breach attempts,
and should implement an effective detection and response capability.

 Network Traffic Inspection. Network traffic inspection is essential for anticipating cyberattacks. A
capable network engineer should perform network traffic analysis as a daily routine.

 Network Segmentation. Many organizations segment business units at the network level using
VLAN technology, so that in the event of a cyberattack the affected areas are isolated while they are
investigated.

 Penetration Testing. Penetration testing should be performed on a continual basis to keep network
security at the highest level. In addition to network penetration testing, social-engineering
penetration testing should be carried out to confirm that employees are trained in safe business
communication practices.

 Access Management. Implement clear access rules so that employees have access only to the
information they require. Put in place an auditing process for access granted to business resources,
including a reporting and review process, and ensure that termination processes include disabling
access to business systems.
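The role-based access control policy in section 7 and the access audit and termination handling recommended here are one mechanism: a role model that says what each job needs, a periodic review that compares actual entitlements and account status against it, and a request-time check that denies anything the role does not justify. The following is an added example, not York's own identity process: the role model, HR roster and account export are constructed, and the field names and role names are assumptions made for the example.

```python
"""Entitlement review and deny-by-default authorization check.

Added example for this report, not York's own identity process. The role model,
HR roster and account export are constructed; field names are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Role model: what each job role legitimately needs (least privilege).
ROLE_ENTITLEMENTS = {
    "student":   {"lms:read", "email"},
    "faculty":   {"lms:read", "lms:grade", "email", "research-share"},
    "registrar": {"sis:read", "sis:write", "email"},
    "helpdesk":  {"sis:read", "email"},
}


@dataclass
class Person:
    uid: str
    roles: tuple[str, ...]
    end_date: date | None = None   # None = still employed / enrolled


@dataclass
class Account:
    uid: str
    enabled: bool
    entitlements: set[str]         # what the directory actually grants


def expected_entitlements(person: Person) -> set[str]:
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in person.roles))


def is_authorized(person: Person | None, account: Account, entitlement: str, today: date) -> bool:
    """Request-time check: deny unless every condition holds.

    The directory granting an entitlement is not enough; the person's role must
    justify it, so a stale grant found by the review below is inert in the meantime.
    """
    if person is None or not account.enabled:
        return False
    if person.end_date is not None and person.end_date < today:
        return False
    return entitlement in account.entitlements and entitlement in expected_entitlements(person)


def review(roster, accounts, today: date) -> list[tuple[str, str, str]]:
    """Periodic audit: return (uid, issue, detail) for every discrepancy."""
    people = {p.uid: p for p in roster}
    findings = []
    for acct in accounts:
        person = people.get(acct.uid)
        if person is None:
            findings.append((acct.uid, "orphan-account", "no HR record"))
            continue
        if person.end_date is not None and person.end_date < today and acct.enabled:
            findings.append((acct.uid, "leaver-still-enabled", f"left {person.end_date.isoformat()}"))
        excess = acct.entitlements - expected_entitlements(person)
        if excess:
            findings.append((acct.uid, "excess-entitlement", ",".join(sorted(excess))))
    return findings


# Constructed data (not real people or systems).
ROSTER = [
    Person("alice", ("faculty",)),
    Person("bob", ("student",)),
    Person("carol", ("registrar",), end_date=date(2024, 1, 31)),
    Person("dave", ("helpdesk",)),
]
ACCOUNTS = [
    Account("alice", True, {"lms:read", "lms:grade", "email", "research-share", "sis:write"}),
    Account("bob", True, {"lms:read", "email"}),
    Account("carol", True, {"sis:read", "sis:write", "email"}),
    Account("dave", True, {"sis:read", "email"}),
    Account("eve", True, {"email"}),
]
REVIEW_DATE = date(2024, 3, 1)

if __name__ == "__main__":
    for uid, issue, detail in review(ROSTER, ACCOUNTS, REVIEW_DATE):
        print(f"{uid}: {issue} ({detail})")
```

The review surfaces the three cases the recommendation is about: a grant that exceeds the role (alice holding sis:write), a leaver whose account was never disabled (carol), and an account with no HR owner at all (eve). Driving both the audit and the request-time decision from the same role model is what stops the two from disagreeing.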

10. Conclusion:

 In the digital realm, data can be more precious than gold, yet it is far too often discarded like
trash.

 Cybersecurity is not simply a technological issue, even though technical measures are an essential
component. Policy analysts and others can easily become bogged down in technical specifics. In
addition, information about cybersecurity is frequently compartmentalized along disciplinary lines,
which limits the insights that might be gained from cross-fertilization.

 This report aims to clarify some of these links and to leave the reader with two main thoughts above
all else: the cybersecurity problem will never be completely resolved, and it can be addressed in at
least as many non-technical as technical ways, even if those measures are limited in breadth and
durability.

11. Works Cited:

a) York University: Cyber Security Advisory - Protecting against increased cyber threats

b) CBC News: Students, experts call for explanation after York University suffers 'extremely serious'
cyber attack

c) National Institute of Standards and Technology (NIST): Software Security in Supply Chains:
Guidance, Purpose, Scope, and Audience

12. Bibliography:

a) CTV News: York University suffers 'serious' cyber-attack

b) IT World Canada: York University cyber-attack looks like ransomware, says security expert

c) Wikipedia: Computer security

13. Appendices:

1) The role of the Security Operations Centre (SOC)


 Round-the-clock security will be provided by trained security professionals.
 Monitoring of client networks and websites, with immediate reporting of possible malware
(malicious software) infections and unlawful access.
 Initial response to incidents provided by a "cyber incident on-site intervention service", along with
forensic services for examining malware.
 The SOC will identify the sources of information leaks.

2) Access Control
 The procedure for approving or rejecting particular requests to: 1) obtain and use information and
related information processing services; and 2) enter particular physical facilities (e.g., office,
data centre).

3) Architecture
 The design of the organization's network environment and the components used to construct it.

4) Authentication

 The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing
access to resources in an information system.

5) Authorized User
 Any appropriately provisioned individual with a requirement to access an information system.

6) Continuous Monitoring
 Maintaining ongoing awareness of information security, vulnerabilities, and threats to support
organizational risk management decisions.

7) Firewall
 A part of a computer system or network that is designed to block unauthorized access while
permitting outward communication.

8) Information Security
 The protection of information and information systems from unauthorized access, use, disclosure,
disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

9) Multifactor Authentication
 Authentication using two or more factors. Factors include: (i) something you know (e.g., password
or personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification
device, token); or (iii) something you are (e.g., biometric).

10) Personally Identifiable Information


 Information that can be used to distinguish or trace an individual’s identity, either alone or when
combined with other information that is linked or linkable to a specific individual.

11) Privilege
 A right granted to an individual, a program, or a process.

12) Security Control


 A safeguard or countermeasure prescribed for an information system or an organization designed to
protect the confidentiality, integrity, and availability of its information and to meet a set of defined
security requirements.

13) Vulnerability
 Weakness in an information system, system security procedures, internal controls, or implementation
that could be exploited or triggered by a threat source.
