University of Massachusetts Learns Cyber-Defense
The University of Massachusetts turns to a more structured approach to security using SANS critical controls.
By Samuel Greengard
Today, most organizations live under the constant threat of a data breach. Even with stringent multilayered security, it's next to impossible to ensure airtight protection. At the University of Massachusetts, it's more than a theoretical concept, however. In 2008, the university suffered a breach that exposed sensitive information about past students and alumni. The incident led to significant changes in the way the school approaches system protection.
"We recognized that we needed more consistent controls and we had to get everyone on the same page," says Larry Wilson, information security lead for the University of Massachusetts President's Office. He was hired in November 2009 to design and document a comprehensive Written Information Security Program across five campuses with approximately 72,000 students. He initially established a control review committee with representatives from the various campuses. The university adopted a framework based on ISO 27002, and that led to the selection of SANS Critical Security Controls, which now serves as the foundation for the university's security program. Its partner for the project was EiQ Networks.
The school introduced a university-wide security policy in late 2010. It began introducing the practices in 2011. The controls cover a wide range of issues revolving around devices, malware defenses, application software security, boundary defense, account monitoring and control, data loss prevention, incident response and management, secure network engineering and penetration testing methods. SANS relies on metrics to gauge performance and align policies and procedures with known best practices.
The process has helped the Massachusetts university focus resources more narrowly on four critical areas: budgeting, identifying tools and technology that would better fit the university's requirements, establishing university-wide and campus-specific resources to implement and operate the technologies, and developing a clear timeline for implementation. "We were able to identify the controls that most benefited the university and put them into place first," Wilson says. "We were able to put more complex and resource-intensive controls in place as a second phase. Throughout the process we were able to identify and better manage our costs and staffing requirements."
Preventing Data Loss
One area the school focused on was data loss prevention. "There was a strong need to improve awareness and the locating of our sensitive data, while developing a comprehensive inventory of assets," Wilson explains. As part of the program, the university scanned desktop and laptop computers for sensitive shadow data. When the university spotted sensitive data residing outside a source system, it encouraged users to delete it. It also conducted a thorough analysis of wireless infrastructure and devices. As a result, "we are building a uniform wireless network across all the campuses, with strong controls in place." As an added benefit, "any employee will be able to travel to any other campus and get the same wireless experience," he says.
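The shadow-data scan described above, that is, sweeping desktops and laptops for sensitive records held outside the source systems that are supposed to own them, is the kind of check that is easy to illustrate. The following is an added example and not the university's or EiQ Networks' tooling: it walks a directory tree, flags files containing strings shaped like US Social Security numbers or Luhn-valid payment card numbers, and reports per-file counts so that an owner can be asked to delete or move the data. The regular expressions, the size cap and the sample files it builds in a temporary directory are all assumptions constructed for the illustration.

```python
"""Discovery scan for sensitive "shadow data" on a file tree.

Added illustration (not UMass or EiQ Networks code). It reports, per file,
how many SSN-shaped and Luhn-valid card-number-shaped strings were found, so
a data owner can be asked to delete or relocate the file.
"""
import os
import re
import tempfile
from typing import Dict

# Assumed pattern: US SSN in AAA-GG-SSSS form, excluding area 000/666/9xx,
# group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumed pattern: 13-19 digits optionally separated by spaces or hyphens;
# candidates are confirmed with the Luhn check below to cut false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Dict[str, int]:
    """Count SSN-like and Luhn-valid card-like strings in a text blob."""
    counts = {"ssn": len(SSN_RE.findall(text)), "card": 0}
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", candidate)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            counts["card"] += 1
    return counts


def scan_tree(root: str, max_bytes: int = 5_000_000) -> Dict[str, Dict[str, int]]:
    """Walk `root` and return {relative_path: counts} for files with findings.

    Files above `max_bytes` and unreadable files are skipped; binary content is
    decoded leniently so embedded ASCII records are still examined.
    """
    findings: Dict[str, Dict[str, int]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            counts = scan_text(raw.decode("utf-8", errors="ignore"))
            if any(counts.values()):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = counts
    return findings


def build_sample_tree() -> str:
    """Create a temporary tree of constructed sample files (test fixtures,
    not real records) and return its root path."""
    root = tempfile.mkdtemp(prefix="shadow_scan_")
    samples = {
        "hr/roster.txt": "Jane Doe 123-45-6789\nJohn Roe 000-12-3456\n",
        "finance/refund.csv": "order,card\n1001,4111 1111 1111 1111\n"
                              "1002,4111-1111-1111-1112\n",
        "it/notes.txt": "call ext 555-0100, ticket 2011-0042\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, hit_counts in sorted(scan_tree(sample_root).items()):
        print(f"{rel_path}: {hit_counts}")
```

Only the roster (one valid SSN; the 000-prefixed one is rejected) and the refund file (one Luhn-valid card number; the second fails the check) are reported; the notes file with phone extensions and ticket numbers produces nothing. In a real sweep the output would feed the asset inventory and the owner notification the article describes, and the patterns would be extended to whatever record types the institution classifies as sensitive.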
The University of Massachusetts is continuing to implement the SANS controls while maintaining a focus on ISO 27002. Ultimately, Wilson says, the program is based on three primary pillars: program management and communications involving faculty, staff and students; overseeing the implementation of general controls and compliance processes for applications and the overall infrastructure; and improving implementation and operations focused on cyber-security defenses and related technology solutions.
"The use of ISO standards and SANS controls has provided a more holistic way to manage the portfolio of issues related to IT and security," Wilson points out. "The university has moved to a system that provides the maximum level of protection—while providing a framework for the future."