IS Strategic Plan

Information Security

Mission

The mission of Information Security is to protect Penn State’s information assets from threats and to safeguard the confidentiality, integrity, and availability of its systems and data while ensuring appropriate privacy and compliance with regulatory and contractual requirements.

Vision

We will create a culture of information security throughout Penn State that balances the University’s need to innovate and experiment with teaching, learning, and research.

Values

  • HELPFULNESS – We are here to help. People count on us to provide analysis and expertise. We need to develop a culture of helpfulness, positive stakeholder interactions, and subject matter expertise.
  • CONSISTENCY – We are depended upon, so we must operate in a consistent and dependable manner.
  • CONTINUOUS IMPROVEMENT – We need to make the most of our resources by measuring our performance, seeking efficiencies, striving to be more effective, and achieving resilience.

Goal 1: Improve Information System Resilience


Goal Description: Information systems are core to all Penn State operations for academic, administrative, and research computing. The reliability and availability of these systems and their data are often assumed. Ensuring that systems have appropriate documentation, recovery planning, and security controls will help avoid outages, improve recoverability, and reduce downtime. Improving system resilience will lead to more reliable and dependable information systems that are resilient against cyber-attacks and other events that threaten Penn State’s data and systems.

Objective 1.1 Improve Information Technology Disaster Recovery Capabilities

Objective Description: Disaster Recovery (DR) planning is a component of business continuity planning that focuses on recovering information systems and restoring them after severe damage or destruction. A disaster recovery plan is a formal document created within organizations that contains instructions on how to respond to unplanned catastrophic incidents involving information technology caused by events such as cyber-attacks (ransomware), human error, or natural disasters. Penn State’s information technology environment is complex and has evolved over many years in a decentralized manner. This has led to inconsistency in the university’s information technology disaster recovery preparation and capabilities.

IS will develop and lead a disaster recovery program that works with units to ensure adequate documentation, preparation, and testing of disaster recovery plans within Penn State units.

Objective Years:
Start Date: 03/2020
Target Completion Date:
Objective Mapping: OP1, DI3, IS2

Objective 1.2 Implement Continuous Risk Evaluation

Objective Description: Many cyberattacks or system failures can be avoided by identifying and mitigating threats and vulnerabilities before issues occur. Identifying, evaluating, and mitigating risk will reduce Penn State’s attack surface, reduce system downtime, and improve system and data security.

IS will lead a cyber risk assessment program that will anticipate and seek out gaps in information system security that may put systems and data at risk.

Objective Years:
Start Date: 12/2020
Target Completion Date:
Objective Mapping: DI3, OP2, F6

Objective 1.3 Ensure Data Backups

Objective Description: Ensuring that Penn State’s academic, administrative, and research data is available is critical to minimizing disruptions to university operations. Backups have become even more critical as more destructive cyber-attacks (ransomware) have emerged. Documented and tested data backup strategies help ensure data availability. Consolidating backup strategies and solutions helps improve the consistency and cost-effectiveness of backups.

IS will collaborate with Penn State IT and administrative, college, and campus IT units to ensure effective and cost-efficient data backup strategies.

Objective Years:
Start Date: 6/2021
Target Completion Date:
Objective Mapping: OP1, DI3, IS2

Goal 2: Protect Research and Intellectual Property

Goal Description: Penn State has positioned itself as a global leader in research by leveraging its talent and technology to foster ideas and drive innovation. These efforts often lead to research that creates value in the data, intellectual property, and patents that it produces. At the same time, the cyber threats against Penn State’s intellectual property have increased as technology and cybercrime have evolved. Increases in security requirements and compliance have followed to counter the increased threat. IS will work to increase protection of Penn State’s research and intellectual property.

Objective 2.1 Securing Research Awareness and Training

Objective Description: IS will work to create effective cyber and privacy awareness and training opportunities specific to the research community.
Objective Years: 2021-2022
Start Date: 06/2020
Target Completion Date: December 2021
Objective Mapping: OP1, D13, CO4

Objective 2.2 Integrate into risk-based strategy

Objective Description: Penn State leverages a risk-based approach for information security. This approach classifies data according to risk and then matches security and privacy controls to that classification. Improvements will be made to identify research and intellectual property and classify them accordingly to make sure that protections are aligned with risk. IS will work with research stakeholders from across Penn State to identify under-protected research and intellectual property and ensure appropriate security.
Objective Years:
Start Date: 10/2021
Target Completion Date:
Objective Mapping: OP2

Objective 2.3 Support Compliance

Objective Description: Regulatory and contractual security/privacy requirements have increased as cyber threats evolve. Anticipation of these requirements and the adaptability of their implementation will be key to Penn State operating in a manner that remains agile and responsive to the industries it supports. Developing secure research computing enclaves that isolate research systems using sensitive data will be an expected trend. The DoD’s CMMC (Cybersecurity Maturity Model Certification) serves as an example.

IS will work to align aspects of its security program to pivot toward anticipated security and privacy legislative and contractual compliance requirements.

Objective Years:
Start Date: Spring 2021
Target Completion Date:
Objective Mapping: OP2, DI3

Goal 3: Improve Identity and Access Management (IAM)

Goal Description: Improving identity and access management capabilities will be key for the university as it looks for agility and adaptability while adopting modern technologies. IS will lead Penn State colleges, campuses, and administrative areas in the strategic consolidation and convergence of Penn State’s identity systems to improve security and user experience.

Objective 3.1 Unify Authentication and Authorization

Objective Description: Penn State currently relies on numerous independent authentication systems to control everything from virtual to physical access. These systems lack the interconnectivity needed to quickly and accurately provision or change access for employees and students. They also lack the ability to remove access in a timely fashion that ensures adequate protection for Penn State systems, data, and facilities. This increases risk to the university, as numerous systems grant and remove access independently of consistent processes, quality control efforts, and university-wide insight.

IS will converge aspects of physical and digital identities to take advantage of modern technology capabilities when granting virtual and physical access.

Objective Years: 2020-2024
Start Date:
Target Completion Date:
Objective Mapping: OP1, IS4, F6

Objective 3.2 Modernize IAM

Objective Description: Many of Penn State’s legacy authentication and authorization systems do not meet the university’s security needs, provide a poor user experience, and do not integrate well with modern systems. IS will lead an effort that replaces legacy IAM infrastructure with systems that meet modern industry standards and seeks to improve business practices that improve user experience while meeting current security requirements.

Objective Years: 2020-2024
Start Date:
Target Completion Date: 06/2022
KPIs: Sunsetting of legacy systems, savings recognized through efficiencies gained
Objective Mapping: OP1, D13, IS4, D1

Goal 4: Implement a Culture of Information Security

Goal Description: Successful information security programs rely on the alignment of people, processes, and technology. Implementing a culture of information security will help align stakeholders across the university, which will reduce risk and improve the security of its information systems.

Objective 4.1 Improve Information Security Fundamentals

Objective Description: The tempo of emerging cyber threats and the tools and techniques to counter them challenge even the most skilled technologist. Competing work priorities can distract unit IT staff from developing the skills needed to defend Penn State systems against cyber-attacks. IS will identify and provide role-based training opportunities in information security skills for Penn State’s information technology professionals.

Objective Years: 2022-2025
Start Date: 01/2022
Target Completion Date: 06/2024
Objective Mapping: CO1, DI3, IS3

Objective 4.2 Strengthen Diversity, Equity, Inclusion Efforts

Objective Description: Seek to incorporate values of diversity, equity, and inclusion into Penn State’s Information Security and the information security community it leads.
Objective Years:
Start Date: 01-2021
Target Completion Date:
Objective Mapping: F3

Objective 4.3 Improve Communication and Awareness

Objective Description: Create and deliver effective communication programs that recognize the diversity of Penn State’s stakeholder areas of academia, administration, and research to raise cyber awareness.
Objective Years: 2021-2022
Start Date: 03-2021
Target Completion Date: 10-2022
Objective Mapping: OP1, CO3

Objective 4.4 Create Opportunities for Students

Objective Description: Create opportunities to provide operational cyber security experience for Penn State students. Seek to develop engaging internship opportunities.
Objective Years:
Start Date: 06-2021
Target Completion Date:
KPIs: Hire 2 interns per year for each team, present to classes, market opportunities
Objective Mapping: F2, TE4

Mapping Guide

This mapping guide is a reference for connecting Unit plans to the University plan components. More details for each component can be found in the full university plan at: https://strategicplan.psu.edu

Foundations:

Code   Foundation
F1     Enabling Access to Education
F2     Engaging Our Students
F3     Advancing Inclusion, Equity, and Diversity
F4     Enhancing Global Engagement
F5     Driving Economic Development
F6     Ensuring a Sustainable Future
F0     No Foundation Connection