Maturing the campus security posture with CIS
Virginia Tech (VT) is a public land-grant research university with its main campus in Blacksburg, Virginia. It also has educational facilities in six regions statewide, a research center in Punta Cana, Dominican Republic, and a study-abroad site in Riva San Vitale, Switzerland. VT offers 280 undergraduate and graduate degree programs to some 37,000 students.
“At VT, we conduct IT risk assessments via gap analysis,” says Ryan Orren, IT Compliance Manager at VT. The Center for Internet Security (CIS) Controls framework is central to VT’s process.
Until recently, VT relied on a document-based self-assessment process under which CIS control self-assessments were manually completed by departments and submitted to the Information Technology Security Office (ITSO) once every three years.
While this was a valuable exercise for the departments, “capturing those dependencies throughout the distributed enterprise in a document-based approach was very cumbersome…and rarely did it provide limited actionable data and intelligence to the ITSO for trying to manage or even understand where there were gaps in the adoption level of CIS controls across the campus,” says Ryan.
The document-based process meant that inventory data quickly became outdated, that there was limited ability to track and report on “high-risk” assets and gaps in controls, and that cross-departmental dependencies were difficult to capture accurately.
With a manual process, the VT ITSO was limited by the FTE resources it had available to conduct, manage, and analyze self-assessments across the campus. They needed an automated solution that could help them streamline their CIS self-assessment process, improve the reliability of their data, and produce meaningful gap analysis reports and dashboards.
The VT ITSO found that Isora GRC from SaltyCloud was an ideal solution to help them eliminate their manual process and mature their security posture at scale.
- The preloaded CIS controls questionnaire allowed the VT ITSO to get started out of the box.
- The questionnaire builder gave the VT ITSO the flexibility to customize their questionnaires, allowing them to add and exclude questions as needed.
- The assessment engine made it possible to quickly launch and manage surveys across any number of people, units, and inventory.
- The inventory management module gave the VT ITSO the ability to keep track of a reliable inventory of VT-developed applications.
- The in-app dashboards gave the VT ITSO immediate access to gap analysis reports across specific units and comparison reports across their campus.
Since deploying Isora GRC from SaltyCloud in 2020, the VT ITSO has seen several positive outcomes:
- It enabled consecutive yearly CIS self-assessments.
- They matured critical areas of their campus from CIS Implementation Group 1 (IG1) to IG2 to IG3.
- It provided senior leadership with powerful reports on the campus security posture.
- It saved their team hundreds of valuable FTE hours.