Elevate Minimum Security Controls to CIS IG2

This project aims to elevate the cybersecurity posture of the Virginia Tech IT Enterprise by implementing the Center for Internet Security’s (CIS) Critical Security Controls version 8, to include all safeguards identified in Implementation Group 2 (IG2), for university units, systems, and/or applications that handle “moderate” or “high” risk data as defined by the Virginia Tech Risk Classification Standard.

The CIS "Critical Security Controls" started as a project to identify the most common cyber-attacks present in today’s internet and to create a set of defensive steps for organizations to implement to help secure their data and systems. Implementation Groups (IGs) were introduced in version 8 of the CIS Critical Security Controls and are essentially self-assessed categories for enterprises. They provide recommended guidance to prioritize implementation of the CIS Controls. There are three IGs and each one identifies a subset of the CIS Controls that can be applied to an enterprise with similar risk profiles and the resources to implement them. There are 153 total safeguards in CIS Controls v8, with IG2 comprising 130 of those safeguards. IG2 is designed for an enterprise of multiple departments with differing risk profiles and this is typical of the IT environment at Virginia Tech. 

The project is organized into three phases with several key target dates as follows: 

Phase I

March 3, 2023*: All university organizational units complete the inventory and risk classification steps in the IT Security Office’s IT Risk Assessment (ITRA) process using Isora GRC.

May 5, 2023*: Deadline for units to complete the 2023 CIS v8 IG2 assessment in Isora GRC; including both final verification of asset risk classification/data categorizations and the CIS v8 IG2 survey. 

Phase II

June 30, 2024: Deadline for units to draft implementation plans to address gaps discovered in the Phase 1 assessment/analysis. Reminder: most IG2 safeguards will be required for resources classified as “high” or “moderate” risk. 

Phase III  

June 30, 2025: Deadline for all organizational units to complete the actions required by their plan of action (implementation plan) and are compliant with the CIS v8 IG2 safeguards applicable to their unit. Reminder: most IG2 safeguards will be required for resources classified as “high” or “moderate” risk.

* Phase I deadlines were expedited by senior leadership from their original dates.

Yes. University Policy no. 7010 – Policy for Securing Technology Resources and Services requires university departments and individual users to adhere to the Minimum Security Standards maintained by the IT Security Office, and stipulates that university departments must regularly analyze risks for their technology assets using the Virginia Tech IT Risk Assessment process (https: //security.vt.edu/policies/itra.html).  

The Minimum Security Standards will be undergoing a significant revision as a part of this project to reflect the university's alignment with CIS v8 IG2, and thus departments will need to demonstrate compliance with the new standard and the IG2 safeguards applicable to their unit by the June 30, 2025 deadline.

IT Risk Assessments are currently completed using the Isora GRC tool from SaltyCloud, administered by the IT Security Office. ITRAs are scoped to university organizations, and the assessment consists of three general steps:  

1. Inventory - The unit inventories its IT systems (endpoints, servers, network devices, etc.) and any applications developed in-house (if applicable).
   
2. Risk Classification - The unit identifies the risk classification for each asset in the inventory using the Virginia Tech Risk Classification Standard; and for any high-risk assets will also identify the applicable data types handled by the asset.
   
3. Survey - The unit completes a survey questionnaire based on the CIS v8 IG2 safeguards. These survey questions are scoped, in various ways, to a unit’s data, technology resources (physical, virtual, cloud), software applications, network infrastructure, and processes.
   
   Please review the Isora GRC Assessment Guide for more details on the processes involved. 

An “Org Unit” (OU) in Isora GRC is defined by the IT Risk Assessment team and may represent a single university department or organization (represented by a management, department, or org code from Banner) or an entire senior management area or college (“S” codes from Banner), depending on how IT is managed by the unit(s). Isora GRC structures orgs in a parent-child hierarchy, and so, as long as org units roll up to the correct senior management area or college then there is some flexibility in how OUs are defined. Typically, each OU enrolled will complete a separate IT Risk Assessment for their Org Unit. Your organizational structure will be determined when you meet with the IT Security Office to be enrolled in the assessment, and the structure can be adjusted as needed based on organizational changes.

Many university units or departments build custom software applications that vary widely in their complexity, scope, criticality, function, and ability to interface or integrate with other VT systems and data at all risk levels. Essentially, a software application is a computer software package that performs a specific function directly for an end user or, in some cases, for another application. Applications can be self-contained or can include a group of programs, are often network-accessible (e.g. web apps) and can perform anything from basic functions specific to your unit up to supporting a complex/critical university enterprise process. If your unit(s) build and maintain software applications, then these applications should be inventoried and classified in Isora GRC and you should answer the applicable questions on the CIS v8 IG2 assessment survey. For units that do not develop software applications, this part of the survey will not apply.