Virginia Tech® home

Elevate Minimum Security Controls to CIS IG2

This project will elevate Virginia Tech's minimum security standards to align with the Center for Internet Security’s (CIS) Critical Security Controls version 8, Implementation Group 2 safeguards (CIS v8 IG2).

By elevating university security standards to align with the CIS v8 IG2 safeguards, the institution will be better equipped to prevent, detect, respond to, and recover from cybersecurity incidents which could put the university at risk of financial and/or reputational damage.

Open Roundtable Discussions

As the May 5 due date for finalization of the 2023 CIS v8 IG2 IT Risk Assessments approaches, the project team is hosting two open Zoom roundtable discussions for those who are interested in discussing the survey questions in more depth. The sessions will be recorded, and are scheduled for:

Please note that you will need to be logged into Virginia Tech's Zoom instance in order to join these sessions. The sessions will be recorded, and are available upon request. If you’re unable to attend one of these sessions but have questions that you would like to discuss, please reach out to us; we'd be happy to schedule a 1:1 or small group discussion. Also, please do not hesitate to reach out with any questions via email, Slack, or Teams, or by emailing

Project Team Members:

Project Lead: Randy Marchany, Virginia Tech IT Security Officer

Project Manager: Will Jones, Senior Project Manager, IT Transformation Project Management Office

Team Member: Ryan Orren, Senior IT Compliance Manager

Team Member: Luke Watson, IT Security Risk and Compliance Analyst

Project Steering Committee Members:

Lisa Blackwell, Director of Finance Information Technology and Innovation, Division of Finance

Al Cooper, Executive Director, Business & Management Systems, Division of University Operations

Michael Dean, IT Audit Manager, Office of Audit and Risk Compliance

Scott Farmer, Director of Outreach Information Services, Outreach and International Affairs

Neil Sedlak, Senior Director of Information Technology, Office of Research and Innovation

Ryan Spoon, Director of Information Technology, College of Engineering

Frequently Asked Questions:

This project aims to elevate the cybersecurity posture of the Virginia Tech IT Enterprise by implementing the Center for Internet Security’s (CIS) Critical Security Controls version 8, to include all safeguards identified in Implementation Group 2 (IG2), for university units, systems, and/or applications that handle “moderate” or “high” risk data as defined by the Virginia Tech Risk Classification Standard.

The CIS "Critical Security Controls" started as a project to identify the most common cyber-attacks present in today’s internet and to create a set of defensive steps for organizations to implement to help secure their data and systems. Implementation Groups (IGs) were introduced in version 8 of the CIS Critical Security Controls and are essentially self-assessed categories for enterprises. They provide recommended guidance to prioritize implementation of the CIS Controls. There are three IGs and each one identifies a subset of the CIS Controls that can be applied to an enterprise with similar risk profiles and the resources to implement them. There are 153 total safeguards in CIS Controls v8, with IG2 comprising 130 of those safeguards. IG2 is designed for an enterprise of multiple departments with differing risk profiles and this is typical of the IT environment at Virginia Tech. 

The project is organized into three phases with several key target dates as follows: 

Phase I

March 3, 2023*: All university organizational units complete the inventory and risk classification steps in the IT Security Office’s IT Risk Assessment (ITRA) process using Isora GRC.

May 5, 2023*: Deadline for units to complete the 2023 CIS v8 IG2 assessment in Isora GRC; including both final verification of asset risk classification/data categorizations and the CIS v8 IG2 survey. 

Phase II

June 30, 2024: Deadline for units to draft implementation plans to address gaps discovered in the Phase 1 assessment/analysis. Reminder: most IG2 safeguards will be required for resources classified as “high” or “moderate” risk. 

Phase III  

June 30, 2025: Deadline for all organizational units to complete the actions required by their plan of action (implementation plan) and are compliant with the CIS v8 IG2 safeguards applicable to their unit. Reminder: most IG2 safeguards will be required for resources classified as “high” or “moderate” risk.

* Phase I deadlines were expedited by senior leadership from their original dates.

Yes. University Policy no. 7010 – Policy for Securing Technology Resources and Services requires university departments and individual users to adhere to the Minimum Security Standards maintained by the IT Security Office, and stipulates that university departments must regularly analyze risks for their technology assets using the Virginia Tech IT Risk Assessment process (https: //  

The Minimum Security Standards will be undergoing a significant revision as a part of this project to reflect the university's alignment with CIS v8 IG2, and thus departments will need to demonstrate compliance with the new standard and the IG2 safeguards applicable to their unit by the June 30, 2025 deadline.

IT Risk Assessments are currently completed using the Isora GRC tool from SaltyCloud, administered by the IT Security Office. ITRAs are scoped to university organizations, and the assessment consists of three general steps:  

  1. Inventory - The unit inventories its IT systems (endpoints, servers, network devices, etc.) and any applications developed in-house (if applicable).
  2. Risk Classification - The unit identifies the risk classification for each asset in the inventory using the Virginia Tech Risk Classification Standard; and for any high-risk assets will also identify the applicable data types handled by the asset.
  3. Survey - The unit completes a survey questionnaire based on the CIS v8 IG2 safeguards. These survey questions are scoped, in various ways, to a unit’s data, technology resources (physical, virtual, cloud), software applications, network infrastructure, and processes.

    Please review the Isora GRC Assessment Guide for more details on the processes involved. 

An “Org Unit” (OU) in Isora GRC is defined by the IT Risk Assessment team and may represent a single university department or organization (represented by a management, department, or org code from Banner) or an entire senior management area or college (“S” codes from Banner), depending on how IT is managed by the unit(s). Isora GRC structures orgs in a parent-child hierarchy, and so, as long as org units roll up to the correct senior management area or college then there is some flexibility in how OUs are defined. Typically, each OU enrolled will complete a separate IT Risk Assessment for their Org Unit. Your organizational structure will be determined when you meet with the IT Security Office to be enrolled in the assessment, and the structure can be adjusted as needed based on organizational changes.

Many university units or departments build custom software applications that vary widely in their complexity, scope, criticality, function, and ability to interface or integrate with other VT systems and data at all risk levels. Essentially, a software application is a computer software package that performs a specific function directly for an end user or, in some cases, for another application. Applications can be self-contained or can include a group of programs, are often network-accessible (e.g. web apps) and can perform anything from basic functions specific to your unit up to supporting a complex/critical university enterprise process. If your unit(s) build and maintain software applications, then these applications should be inventoried and classified in Isora GRC and you should answer the applicable questions on the CIS v8 IG2 assessment survey. For units that do not develop software applications, this part of the survey will not apply. 


If you have questions or concerns related to this project that are not covered here, please contact

Back to top ↑

Resources and Documents