Initial Assessment:  Assessments conducted in each of the past three years, including four (4) external assessments, have identified a need for increased scrutiny of the district network and data security posture.  The District takes information security seriously and has a mature Information Security Officer (ISO) organization providing oversight and security vulnerability monitoring and remediation direction.  Currently, the district network architecture standards appear to be inconsistent with network security best practices. The current district firewall infrastructure does not meet industry standard minimum requirements for enterprise-grade and purpose-built security appliance firewalls.  Additionally, gaps in network access control (wired and wireless networking) and in the use of data loss prevention tools affect the district security posture.  Finally, successful phishing and successful spear-phishing attempts at accessing district network resources are clear indicators of a need for additional end-user security awareness training.

Plans:

  1. Complete a district-wide full IT security audit to identify risks to and vulnerabilities in network architecture and implementation, data acquisition and management, data storage and disposal, and user account creation and management.
    1. Lead(s): DOIT Technical Services with district ISOs
    2. Funding Resources: One-time Program Development Funds (contracted services)
    3. College and District Roles: DOIT and college IT will provide full disclosure in response to audit requests at each level of the audit, which may include: network access control procedures (both wired and wireless – from activation to termination), district and college network architecture, network security architecture from physical security to application security, sensitive data handling procedures, data management and storage procedures, and data disposal.
  2. Prioritize and identify resources to complete network security remediation projects identified in external assessments of district firewall architecture, internet architecture, network core architecture, and technology environment conducted in 2014, 2015, and 2016.
    1. Lead(s): DOIT Technical Services with district and college information security officers (ISOs)
    2. Funding Resources: One-time and on-going operational Program Development Funds
    3. College and District Roles: Network architecture, network equipment and business practices affecting the access to and use of network services will be affected by network security remediation efforts. DOIT and college IT, in collaboration with network users at each college, will identify, schedule and implement necessary security enhancements.
  3. Review the process for creating, granting, and terminating user account access to data through security permissions and identify opportunities to improve control over access to sensitive data in all environments that handle sensitive data.
    1. Lead(s): District and college ISOs with DOIT (All Service Units)
    2. Funding Resources: Current staff
    3. College and District Roles:  District and college ISOs will review current data security processes at their respective sites and collectively analyze the results.
  4. Identify and implement network security management standards, visibility and notification tools, data loss prevention tools, and secure environment virtualization solutions dedicated to improving the LRCCD security posture.
    1. Lead(s): DOIT (All Service Units)
    2. Funding Resources: On-going operational Program Development Funds
    3. College and District Roles: District and college ISOs will use the results of the security review to identify needed improvements and work together as appropriate to implement new security standards and tools.
  5. Expand security awareness training
    1. Lead(s): District and college ISOs
    2. Funding Resources: Current staff
    3. College and District Roles: District and college ISOs will annually review and, as necessary, update security awareness training content. In collaboration with Human Resources, information security awareness training will be required of all new employees, and periodic updated/refresher training will be required of all permanent employees as appropriate to their job requirements.

Indicators of Success:

  1. DOIT actively monitors and regularly reports network security activities comparing current security posture to baseline security guidelines.
  2. Each college actively monitors and regularly reports college network security activities including account access and security group membership changes.
  3. All colleges and outreach centers have appropriate enterprise-grade, purpose-built firewall appliances from a single scalable product line of current products. All production firewall equipment is under a current 24X7X365 maintenance and support contract and is managed through consistent and highly scalable management and reporting consoles.
  4. Successful attacks upon the district-wide network, including phishing and spear-phishing attacks, are extremely rare and have an extremely limited attack posture.