IT risk assessment and technical review
A large institution with more than 10,000 students and 2,000 faculty.
Given the number of data breaches in the higher education space, leaders at the university wanted to strengthen its IT and data security to avoid becoming a victim. Through an RFP process, they engaged our team to perform an IT risk assessment to identify security and technology enhancements to minimize the risk. The assessment spanned the entire organization, including multiple schools and administrative departments.
The solutionWe met with key project sponsors, including the IT director, project manager, department heads, and senior staff to gain a deeper understanding of their individual needs and concerns. It was critical to have each university unit represented since the staff held different perspectives on security and IT needs.We then proceeded with a five-week effort to improve the university’s security posture. Those initial conversations led to much enthusiasm and staff engagement during the two-phase project:
- Risk assessment
While using NIST 800 series and ISO 27001 frameworks, we analyzed the environment and conducted interviews with academic department members, business staff, deans, managers, and others to learn what measures and processes were currently in place to protect the network and data — and where vulnerabilities might lie.
- Technical review and simulated hacking
Our team then conducted network security testing to uncover gaps, including a simulated hack and data breach. We reviewed the university’s security infrastructure design, applications and settings, and the wireless environment. We also tested for evidence of, and vulnerability to, social engineering and phishing.
Our team provided a comprehensive report of findings, giving the university’s executive team a detailed understanding of vulnerabilities and risk.
The university gained the information and tools needed to execute a plan to minimize its exposure. The IT department and internal customers gained a fuller appreciation for the need for ongoing work and vigilance to maintain a secure environment. This stronger security awareness led senior management to better allocate resources to remediate gaps identified and to ensure security remains a high priority across campus.