
Page 1: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

BAKER TILLY AND ACUA WEBINAR

How to perform a National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Assessment in Seven Easy Steps

November 18, 2021

The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Tax information, if any, contained in this communication was not intended or written to be used by any person for the purpose of avoiding penalties, nor should such information be construed as an opinion upon which any person may rely. The intended recipients of this communication and any attachments are not subject to any limitation on the disclosure of the tax treatment or tax structure of any transaction or matter that is the subject of this communication and any attachments. Baker Tilly Virchow Krause, LLP trading as Baker Tilly is a member of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. © 2021 Baker Tilly US, LLP

SPONSORED BY:

Page 2: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

ACUA Virtual Learning Director: Lisa Gendusa, CIA, CFE, Internal Auditor, Texas State University System

ACUA Virtual Learning Volunteer: Jeremy Lynch, CIA, Sr. Internal Auditor, University of Missouri System

▪ Don’t forget to connect with us on social media!

Page 3: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

INTRODUCTION: Meet the presenters

Jimmy Edmundson, Manager, Baker Tilly, [email protected]

Rosa Lara, Chief Information Officer, Pennsylvania State System of Higher Education, [email protected]

Meghan Senseney, Manager, Baker Tilly, [email protected]

Page 4: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

INTRODUCTION: Agenda

– Introductions

– Webinar objectives

– Pennsylvania’s State System of Higher Education background

– NIST CSF background

– Seven easy steps

Page 5: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

BACKGROUND: Webinar objectives

In this webinar, participants will learn:

1. Specialized information technology (IT) and cybersecurity risks prevalent in higher education

2. How to execute a NIST CSF assessment

3. Tips for articulating the value of these assessments to their campus colleagues

Page 6: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

PA State System Background

Page 7: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Pennsylvania State System of Higher Education

– State agency of the Commonwealth of Pennsylvania that oversees 14 state-owned colleges and universities

– Largest provider of higher education in the Commonwealth of Pennsylvania

– 43rd largest university system in the world

Page 8: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

POLLING QUESTION: Question #1

How familiar are you with NIST CSF?

A. Very familiar

B. Somewhat familiar

C. I have heard of it before in passing

D. I have never heard of NIST CSF before

Page 9: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Common higher education IT/cybersecurity risks

Page 10: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Common higher education IT/cybersecurity risks

Each IT risk area is listed with its definition:

Information Security and Privacy: The policies, practices, and tools implemented on the University’s systems and data to maintain confidentiality of information, specifically sensitive data about students, faculty, staff, donors, alumni, and research activities.

Data Management: The processes and software implemented to manage, analyze, and report on data used to operate and manage the University, as well as report to external entities.

IT Governance: The processes and structure for planning, implementing, communicating, and monitoring IT strategy to meet the University’s mission and goals.

People Resources: The personnel resources, both employed and contracted, that provide IT services to various constituencies within and outside of the University.

Enterprise Applications: The process of implementing new, upgrading existing, and maintaining enterprise applications.

Funding: The monetary resources allocated to acquire, maintain, and retain the people and technology resources required to operate and manage University systems.

Device Management: The policies, practices, and tools implemented to manage, track, and secure University and personally owned laptops, desktops, phones, and tablets that collect, process, or store University data.

Project Management: The processes and tools implemented for planning, managing, and reporting on IT projects to ensure a successful outcome.

Academic Computing: The practices and tools implemented to support academic computing.

Identity and Access Management: The processes in place to facilitate access to University resources. The identity is created through business processes, policies, data governance, and supporting technologies.

IT Systems Administration: The policies, practices, and tools implemented to plan, implement, operate, change, and monitor University networks, applications, databases, and servers.

System Availability: The policies, practices, and tools implemented for maintaining the availability of systems during or after impactful events.

Application Development: The processes and tools used to acquire, build, test, and maintain software applications.

Research Computing: The practices and tools implemented to support research computing.

Physical and Environmental Controls: The policies, practices, and tools used to maintain the security of and environmental protections for physical spaces containing computing resources (e.g., data center facilities).

Page 11: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

NIST CSF introduction

Page 12: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

NIST Cybersecurity Framework (CSF)

Page 13: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

POLLING QUESTION: Question #2

Has a cybersecurity assessment ever been performed at your institution?

A. Yes

B. No

C. I don’t know

Page 14: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Seven easy steps of NIST CSF assessment

Page 15: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

SEVEN EASY STEPS OF NIST CSF ASSESSMENT: Overview of the steps

1. Planning

2. Survey

3. Working sessions

4. Assessing cybersecurity risks

5. Assessing NIST CSF maturity

6. Validation with stakeholders

7. Reporting

Page 16: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Step 1: Planning

The goal of planning activities is to establish a road map and direction for performing the assessment.

Planning activities to be conducted at the start of the assessment include:

– Conducting a project kick-off meeting with key stakeholders to validate the scope and approach and determine the end deliverable format

– Establishing dates and protocols for each major milestone of the assessment (e.g., the survey, working sessions, reporting)

– Identifying key personnel to participate in the assessment

Page 17: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Step 1: Planning (NIST CSF functions and their categories)

Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management

Protect: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology

Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes

Respond: Response Planning; Communications; Analysis; Mitigation; Improvements

Recover: Recovery Planning; Improvements; Communications

Page 18: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Step 2: Survey

Purpose: gather background information prior to the initial discussion interviews to help you prepare for and conduct the interviews effectively.

– Surveys should be a maximum of ~40 questions and include dynamic/open-ended follow-up questions

– Surveys should be provided with a hard due date/deadline for completion

– Institutions should spend no more than a few hours completing the survey

– If the entity does not know how to respond, offer options to select such as “I don’t know” or “Unsure”

Page 19: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Step 3: Working sessions

The purpose of working sessions is to validate and expand upon the initial survey results. The number of working sessions and the length of each session will be determined by the institution itself.

Topics to be covered in each working session:

– Introductions and a recap of the assessment background and objectives

– Validation and expansion upon the provided survey results

– NIST CSF structured discussion

Page 20: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Step 3: Working sessions (sample structured discussion questions)

Function: 2. Protect

Risk category: Access Control

– How are credentials managed for authorized devices and users?

– How is physical access to assets managed?

– How is remote access to assets managed?

– How are access permissions managed to minimize privileges and separate duties?

– How is network integrity maintained, including segmentation?

Risk category: Awareness and Training

– How are users informed and trained on their information security roles and responsibilities, including privileged users, third parties, and leadership?

– How well do security professionals understand their roles and responsibilities?

Risk category: Data Security

– How is data protected "at rest" on systems, "in transit" when transferred, and during disposition?

– How is adequate capacity maintained to ensure availability?

– How are data loss prevention protections employed?

– How are integrity checking mechanisms used?

– How are development, testing, and production environments segmented?

Risk category: Information Protection Processes and Procedures

– How is the baseline configuration for systems created and maintained?

– How are information security practices incorporated into human resources processes (such as recruiting, hiring, on-boarding, evaluation, and off-boarding)?

– How was the vulnerability management plan developed and implemented?

– What systems development lifecycle method is implemented?

– What configuration change control processes are implemented?

– How are backups of information conducted, maintained, and tested?

– What are the requirements for the physical environment of systems?

– How is data destroyed, and does this follow policy?

– How are protection processes continuously improved?

– How is the effectiveness of protection technologies communicated to leadership?

– How are incident and disaster recovery plans created, managed, and tested, and how are you involved in response activities?

Page 21: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

POLLING QUESTION: Question #3

What areas of performing a NIST CSF maturity assessment at your institution present the most challenges?

A. Lack of understanding from board/audit committee

B. Lack of IT/cybersecurity knowledge in internal audit

C. Push back from IT/information security

D. Other/I don’t know

Page 22: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Step 4: Assessing cybersecurity risks

– Analyze cybersecurity processes and synthesize IT risks noted via working sessions

– Determine the potential likelihood and impact of the IT risks based on the survey and working sessions

– Document an inventory of IT risks prioritized by likelihood and impact

– Analyze and review survey results

Page 23: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Step 5: Assessing NIST CSF maturity

Chart: current state maturity level compared with the recommended or desired maturity level (chart not reproduced in the text).

Page 24: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Step 5: Assessing NIST CSF maturity

Based on the results of the surveys and working sessions, determine the maturity of the NIST CSF categories and overall functions based on the CMMI maturity ratings below:

Page 25: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

POLLING QUESTION: Question #4

Do you believe your institution would benefit from a NIST CSF maturity assessment?

A. Yes

B. No

C. I’m not sure

Page 26: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Step 6: Validation with stakeholders

A meeting with key stakeholders should be held that includes the following discussion areas:

– Project status recap

– Initial draft results of the NIST CSF maturity assessment, including an assessment of cybersecurity risks (likelihood and impact)

– Address/vet any questions and additional follow-ups

Page 27: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Step 7: Reporting

After validation, the results of the assessment should be documented. Consider the following when reporting on the final results:

– Include a summary assessment with both the NIST CSF maturity ratings and the prioritized cybersecurity risk inventory

– Include a heat map of IT risks to identify and prioritize IT risks

– Offer recommendations that would help the institution advance its maturity further

– Point to advisable areas that would benefit from subsequent technical reviews or “deep dives” and audits
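The scoring behind steps 4, 5 and 7 above, as an added Python example that is not part of the webinar: it ranks an IT risk inventory by likelihood times impact, buckets each risk into a heat map cell, and rolls category maturity ratings up to the five CSF functions against a desired level. The 1-5 scales, the heat map thresholds and the sample risks and ratings are assumptions constructed for illustration; the function and category names are the NIST CSF ones on the Step 1 slide.

```python
"""Added example, not from the webinar: a minimal model of steps 4, 5 and 7.
The 1-5 scales, heat map thresholds, sample risks and maturity ratings are
assumptions constructed for illustration."""

# NIST CSF functions and their categories, as listed on the Step 1 slide.
CSF_FUNCTIONS = {
    "Identify": ["Asset Management", "Business Environment", "Governance",
                 "Risk Assessment", "Risk Management Strategy",
                 "Supply Chain Risk Management"],
    "Protect": ["Identity Management and Access Control",
                "Awareness and Training", "Data Security",
                "Information Protection Processes and Procedures",
                "Maintenance", "Protective Technology"],
    "Detect": ["Anomalies and Events", "Security Continuous Monitoring",
               "Detection Processes"],
    "Respond": ["Response Planning", "Communications", "Analysis",
                "Mitigation", "Improvements"],
    "Recover": ["Recovery Planning", "Improvements", "Communications"],
}


def score_risks(risks):
    """Step 4: risks are (name, likelihood, impact) on assumed 1-5 scales.
    Returns (name, likelihood, impact, score) sorted highest score first;
    ties go to the higher impact, then alphabetical, so the order is stable."""
    for name, likelihood, impact in risks:
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError(f"{name}: likelihood and impact must be 1..5")
    scored = [(n, l, i, l * i) for n, l, i in risks]
    return sorted(scored, key=lambda r: (-r[3], -r[2], r[0]))


def heat_map_bucket(score):
    """Step 7 heat map cell for a likelihood x impact product (1..25);
    the thresholds are an assumption, not the webinar's."""
    if score >= 15:
        return "High"
    return "Medium" if score >= 8 else "Low"


def function_maturity(category_ratings, desired):
    """Step 5: roll category ratings (assumed 1-5 CMMI-style scale) up to
    each CSF function as a mean and report the gap to the desired level.
    Ratings are keyed by (function, category) because 'Improvements' and
    'Communications' appear under both Respond and Recover."""
    report = {}
    for func, categories in CSF_FUNCTIONS.items():
        rated = [category_ratings[(func, c)] for c in categories
                 if (func, c) in category_ratings]
        unrated = [c for c in categories if (func, c) not in category_ratings]
        current = round(sum(rated) / len(rated), 2) if rated else None
        gap = round(desired[func] - current, 2) if current is not None else None
        report[func] = {"current": current, "desired": desired[func],
                        "gap": gap, "unrated": unrated}
    return report
```

Functions with no rated categories come back with a current level of None rather than a misleading zero, and the unrated list tells the assessor which categories the working sessions still need to cover.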

Page 28: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Tips for articulating the value of these assessments

Page 29: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Value of NIST CSF assessments

There are many reasons why a cybersecurity assessment is valuable for higher education institutions. Consider specifically articulating the following to campus stakeholders:

– Can help the institution prioritize cybersecurity risks and pinpoint where investments should be made

– In decentralized environments, assessments can help show where certain centralized services and/or processes can benefit the institution (or system)

– Provides leadership with a holistic picture of cybersecurity maturity they may have never seen before

– Helps internal audit and IT/information security determine where effort and resources should be spent

Page 30: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Questions?

Page 31: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

THANK YOU! Connect with us

Jimmy Edmundson: [email protected]

Rosa Lara: [email protected]

Meghan Senseney: [email protected]

Page 32: BAKER TILLY AND ACUA WEBINAR How to perform a National ...
Page 33: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

ACUA Kick Starters: Use a Kick Starter to launch your next audit!

• Developed by ACUA members with subject matter expertise

• Focused on higher education specific topics

https://acua.org/Audit-Tools/ACUA-Kick-Starters

Do you have a great idea for an ACUA Kick Starter? Contact John Winn at [email protected].

Page 34: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

New Kick Starter Available! Control of Hazardous Energy: Lock Out Tag Out

Download today in the members-only Audit Tools section of www.ACUA.org

Page 35: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Next Kick Starter Release is Dec. 15th! FERPA

Will be available in the members-only Audit Tools section of www.ACUA.org

Page 36: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

ACUA Mentorship Program

• Mentorship is a proven method to help colleagues feel supported, drive workplace satisfaction, and foster member engagement in higher ed auditing.

• The program is no longer focused on only small audit shops! The program has been expanded to be more inclusive of all types of shops.

• The program is only a one-year commitment, but we encourage the mentorship to continue even after one year.

• Consider signing up! Watch for registration deadlines to be communicated via email. For more information, go to https://acua.org/Member-Resources/Mentorship-Program

Page 37: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Stay Updated

• The College and University Auditor is ACUA's official journal. Current and past issues are posted on the ACUA website.

• News relevant to Higher Ed internal audit is posted on the front page. Articles are also archived for your reference under Resources/ACUA News.

Connect with Colleagues

• Subscribe to one or more Forums on Connect ACUA to obtain feedback and share your insights on topics of concern to higher education internal auditors.

• Search the Membership Directory to connect with your peers.

• Share, Like, Tweet & Connect on social media.

Get Involved

• The latest Volunteer openings are posted on the front page of the website.

• Visit the listing of Committee Chairs to learn about the various areas where you might participate.

• Nominate one of your colleagues for an ACUA annual award.

• Submit a conference proposal.

• Present a webinar.

• Become a Mentor.

• Write an article for the C&U Auditor.

• Write a Kick Starter.

Solve Problems

• Discounts and special offers from ACUA's Strategic Partners

• Kick Starters

• Risk Dictionary

• Mentorship Program

• NCAA Guides

• Resource Library

• Internal Audit Awareness Tools

• Governmental Affairs Updates

• Survey Results

• Career Center ... and much more.

Get Educated

• Take advantage of the several FREE webinars held throughout the year.

• Attend one of our upcoming conferences:

Audit Interactive, March 27 – 30, 2022, Raleigh, NC

AuditCon, September 11 – 15, 2022, Las Vegas, NV

• Contact ACUA Faculty for training needs. www.ACUA.org

Page 38: BAKER TILLY AND ACUA WEBINAR How to perform a National ...
Page 39: BAKER TILLY AND ACUA WEBINAR How to perform a National ...

Upcoming ACUA Events

Audit Interactive

March 27 – 30, 2022