Cybersecurity has become one of the hot topics in the state and national discourse and is the responsibility of all University administrators of information technology, particularly those responsible for sensitive data. Governor Bryant recently signed House Bill 999, codified as Miss. Code Ann. § 25-53-201 (2017), which establishes an enterprise security program for entities of the State of Mississippi to ensure the protection of data gathered by these entities. The University is also subject to federal regulatory schemes such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accounting Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA). Although each of these laws has its own cybersecurity standards, there are common requirements such as the protection of sensitive data on servers.
After a review of our procedures, effective immediately the Office of Information Technology (OIT) will implement a new procedure for departmental servers containing sensitive data pursuant to the University Information Confidentiality/Security Policy.
- OIT recently licensed server monitoring software, Tenable Nessus Agent, which will be installed without charge on all departmental servers registered in the Campus Server Registry as hosting sensitive data. This software collects vulnerability, compliance and system data and reports the information back to OIT. No sensitive data is collected or sent to OIT.
- OIT will also run periodic Nessus scans to detect cybersecurity vulnerabilities.
- In addition, the Information Confidentiality/Security Policy will be modified to require a triennial departmental risk assessment according to National Institute of Standards and Technology (NIST) Special Publications 800-30 and 800-171. A template will be provided.
- Department heads and server administrators will be advised of any vulnerabilities or non-compliance with federal standards.
- OIT security and technical staff will establish a deadline for remediation depending on severity and will assist in bringing the server into compliance.
- In the unlikely event that a server cannot be brought into compliance by the deadline, the server will be completely quarantined from the campus network until brought into compliance to avoid a data breach.
Our desire is to implement this new procedure with as little impact as possible and still meet the applicable state and federal cybersecurity standards. OIT staff will be in touch with departmental server administrators to start the process. Your cooperation is greatly appreciated. Please direct any questions or concerns to Mike Hall, Information Technology Security Coordinator, mikeh@olemiss.edu, Tel: 662-915-5217.
Tags: infosec, IT Security