Information Security Standards Update
During calendar year 2022, all 30 Illinois IT Security Standards will be reviewed and updated as necessary to remain in compliance with the university’s industry-standard security controls framework from the National Institute of Standards and Technology (NIST) listed in their publication 800-53. A little over a year ago, NIST issued a new revision to the framework and the review will attempt to take changes in that document into account.
The updates have a new document format that make them more readable. You may already know that there are three levels of system risk: Low, Medium, and High, each with its own security controls. Within each security control in the standard there is a table to indicate which risk level(s) that control applies to. Perhaps most useful is a clickable Table of Contents to assist in finding the specific controls you are looking for.
In January 2022, reviews were completed and updates approved by the university, for:
- IT01 – Disaster Recovery (https://go.illinois.edu/secstd-IT01)
- IT02 – Infrastructure Security (https://go.illinois.edu/secstd-IT02)
- IT06 – Malicious Software Protection (https://go.illinois.edu/secstd-IT06)
There are very few substantive changes in IT01 and IT02, other than the term “Priority System” (which caused confusion since it was a separate designation for a system without a clear definition) has been changed to “High risk system”. There is a registration requirement as well as enhanced security requirements that applied to “Priority Systems” in the earlier standards. That term is being phased out in favor of referring to systems that fall into the High risk category. A system can fall into that category by either involving High Risk data (e.g., SSN, health, Driver’s License #), or by involving Sensitive data (e.g., student data) with a high criticality score for the business process the system serves.
IT06 Malware Protection has changed more significantly, now requiring a centrally managed anti-malware solution that provides extended detection and response capabilities (EDR/XDR) fr all system. Systems with Crowdstrike installed meet this standard.
About the Illinois Cybersecurity Program
The Information Technology Security Policy (INFOSEC) establishes high-level information security requirements. The INFOSEC provides the mandate for the Security Program. It establishes the overall intent of the university to support and promote information security in all its practices.
The Information Security Standards define 30 risk areas for the university. Each risk area includes a security objective. Risk areas are used to organize, measure, and manage risk levels consistently across the university. These standards are built around data classification. Some of these standards are intended to be implemented by IT professionals and others place requirements on business units. The standards take their mandate from the Information Technology Security Policy.
The Information Security Controls provide implementation information for each standard at various risk levels. The controls could be interpreted as a “how-to” version of the standards.Aa coding scheme makes it easy to cross-reference between the documents. To better guide prioritization efforts, the detailed controls are specified according to the level of data being protected, as defined by the Data Management Policy.
We will continue to develop job aids in the form of documentation (procedures, checklists, templates) and software tools to support implementation of standards and controls.
- Simplified. The program’s standards and framework are a simplified version of the National Institute of Standards and Technology (NIST) Special Publication 800-53 Our standards cover 30 specific risk areas that map back to one or more NIST requirements. NIST was chosen because The Federal Information Security Management ACT (FISMA) designates NIST as the organization responsible for developing standards and guidelines for most federal grants and agencies.
- Unified. Settle the “best practices” question by tying information security requirements to an externally recognized framework of security controls, the NIST standards.
- Prioritized. Standards typically don’t offer a way to prioritize risks. The program specifies three risk levels, making it clear which risk to address first:
- Critical Priority (P1)
- High Priority (P2)
- Medium Priority (P3)
- Shared. The Illinois Information Risk Management Program is built on the premise that information security and risk management is a shared university responsibility, not exclusively an IT responsibility.