Cornell holds 2-Day IT Security Summit
by Liz Field, IT@Cornell Communications
Cornell Information Technologies and the IT Security Office (ITSO) held an IT Security Summit on June 28 and June 29 at the Statler Hotel. Driven by the University Risk Council’s identification of cybersecurity and data protection as top threats facing Cornell, the summit brought together campus IT directors and service managers from central IT and all of the colleges and units, the University Audit Office, college business officers, central HR, and college financial officers to discuss and work on a draft of Cornell’s Written Information Security Program (WISP).
The goals of the conference were to:
- Compare the Cornell information security program to our Ivy League peers.
- Establish a common understanding of the current security landscape at Cornell.
- Identify and prioritize information security risks and establish 3-5 efforts all units will undertake next year to mitigate them.
Guest panelists included: Joel Rosenblatt from Columbia University; Harry Hoffman from Harvard University; Paul Herrmann, Christine Brisson, and Scott Schafer from the University of Pennsylvania; and John Ruffing, Brian Tschinkel, and Tom McMahon from Weill Cornell Medical College.
The summit consisted of open discussions, panels, and a working session in which campus IT groups ranked their security risks. Discussions centered on best practices for protecting university assets, data, and computing environments while supporting the university’s educational and research mission.
The WISP gives campus leadership, IT directors, and service managers information on the current threat landscape, the ITSO, appropriate governance and oversight of IT assets and resources, and best security practices. The WISP is intended to be a living document, and participants from the summit will be invited to submit comments on it during the month of July.
The ITSO will also help units develop their own security programs and WISP documents. ITSO will create a unit-level WISP template and make it available to IT Directors and Security Liaisons by July 31. The units will then have 3-4 months to complete the unit-level WISP.
The ITSO will also work concurrently on a plan for addressing the prioritized risks identified at the summit and on methods to track progress, and will develop a communication and outreach plan as part of overall IT security and outreach efforts.
Every year, IT units on campus will be expected to identify and prioritize potential risks, and to submit updates to the WISP, with an external review every three years.