Since 2008 two separate and distinct units managed IT Security for the UW-Madison campus: the Office of Campus Information Security (OCIS) and DoIT Security. Effective July 1, 2014, these two organizational groups have been combined and report to the CIO. The newly organized team will implement a risk-based and metrics-driven approach to the information security strategy at UW-Madison that will support on-going improvements and provide the community timely and relevant guidance related to information security issues.
The new department, called UW-Madison IT Security, is organized across four domains:
|Governance, Risk and Compliance||Identify and assess IT security risks. Design and architect security strategy and infrastructure. Establish, monitor and maintain IT policies and security standards, baselines and plans across advisory groups.|
|Threat Management||Pro-actively identify, assess and manage vulnerabilities through testing systems and providing a set of mitigation controls.|
|Incident Monitoring & Reporting||Monitor the network and systems for attacks, respond to incidents and recommend or preform incident remediation.|
|Security Awareness Programs||Create and maintain a portfolio of security awareness efforts for students, staff, faculty and other community groups.
“It’s our goal to be responsive and engaging with all departments and IT units to address and reduce IT security risks,” said Lori McElroy, the new Chief Information Security Office (CISO) and IT Security Director. “We plan to be inclusive though our governance processes and by establishing security controls to address security threats.” McElroy reports to the UW-Madison CIO.
Each of the four domains will have a lead that will coordinate the work efforts and establish consistent processes and frameworks. Governance groups such as the Madison Technical Advisory Group, Madison Information Security Team and the Common Systems Review Group will continue to provide advisory roles to help establish, support and implement the group’s strategy.