
Elevate Virginia Tech's Minimum Security Standards

This project will elevate Virginia Tech's minimum security standards to align with the Center for Internet Security’s (CIS) Critical Security Controls version 8, Implementation Group 2 safeguards (CIS v8 IG2).

By elevating the university's security standards to align with the CIS v8 IG2 safeguards, Virginia Tech will be better equipped to prevent, detect, respond to, and recover from cybersecurity incidents that could put the university at risk of financial and/or reputational damage.


Project deliverables

Phase 1
The first phase of the project, elevating safeguards to the Center for Internet Security Critical Security Controls version 8 Implementation Group 2 (CIS v8 IG2) standard, is complete. It included the completion of an enterprise IT asset inventory and a risk assessment survey.

Phase 2a
The Information Technology Security Office (ITSO) completed the Division of IT consolidated/collaborative Plan of Actions and Milestones (POAM) by coordinating with other service owners and subject matter experts within the division to identify any projects, remediation tasks, and resources needed to address gaps against CIS v8 IG2 at the enterprise level. ITSO published Procedure Guides for guidance on complying with the controls. 

Phase 2b
The fourth version of the minimum security standard will be released by ITSO. A review of the draft standard is presently underway. Deadline: July 1, 2024

Phase 3
University-wide compliance with version four of the minimum security standard. Deadline: June 30, 2025


Project Team Members:

Project Lead: Randy Marchany, Virginia Tech IT Security Officer

Project Manager: Will Jones, Senior Project Manager, IT Transformation Project Management Office

Team Member: Ryan Orren, Senior IT Compliance Manager

Team Member: Michael Surratt, IT Security Risk and Compliance Analyst


Project Steering Committee Members:

Lisa Blackwell, Director of Finance Information Technology and Innovation, Division of Finance

Al Cooper, Executive Director, Business & Management Systems, Division of University Operations

Michael Dean, IT Audit Manager, Office of Audit and Risk Compliance

Scott Farmer, Director of Outreach Information Services, Outreach and International Affairs

Neil Sedlak, Senior Director of Information Technology, Office of Research and Innovation

Ryan Spoon, Director of Information Technology, College of Engineering


Frequently Asked Questions:

This project aims to elevate the cybersecurity posture of the Virginia Tech IT Enterprise by implementing the Center for Internet Security’s (CIS) Critical Security Controls version 8, to include all safeguards identified in Implementation Group 2 (IG2), for university units, systems, and/or applications that handle “moderate” or “high” risk data as defined by the Virginia Tech Risk Classification Standard.

The CIS "Critical Security Controls" started as a project to identify the most common cyber-attacks seen on today's internet and to create a set of defensive steps that organizations can implement to help secure their data and systems. Implementation Groups (IGs), introduced in version 7.1 of the CIS Controls and carried forward into version 8, are self-assessed categories for enterprises that provide recommended guidance for prioritizing implementation of the CIS Controls. There are three IGs, and each identifies a subset of the CIS Controls that can be applied to enterprises with similar risk profiles and the resources to implement them. There are 153 total safeguards in CIS Controls v8, with IG2 comprising 130 of those safeguards (IG1's 56 plus an additional 74). IG2 is designed for an enterprise with multiple departments of differing risk profiles, which is typical of the IT environment at Virginia Tech.

Yes. University Policy no. 7010 – Policy for Securing Technology Resources and Services requires university departments and individual users to adhere to the Minimum Security Standards maintained by the IT Security Office, and stipulates that university departments must regularly analyze risks for their technology assets using the Virginia Tech IT Risk Assessment process (https://security.vt.edu/policies/itra.html).

The Minimum Security Standards will be undergoing a significant revision as a part of this project to reflect the university's alignment with CIS v8 IG2, and thus departments will need to demonstrate compliance with the new standard and the IG2 safeguards applicable to their unit by the June 30, 2025 deadline.


IT Risk Assessments (ITRAs) are currently completed using the Isora GRC tool from SaltyCloud, administered by the IT Security Office. ITRAs are scoped to university organizations, and the assessment consists of three general steps:

  1. Inventory - The unit inventories its IT systems (endpoints, servers, network devices, etc.) and any applications developed in-house (if applicable).
  2. Risk Classification - The unit identifies the risk classification for each asset in the inventory using the Virginia Tech Risk Classification Standard; and for any high-risk assets will also identify the applicable data types handled by the asset.
  3. Survey - The unit completes a survey questionnaire based on the CIS v8 IG2 safeguards. These survey questions are scoped, in various ways, to a unit’s data, technology resources (physical, virtual, cloud), software applications, network infrastructure, and processes.

Please review the Isora GRC Assessment Guide for more details on the processes involved.

An “Org Unit” (OU) in Isora GRC is defined by the IT Risk Assessment team and may represent a single university department or organization (represented by a management, department, or org code from Banner) or an entire senior management area or college (“S” codes from Banner), depending on how IT is managed by the unit(s). Isora GRC structures orgs in a parent-child hierarchy, and so, as long as org units roll up to the correct senior management area or college then there is some flexibility in how OUs are defined. Typically, each OU enrolled will complete a separate IT Risk Assessment for their Org Unit. Your organizational structure will be determined when you meet with the IT Security Office to be enrolled in the assessment, and the structure can be adjusted as needed based on organizational changes.


Contact:

If you have questions or concerns related to this project that are not covered here, please contact itso-g@vt.edu.
