[Image: Network cable plugged into a router.] Implementing the Center for Internet Security’s (CIS) “Critical Security Controls” Implementation Group 2 (IG2) safeguards will better equip Virginia Tech to prevent, detect, and respond to cybersecurity threats. Photo by Lee Friesland for Virginia Tech.

As part of IT Transformation, the university is implementing the Center for Internet Security’s (CIS) “Critical Security Controls” version 8, Implementation Group 2 (IG2) safeguards. These safeguards will better equip Virginia Tech to prevent, detect, respond to, and recover from cybersecurity incidents that could put the university at risk of financial and/or reputational damage. The goal for universitywide compliance is June 30, 2025.

“This project will provide the university with the ability to prioritize the protection of its IT assets according to data sensitivity and critical importance to the university's business functions,” said Randy Marchany, Virginia Tech’s information technology security officer. “In addition, it will allow us to comply with the various security frameworks. So far, it's given us a good estimate of the number of high-risk and ‘critical to Virginia Tech’ assets connected to the network. User and technical training, implementing the security standards’ role-based training requirements, will definitely help protect Virginia Tech data stored and/or processed by university-owned IT assets.”

Phase one of this project saw the completion of an enterprise IT asset inventory and a risk assessment survey. As of October 2023, there are over 47,000 technology resources at Virginia Tech, with 4,526 of these resources labeled as “High Risk” and 20,461 labeled as “Moderate Risk.”

[Pie chart: Risk Asset Classifications] Risk level classifications of Virginia Tech's technology assets, based on a 202 enterprise IT asset inventory and risk assessment survey.

[Pie chart: High Risk Categories] Breakdown of items identified in the 'high risk' category of IT assets.

The project is currently in its second phase. The Information Technology Security Office (ITSO) will complete the Division of IT consolidated/collaborative Plan of Actions and Milestones within the division to identify any projects, remediation tasks, and resources needed to address gaps against CIS v8 IG2 at the enterprise level. ITSO has published procedure guides with information that should help university stakeholders comply with the controls, and it continues to welcome comments and feedback on the procedure guides. The department has also released the draft of the fourth version of the minimum security standards, which is open for comment and feedback and will take effect July 1, 2024, with a universitywide compliance goal of July 1, 2025.

In phase three, ITSO will continue to collaborate with partners and service providers within the Division of IT, as well as with distributed IT, on implementing or adjusting security controls to address identified gaps in our journey to compliance with IG2.

For more information and updates on the project and the revised minimum security standards, visit Elevate Minimum Security Controls to CIS IG2.