The ITSO's four teams work together to protect Virginia Tech's digital resources from all angles.

The IT Security Office (ITSO) exists to help ensure a safe and secure information technology environment for teaching and learning, research, and outreach, as well as for conducting university business. Over the past fiscal year, the ITSO took several measures to enhance Virginia Tech’s security posture amidst a changing cybersecurity landscape.

New cybersecurity standards and policy enhance risk assessment, raise the bar on security

Two new IT security standards were published this year, an IT Risk Assessment Standard and a Vendor Risk Assessment Standard. These documents highlight our risk-based approach to the university’s cybersecurity program.

In addition, a Gramm-Leach-Bliley Act (GLBA) Risk Assessment standard was developed in collaboration with the Office of the University Bursar and University Scholarships and Financial Aid. This standard supports Virginia Tech Policy 7025: Safeguarding Nonpublic Customer Information, which outlines responsibilities for protecting the security and privacy of student and employee financial information. The Information Technology Security Officer is the designated Qualified Individual responsible for overseeing, implementing and enforcing the university’s information security program, including Safeguarding Customer Information in compliance with 16 CFR Part 314.

Updated cybersecurity policies and standards raise the bar

Several policies and standards were updated this year. Most importantly, the Virginia Tech Minimum Security Standard, version 4.0, was published. This standard was completely rewritten to align with the Center for Internet Security’s (CIS) Critical Security Controls IG2 version 8, which is considered an industry standard in best practices. Aligning Virginia Tech’s systems to meet this updated standard will significantly enhance the security of our electronic systems. 

New tools assist in security analysis and threat detection

The IT Security Office facilitated the procurement of BitSight, a tool used to track the university’s security posture, as well as the security posture of our third-party software vendors. BitSight provides customized reports and analytics to help the ITSO better track risks and response performance over time. BitSight also assists with vendor risk assessments. The ITSO Green team performed 76 software vendor procurement reviews in 2024. Each of these requires meticulous attention from ITSO staff, and the BitSight tool is expected to help speed up the review process.

The IT Security Office also obtained Horizon3.ai, an autonomous penetration testing software platform to supplement the ITSO Red Team penetration test (pentest) service. The Red Team conducted over 20 pentests of university software applications in FY24, and Horizon3.ai helps the team discover and mitigate vulnerabilities much more quickly, closing the window on bad actors.

Investing in cybersecurity training

During FY 2024, the ITSO elevated cybersecurity awareness by enhancing its training materials and encouraging university leadership to help faculty and staff become better aware of and able to respond to cybersecurity threats. Examples include: