Time: 10:00 AM
Location: 8A EWFM, rm 625
Attendees: Eric Zematis, James Monek, Walt Conway, Steve Oblas, Rich Bauer, Alex Radus, Kim Nimmo, Madalyn Eadline, Yenny Anderson, Dan Lopresti, Donna Cressman
Welcome to the committee:
Start up meeting since this committee hasn’t met in several years. Walt Conway, Steve Oblas, Madalyn Eadline & Dan Lopresti were past members of this group
We need to:
What is our current reality?
CIS controls - A common set of security controls ranked by which ones are most effective against known attacks. As a higher education institution, we have weaknesses with these controls. For example, we allow many people to access our network, which creates issues with knowing every device on the network (CIS Control #1).
Risk assessment vs other universities - We participated in a risk assessment workshop. Lehigh scored 3.3 out of 5 (is good); other universities scored 1.9 out of 5.
Overall, Lehigh does a lot of good security activities compared to other universities. Unfortunately, it is a race against attackers and not other universities.
Who are we?
Currently defined as: (This is from the previous iteration of the CGRC. Do we need to rewrite this?)
The Cyber Governance, Risk Management and Compliance Oversight Committee provides guidance and oversight to the information security policies, strategies, and initiatives at Lehigh University. The Committee is led by the Chief Information Security Officer and is comprised of representatives from the Faculty, Legal Counsel, Risk Management, Internal Audit, University Communications and Public Affairs, Student Affairs and Library and Technology Services.
What is our relationship to the other committees:
History of the CGRC committee:
Steve Oblas and Walt Conway were on the committee. The committee dropped off after Keith Hartranft started. Keith was active in the community but relied on smaller groups and committees.
The committee discussed privacy policies that were outdated
Walt suggested that we bring in Baker Tilly - Eric reached out and they will represent going forward
Risk Management needs to be involved
Dan Lopresti said that the Cloud is the big question.
Security of using the Cloud.
How can we carve out the network for security?
Steve Oblas - His group does a lot with the media.
Eric - The CGRC committee needs to sit in the middle and connect to the other committees
Opinions from outside LTS - opinions, heard on the street, etc
Committee to community
What are we about and make this a policy
Cloud security - big things will go to cloud - need privacy
Banner will go to Cloud
Social media for class - such as Facebook live accounts
Some faculty will use social media in their classroom. What happens if a student doesn’t have a media account? These students will miss out on information. Having a media account is not mandatory. We should have an alternative for these students. We cannot force students to use social media.
Do we have a policy to prevent students from going with a 3rd party?
Professor communication outside of Lehigh.
Team Drive to CGRC - all information is in here. Material is sensitive.
Meeting cycle: End of May; end of Sept; end of November