Shared Information Security Officer (ISO) MOU

Summary

This is an in-depth look at the Shared Information Security Officer (ISO) program.

Body

Purpose 

The Information Security Officer (ISO) Service provides VCCS colleges and agencies with the opportunity to supplement their IT staff with one or more experienced ISOs skilled in information security best practices. Each ISO provides these services to multiple colleges or agencies and is not intended to be a full-time employee of any one college or agency. The ISOs provide support for the college or agency's information security program.

Having a skilled individual dedicated to this position helps to ensure the college’s compliance with all applicable VCCS and Commonwealth of Virginia security policies, standards, and regulations.  This MOU allows the college or agency to benefit from the services of an ISO without incurring the high costs associated with hiring and retaining a full-time, qualified ISO.  While the focus is on providing the security services outlined, the goal is to continually seek out additional opportunities to increase productivity and reduce costs.  Upon agreement, the System Office will provide the following Information Security Officer support services to the college. 

Problem 

Many VCCS agencies find it difficult, if not impossible, to find individuals in their service regions who have the skills and experience required to manage the agency's information security program effectively. In addition, many agencies designate an Information Security Officer (ISO), either full time or part time, who is also involved in system administration and operations. This creates a conflict of interest between those operational duties and the ISO's responsibility to provide independent oversight and governance of the Information Security Program. Finally, the expenses normally associated with recruiting, training, and retaining a highly skilled ISO are cost prohibitive for most VCCS agencies.

Solution 

ITaaS offers an Information Security Officer (ISO) as a service, whereby the College obtains from the VCCS System Office the services of a trained and experienced Information Security Officer. The College will also have access to additional ISO resources, so the College is never without the services of an ISO even when its assigned resource is unavailable due to illness or leave of absence. The System Office will provide this resource to the College and manage the service so that guidance and management of the College's Information Security Program are free of any unconscious bias or conflict of interest arising from other job responsibilities. This service will also ensure that the College's Information Security Program maintains continuity of operations in accordance with the VCCS Information Security Program requirements.

Roles and Responsibilities 

The VCCS System Office agrees to:

Responsibility/Activity | Responsible Staff
Ensure all objectives and deliverables outlined in this MOU are provided. | Chief Information Officer, ITS
Coordinate activities for the Information Security Officer (ISO) in relation to agency needs. | Chief Information Security Officer (CISO), ITS
Conduct a comprehensive initial review of the agency information security program to determine its level of compliance prior to the start of service delivery. Provide a written and verbal report outlining a work plan, with identified personnel from both the agency and the ISSS staff, to bring the college into compliance. | Chief Information Security Officer (CISO), ITS
Coordinate administrative needs for the Information Security Officer (ISO), including HR, payroll, expense reporting, and other services as needed. | System Office HR
Provide permanent office space along with computer (if needed) and phone equipment needed to complete the job. | Chief Information Officer, ITS
Participate in meetings as needed. This could include in-person meetings, virtual/video meetings, or conference calls. | ISO
Provide referrals for technical assistance and/or contracted services for existing or new projects not related to this service, when requested. | ISO
Provide a quarterly report to the College President outlining progress on meeting the objectives of the Information Security Program and each of the deliverables as outlined in the MOU. | VCCS CISO and ISO
Provide a final report at the end of each Fiscal Year (July) to summarize the accomplishments for the Fiscal Year and the status of the College's Information Security Program. | VCCS CISO and ISO

The College agrees to:

Responsibility/Activity | Responsible Staff
Provide ISO personnel with access to security management tools and other required information to assist in identifying information security risks and resolving problems. | Agency Personnel
Provide temporary space and secure network connectivity for the ISO and/or team to work when onsite. | Agency Personnel
Implement the changes (additions, modifications, agency approvals, etc.) necessary for the agency to meet the security requirements in a timely and efficient manner. | Agency Personnel
Designate a single point of contact who is responsible for the day-to-day activities required to provide the services. | Agency Head
Institute and maintain an open line of communication with System Office ITS personnel. | Agency Head or designated point of contact
Notify the VCCS Chief Information Security Officer or the Chief Information Officer of ITS of any outstanding issues related to the delivery of services. | Agency Head or designated point of contact

Specific Deliverables by ITaaS - Information Security Officer Services

Staff resources are not allocated to individual colleges or agencies but rather focused on delivering the necessary ISO personnel resources to achieve the following objectives and to provide the related deliverables: 

Objective | Deliverable
Prepare and coordinate an annual review and update of the agency Information Security Program and provide a Statement of Compliance to the CISO on or before January 16 of each calendar year. | Agency-compliant Information Security Program.
Prepare, coordinate, and actively participate (with the agency Planning Coordinator) in the annual review of the Business Impact Analysis (BIA), Risk Assessments (RA), and Information Technology Disaster Recovery Plan (ITDRP). | Annual review of the current BIA/RAs/ITDRP.
Prepare, coordinate, and actively participate (with the agency Planning Coordinator) in the completion of the BIA, RAs, and ITDRP every 3 years. | A rewritten BIA/RAs/ITDRP every 3 years.
Conduct and complete the agency's annual response to the ARMICS (Agency Risk Management and Internal Control Standards) IT self-assessment. | Annual ARMICS assessment submission to the CISO.
Serve as the primary contact for all VCCS Internal Audit (IA) information technology reviews as well as scheduled APA reviews. Complete all information requests and follow-up requests by the stated deadlines. | Liaison services between the agency and IA/APA.
Prepare for and coordinate the annual testing of the IT Disaster Recovery Plan (ITDRP), develop testing scenarios, and provide management-level reporting. | Completed ITDRP testing, including tabletop exercises, drills, after-action reports, and corrective action plans where necessary.
Prepare, coordinate, and oversee an annual review of IT-related Non-Disclosure Agreements between the agency and third parties. | Managed NDAs for IT-related Third Party Vendors.
Review Third Party Vendor agreements, contracts, and terms of service for information technology services before procurement, where sensitive data will be exchanged between the college (including its faculty or students) and a Third Party Vendor, together with the supporting documents that establish the vendor's compliance with a recognized information security framework for data protection. | Reviewed and managed Third Party Vendor documentation, such as a SOC 2 Type 2 audit report, demonstrating the vendor's compliance with a recognized information security framework.
Assist and advise the college with technical vulnerability management, including monitoring, reporting of new vulnerabilities, overall risk trends, research and assessment of risks, and review of exception requests. | Technical vulnerability reports indicating approved exceptions and overall risk trends for identified IT assets.
Assist and advise the college with the email security platform, including monitoring, reporting of new phishing attempts, malware trends, and research, assessment, and review of risks. | Email security reports for identifying and remediating risks.
Assist the college in monitoring the accessibility of the college website and report anything abnormal. | Email alerts of accessibility ratings.
Serve as a member of the college's Computer Incident Response Team (CIRT). | Representation in incident response.
Assist the college in managing and overseeing the agency's security awareness training according to the needs of the agency. Provide suggestions for additional security awareness training, phishing campaigns, and/or security awareness documents. | Agency compliance with security awareness training requirements.
Develop formal staff communications regarding information security issues to be disseminated by the agency. | Bulletins, newsletters, technical papers, etc.
Assist the college point of contact with the annual certification of user access and with the quarterly certification of privileged user access. | Annual access control compliance and quarterly privileged access control compliance.
Conduct ongoing assessment services for agency compliance with FERPA, PCI, HIPAA, etc. | Ongoing agency regulatory compliance.
Assist the agency with, and coordinate completion of, the annual Self-Assessment Questionnaire (SAQ) for PCI compliance. | Annual Payment Card Industry (PCI) compliance.
Serve as the Cyber Incident Response Liaison between the agency and the VCCS CISO. Assist with cyber incidents when they occur. | Strengthened security-related communications between the agency and the System Office, and assisted reporting on incident response.

Current Anticipated Cost 

The total proposed cost for this program includes salaries, benefits, and miscellaneous expenses (travel, training, etc.). The cost to each college is based on the total estimated cost necessary to support the position(s) and assumes that the participation of a minimum of three colleges/agencies is necessary to fully support the position(s). The actual cost could vary depending on the salary offered, the timeframe for filling the position(s), and any state-mandated changes in compensation and benefits.

Since the responsibilities of an ISO do not depend on the FTE count of the college, the total cost of the ISO is divided equally among the colleges that share that ISO.

Participating College | Group | FY24 | FY25 | FY26 | FY27
Blue Ridge | Group II | $38,483 | $48,107 | $49,550 | $51,037
Central Virginia | Group II | $34,608 | $48,107 | $49,550 | $51,037
Mountain Gateway | Group I | $38,483 | $43,967 | $45,286 | $46,645
Danville | Group I | $35,106 | $43,967 | $45,286 | $46,645
Eastern Shore | Group I | $39,234 | $43,967 | $45,286 | $46,645
Germanna | Group III | $52,247 | $52,247 | $53,814 | $55,429
J. Sargeant Reynolds | Group III | $52,311 | $52,247 | $53,814 | $55,429
BrightPoint | Group III | $52,311 | $52,247 | $53,814 | $55,429
Laurel Ridge | Group III | $39,221 | $52,247 | $53,814 | $55,429
Mountain Empire | Group I | $0 | $43,967 | $45,286 | $46,645
New River | Group II | $0 | $48,107 | $49,550 | $51,037
Northern Virginia | Group VI | $0 | $64,667 | $66,607 | $68,605
Patrick & Henry | Group I | $0 | $43,967 | $45,286 | $46,645
Paul D Camp | Group I | $39,234 | $43,967 | $45,286 | $46,645
Piedmont Virginia | Group III | $38,844 | $52,247 | $53,814 | $55,429
Rappahannock | Group I | $39,234 | $43,967 | $45,286 | $46,645
Southside Virginia | Group II | $0 | $48,107 | $49,550 | $51,037
Southwest Virginia | Group II | $38,483 | $48,107 | $49,550 | $51,037
Virginia Peninsula | Group III | $46,288 | $52,247 | $53,814 | $55,429
Tidewater | Group V | $0 | $60,527 | $62,343 | $64,213
Virginia Highlands | Group I | $39,234 | $43,967 | $45,286 | $46,645
Virginia Western | Group III | $44,277 | $52,247 | $53,814 | $55,429
Wytheville | Group I | $39,234 | $43,967 | $45,286 | $46,645
Total (FY24) | | $706,832 | | |

Timeframe 

This MOU and its cost are for a three-year agreement and will be subject to renewal in three-year increments thereafter. Renewals will coincide with the fiscal years of the VCCS (July to June).

Details

Article ID: 149000
Created
Tue 2/6/24 8:29 AM
Modified
Wed 11/6/24 11:25 AM