About the IST
The mission of the Information Security Team (IST) is to ensure the confidentiality, integrity, and availability of information systems, identity, and data assets by offering proactive security expertise, maintaining a secure and resilient infrastructure, and promoting a culture of security awareness and compliance across the organization.
The most important core functions are highlighted below:
Policy Management:
- The Information Security Team (IST) provides direction for college information security policies and practices to protect critical resources and services and aids campus units with departmental security goals and compliance requirements. The IST creates security policies and standards for approval by college leadership and evaluates existing and emerging security-related laws, regulations, and policies for compliance goals.
Awareness and Education:
- The Information Security Team is responsible for delivering relevant information security knowledge to defined, targeted audiences throughout Trinity to raise awareness of risks and influence behavior to minimize the likelihood of those risks. The methods used to create this awareness include computer-based learning modules, departmental and one-on-one educational opportunities, webinars, and videos.
Vulnerability Management:
- The IST identifies, assesses, and tracks the resolution of security weaknesses throughout the institution. The responsibility for remediating vulnerabilities rests with the Trinity Infrastructure and Applications units. The vulnerability assessment process is a function of regular vulnerability scanning, penetration testing, Security Information and Event Management (SIEM) log analysis, risk assessments, and targeted IT security assurance audits.
Risk Assessment & Management:
- The Information Security Team is responsible for conducting security reviews and risk assessments of IT-related purchases, projects, vendors, and contracts. Information Security works within the procurement approval cycle to assess and approve exceptions to Trinity-supported products and services. The primary instrument used to initiate these security reviews is the IT Security Questionnaire (link coming soon). The IST also coordinates risk assessments involving some aspects of the IT environment, including year-end financial audits and incident-specific third-party security investigations and consulting engagements as needed.
Regulatory Compliance:
- The Information Security Team works closely with various operating units at Trinity to meet their regulatory compliance and attestation obligations related to FERPA, GLBA, PCI-DSS, and HIPAA. Information Security collaborates with departments in developing system security plans and monitors adherence to established policies and procedures.
Incident Response:
- The Information Security Director oversees Trinity College's Information Security Incident Response program and orchestrates each incident response and post-incident review. When an incident is detected, the IST identifies the appropriate incident handler(s) and coordinates the resources needed, internal or external, to address the threat. The Information Security Team guides each incident response from a best-practice perspective. It ensures that post-incident reviews are conducted to determine root causes, evaluate the quality of the response, and confirm whether remedial action is necessary. For the overall incident response program, the Information Security Team coordinates incident response training to develop the appropriate skill sets across all Trinity disciplines so that they can respond to the various threats as they arise. The responsibility for remediating vulnerabilities rests with the Trinity Infrastructure and Applications units.
Business Continuity and Disaster Recovery Management:
- The Information Security Team ensures that all BC/DR plans are documented and periodically tested. During these tests, the Information Security Team monitors all failures and ensures they are remediated and that any deficiencies are formally and promptly addressed. Information Security is also responsible for regularly updating the Business Impact Analysis report, which ranks the criticality of all Trinity applications and services along with each one's RPO (recovery point objective) and RTO (recovery time objective). In the event of an actual disaster declaration, responsibility for executing the BC/DR plan(s) belongs to the respective operating units within LITS and the institution.