BUSINESS: Ohio Dominican University is a co-ed, four-year private Roman Catholic liberal arts university in Columbus, Ohio, with nearly 3,000 students from 24 states and 20 foreign countries. The university was founded in 1911 by the congregation of St. Mary of the Springs, Sisters of the Dominican Order. Ohio Dominican currently is funding and supporting an early college high school called The Charles School.
BUSINESS CHALLENGE: Ohio Dominican experienced a security incident, and used the event as a catalyst to transform its IT security program.
- Enterprise TruRisk Platform
WHY THEY CHOSE QUALYS:
- The university was able to quickly move from manual vulnerability assessments to a fully automated vulnerability management and policy compliance program.
- The university can rapidly remediate vulnerabilities across its network, and better manage IT assets through network discovery, detailed mapping, asset prioritization, vulnerability assessment reporting and remediation tracking.
- The university effectively put into place a mature security and risk management program that is a core part of the university's IT governance program necessary for eventual ISO 17799 certification.
Ohio Dominican University Writes a New Security Curriculum
Following a security incident, this university reevaluated and retooled its IT security program
Ohio Dominican University spans more than 64 beautiful acres in Columbus, Ohio. Founded in 1911 as the College of Saint Mary of the Springs, Ohio Dominican University's liberal arts curriculum teaches skills valuable throughout life and any career – critical thinking, proficient writing, and clear communication. The university's nationally acclaimed humanities program is at the core of every student's academic study and Ohio Dominican takes pride in how the university celebrates diversity and individuality.
"Qualys not only helps us to secure our systems better, but it adds value because it makes us more efficient. It streamlines our vulnerability management efforts so that we can better focus on innovative IT initiatives that add value to the university."
CIO at Ohio Dominican University
Even the way the university responded to a recent IT security incident underscores the character of the institution. While Ohio Dominican always has taken its IT security seriously, the university chose to improve its risk management and IT governance efforts by undertaking a deep and thorough reevaluation of all of its various layers of security defenses. "One of the first steps we took was to bring all of our key IT constituents together to conduct an after-action review," explains Mike Young, CIO at Ohio Dominican. With 25 full-time employees, ODU's IT team is lean but able to manage its infrastructure.
"We wanted to turn a negative situation into a positive one the best we could," explains Young. "That meant taking a step back, looking more broadly at our security program, and comparing our practices with the best practices of the industry so we could improve what needed improving." While a security incident never is a welcome event, Young explains how it did act as a catalyst for positive change. "It opened up the door for us so everyone would know what we were doing and enable us to approach security more holistically throughout the organization," he says.
A Catalyst for Security Change
With the goal set to improve and enhance the university's IT security and risk management program, Ohio Dominican began a year-long journey to build an optimized set of security management processes. Some of the initial enhancements included creating a security awareness program and streamlining the university's vulnerability management process, as well as gaining more near real-time insight into network security events. Young and his team also enlisted the help of a local information security consultancy, Jacadis. "We came to trust and rely heavily on Jacadis. It's a professional organization and it pointed us to a number of tools and processes to help us get going swiftly," explains Young.
With the aid of Jacadis, the university selected and deployed a number of new security tools to help automate as many security processes as possible, and maintain a continuous process of weakness identification and remediation – as issues arise. The security technologies that Ohio Dominican deployed include network admission control from Bradford Networks to ensure that users' systems are up to policy before full access is granted; TriGeo's security information and event management suite for log management and event correlation for increased real-time network visibility; and password policy enforcement software from Anixis. "It became clear right away that Ohio Dominican didn't want to just plug the hole that made the breach possible. It set its sights on building a sustainable, multi-layered security infrastructure," says Simon J. Herring, CISSP, and principal at Jacadis.
For vulnerability identification and remediation, Ohio Dominican chose Qualys. Qualys is designed for large, distributed networks and supports an unlimited number of IP device vulnerability assessments. Delivered as an on-demand service over the Web, Qualys simplifies the typical time-consuming deployment, maintenance, and updating of vulnerability management servers and software. Using an efficient and cost-effective Software as a Service (SaaS) approach, Qualys delivers industry-leading vulnerability management and comprehensive IT policy compliance as a turnkey service. For Ohio Dominican, Qualys automates the process of vulnerability management and policy compliance across the university's network, including network discovery, detailed mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking.
Automated, Intelligent Risk and Vulnerability Management
Young explains that of the more than 100 improvements in the university's IT security program, the automation of vulnerability management alone has saved technicians an enormous number of hours otherwise spent cleansing PCs from spyware and restoring PCs to their policy-compliant conditions. "With the help of Qualys, we quickly and thoroughly can identify systems that need to be patched, and then patch them as thoroughly as possible," he says. As a result, Ohio Dominican now is able to proactively and intelligently manage its entire IT security program; vulnerabilities are remedied quickly, and systems that are out of compliance are identified before they're permitted to enter the network. And because the IT team members attend information security awareness training seminars and workshops regularly, they're able to stay on top of the latest defensive technologies and security threats.
As a result of Ohio Dominican's ability to bring its security and risk management program to such a mature level, Young and his team now are able to launch a formal IT governance program and are on the path to ISO 17799 certification. "Once we understood that we had done a good job of putting a holistic approach in place, we asked ourselves: why not go all the way with this and become one of the first Universities to obtain ISO certification?" he says.
"In the end, we managed to take a very negative situation, and transform it into a very positive experience," says Young. Jacadis' Simon would agree: "Many organizations that experience a breach decide to just put in an additional layer of technology, like an intrusion protection system. This often creates a false sense of security. A small minority, like Ohio Dominican, choose to do it right."