ISO 2.0
The ISO 2.0 initiative is a "'One Team' Approach to Information Security @ CMU". Recognizing that information security relies on an interdependent set of services provided by many different units, ISO 2.0 will engage those service providers to inventory and document their specific contributions to CMU's information security program.
Expected Outcomes
- Demonstrate the full complement of people, process, technology, and facility-based controls that produce operational resilience, reduce risk, enable opportunity, and achieve compliance
- Enhance transparency, understanding, and confidence in the controls structure and institutional services
- Ensure continuous improvement and timely response to emerging threats, new opportunities, and evolving compliance obligations
Timeline and Milestones
Phase 1: Assessment of Information Security Program Components
FY21 — COMPLETE
- Adopt an assessment framework (the NIST Cybersecurity Framework (CSF) was selected)
- Complete an ISO baseline assessment against the NIST CSF
FY22 — COMPLETE
- Pilot the assessment framework approach with a partner organization (ERM)
- Refine the approach based on the pilot
FY23
- Reassess against the NIST CSF together with partner organizations
- Inventory and/or document the components contributed by partner organizations
Phase 2: Inclusive Information Security Program
FY23 — FY24
- Weave all contributing campus services and operations into a written information security program
- Document and track improvement roadmaps
- Define and manage program metrics