DeVry's Cyber Program

DeVry University is committed to the protection of its assets, including people, processes, data technology and facilities. To this end, the University has designed, built and implemented a formal and documented cybersecurity program that is fit for this purpose. Read on to discover more about the cyber program at DeVry University.

DeVry University Cybersecurity Program

The mission of DeVry University’s internal cybersecurity program is to deliver a world class program in cybersecurity and risk management that enables the secure and timely delivery of solutions and services to our students, colleagues and customers. The University realizes this mission through its partnership with the entire University constituency. All students, colleagues and third parties are responsible for maintaining a secure and resilient environment at DeVry.

DeVry University Cybersecurity Program Overview

DeVry University’s cybersecurity program is driven by appropriate security controls. These controls are present in the following security standards and frameworks:

And others, as needed, for program support.

Implementation of cybersecurity program controls is supported by the DeVry University Information Security Policy and its corresponding standards. These policy deliverables are discussed in more detail in the Governance, Risk and Compliance (GRC) program under Policy Management.

CAE Certificate of Completion

Upon successful completion of a qualifying cyber security program at DeVry, students will receive a certificate of completion from the Center for Academic Excellence (CAE), signaling that the program has obtained approval and acknowledgement from the National Security Agency (NSA).

Annual Risk Assessment

In addition to internal assessment of risk conducted periodically throughout the year, the University conducts an independent third-party risk assessment annually. This assessment casts a wide net in terms of the review. Findings from the assessment are rolled into the risk register for tracking, treatment and reporting. The results are reported through the Cyber Risk Management Committee, Executive Committee, Audit and Finance Committee and the Board.

Security Program Maturity Assessment

To ensure that the controls implemented for the cybersecurity program are operating effectively, the University conducts an independent third-party Security Program Maturity Assessment annually. The assessment reviews the control implementation itself to ensure there are no gaps or failures; in addition, the control function is reviewed against the Capability Maturity Model Integration (CMMI) to further assess control, and hence program, maturity. Findings from the assessments are rolled into the risk register for treatment and tracking. Reports are shared with the Cyber Risk Management Committee, executive leadership, the Audit and Finance Committee and the Board.

Cybersecurity Program Reporting

Reporting on the Cybersecurity program is conducted both upstream and downstream at the University throughout the academic year. Reporting venues include:

  • Weekly read-out to the Vice President and CISO.

  • Monthly report at the Cybersecurity Risk Management Committee meeting.

  • Monthly report to IT on the state of technical cybersecurity controls.

  • Quarterly report to IT on the state of the cybersecurity program, including a high-level readout of technical controls.

  • Bi-annual report to the Audit and Finance Committee.

  • Additional read-out upon request.

Cybersecurity Organization

DeVry University maintains a dedicated cybersecurity organization that creates, implements, maintains and monitors appropriate security controls in the University environment. This organization is composed of multi-disciplinary technology and security professionals with significant experience in both public and private venues, across security disciplines.

  • Chris Campbell, Chief Information Officer

  • Fred Kwong, Chief Information Security Officer

  • Bonnie Goins, Director, Information Security

  • Waseem Mohammed, Senior Manager, IT Security Operations

  • Benny Jacob, IT Risk Manager

  • Nick Pasquantonio, IT Security Analyst

  • Regina McCary, Associate Solutions Analyst

Governance, Risk and Compliance

DeVry University recognizes the need for oversight in the performance of its controls and the protection of its assets, including its people, processes, data, technology and facilities. The University maintains a robust Governance, Risk and Compliance (GRC) program to identify and treat risk, maintain compliance objectives, operate a secure and resilient technical environment and to communicate management expectations regarding cybersecurity.

Policy Management

DeVry University has implemented a formal and documented Information Security Policy, which has been approved by the University’s Cyber Risk Management Committee and has been published and acknowledged by University colleagues. The Policy is reviewed, updated and approved at least annually by the Committee.

In support of the Policy, the University has created a comprehensive set of standards, reviewed, updated and approved annually by the Office of the CISO, that provide more detailed guidance on cybersecurity for the University community. These standards include, but are not limited to:

  • Access Management

  • Application Security

  • Asset Management

  • Business Continuity/Disaster Recovery

  • Incident Response

  • Change Management

  • Encryption

  • Information Classification, Labeling and Handling

  • Vulnerability and Patch Management

  • Wireless Security

  • Operations Security

  • Risk Management

  • Logging and Monitoring

  • Mobile Device Management

  • Password Management

  • Physical Security

  • Remote Access

  • Security Awareness

  • Third Party Risk Management

  • Technical Configuration Standards

  • Communications and Network Security

Risk Management

The University has implemented rigorous processes and practices for cybersecurity risk management, resulting in the establishment of a Cyber Risk Management Committee, tasked with executive level functions such as the determination of risk tolerance and oversight of the cybersecurity risk management program. Program activities include:

  • Annual risk assessment.

  • Tactical assessment of risk as determined by the Program and its objectives.

  • Assignment of risk treatment based on the severity of the underlying risk.

  • Prioritization of risk treatment.

  • Tracking of risk treatment on a formal risk register and corresponding deliverables.

  • Periodic reporting on risk to executive leadership and affected stakeholders.

Third Party Risk Management

DeVry University recognizes the potential risk introduced to the University from third parties. As such, it has created a formal and documented Third Party Risk Management program and standard. IT Security carries out the risk management process, in partnership with Contracts Management.

  • Incoming affected third parties are tiered based on University criteria and are submitted for formal assessment.

  • Third parties complete screening questionnaires and submit evidence to support their answers. Additional follow-up may be needed to answer any questions that arise as a result of the documentation review.

  • Risk scoring is performed based on the University’s Risk Management Standard.

  • Third parties that score within risk tolerance proceed through contracting; those outside of stated risk tolerance are forwarded to the Cyber Risk Management Committee for review and approval or rejection.

  • Once assessment is completed, onboarding is completed by Legal and Contracts Management.

Compliance Management

DeVry University is obligated to maintain compliance with legal and regulatory requirements affecting its students, colleagues and business operations. Compliance obligations for the University include, but are not limited to: 

Exception Management

The University understands that, from time to time, due to a business justification or technical infeasibility, a business or IT requestor may request an exception to a policy, standard or control. A formal exception process has been implemented for this purpose.

  • Exceptions may be requested using the designated Exception Request form, submitted to IT Security for review and risk calculation.

  • Exceptions with a calculated risk score at or below DeVry University’s stated risk tolerance may be approved for up to three months with departmental leadership approval and a corrective action plan.

  • At three months, the exception will be revisited and may be extended or denied, based on risk. 

  • For exceptions where risk is determined to exceed the University’s stated risk tolerance, the exception request is forwarded to the Cyber Risk Management Committee for review and approval or rejection of the exception request.

Business Continuity/Disaster Recovery

DeVry University acknowledges the need for resilient and sustainable business processes and technical platforms, as noted by Disaster Recovery Institute International (www.drii.org) and The Business Continuity Institute (www.thebci.org), along with ISO 22301. To promote the resilience of critical business processes and systems, formal Business Continuity and Disaster Recovery Plans have been implemented that include: 

  • Team composition and method(s) for notification of colleagues 

  • Documented Business Impact Analyses (as well as departmental Business Impact Analyses) that are composed of:

    • Contact information

    • Identification of critical business functions

    • Identification of critical applications/hardware/technologies

    • Recovery Time Objectives (RTO)

    • Recovery Point Objectives (RPO)

    • Required employees/contractors

    • Manual process procedures, where possible

    • Identification of dependencies within and external to the University

    • Departmental risks

    • Alternate work locations

    • Third parties and associated service levels/contracts

    • Required facilities/supplies

  • Departmental recovery procedures (including technical recovery for the Disaster Recovery Plan)

  • Results of testing procedures

Vulnerability Management Program

An important part of the management of risk is the identification, treatment and tracking of vulnerabilities. This is particularly true for technical vulnerabilities, both in infrastructure and applications, as each may provide a potential path into an organization’s environment. DeVry University takes vulnerability management very seriously and has implemented a formal program for the identification, analysis, treatment and ongoing management of vulnerabilities, including the minimization of technical debt.

Application Security Program

The design, development and ongoing maintenance of robust, secure code is a priority for DeVry University. This is achieved through the implementation of a Secure Software Development Lifecycle, appropriate security training for developers, adoption of a fit for purpose software assurance maturity model, identification and treatment of potential and existing vulnerabilities through both manual and automated means and ongoing monitoring of applications for health and security. The University is focused on delivering world-class, secure applications to its students, colleagues and third parties.

Cybersecurity Operations

The Cybersecurity Operations function implements, maintains and monitors technology controls and solutions that protect DeVry University. These controls include the processes and tools by which the University responds to incidents, monitors its technical environments for anomalous behavior, conducts testing to discover vulnerabilities, facilitates scanning and monitoring of DeVry University data at rest, in transit and for data classification, access control and change notification purposes.

Incident Management

DeVry University has implemented and maintains an incident management capability that is informed by both the SANS/Foundstone and US CERT models for incident response and management. The University maintains a formal Incident Response Plan and corresponding process and technical procedures designed to bring the plan into action. Incident responders are diverse and represent the business, IT Security, executive leadership and third party partners. Communications are facilitated through the University’s Crisis Communications Plan and the Incident Management Standard.

Technical Operations

DeVry University has implemented and maintains significant technical controls in its environment. These controls are preventive, detective and corrective in nature and are comprehensive in the protection of people, processes, data, technology and facilities. IT and Security are partners in the implementation and maintenance of these controls. Third parties are also employed for expertise and to enhance or expand the reach of the technical control environment. Control configuration and customization is informed by the Center for Internet Security, the National Institute of Standards and Technology, the Payment Card Industry Data Security Standard, DeVry University approved standards, third party recommendations and other sources, as appropriate.

Logging and Monitoring

Controls implemented and maintained in the DeVry University environment must be monitored to ensure that they are properly implemented and are operating effectively. In addition, monitoring of the University environment ensures that anomalous behavior does not go unnoticed with the potential to evolve into a disruption of critical departmental functions or an attack on the University. Logging and monitoring is performed on both a continuous and a tactical basis through the use of automation such as Security Information and Event Management tools, network and security monitoring and scanning tools and the input of highly experienced resources, both internal and third party.  

Vulnerability Assessment/Penetration Testing

DeVry University is focused on the identification, treatment and management of vulnerabilities that may impact services to, or the security of, our students, colleagues and third parties. To that end, the University conducts both tactical assessment and continuous monitoring of its environment. Formal vulnerability assessments and penetration tests are conducted by both DeVry University and by third party providers periodically throughout the academic year. Tests include both external and internal scanning. Findings from the assessments and penetration tests are rolled into the risk register for treatment and monitoring. Findings are also reported through IT leadership, the Cyber Risk Management Committee, the Executive Committee, the Audit and Finance Committee and the Board.

Physical Security

Protection of its physical assets, including its facilities, is a point of focus for DeVry University. The University has implemented both external and internal perimeter protections and monitoring in its facilities. Access to sensitive areas within DeVry facilities is based on least privilege and is aligned to job responsibilities. Proper HVAC, climate, fire suppression and life safety controls are implemented and monitored.  

Emergency Management

DeVry University has implemented and maintains a formal Emergency Management Plan. The Plan is informed by the Federal Emergency Management Agency (www.fema.gov), the Centers for Disease Control and Prevention (www.cdc.gov) and other relevant sources. The Emergency Management Program at DeVry University covers the four phases of emergency management, as defined by the Department of Health and Human Services (HHS):

  • Mitigation encompasses all activities that reduce or eliminate the probability of a hazard occurrence, or eliminate or reduce the impact from the hazard if it should occur.

  • Preparedness encompasses actions designed to build organizational resiliency and/or organizational capacity and capabilities for response to and recovery from hazard impacts. It includes activities that establish, exercise, refine, and maintain systems used for emergency response and recovery.

  • Response activities directly address the hazard impact, including actions taken in anticipation of an impending event (e.g., hurricane, tornado) and actions during and after an impact has occurred.

  • Recovery activities restore the community to "normal" after a major incident.