CCNY Systems Management Plan

 

Goal

The end goal is to have full visibility into all systems on the CCNY network, a program in place by which system administrators can be notified in a timely fashion of vulnerabilities that need to be addressed, and a process that will monitor/confirm the progress of this work.


Cause Analysis

As suggested in the background section, information technology at CCNY has historically been deployed in silos: many divisions, schools, and researchers decided to support and maintain their own systems. In fact, many of these areas are reluctant to allow OIT access to these machines, and it has been difficult to initiate change due to the historical context. Under this practice, OIT does not receive the system administrator credentials that would give it the access and visibility to run cybersecurity vulnerability scans and remediate vulnerabilities when needed. Additionally, OIT has been slow to fully implement the tools at its disposal.


Implementation Plan

Short term plan

For OIT-managed systems, OIT will start mitigating vulnerabilities based on criticality, with the highest criticality handled first. As much as possible, we will adhere to developer recommendations and industry best practices to remediate these issues utilizing OIT’s patch management solutions. OIT will make vulnerability remediation its highest priority and expects to resolve the most important vulnerabilities, as supplied to us by CIS, by the end of January 2023, which includes vulnerabilities listed as critical.

For non-OIT-managed systems, OIT will collaborate with the school, division, department, and research program systems administrators to remediate vulnerability issues. In cases where systems are not managed by an OIT-managed patch management solution, non-OIT technical support personnel will be required to address these issues. Furthermore, OIT expects to collaborate with all non-OIT personnel to resolve issues of patching vulnerabilities rated as high and critical. For systems with critical vulnerabilities, a “fix or disconnect” protocol will be enforced.

We will work with the Purchasing Office and Receiving Office to ensure that all computers are delivered to the appropriate system administrators, who must ensure that new systems have the appropriate security software and agents installed. Going forward, to be granted network access, computers will be expected to be joined to OIT’s Active Directory domain. At a minimum, the required software will include the OIT-managed anti-virus and Ivanti system/patch management software. If a system is needed that cannot support this software, alternatives must be installed with approval from the CIO.

Long term plan

To ensure our computer network environment remains highly secure and productive, it is essential that CCNY systems be managed by a CCNY centralized vulnerability detection and patch management solution. In order to successfully manage CCNY systems, OIT, in conjunction with non-OIT personnel supporting and maintaining CCNY-owned systems, will need to perform the following:

  • Inventory: There are many systems that OIT is not able to track. Non-OIT personnel that support and maintain their own systems should provide an inventory of their supported systems, including any servers in their areas.
  • Domain: OIT will transfer faculty and staff desktop computer user resources to OIT’s domain (ITCS); this will no longer be optional. OIT will provide non-OIT personnel with access and support to join systems to the OIT domain.
    • During this data migration period, if faculty or staff members are in their office, OIT or non-OIT authorized personnel can transfer faculty or staff files from the local profile to the new domain user profile. If they are not in the office, OIT or non-OIT authorized personnel will continue joining the computer to OIT’s domain and transfer files at a later time.
    • Lab computers that are not in a domain environment will need to join OIT’s domain, and the computer lab managers will get training and access to manage their systems. Lab computers in a domain environment need to show compliance and provide administrator credentials to be able to successfully run vulnerability scans.
  • Patch Management Agent: In order to systematically schedule and deploy software patch management, City College will install the Ivanti agent on domain systems in batches using group policy or individually when joining computers to the domain. OIT staff will provide training and access to the Ivanti patch management solution to non-OIT system administrators, including computer lab managers.
  • Anti-virus: OIT will install the Trellix anti-virus agent on all OIT-managed systems from the anti-virus console or manually when joining computers to the domain. Non-OIT managed systems will also require the Trellix anti-virus agent or, if it is not supported on that platform, a suitable alternative that has been approved by the CIO. OIT will provide training and access to the anti-virus agent to non-OIT personnel.
  • Unsupported Operating Systems: During the inventory process or while joining computers to the domain, any computers found running unsupported operating systems will be upgraded to a supported version by the corresponding technical support personnel. During this upgrade process, OIT will work to provide a loaner device to the faculty or staff to continue to conduct their work.

Due to the coordination efforts that OIT needs to conduct with non-OIT technical support personnel, it is difficult to provide an optimistic or realistic completion date. However, our goal is to perform these actions on faculty and staff computers during the Spring 2023 semester and in special systems such as researchers’ systems or computer labs during Spring and Summer 2023.


Results

Upon completion, OIT, in conjunction with non-OIT technical support personnel, expects to:

  • Have a comprehensive inventory of all systems connected to the CCNY network
  • Have better visibility into all CCNY systems
  • Have a system administrator credential to run scans and remediate as required
  • Be able to run in-depth cybersecurity scans on all systems
  • Be able to remediate vulnerabilities and update or patch CCNY systems
  • Be able to monitor systems for viruses or malware
  • Comply with university information security procedures
    • User account management
    • Administrator account password management
    • Device and patch management
    • Vulnerability scans
    • Enterprise-grade anti-virus