Northwestern University Feinberg School of Medicine
Information Security at Feinberg School of Medicine: Past, Present, Future
Advisory Council for Clinical Research Monthly Lecture Series, October 18, 2013
Carl Cammarata
Chief Information Security Officer, Feinberg School of Medicine, Northwestern Medical Faculty Foundation
Interim Chief Information Security Officer, Northwestern Medicine

Learning Objectives
- Why is data security important in clinical research?
- What are our most serious security risks?
- What is Feinberg School of Medicine doing to improve its data security posture?
- What security services are being planned to support the clinical research process?
- Who is responsible for data security?
- Q&A

We live in an age where you are private by effort and public by default

Your risks, your consequences
- Human factors: self-disclosure of private information, weak/shared, too many passwords
- Importance of your data
- Reliance on others for privacy: social media sites, wrong security, security changed without notice, confidentiality, ex-friends
- Malicious code: viruses, spyware
- Social engineering: phishing, spam, too much data
- Compromised devices
- Lost or stolen data
- Identity theft
- Reputation
- Lost job or financial opportunities

Who is responsible for data security?
- You are
- We are
- Everyone is
by Aaron Muszalski

Consequences of unauthorized disclosure can be significant
- Potentially delayed patient benefits from research
- Distractions from core mission
- Real direct and indirect costs resulting from mistakes, lack of awareness, negligence, remediation
- Public/internal embarrassment, negative publicity, reputation, furious patients
- Investigations, fines, penalties
- Financial losses (jobs, future/renewed grants, alumni giving)

Why is security important in clinical research?
- Patient privacy, preventing unauthorized disclosure
- Patient safety, availability of research data to address adverse events
- Data integrity from collection to analysis, reporting and regulatory submission
- Compliance with regulations, contracts/grants criteria & University policy

What are our most serious security risks?
Research and PHI data being used as a conduit for medical identity theft, compromising research, affecting patient privacy and safety:
- Data - unencrypted
- Data - on personal devices
- Data - on portable devices
- Data - in the cloud
- Data - in personal
- Data unmanaged, unsecured

Other than data, our risks
- Policies & Procedures require revision to improve clarity, expectations of behavior and compliance posture (Risk: Content varies considerably and is not consistently applied or understood).
- Technology must be managed to Policy and accepted standards to minimize risk of exposure of PHI and disruption of research (Risk: Security configuration of technology varies considerably. There is a non-trivial risk of PHI being inadvertently disclosed because of a misconfiguration, malware-infected device or proliferation of mobile devices).
- As custodians of Research and Protected Health Information (PHI) we must ensure it is consistently and rigorously secured (Risk: PHI is widely dispersed and is secured to varying degrees. There is a non-trivial risk of research data and PHI being inadvertently disclosed due to the absence of adequate protection or an incomplete knowledge of its location).

Northwestern University Feinberg School of Medicine
Information Security Management Approach Supporting Clinical Research: Past, Present and Future
Advisory Council for Clinical Research Monthly Lecture Series, October 18, 2013
Carl Cammarata
Chief Information Security Officer, Feinberg School of Medicine, Northwestern Medical Faculty Foundation
Interim Chief Information Security Officer, Northwestern Medicine

Improving our Security Posture - Timeline & Projects
- HIPAA Security Rule Consulting Risk Assessment, September 2010
- FISMA / NIST secure projects (source: Warren Kibbe)
  o National Children's Study (NCS) Information Management Hub, March 2011
  o NCS South Regional Operational Center, September 2012
- HIPAA Compliance of Research Data Committee, November 2011
- CIO appointed, January 2012
- IT Security Policy including encryption requirements published, February 2012
- IT Security Policy all user acknowledgment initiated, February 2012
- Executive IT Steering committee formed, March 2012
- NUIT secure disk storage, offered August 2012
- Security dashboard reporting (encryption compliance), September 2012
- NMFF secure physical facilities, offered January 2013
- NMFF secure server farm, offered January 2013
- NMFF secure disk storage, offered March 2013
- CISO hired, March 2013
- IT Leadership and IT Working group committees formed, March 2013
- Information Security Strategy and Plan, August 2013
- Network Security infrastructure project, complete August 2013
- Active Directory, Windows domain project, started August 2013, ongoing
- Managed secure device project, planning started September 2013
- Northwestern Medicine formed, August 2013
- Central IT Support environment, anticipated
Timeline labels: Past, Present
Policy and technical foundational to reduce risk of exposing research and PHI data

Information Security Strategy & Plan
- Establish a managed and secure technology environment
- Publish revised and synchronized policies and procedures
- Clinical research information security services
- Clinical research - data security plans
- FISMA
- Clinical partners integration
- Executive Oversight & IT Security Committee
- Implement a risk assessment process
- PHI/PII asset management

Network Security Infrastructure Project

Description
Deliver an improved network connection between NU (FSM) and NMFF/NMH
1. Installation of new network hardware
2. Creation of 3 service tiers:
   - Tier 1 - NMFF network extension
   - Tier 2 - FSM Managed Network
   - Tier 3 - Unmanaged Network

Project Team
Julian Koh, Warren Harding, Matt Wilson, John Brow, Ben Nicholson, Rocky Xu, Brian Griffin, Carl Cammarata, Jon Lewis, Danny Garza, Todd Nelson

Implementation
Julian Koh, Warren Harding, Matt Wilson, John Brow, Ben Nicholson, Rocky Xu, Danny Garza

Enable network connectivity from the Northwestern University (NU) network to the Northwestern Medical Faculty Foundation (NMFF) network to improve security and staff productivity through security tiers.

Status
Completed

Benefits
- Tier 1: Device becomes part of NMFF/NMH network, direct access to clinical resources
- Tier 2: Direct access to FSM central resources, indirect access to clinical resources
- Tier 3: Limited access to FSM central resources

Security Posture
Controls access to clinical resources based upon the integrity of the device and access point on the network.

Active Directory, Windows Domain Project

Description
Deliver an upgraded central FSM domain focused on improving security and standardizing endpoint support.

Project Team
Dong Fu, Jignesh Patel, Rocky Xu, Noah Xu, Michael Tittle, Brian Griffin, Carl Cammarata, Jon Lewis, Todd Nelson

Implementation
FSM IT Support Groups

Update the existing FSM technical environment to enable centralized management of devices and standardized device configuration and security policy.

Status
Active

Benefits
- Enables uniform management of devices to software standards and enhanced security policy (e.g., software and security updates, encryption).
- Allows more efficient cross-departmental IT support services.
- Establishes pre-requisite for future two-way device trust with NMFF/NMH.

Security Posture
Devices can be managed and controlled from central support management consoles (application of security patches, installation and management of software such as encryption).

Managed, Secure Device Project

Description
The migration and standardization of FSM endpoints to the new Tier Managed environment defined by the related Network and Domain projects (Nexus and Zenith).

Project Team
Tim Hite, Alex Cohn, Frank Schleicher, Bob Valadka, Karen Kelly, Patrick Canevello, Brian Griffin, Carl Cammarata, Jon Lewis, Troy Alexander, Matt Newsted, Todd Nelson

Implementation
FSM IT Support Groups

Standardize configuration and management of endpoint devices to allow for security trust (and improved access productivity) between NU and NMFF through network security tiers and managed devices.

Status
Planning

Benefits
- Deploys standard images to endpoint devices.
- Enables central management and more efficient problem resolution.
- Device software updated and patched from central services.
- Improved device reliability, serviceability, and integrity.

Security Posture
- Reduced risk of data disclosure resulting from malware infections.
- Efficient central management of endpoint device and security software such as encryption.

Anticipated Technology Initiatives
- Mobile device security
- Wireless security
- Data loss prevention (DLP)
- Network access control (NAC)
- Two factor authentication
- Vulnerability assessment tools
- Device theft risk mitigation (RFID, LoJack)

Anticipated Policy Portfolio

FSM IT Policy Category: Procurement, Integration, Collaboration, Secure Storage, Backup & Retention, Departmental Support, Local Networks, Network Architecture, IT Security

Named Policy: IT Goods & Services, Device Standards, File Sharing, Secure Storage, Backup & Retention, Departmental Support, Domain Device, Lab Device, Network Architecture, IT Security

Departmental IT Support Alignment

Alex Cohn IPHAM Daniel Erickson Preventive Medicine Dawood Ali Medical Social Sciences Frank Schleicher Medicine, Surgery, a few others Fang Gao Physical Therapy J C Thomas Rogers Anesthesiology Jasmin Shah Obstetrics/Gynecology Jeremy Fox Physical Medicine and Rehabilitation Jeremy Prevost Galter Library Jignesh Patel, Dong Fu NUCATS Matthew Newsted Center for Genetic Medicine Robert Valadka Basic Science Sean Withrow Radiology Troy Alexander Pediatric Research Jonathan Lewis Dean's Administration Neurology Psychiatry Pathology Lurie Cancer Center FSM/NMFF collaboration FSM/NMFF collaboration FSM/NMFF collaboration FSM/NMFF collaboration Otolaryngology Ophthalmology Orthopaedic Surgery Urology Neurological Surgery Emergency Medicine Global Health Radiation Oncology Dermatology

Clinical Research Information Security Services
Data Security Plan Review

Human Subject Research Data Security Plans
Objective: to ensure all personally identifiable information and protected health information which is entered, stored, transmitted, analyzed, and reported as part of an approved IRB research protocol is properly and adequately secured throughout the research process.

Data Security Plans
The plan would describe the data flow and how the data is secured throughout the life of the research project, from initial data collection to reporting, publishing, registration and archiving. A plan would include, at least, the following and describe the security capabilities of each. Plans may vary in complexity consistent with the complexity of the research:
- How and by whom will data be collected, transmitted and stored
- How will data be secured at each stage in the workflow
- How will access be controlled and through what mechanisms
- Describe where and how data will be encrypted
- How will data be backed up and at what frequency
- Where will backup data be stored
- Describe the type of computing equipment that will be part of the information workflow and how will each type be secured
- How will data be disposed and using what disposal mechanism

Data Security Plan Review

Challenges
- Volume
- Workflow impact
- Change

Critical Success Factors
- Agreement among key stakeholders
- Fine-tuning a reliable (technology driven) workflow with minimal disruption
- Triaging review process based upon subject, data risk, study complexity
- Agreement on what approving a data security plan means
- Expedited process
- Exception process
- Staff resources

Data Security Plan Review

Integration Considerations
- Exempt protocols (non-human subject)
- Expedited (low risk, human subject)
- Rigor of review
- EMR data
- ePHI
- Consented (PII, research data)
- Record of approval linked to research portfolio
- Rejection re-review cycle
- Technical integration of workflow

Next Steps
- Data security approaches currently reviewed on a case-by-case basis
- Continue to work toward developing a formal plan

FISMA

What is FISMA (Federal Information Security Management Act of 2002)?

From Wikipedia, the free encyclopedia:

The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L , 116 Stat. 2899). The act recognized the importance of information security to the economic and national security interests of the United States.

The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security."

FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to Office of Management and Budget (OMB). FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.

Why FISMA at Northwestern?
Required by some Federal agencies (e.g., NIH) as a pre-requisite or stipulation of grant awards. This requirement is becoming more commonplace.

FISMA Required Standards & Guidelines
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, April 2004, 13 pages
  o Required to determine system category
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, 17 pages
  o Required to derive impact from system category
- NIST Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013, 457 pages
  o Baseline security controls guidance applied to subject system's category and impact
- NIST A Revision 1, Guide for Assessing the Security Controls in Federal Systems and Organizations, June 2010, 399 pages (outdated as of April 2013)
  o Guide for building effective security assessment plans

FISMA Categorization & Impact

FISMA Life Cycle
- Categorize
- Analyze Impact
- Determine & Apply Minimum Security Standards
- Assess Risk & Gaps
- Remediate
- Re-assess
- Certify
24 Clinical Research Information Security Services FISMA Controls Baseline NIST (FISMA) HIPAA HITRUST Crosswalk NIST Control Specification Program Management Access Control HIPAA Security Standard Security Management Process Assigned Security Responsibility Workforce Security Information Access Management Access Control Person or Entity Authentication HITRUST CSF Direct Control Categories NIST Security Baseline Controls by FISMA Category Low Medium High 0,2,3,5,6,7,9, ,2,5,6,8,9,10, Awareness & Training Security Awareness & Training 1,2,5,6,9, Audit & Accountability Audit Controls Integrity 6, Security Assessment & Authorization Evaluation 0,3,5, Configuration Management Evaluation 0,3,5, Contingency Planning Contingency Plan 2,7,9, Identification & Authentication Person or Entity Authentication Incident Response Security Incident Procedures 2, Maintenance Evaluation 0,3,5, Media Protection Device & Media Controls 2,7,8,9, Physical & Environmental Protection Facility Access Controls Workstation Use Workstation Security 1,2,5,7,8,9, Planning Security Management Process Assigned Security Responsibility 0,2,3,5,6,7,9, Personnel Security Workforce Security 1,2,5,8, Risk Assessment Evaluation 0,3,5, System & Services Acquisition System & Communications Protection System & Information Integrity Business Associate Contracts 2,5, Transmission Security 6,9, Security Management Process Integrity Security Awareness & Training 0,1,2,3,5,6,7,9, Totals 135 Control Specifications Controls Baselines NIST (FISMA), HITRUST is overarching of HIPAA Small percentage of available supplemental controls NIST (FISMA) are guidelines but driven by ATO contracts Extensive breadth & depth Multi-purpose benefit Broad compliance posture Risk & self assessment baselines drive measurable improvement Drives down ephi risks Drives up Grant intake opportunities

FISMA General Recommendations
- Institutionalize FISMA capabilities; implement FISMA service delivery model
  o Integral to FSM academic and technology processes
  o With HITRUST foundation of IT compliance and policy
  o Competitive advantage
  o Internal and possibly external service model with revenue and ROI
- FISMA is an overarching approach while HIPAA security improvements run in parallel
  o Risk assessment approaches address HIPAA and FISMA requirements
  o Department self (risk)-assessments become integral to the process
  o Integrates academic and clinical considerations
  o Broad approach maximizes compliance coverage
- Develop initial policies addressing entry-level requirements and synchronize with HIPAA, HITRUST requirements
- Document the Security Plan and risk assessment process
- Complete baseline gap analysis and propose remediation efforts

FISMA Current Commitments
- National Children's Study Information Management Hub, in use by 15 study centers across the country. In production (Warren)
- National Children's Study South Regional Operations Center, overseeing 10 study centers across the country (a different 10 centers than the Hub). Institute for Healthcare Studies. In operation.
- National Children's Study Adaptive Test Design. Part of the National Children's Study Health Measurement Network. Medical Social Sciences. Planned to go live by Jan
- Cancer Prevention Agent Development Program: Early Phase Clinical Research. Creating a FISMA version of the RHLCCC NOTIS clinical trials management system. Lurie Cancer Center. Go Live July 2013

FISMA Critical Success Factors
- Managed technology environments are basic prerequisites to FISMA (and HIPAA) baseline requirements
- Documented FISMA policies and risk assessment procedures
- Department ability to define baseline control requirements
- Viable risk measurement tool
- Acceptance and adoption of FISMA requirements
- FSM-wide service delivery model with sufficient resources to meet projected capacity

Clinical Partners Integration

NUCATS 2.0 Leadership Structure: Clinical Partners Information Security Partner Governance Best Practices Sponsorship Accountability Clinical Partners Information Security Integrated Leadership Group Collaboration Service Management

Objectives (Charter)
- Unify information security principles
- Integrate security for cross-partner clinical research activities
- Contribute to grant award applications
- Resolve complex security issues
- Proactively address emerging threats and security technology evolution
- Process Improvement

Clinical Partners Integration

Align information security strategy with clinical partners
- Northwestern University Feinberg School of Medicine
- NUCATS
- Northwestern Medicine
- Lurie Children's Hospital
- Rehabilitation Institute of Chicago
- NM EDW

Establish Leadership Group comprised of partner representation
- Proactive collaboration and exchange of strategy formulating information
- Active participant of NUCATS Organization and Governance
- Accountable to the NUCATS Steering Committee

Leadership Group Charter
- Establish unified information security principles and federated policies to support collaborative initiatives
- Define and support an information security integration strategy for cross-partner clinical research activities (e.g., CTSA, FISMA)
- Contributing author of information security material for grant award applications
- Evaluate and propose common resolutions to complex security issues
- Proactively evaluate emerging threats and security technology evolution

Clinical Partners Integration

Leadership Group
- Northwestern University Feinberg School of Medicine
- NUCATS
- Northwestern Medicine
- Lurie Children's Hospital
- Rehabilitation Institute of Chicago
- NM EDW

Anticipated outcomes
- Unified information security principles (e.g., federated policy structure)
- Information security integration strategy for cross-partner clinical research activities
- Structured information security material for grant award applications
- Leverage best practices & experience to resolve complex security issues
- Ongoing educational forum which discusses risks, threats, technology evolution
- Proactively evaluate emerging threats and security technology evolution

Security responsibilities: "May I steal your data please?"
- Use only encrypted memory sticks and portable devices
- Keep your computer and antivirus software up-to-date
- Never store PHI or PII on portable devices unless encrypted
- Never share memory sticks
- Reportable breaches can occur

As USB drives become cheaper and information is distributed freely, the possibility of Trojans and other malware increases.

Security responsibilities: "I am free and easy"
- Unparalleled technological and educational advancement opportunity
- Equally unparalleled security risks
- Understand the risks before putting your own personal data (e.g. tax data) into the cloud
- Keep PHI and PII off cloud computing platforms unless there is an NU-approved legal contract
- Reportable breaches can occur

The incredible cost savings and flexibility cloud computing affords also opens up a superhighway for cybercrime. As cloud use increases, so, too, will the number of opportunities for data infection or theft.

Security responsibilities: "I just stole your data" (The Insider Threat)
- "This is the way we've always done it"
- "I didn't know"
- "I couldn't wait"
- "Security takes time"
- "I care about my personal data but why should I care of that belonging to others"

Lack of separation of responsibilities, management oversight and consequences of actions, excess access, mistakes, lack of training, non-compliance with policies and procedures, under utilization of existing security technology, laziness, convenience and covert activities increase data risks to the University.

Security responsibilities: "May I steal your data please?"

Who is responsible for data security?
- Everyone is
- We are
- You are