Office of the Chief Information Security Officer

Assumption of Breach

The Office of the CISO's “assumption of breach” methodology is a practical approach that supports the University by balancing risks and creating situational awareness about critical information assets and sophisticated cyberattacks.

It challenges the traditional security practices that are fixed and rigid.

It forces us to examine real conditions, be adaptable and nimble, and think about what constitutes due care through the “assumption of breach” practices listed below.

Assumption of Breach Practices

  • Adopt a repeatable risk management framework for reporting and prioritizing work efforts.
  • Document and assess the value of critical data assets, technology services, people, business relationships, and partners.
  • Prioritize assets and related risk-mitigation efforts that make the most sense based on available resources.
  • Establish clear responsibility and communication plans for information security, including incident response.
  • Enable innovation and control contract risk with fair, clear, and practical terms and conditions that reduce liabilities related to asset loss or compromise.
  • Implement an intelligence program based on reliable sources for evolving threats, incidents, industry trends, adversary profiles, and related analysis.
  • Establish a network of trusted strategic partners and experts.
  • Implement “advanced” incident response and management capabilities and tools.
  • Minimize the electronic attack surface for all critical assets.
  • Explore options for responding to and defending against intrusions.