Introducing Annual Cybersecurity Assessments to an Obstreperously Decentralized Campus

We will share lessons learned from launching the first campus-wide cybersecurity assessment program for the University of Chicago’s decentralized IT environment. We will describe the ways in which we: defined program scope, modeled our organization’s structure, identified units’ data assurance levels, selected an assessment tool and an assessment framework, created a communications strategy to incentivize unit participation, developed executive reporting requirements, and addressed feedback from unit IT staff, all while planning to expand our assessment process into a customizable certification program. We’ll discuss some assumptions we made at the outset, which ones proved true, and what’s next for our annual assessment program.