Presentation is loading. Please wait.

Presentation is loading. Please wait.

Georgia State University 2003 A Ten Step Approach to Developing an Information Security Program Bill Paraska Director of University Computing.

Published byRylan Whitlock Modified over 10 years ago

Similar presentations

Presentation on theme: "Georgia State University 2003 A Ten Step Approach to Developing an Information Security Program Bill Paraska Director of University Computing."— Presentation transcript:

1 Copyright @ Georgia State University 2003 A Ten Step Approach to Developing an Information Security Program Bill Paraska Director of University Computing & Communications Services Georgia State University

2 Copyright @ Georgia State University 2003 Just do it so I dont have to hear about it again This is a management issue –IT staff cant decide whats important, who needs to protect it, whats acceptable behavior from employees and what the penalties are for non-compliance Its not going to go away –Putting up a firewall doesnt make it go away – you need a plan that is maintained and evolves When you get hacked, its usually not IT they are after

3 Copyright @ Georgia State University 2003 Boy are you going to be popular This stuff costs real dollars that were never budgeted You cant show any positive impact on the student retention or semester hours registered You say you can never really fix the entire problem You dont know where the next attack is coming from One of your instructional departments may even be teaching the tools to launch the attacks

4 Copyright @ Georgia State University 2003 A pair of students were blocked by a Georgia state court from presenting information at a security and hackers' conference on how to break into and modify a university electronic transactions system

5 Copyright @ Georgia State University 2003 Plan, execute, evaluate, fine- tune, repeat Biggest long term mistake you can make is quick fixes with unfounded expectations Do the homework and go after where its going to hurt the most User inconvenience should not be an evaluation criteria Dont take it personal

6 Copyright @ Georgia State University 2003 Ten Step Approach 1.Determine the "state of security" 2.Write a DRAFT Information Security Strategic Plan 3.Review existing policies and standards 4.Get Institution management buy-in 5.Write the annual Information Security Plan 6.Evaluate your security staff composition 7.Engage the active involvement of campus departments and IT leaders 8.Implement an incident response team 9.Start a security awareness program 10.Integrate security into the business and academic processes of the institution

7 Copyright @ Georgia State University 2003 Determine The State of Security Using automated tools to discover information about your campus network Use your own assessment plus contacts around campus to get a straw-man of whats important, to who and why Make preliminary assessment of vulnerabilities

8 Copyright @ Georgia State University 2003 Develop a DRAFT Information Security Strategic Plan Your ideas of how to approach what you have just identified Link it to the Institution Strategic Plan or Master Plan – portray information security as a key enabler Let them shoot holes in it No plan means everything you bring to the table is ad-hoc and suspect

9 Copyright @ Georgia State University 2003 Review Existing Policies and Standards Policy (Principle)What the expected end result is Standards (Rules)What will be allowed to meet those end results Procedures (Process)How to do what is allowed Assumes you have some already. If not use what you can find that fits your institution goals and missions and management attitude These are essential to determining appropriate tools to alleviate risks, threats and vulnerabilities

10 Copyright @ Georgia State University 2003 Characteristics of Good Policy Foundation in business practice not technology Acts in the best interest of the institution Does not prevent the attainment of subordinate organization objectives, goals Has an element of compliance less costly than non-compliance Once its completed, it sounds like common sense

11 Copyright @ Georgia State University 2003 The Process of Policy Needs to be done at the top of the organization Define areas of common benefit Agree to architectural components of common benefit Agree to applications of common benefit Agree on policies

12 Copyright @ Georgia State University 2003 The Mechanics of Policy Simple, direct statements (principles) No more than one page per principle Not written by the security officer or CIO Not a set of technical rules (that comes later)

13 Copyright @ Georgia State University 2003 Examples Every manager is responsible for the accuracy, security and integrity of the information used by his/her organization All corporate information is an asset of the university and will be protected as such

14 Copyright @ Georgia State University 2003 Get Management Buy-in You did all the stuff before this step because you are the technical expert Sell it on their terms – not with IT techno babble Get their validation of where the most pain would be based on the threats you have outlined

15 Copyright @ Georgia State University 2003 Write the Information Security Annual Plan They told you what is important so find the approach to protect it – throw their words back at them Establish the procedure, the goals and the measurements Show how it fits into your existing information technology environment Dont hide the costs

16 Copyright @ Georgia State University 2003 Evaluate Your Security Staff Composition Minimum Staffingan Information Security Officer to develop and manage your security initiatives Utilizing a cross-section of information technology staff members with backgrounds in networking, application and server management Ramp up to what makes sense for the Strategy Is outsourcing right for you?

17 Copyright @ Georgia State University 2003 Engage the Active Involvement of Campus Departments, IT Leaders Dont dictateEducate! Its their problem too! Appeal to the diverse needs and requirements of students, faculty, department heads and information technology staff members Qualify and quantify risks where possible to provide a realistic assessment of what is at stake

18 Copyright @ Georgia State University 2003 Implement An Incident Response Program Refer back to the assessments you did at beginning Define policy and procedures for incident handling Put together the response team Monitor your network and critical hosts for evidence of intrusions and compromises Detect, respond, manage and mitigate (damages) incidents Roll what you learn back into the Annual Plans

19 Copyright @ Georgia State University 2003 Start a Security Awareness Program Teach, motivate, inspire… Use real-world examples to your benefit Variety is keywebsites, newsletter articles, classes, posters, seminars Spread the word through personally visiting and engaging college staff and faculty Provide a service to your user community

20 Copyright @ Georgia State University 2003 I ntegrate Information Security into the Business and Academic Processes of the Institution Conduct information security audits of departments Be involved in system implementations, organizational changes, process re-engineering Use a strategic layered approach to implement new security measures

Download ppt "Georgia State University 2003 A Ten Step Approach to Developing an Information Security Program Bill Paraska Director of University Computing."

Similar presentations

A Valuable Asset School districts put a valuable asset of the nation’s schools at risk when they ignore the health of their employees. WHY? BECAUSE… Actions.

A Valuable Asset School districts put a valuable asset of the nation’s schools at risk when they ignore the health of their employees. WHY? BECAUSE… Actions.
The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
March 23, 2011. Todays Outcomes By the end of todays workshop, participants will be able to... Revise and/or finalize SAOs within their areas Discover.

March 23, Todays Outcomes By the end of todays workshop, participants will be able to... Revise and/or finalize SAOs within their areas Discover.
Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
NSAA Information Technology Conference Planning the Scope of Your IT Audit _____________________________________ October 1, 2014 Jennifer Schreck, Audit.

NSAA Information Technology Conference Planning the Scope of Your IT Audit _____________________________________ October 1, 2014 Jennifer Schreck, Audit.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003.

Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.

University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.
The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You Christopher Baum Research Vice President Global Government NYSCIO Conference.

The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You Christopher Baum Research Vice President Global Government NYSCIO Conference.
Information Systems Security Officer

Information Systems Security Officer
The 5 Characteristics Successful Nonprofits Have in Common

The 5 Characteristics Successful Nonprofits Have in Common

Similar presentations

Ads by Google