Presentation is loading. Please wait.

Presentation is loading. Please wait.

Georgia State University 2003 A Ten Step Approach to Developing an Information Security Program Bill Paraska Director of University Computing.

Similar presentations

Presentation on theme: "Georgia State University 2003 A Ten Step Approach to Developing an Information Security Program Bill Paraska Director of University Computing."— Presentation transcript:

1 Georgia State University 2003 A Ten Step Approach to Developing an Information Security Program Bill Paraska Director of University Computing & Communications Services Georgia State University

2 Georgia State University 2003 Just do it so I dont have to hear about it again This is a management issue –IT staff cant decide whats important, who needs to protect it, whats acceptable behavior from employees and what the penalties are for non-compliance Its not going to go away –Putting up a firewall doesnt make it go away – you need a plan that is maintained and evolves When you get hacked, its usually not IT they are after

3 Georgia State University 2003 Boy are you going to be popular This stuff costs real dollars that were never budgeted You cant show any positive impact on the student retention or semester hours registered You say you can never really fix the entire problem You dont know where the next attack is coming from One of your instructional departments may even be teaching the tools to launch the attacks

4 Georgia State University 2003 A pair of students were blocked by a Georgia state court from presenting information at a security and hackers' conference on how to break into and modify a university electronic transactions system

5 Georgia State University 2003 Plan, execute, evaluate, fine- tune, repeat Biggest long term mistake you can make is quick fixes with unfounded expectations Do the homework and go after where its going to hurt the most User inconvenience should not be an evaluation criteria Dont take it personal

6 Georgia State University 2003 Ten Step Approach 1.Determine the "state of security" 2.Write a DRAFT Information Security Strategic Plan 3.Review existing policies and standards 4.Get Institution management buy-in 5.Write the annual Information Security Plan 6.Evaluate your security staff composition 7.Engage the active involvement of campus departments and IT leaders 8.Implement an incident response team 9.Start a security awareness program 10.Integrate security into the business and academic processes of the institution

7 Georgia State University 2003 Determine The State of Security Using automated tools to discover information about your campus network Use your own assessment plus contacts around campus to get a straw-man of whats important, to who and why Make preliminary assessment of vulnerabilities

8 Georgia State University 2003 Develop a DRAFT Information Security Strategic Plan Your ideas of how to approach what you have just identified Link it to the Institution Strategic Plan or Master Plan – portray information security as a key enabler Let them shoot holes in it No plan means everything you bring to the table is ad-hoc and suspect

9 Georgia State University 2003 Review Existing Policies and Standards Policy (Principle)What the expected end result is Standards (Rules)What will be allowed to meet those end results Procedures (Process)How to do what is allowed Assumes you have some already. If not use what you can find that fits your institution goals and missions and management attitude These are essential to determining appropriate tools to alleviate risks, threats and vulnerabilities

10 Georgia State University 2003 Characteristics of Good Policy Foundation in business practice not technology Acts in the best interest of the institution Does not prevent the attainment of subordinate organization objectives, goals Has an element of compliance less costly than non-compliance Once its completed, it sounds like common sense

11 Georgia State University 2003 The Process of Policy Needs to be done at the top of the organization Define areas of common benefit Agree to architectural components of common benefit Agree to applications of common benefit Agree on policies

12 Georgia State University 2003 The Mechanics of Policy Simple, direct statements (principles) No more than one page per principle Not written by the security officer or CIO Not a set of technical rules (that comes later)

13 Georgia State University 2003 Examples Every manager is responsible for the accuracy, security and integrity of the information used by his/her organization All corporate information is an asset of the university and will be protected as such

14 Georgia State University 2003 Get Management Buy-in You did all the stuff before this step because you are the technical expert Sell it on their terms – not with IT techno babble Get their validation of where the most pain would be based on the threats you have outlined

15 Georgia State University 2003 Write the Information Security Annual Plan They told you what is important so find the approach to protect it – throw their words back at them Establish the procedure, the goals and the measurements Show how it fits into your existing information technology environment Dont hide the costs

16 Georgia State University 2003 Evaluate Your Security Staff Composition Minimum Staffingan Information Security Officer to develop and manage your security initiatives Utilizing a cross-section of information technology staff members with backgrounds in networking, application and server management Ramp up to what makes sense for the Strategy Is outsourcing right for you?

17 Georgia State University 2003 Engage the Active Involvement of Campus Departments, IT Leaders Dont dictateEducate! Its their problem too! Appeal to the diverse needs and requirements of students, faculty, department heads and information technology staff members Qualify and quantify risks where possible to provide a realistic assessment of what is at stake

18 Georgia State University 2003 Implement An Incident Response Program Refer back to the assessments you did at beginning Define policy and procedures for incident handling Put together the response team Monitor your network and critical hosts for evidence of intrusions and compromises Detect, respond, manage and mitigate (damages) incidents Roll what you learn back into the Annual Plans

19 Georgia State University 2003 Start a Security Awareness Program Teach, motivate, inspire… Use real-world examples to your benefit Variety is keywebsites, newsletter articles, classes, posters, seminars Spread the word through personally visiting and engaging college staff and faculty Provide a service to your user community

20 Georgia State University 2003 I ntegrate Information Security into the Business and Academic Processes of the Institution Conduct information security audits of departments Be involved in system implementations, organizational changes, process re-engineering Use a strategic layered approach to implement new security measures

Download ppt "Georgia State University 2003 A Ten Step Approach to Developing an Information Security Program Bill Paraska Director of University Computing."

Similar presentations

Ads by Google