Implementing Information Security and Compliance: Four Questions and a Roadmap to Guide the Way (presentation transcript)

Slide 1: Implementing Information Security and Compliance
Four Questions and a Roadmap to Guide the Way

Copyright University of Texas System, 2008. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided this copyright statement appears on the reproduced materials. To disseminate otherwise or republish requires written permission of the authors.

EDUCAUSE Security Professionals Conference 2008
Miguel Soldi
Lewis Watkins, CISO

Slide 2: Who are we? The University of Texas System

- ~186,000 students
- ~78,000 faculty & staff
- 9 Academic Institutions
- 6 Medical Institutions
- U. T. System Administration
- U. T. Investment Management Company (UTIMCO) [a 501(c)(3) corporation to manage endowment]

Missions: Research, Instruction, Patient Care, Public Service

Slide 3: What's Our Problem?

Headlines:
- Lost Thumb Drive Puts Data at Risk
- 1000's of Records Stolen from University Database
- University Website Compromised
- University Database Breach Threatens Student Identities
- Hacker Steals University Data
- Prof's Home Computer Stolen with Student IDs and Grades

In response to repeated breaches, The University of Texas System Board of Regents launched a system-wide information security program, creating a system-wide CISO position and CISO Council.

Slide 4: How do we approach this monster?

"IT Security is a monster!"
Charles Chaffin, Chief Audit Executive and Compliance Officer, The University of Texas System, August 10, 2006

Very thoughtfully! A structured approach is essential!

Slide 5: Four Guiding Questions

Q1 - What's Happening?
- What type of incidents are occurring?
- What's "not happening" that hinders security?

Q2 - What's Important?
- What's most important to protect?
- What's important to do in order to bolster information security?

Q3 - What's Effective?
- What strategies return the biggest payoff?
- What metrics are useful for tracking effectiveness?

Q4 - What's Next?
- What will we likely encounter tomorrow?
- What can we do now to prepare?
- What are we missing?

Slide 6: What's Happening? What's happening around here?

1. Most major incidents have been of three types:
   - Lost or Stolen Computers
   - Application Breaches (as opposed to network)
   - Misconfigured / Poorly Patched Computers
2. Security practices vary greatly across and within our Institutions.
3. Other trends:
   - Perimeters dissolving
   - Business Partner Breaches

Slide 7: What's Important? Remain Focused on Mission!

The mission of the information security program:
- Improve information security across all UT institutions,
- Do this in a way that is verifiable, and
- Help ensure compliance with information security related regulations.

Slide 8: What's Important? Protect the Integrity of the Institution!

- Service Availability
- Intellectual Property
- Brand Name
- Privacy
- Compliance

Slide 9: What's Important? Verification!

- At the incident level.
- At the Program level.

Slide 10: What's Important? What do we mean by Information Security Compliance?

We must comply with, and be able to demonstrate compliance with, regulations having information security requirements:
- HIPAA
- PCI
- FERPA
- GLB
- SOX
- TAC 202

With more to come!

Slide 11: What's Important?

As a prerequisite to success, it's important to know the following:
1. the threats to your environment;
2. the location of your high risk data and information resources;
3. the architecture of your technology environment, including the configuration and protection state of your devices.

Slide 12: What's Effective?

A Roadmap is a useful tool for steering the program:
- Standards
- Metrics & Outcomes
- Oversight
- Technology

Slide 13: What's Effective? Which strategies really work?

- Tasks not started
- Tasks underway
- Tasks completed

Slide 14: What's Effective? What really needs to be protected?

A Sound Risk Assessment Process that:
- Identifies the high risk data and assets
- Identifies the vulnerabilities
- Is scalable and easy to administer
- Provides the needed information for prioritizing corrective actions

Slide 15: What's Effective? Ensure the Program Covers the Problem Space!

1. Information Security Governance
2. Policies, Procedures, Standards
3. Asset / Data Classification
4. Risk Assessment and Management
5. Compliance
6. Access Management
7. Change Management
8. Configuration Management
9. Data Backup and Recovery
10. Disaster Recovery
11. Incident Management
12. Physical Security
13. Device Use and Security
14. Application Development and Acquisition
15. Electronic Records Management

Slide 16: Baseline Standard for Information Security Programs

Number: Security Practice Bulletin #2 (SPB-2)
Title: Baseline Standard for Information Security Programs
Date: January 1, 2007

Purpose: Each Entity of the University of Texas System is charged with establishing and maintaining a standards and risk based Information Security Program (Security Program) that:
- secures the information assets under its stewardship against unauthorized use, disclosure, modification, damage or loss to reduce risk to acceptable levels;
- is documented and verifiable; and
- meets regulatory compliance requirements applicable to the Entity.
This bulletin identifies essential components to be included in each Entity's Security Program.

Definitions:
- Chief Administrative Officer: The highest ranking executive officer at each Entity. For most Entities, it is the President.
- Security Incident: An event which results in unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources, whether accidental or deliberate. (TAC 202A 202.1)

Rationale: U. T. System Information Resources are to be protected based on risk and must be administered in conformance with federal and state law and The University of Texas System Regents' Rules. This Baseline Standard Security Program is based on an analysis of state, federal and international standards for such programs and the unique characteristics of the higher education environment. Program elements are specified to ensure that each Entity's Security Program is sufficient in scope to include the functions and activities recognized by standards bodies as being necessary to be effective. Metrics are specified to measure program implementation and effectiveness. Reporting requirements are established to ensure adequate information is provided for compliance oversight and to inform executive management regarding the status and effectiveness of programs.

Expectations:
1. Each Entity of the U. T. System must establish and maintain a Security Program that includes appropriate protections, based on risk, for all Information Resources owned, leased, or under the custodianship, including outsourced resources, of any department, operating unit, or employee of the Entity.
2. Each Security Program must be documented and include the following:
   - The Security Program elements included in this bulletin as prioritized and documented by the Entity based on risk (See Document 1 below),
   - Documented strategies to address the elements of the Security Program,
   - The Security Program Metrics specified in this bulletin, to be reported to U. T. System at intervals as indicated in this bulletin (See Document 2 below),
   - Documented action plans, training plans, and monitoring plans,
   - Reports and timelines (See Document 3 below):
     o Quarterly Information Security Program Status reports submitted to the U. T. System CISO
     o Annual Status Report submitted to the Chief Administrative Officer and copied to the Entity's CIO and Compliance Officer and the U. T. System CISO by October 31st following close of the previous fiscal year.
3. Each Entity must collect required metrics data in ways that are documented and verifiable. An explanation must be provided for any metric for which data cannot be collected.
4. The Entity's Chief Administrative Officer or his or her designated representative(s) must formally approve the Security Program.
5. The Entity's CISO or ISO will administer the Entity's Information Security Program with cooperation of organizational units within the Entity that may hold functional responsibility relating to specific program elements.

Exceptions: There are no exceptions to the establishment and maintenance of an Entity's Security Program. It is recognized that gaps may exist between Program elements and an Entity's Program as deployed. Gaps are to be explained and documented in the Security Program document(s) submitted to the Chief Administrative Officer for approval. Gaps are to be addressed, based on risk, as soon as practical.

Intra-Entity Exceptions: Circumstances within a specific organizational unit(s) within an Entity may require an exception to specific elements of the program. These must be documented and justified by the Owner of the Information Resource and the Entity's CISO or ISO.

Documents:
1. U. T. System Information Security Program Elements
2. U. T. System Information Security Program Metrics
3. U. T. System Information Security Program Report Templates (TBD)

Summary of the Baseline Standard:
- Programs are to be Entity-wide in scope.
- Decisions are to be "Risk Based".
- Programs are to be documented (physical docs).
- Program's components and reports must be verifiable.
- Programs will be formally approved.
- Clearly define what must be included in a program.

Slide 17: What's Effective? Measure Activity and Progress

1. Number of Computing Devices
2. Configuration Visibility
3. Encryption Deployment
4. Anti-virus/malware Deployment
5. Number of Outreach Activities
6. Number of Assurance Activities
7. Number of Incidents
9. Incident Costs
10. Systems Lacking Disaster Recovery Plan
11. Number of Employees Receiving Basic Training
12. Number of Technical Employees Receiving Specialized Training
13. Information Security Budget
14. Compliance for TAC 202, UTS 165, HIPAA, PCI

Slide 18: What's Effective? Audit and Compliance Involvement

"Industry leaders are conducting internal audit and IT security monitoring eight times more frequently than are the industry laggards and five times more frequently than firms operating at industry norm."
Improving IT Compliance, 2006 IT Compliance Benchmark Report, Symantec Corporation

Vulnerabilities must be discovered and acknowledged to be addressed. Things that get measured, audited, and/or reviewed get attended to.

Slide 19: What's Effective? Getting the Ingredients required for success

People 70%, Technology 30%. Where deficiencies exist, the task becomes one of addressing the deficiency.

- Will: Support, Permission, Trust, Skill
- People: CISO Leadership, Security and IT Teams, Community
- Knowledge: Institution, Culture, Compliance, Risks, Technology
- Governance: Roles & Responsibilities, Decentralized IT Staff
- Resources: People, Time, Money, Technology, Base Infrastructure

Slide 20: What's Next? I wonder what they will do next?

Assume the SSN problem is solved.
- What are the emerging threats that we need to prepare for?
- How do we address these before the big event?
- How does an evolving social and technology world affect our security strategies?

Assume the enterprise has no boundary.
Assume all data is encrypted at rest and in motion.

Slide 21: Questions?

Miguel Soldi
Lewis Watkins, CISO
