Making the Case for Security: An Application of the NIST Security Assessment Framework to GW
January 17, 2003

David Swartz, Chief Information Officer
Guy Jones, Chief Technology Officer
Krizi Trivisani, Chief Security Officer

Copyright Krizi Trivisani 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Agenda
Starting a Security Program
The Security Landscape: The Violation Situation
Security Implementation Reliance
Benefits of Using the NIST Framework
Security Projects to Achieve NIST Level 3
Cultural Impacts of Security Programs
Information Resources
Starting a Security Program
What are you trying to protect?
What will be your security philosophy? Need to know? Need to protect?
What level of security do you want vs. need to achieve?
What industry guidelines will you use to determine if your program is on track? NIST?
What is your risk vs. benefit, including cost and compliance analysis?
The Security Landscape: The Violation Situation, 2001
Total violations went from 354 to 5,526, an increase of 1,560%.

The Security Landscape: The Violation Situation, 2002
Average number of violations per month in 2002 is 7,197.

The Violation Situation, Continued
Email viruses filtered: 22,271 in December of 2001, increased to 150,936 in November of 2002.
Security Implementation Relies On: Process, People, Technology
Policies must be developed, communicated, maintained and enforced.
Processes must be developed that show how policies will be implemented.
People must understand their responsibilities regarding policy.
Systems must be built to technically adhere to policy.
What is security awareness?
Security awareness is knowledge of potential threats. It is the advantage of knowing what types of security issues and incidents members of our organization may face in the day-to-day routine of their University functions. Technology alone cannot provide adequate information security. People, awareness and personal responsibility are critical to the success of any information security program.
Poor awareness exposed…
“It’s a frightening fact, but nine out of ten employees would unwittingly open or execute a dangerous virus-carrying email attachment.”
“Two-thirds of security managers felt that the overall level of security awareness is either inadequate or dangerously inadequate.”
“Six out of ten employees revealed an inadequate level of security awareness.”
These things don’t happen as a result of malicious intent, but rather from a lack of awareness of security risks.
Benefits of Using the NIST Framework
Considered an industry best practice
Shows a standard of due care
Allows risk assessment to determine program elements
Flexibility in application
Can be used as assessment criteria
Aligns with proposed HIPAA security regulations
Can reduce risk while balancing academic freedom
NIST (National Institute of Standards and Technology) Security Assessment Framework:
Level 1: Documented Policy
Level 2: Documented Procedures
Level 3: Implemented Procedures and Controls (universities are expected to operate at this level)
Level 4: Measured Program
Level 5: Pervasive Program
NIST Security Assessment Framework: GW Security Timeline
Level 0: Some security in place, but does not meet Level 1 criteria. Most universities are at this level.
Level 1: Formally documented and disseminated policy; responsibilities assigned; compliance identified. GW: achieved.
Level 2: Documented procedures for implementing the security controls identified in policies. GW: January 2003.
Level 3: Security procedures and controls are implemented. GW: December 2004.

Security projects along the timeline: host/router security, password management, central security office, compliance office, policy manager, virus filters, incident response, data center firewalls, security architecture, third-party assessment, disaster recovery, change control, assignment of duties, awareness and training, personal firewalls, scanning, lab monitoring, strong authentication, remote access (VPN), intrusion detection, enterprise firewall.
Culture Analogy: Seatbelts
“It should be noted that it took many years to get the seatbelt usage up to its present level, and it takes a heavy hand from the police to persuade the stupid to do the obvious.” — Peter N. Wadham

Changing the Culture of Your Organization
“Out at sea it takes 30 miles for an oil tanker to reverse its direction. It takes time and commitment to change, based on foundational values, principles and quality relationships to positively affect your company's culture -- its way of doing things.” — The Freeman Institute

Key to Cultural Transformation
“Culture does not change because we desire to change it. Culture changes when the organization is transformed; the culture reflects the realities of people working together every day.” — Frances Hesselbein
Questions and Presentation Wrap-up
Recommended information sources:
http://nist.gov/
http://cs-www.ncsl.nist.gov/
http://www.educause.edu/security/
http://www.humanfirewall.org/
http://www.nipc.gov/
http://www.cio.gov/documents/info_security_assessment_framework_Sept_2000.html
http://www.hipaadvisory.com
http://www.pwchealth.com/hipaa.html