
The Way Ahead for Information Systems Security: What You Don't Know Can Hurt You. Christopher Baum, Research Vice President, Global Government. NYSCIO Conference.




1 The Way Ahead for Information Systems Security: What You Don't Know Can Hurt You. Christopher Baum, Research Vice President, Global Government. NYSCIO Conference, July 13th 2005

2 Key Issues
– What security threats are higher education institutions facing, and what are the trends?
– What resources are institutions bringing to bear on the security challenge?
– What principles should guide institutional IT security planning?

3 The Gartner/Chronicle of Higher Education IT Security Survey 2004/2005
– Mail-based US survey of Chronicle of Higher Ed subscribers, closed Nov 2004
– Email-based EMEA/Australia survey, closed May 2005
– Topics: IT security organization, funding, attack/misuse incidence, technology, policy
– US: 556 total respondents (138 CIOs used)
– Non-US: 63 respondents (40 EMEA, 23 Australia)

4 Types of Attacks/Misuse Detected in the Past 12 Months (US responses) [chart]

5 Types of Attacks/Misuse Detected in the Past 12 Months (non-US responses) [chart]

6 Change in Attack/Misuse Incidence Compared to Previous 12 Months (US responses) [chart]

7 Change in Attack/Misuse Incidence Compared to Previous 12 Months (non-US responses) [chart]

8 US Responses: Calculated Financial Loss [chart]. Loss calculation favors "obvious" hard values; real costs are going almost unmeasured.

9 Non-US Responses: Calculated Financial Loss [chart]

10 US Percentage of IT Budget Spent on Security. Current FY mean: 6.24% [chart: percentage compared to previous fiscal year; increased / same / decreased]

11 Non-US Percentage of IT Budget Spent on Security. Current FY mean: 4.78% [chart: percentage compared to previous fiscal year; increased / same / decreased]

12 US Information Security Officer: Status and Plans [charts: Has institution designated an ISO? If not, plan to designate one within 12 months? Responses: Yes / No / Don't Know; values shown: 65%, 75%, 12%, 30%, 70%, 13%]

13 Non-US Information Security Officer: Status and Plans [charts: Has institution designated an ISO? If not, plan to designate one within 12 months? Responses: Yes / No / Don't Know; values shown: 65%, 80%, 10%, 35%, 65%, 10%]

14 US Security Planning & Training [charts: Have a formal IT Security Plan? Plan to resume mission-critical operations during crisis? Offer security awareness training? Responses: Yes / No / Don't Know]

15 Non-US Security Planning & Training [charts: Have a formal IT Security Plan? Plan to resume mission-critical operations during crisis? Offer security awareness training? Responses: Yes / No / Don't Know]

16 US: Frequency of Testing Plan to Resume the Operation of Mission-Critical Information Systems and Protect Related Data During a Crisis [bar chart, axis 0 to 50; categories: >Once a Month, Once a Month, Once Every 2-3 Months, Once a Semester, Once a Year, Not Been Tested]

17 Non-US: Frequency of Testing Plan to Resume the Operation of Mission-Critical Information Systems and Protect Related Data During a Crisis [bar chart, axis 0 to 50; categories: >Once a Month, Once a Month, Once Every 2-3 Months, Once a Semester, Once a Year, Not Been Tested]

18 Expertise in Practice: CISO Organisation
Organisation elements: Board of Trustees, President, CIO, CISO, BISO (Business/Academic Unit Management)
CISO office functions:
– Policy Management: policies and standards; risk assessment/profiling; policy compliance and consulting; awareness training; business security architecture; intellectual property management
– Security Administration: platform/application user management
– Security Engineering: minimum platform standards; technical security architecture
– Incident Response: identify threat and solution

19 US Anti-Viral Software: Mandatory, Optional, Not Available

20 Non-US Anti-Viral Software: Mandatory, Optional, Not Available

21 US: VPN for Remote Access: Mandatory vs Optional

22 Non-US: VPN for Remote Access: Mandatory vs Optional

23 US: Personal Firewall: Mandatory, Optional or Not Available

24 Non-US: Personal Firewall: Mandatory, Optional or Not Available

25 Policy and Training
Security policies need to be concise, clear, role-based and enforceable
– Nontech user issues: acceptable use, privacy, business continuity
– Tech staff: privileged access and ethical statement, password management, change management, role
– A policy that isn't signed can't be enforced
Focus security training on network and system administrators
Create a security culture

26 Establishing the Baseline

27 Building for Whom? Omniscient Nomadic Connected Telepathic

28 Defense in Depth in Practice: Scan and Block
Endpoints: Home PC, Corporate Laptop, Contractor Laptop
Access path: VPN, Switch
Infrastructure: Radius Server, DHCP Server, Policy Server (receives Scan Results)
Scan Good: Allow Connect. Scan Bad: Block.
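The policy-server decision in the scan-and-block flow above, as an added example that is not code from the presentation: a hypothetical per-device-class policy (control names, device classes and the POLICY values are constructed) is checked against scan results, and anything unknown or unreported is treated as a bad scan so the gate fails closed.

```python
# Added example: hypothetical scan-and-block decision logic. Not from the slides;
# device classes, control names and POLICY values are constructed for illustration.
from dataclasses import dataclass, field

# Per-device-class requirements, modelled on the deck's mandatory/optional controls
# (anti-viral software, personal firewall, patch level). True = mandatory.
POLICY = {
    "corporate_laptop": {"antivirus": True, "personal_firewall": True, "patched": True},
    "contractor_laptop": {"antivirus": True, "personal_firewall": True, "patched": True},
    "home_pc": {"antivirus": True, "personal_firewall": False, "patched": True},
}

@dataclass
class ScanResult:
    """What the endpoint scan reported back to the policy server."""
    device_class: str
    checks: dict  # control name -> True (compliant) or False (missing)

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)

def evaluate(scan: ScanResult) -> Decision:
    """Scan good: allow connect. Scan bad: block.
    An unknown device class or an unreported mandatory control also blocks (fail closed)."""
    requirements = POLICY.get(scan.device_class)
    if requirements is None:
        return Decision(False, [f"unknown device class {scan.device_class!r}"])
    reasons = []
    for control, mandatory in requirements.items():
        if not mandatory:
            continue  # optional control: never a reason to block
        state = scan.checks.get(control)
        if state is None:
            reasons.append(f"{control}: scan did not report state")
        elif not state:
            reasons.append(f"{control}: mandatory control missing")
    return Decision(allow=not reasons, reasons=reasons)

if __name__ == "__main__":
    # Constructed scan results for the three endpoint types on the slide.
    samples = [
        ScanResult("corporate_laptop", {"antivirus": True, "personal_firewall": True, "patched": True}),
        ScanResult("contractor_laptop", {"antivirus": True, "personal_firewall": False, "patched": True}),
        ScanResult("home_pc", {"antivirus": True}),  # patch state never reported
    ]
    for s in samples:
        d = evaluate(s)
        print(s.device_class, "ALLOW" if d.allow else "BLOCK", "; ".join(d.reasons))
```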

29 Vulnerability Management Technologies
– Baseline/Discover: Asset Inventory and Classification; Audit and Policy Compliance Tools
– Monitor: Network, System and Application Vulnerability Assessment; External Threat Services; Security Management
– Prioritize
– Mitigate: Patch Install; Mitigation Workflow; Shielding (Firewall, IPS, Scan and Block)
– Maintain: Provisioning; Configuration Management

30 Understanding the Environment (Trace the Value)
Environmental Trends: forces in the universe
Business Drivers: how they affect your organization
Business Strategies and Tactics: how you react; what, who, when, how
Information Requirements: "Thou shalt..."
Architecture Design Principles
Business and Technology Architecture

31 Understanding the Environment (Trace the Value)
Environmental Trends: forces on your organization
Business Drivers
Business Strategies and Tactics: how you react; what, who, when, how
Information Requirements: "Thou shalt..."
Architecture Design Principles
Business and Technology Architecture
Information Requirements, across People, Systems, Processes and Data: What do we know? What do we need? Where do we get it? Where does it need to be? When does it need to be there? Who should not see it?

32 A New World

33 Seven Guiding Principles of IT Security
– Defense in Depth: combine proactive and reactive mechanisms
– Principle of Least Privilege: users, processes and resources get the minimum necessary access
– The Weakest Link: train against social engineering
– Security Expertise is Key: establish a CISO office; mix central policy with distributed implementation
– Build Security in Early: the earlier a defect is found, the cheaper it is to fix
– Be Paranoid: don't just build for legitimate or "correct" usage
– Simplify, Simplify, Simplify: simpler systems are easier to deploy, manage and maintain

34 The Way Ahead for Information Systems Security. Christopher Baum, Research Vice President, Global Government. NYSCIO Conference, July 13th 2005

