Presentation is loading. Please wait.

Presentation is loading. Please wait.

Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst.

Published byConrad McKinney Modified over 8 years ago

Similar presentations

Presentation on theme: "Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst."— Presentation transcript:

1 Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe (smwahe@wisc.edu) Sr. Information Security Analyst

2 Realizing our Principles Answering the question, “Why?” To have a common understanding of building a secure architecture. Developed based on NIST 800-27,, ISO 20071, CIC schools, and other publications.

3 OCIS IT Security Principles 4.Security is a Common Understanding –Due Diligence; Manage Threats, Risks, and Costs; and Incident Management. 3.Security is Asset Management –Classify Information; Least Privilege; and Separation of Duties. 2.Security is Part of the Development Life Cycle –Information Privacy and Assurance; Usability; and Defense in Depth. 1.Security is Everyone’s Responsibility

4 Risk Assessment Process Step 1: Letter of Engagement Step 2: Conduct the Assessment Step 3: Draft Report on Findings Step 4: Communicate Findings Step 5: Re-Assess

5 Building a Common Understanding: Managing Risk Risk ImpactLikelihood Mitigation Controls $ Care $ $

6 Example Question Does the system maintain Configuration Management methodology that includes: 1.A documented process for reviewing, approving and implementing changes 2.Version control for software system components 3.Timely identification and installation of all applicable patches for any software used in the provisioning of the CS.

7 Common Gaps Common Security Gaps (examples) –The system infrastructure needs to be segmented with robust firewall controls. –Encryption controls and key management procedures should be implemented for data at rest. –Restricted data needs to be sanitized in non- production environments. –Intrusion detection, prevention and log management devices should be installed and maintained with appropriate alerting processes.

8 Integrating a Security Culture Awareness and Training –SANS Secure Web Development Policy Development and Best Practices –Restricted Information Management Practices –Desktop Encryption Policy Centralized Resources –Security Event Management –Network Management –Desktop Tools –PKI

9 Questions How can we help you?

Download ppt "Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst."

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
Control and Accounting Information Systems

Control and Accounting Information Systems
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Advanced Metering Infrastructure AMI Security Roadmap April 13, 2007.

Advanced Metering Infrastructure AMI Security Roadmap April 13, 2007.
© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.

© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Prepared: October, 2005 1 Ann Garrett, State Chief Information Security Officer Statewide Security Update October 25, 2005 Information Technology Advisory.

Prepared: October, Ann Garrett, State Chief Information Security Officer Statewide Security Update October 25, 2005 Information Technology Advisory.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.

Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Appropriate Access: Levels of Assurance Stefan Wahe Office of Campus Information Security.

Appropriate Access: Levels of Assurance Stefan Wahe Office of Campus Information Security.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Security Guide for Interconnecting Information Technology Systems

Security Guide for Interconnecting Information Technology Systems
1 Enforcing Compliance: A Patch Management Strategy That Works.

1 Enforcing Compliance: A Patch Management Strategy That Works.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

Similar presentations

Ads by Google