Presentation is loading. Please wait.

Presentation is loading. Please wait.

Property of the University of Notre Dame Building a Risk-Based Information Security Program Mike Chapple University of Notre Dame May 5, 2008.

Published byErnest Chapman Modified over 8 years ago

Similar presentations

Presentation on theme: "Property of the University of Notre Dame Building a Risk-Based Information Security Program Mike Chapple University of Notre Dame May 5, 2008."— Presentation transcript:

1 Property of the University of Notre Dame Building a Risk-Based Information Security Program Mike Chapple University of Notre Dame May 5, 2008

2 Property of the University of Notre Dame Obligatory Notice Copyright Michael J. Chapple, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. 2

3 Property of the University of Notre Dame Overview Background Campus IT Risk Assessment (CITRA) Digesting the Results Implementing the Security Program Preliminary Results 3

4 Property of the University of Notre Dame Notre Dame Private, coeducational Catholic research university located in Northern Indiana Population of 10,000 students, 1,200 faculty and 5,300 staff Defining characteristics – Long tradition of undergraduate excellence – Dedicated to residential life (81% undergrads on campus) – Rapidly expanding research community and graduate programs ; Over the past decade: 35% increase in PhDs awarded 225% increase in sponsored research 4

5 Property of the University of Notre Dame IT at Notre Dame OIT is a centralized IT organization – Supports enterprise systems – Provides end user support for about 1/3 of campus Some colleges and business units have their own IT support groups – Varying levels of custom infrastructure – Several have their own networks Up until 2006, Information Security was a combination of implementing internal controls and external consulting 5

6 Property of the University of Notre Dame One Day Everything Changed… 6

7 Property of the University of Notre Dame Historical Context 77 Initial PCI DSS Discussions Incident CITRA Incident Response 2002 – Information Security Office Established 2003 – Data Oversight Committee Established Data Center Firewall Implemented Data Access Policy Approved 2005 – Strong Password Initiative PCI DSS Assessment CCSP Planning Credit Card Network Inventory

8 Property of the University of Notre Dame Overview Background Campus IT Risk Assessment (CITRA) Digesting the Results Implementing the Security Program Preliminary Results 8

9 Property of the University of Notre Dame CITRA Overview At the request of University Leadership, we commissioned a campus-wide IT risk assessment Partnered with “Big Four” consulting firm Scope included all uses of sensitive University data, in any form Tools used: – Network Scanning – Surveys and Interviews – Site visits 9

10 Property of the University of Notre Dame Assessment Process 10

11 Property of the University of Notre Dame Surveys 19 pages, 74 questions (mixture of multiple choice and open-ended) Pilot deployment with our own OIT business office, followed by a select handful of “friends” Full deployment included business managers from all academic and administrative units Accompanied by cover letter from Executive Vice President and Provost Achieved 100% response rate (after quite a few follow-up calls!) 11

12 Property of the University of Notre Dame Selected Questions What type(s) of sensitive data does your department store/process? What groups/roles have access to that data? Where do you store that data (physical and/or electronic)? Do you use encryption to protect stored information? How do you transmit sensitive data? How do you receive it? Do you use any web-based applications to collect data? How long do you retain sensitive information? How do you dispose of it? Do you share sensitive information with third parties? 12

13 Property of the University of Notre Dame Survey Results AttributePercentage Use Social Security Numbers88% Share Passwords81% Store Sensitive Data Locally77% Transmit Sensitive Data Externally Without Encryption68% Not Aware of Security Policies65% Retain Sensitive Data Indefinitely63% 13 Together with the consultants, we surveyed respondents from 53 campus departments on data handling practices.

14 Property of the University of Notre Dame Business Unit Interviews 53 departments selected for individual or group interviews based upon survey responses Combination of academic and administrative units Intended to serve as a one-hour “deep dive” into survey responses Conducted by a team consisting of representatives from Information Security, University Archives and the consultant 14

15 Property of the University of Notre Dame Discussion Guide Walk through survey responses Types of sensitive data within the department Applications used to process data Electronic and paper-based data flow walkthrough Physical security of departmental spaces 15

16 Property of the University of Notre Dame CITRA Findings End result was 68 findings covering 10 key areas: For example… 16 Information Security FrameworkData Classification and Handling Access ControlEncryption Strategy Configuration StandardsPhysical Security Technical Security ArchitectureDisaster Recovery ComplianceInformation Security Awareness

17 Property of the University of Notre Dame CITRA Findings 17

18 Property of the University of Notre Dame Overview Background Campus IT Risk Assessment (CITRA) Digesting the Results Implementing the Security Program Preliminary Results 18

19 Property of the University of Notre Dame Planning Workshop Cross-functional team Analyzed CITRA results and created project specifications designed to remediate all medium/high risk findings Produced comprehensive project plan with resource estimates and sequencing 19

20 Property of the University of Notre Dame Resource Planning Discussed project objectives with resource managers Simple approach to resource ($$$ and staff) estimation: – Determine “best case” and “worst case” time and cost estimates – Average those endpoints – Surprisingly accurate! 20

21 Property of the University of Notre Dame Ranking System Each project ranked on costs (financial and staff), importance and urgency 21

22 Property of the University of Notre Dame Outcome Projects sequenced to prioritize high-risk findings and balance resource consumption Overall costs: $4.6M one-time, $630K recurring Presented to University leadership and funded in full 22

23 Property of the University of Notre Dame Overview Background Campus IT Risk Assessment (CITRA) Digesting the Results Implementing the Security Program Preliminary Results 23

24 Property of the University of Notre Dame Program Mission 24 Identify confidentiality, integrity and availability risks to sensitive University information, and mitigate those risks to acceptable levels.

25 Property of the University of Notre Dame Program Objectives 25 The objectives of the program are to: Evaluate risks to the confidentiality, integrity and availability of sensitive information Establish and implement controls to fill critical gaps, as determined by institutional risk tolerance Create awareness of information security and proper data handling practices Establish and communicate security-related policies, procedures and standards

26 Property of the University of Notre Dame Program Plan 26

27 Property of the University of Notre Dame Policy It all begins with policy…really! 27 Security Policies and Standards (FY 2007) Establish University-wide Information Security policies and handling standards based on ISO 17799 Configuration Standards (FY 2007) Develop configuration standards for applications and mobile systems Software Development Lifecycle (FY 2010) Select and implement a SDLC model for use with OIT systems

28 Property of the University of Notre Dame Awareness, Training and Education 28 Employee Awareness (FY 2007-2008) Provide security awareness, communication and training for faculty & staff Student Awareness (FY 2008) Provide security awareness, communication and training for students Classification Workshops (FY 2008) Conduct workshops to aid Data Stewards in classifying their data Sensitive Data Handler Training (FY 2008) Provide specialized training for those who work with sensitive University Data Technical Security Training (FY 2009) Provide specialized technical security training for IT Professionals

29 Property of the University of Notre Dame Workstation Security 29 Initial Desktop Remediation (FY 2007) Apply a basic set of security controls to University workstations Malware Management (FY 2008) Provide a solution for management and monitoring of antivirus and anti- spyware software on University systems File Security (FY 2009) Conduct a vulnerability assessment and apply security controls to NetFile Messaging Security (FY 2009-2010) Apply security controls to electronic mail and instant messaging

30 Property of the University of Notre Dame Server Security 30 Data Center Architecture Enhancements (FY 2008) Enhance security controls on the OIT Data Center front end Server Integrity Monitoring (FY 2008) Formalize OIT server integrity monitoring infrastructure and processes Database Security (FY 2008) Conduct a vulnerability assessment of University databases and implement appropriate controls Departmental Server Consulting (FY 2008-2009) Conduct a security assessment of each departmental server and provide recommendations on alternative technologies and/or appropriate controls. OIT Server Management (FY 2008-2009) Implement security management practices for OIT servers with separation of duties and data segregation, where appropriate

31 Property of the University of Notre Dame Network Security 31 Border Security (FY 2007) Implement campus network border firewall to block unsolicited inbound connections Network Device Management (FY 2007-2008) Implement security standards on campus network devices Zoned Network and Wireless Security (FY 2008-2009) Design and implement a zoned network architecture with appropriate security controls on the wired and wireless networks Intrusion Prevention (FY 2009) Replace the University’s existing intrusion detection system with a comprehensive intrusion prevention system Network Admission Control (FY 2010) Implement controls to ensure that network- connected systems meet security standards

32 Property of the University of Notre Dame Security Infrastructure 32 Vulnerability Scanning (FY 2007) Create a scanning facility to proactively detect technical vulnerabilities in University systems Security Review Process (FY 2007) Create a process for consistently conducting information security reviews Sensitive Data Scanning (FY 2008) Create a scanning facility to proactively detect CC/SSNs stored in institutional file systems

33 Property of the University of Notre Dame Security Infrastructure (cont’d) 33 Application Logging (FY 2009) Capture enterprise application events in the OIT central log repository Network Logging (FY 2009) Capture records of off-campus connections involving University systems Security Log Analysis (FY 2009) Create a security log analysis capability for use with the central log repository Firewall Management (FY 2009) Audit existing firewall rulebase and implement standard management practices Rogue Wireless AP Detection (FY 2010) Provide the ability to identify unauthorized wireless access points on the University network

34 Property of the University of Notre Dame Credit Card Security 34 CCSP Infrastructure (FY 2007) Create the infrastructure required to migrate card processing applications to the OIT data center CCSP Application Migration (FY 2007-2008) Move card processing servers to the payment card environment located in the OIT data center CCSP Monitoring (FY 2008) Implement ongoing technical monitoring of the payment card environment CCSP Physical Security (FY 2008-2009) Upgrade data center physical security to meet PCI DSS requirements

35 Property of the University of Notre Dame Incident Handling 35 Incident Response Procedures (FY 2010) Create technical procedures for responding to information security incidents to supplement the existing Incident Response Plan Forensics (FY 2010) Identify forensic resources for use in information security incident response. Incident Tracking System (FY 2010) Provide an information security incident tracking system

36 Property of the University of Notre Dame Sustaining Activities 36 Security Operations Center (FY 2008-2009) Create an operations center to monitor and provide initial response to security events Recurring Risk Assessments (FY 2010) Establish a process for recurring, periodic risk assessments to measure risk to University data assets Program Monitoring (FY 2010) Assess the ongoing effectiveness of the information security program

37 Property of the University of Notre Dame Overview Background Campus IT Risk Assessment (CITRA) Digesting the Results Implementing the Security Program Preliminary Results 37

38 Property of the University of Notre Dame Current Status 38

39 Property of the University of Notre Dame Program Highlights For the most part, on-time completion under budget Some “in-flight” changes to the plan to: – Reprioritize project sequencing – Address new risks (e.g. Web application security) – Balance resource utilization with other initiatives 39

40 Property of the University of Notre Dame Policy and Standards Policy complete and awaiting Officer approval Operating system standards in place Application standards complete and published 40 Policy Usage (Spring 2007 – Fall 2007)

41 Property of the University of Notre Dame Vulnerability Scanning 41

42 Property of the University of Notre Dame Awareness 42 Goal: Engage 85% of the faculty and staff at least twice annually 42

43 Property of the University of Notre Dame Questions 43

Download ppt "Property of the University of Notre Dame Building a Risk-Based Information Security Program Mike Chapple University of Notre Dame May 5, 2008."

Similar presentations

Confidential Property of the University of Notre Dame Security From The Ground Up David Seidl Information Security Program Manager University of Notre.

Confidential Property of the University of Notre Dame Security From The Ground Up David Seidl Information Security Program Manager University of Notre.
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.
Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
Web Application Management Moving Beyond CMS Douglas Clark Director, Web Applications Copyright Douglas Clark 2003 This work is the intellectual property.

Web Application Management Moving Beyond CMS Douglas Clark Director, Web Applications Copyright Douglas Clark 2003 This work is the intellectual property.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Confidential Property of the University of Notre Dame Security From The Ground Up David Seidl Information Security Program Manager University of Notre.

Confidential Property of the University of Notre Dame Security From The Ground Up David Seidl Information Security Program Manager University of Notre.
Andrea Eastman-Mullins Information & Technology Coordinator University of North Carolina, Office of the President Teaching and Learning with Technology.

Andrea Eastman-Mullins Information & Technology Coordinator University of North Carolina, Office of the President Teaching and Learning with Technology.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Yale University Information Technology Services Administrative Systems Art Hunt 3/22/04 Software Service Level Agreement with Finance, Procurement and.

Yale University Information Technology Services Administrative Systems Art Hunt 3/22/04 Software Service Level Agreement with Finance, Procurement and.
Educause Security 2007ISC Information Security Copyright Joshua Beeman, 2007. This work is the intellectual property of the author. Permission is granted.

Educause Security 2007ISC Information Security Copyright Joshua Beeman, This work is the intellectual property of the author. Permission is granted.
Serving the Research Mission: An Approach to Central IT’s Role Matthew Stock University at Buffalo.

Serving the Research Mission: An Approach to Central IT’s Role Matthew Stock University at Buffalo.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Institutional Effectiveness Operational Update Presentation made to the Indiana State University Board of Trustees October 5, 2001.

Institutional Effectiveness Operational Update Presentation made to the Indiana State University Board of Trustees October 5, 2001.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
UWM CIO Office A Collaborative Process for IT Training and Development Copyright UW-Milwaukee, 2007. This work is the intellectual property of the author.

UWM CIO Office A Collaborative Process for IT Training and Development Copyright UW-Milwaukee, This work is the intellectual property of the author.

Similar presentations

Ads by Google