BruinTech Vendor Meet & Greet December 3, 2015

IT Services, Information Security
BruinTech Vendor Meet & Greet, December 3, 2015

Agenda
- IT Security Program – Mike Story
- Penetration Testing – Alex Podobas
- Questions and Answers

IT Security Program
Mike Story, Interim Director, Chief Information Security Officer
mstory@it.ucla.edu

UC Cyber-Risk Mandate (President Napolitano, July 2015)
1. Inventory and assess cybersecurity vulnerabilities
   - Campus plan to inventory IT assets (data and inventory), map risks and vulnerabilities, and assess IT security
2. Develop a strategy, governance approach, and action plan to consistently evaluate and reduce cyber-risk
   - UC Cyber-Risk Governance Committee (CRGC)
   - Joint cyber-risk governance across the UCLA campus and Health Sciences
3. Participate in systemwide planning efforts to facilitate and promote cyber-risk reduction
   - UC risk reporting and escalation process
   - UC cybersecurity training for staff and students (TBD)
   - UC prevention, detection, and remediation protocols; minimum security standards
4. Arrange for regular executive-level discussion of cyber-risk management
   - Cyber-Risk Responsible Executive (Scott Waugh) planning and communication
5. Confirm the commitment to adequate staffing and budget to support cybersecurity initiatives
   - Cybersecurity resource plan and implementation timeline

Cybersecurity Framework
NIST, Framework for Improving Critical Infrastructure Cybersecurity: http://www.nist.gov/cyberframework/
The framework's five core functions:
- Identify: develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
- Protect: develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
- Detect: develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
- Respond: develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- Recover: develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
We are working closely with the UCLA Privacy Board to ensure balance between an open academic / research environment, privacy, and security.

Program Objectives
Immediate Priorities:
- Identify, locate, and protect sensitive data and systems
- Remediate and patch known system and application vulnerabilities
- Improve Information Security awareness and education
Longer-Term Goals:
- Improve information security monitoring and intelligence
- Establish a differentiated security control framework
- Implement state-of-the-art IT security tools and processes
- Build a staff of Information Security specialists
- Provide expert Information Security consulting and guidance to the campus
- Establish a formal Information Security compliance program

IT Security Team
- Expand the scope of IT security services to effectively leverage the appropriate tools, technologies, and processes needed to properly secure the environment
- Provide the skills necessary to design and support the next-generation security strategy
- Enhance relationships with key stakeholders and provide the security expertise and support needed to reduce cybersecurity risk
- Onboarded 4 additional resources (1 Project Manager and 3 Information Security Analysts) in addition to 2 existing resources
- Assessing additional resource requirements against projects

Penetration Testing
Alex Podobas, IT Security Analyst
ampodobas@it.ucla.edu

Vulnerability vs. Penetration Testing (not synonymous)
Vulnerability testing:
- Deployed to detect, but not necessarily verify or exploit, weaknesses in software or configurations
- Typically a "point and shoot" security tool
Penetration testing ("pentest[ing]"):
- Deployed with the specific intent to detect and actively exploit flaws in application code or in the configuration of the various software in a web application stack
- May DoS a resource, corrupt data, or expose sensitive code or data
- Ideally involves human direction of the detection and exploitation process
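To make the detect-versus-exploit distinction concrete, here is an added example in Python; it is not from the slides and not UCLA IT Security code. It builds a constructed in-memory SQLite table and three lookup routines (one that concatenates user input into SQL, one that "mitigates" with a crude blocklist, and one that uses a parameterized query), then runs a scanner-style probe that only flags a suspicious error and a pentest-style check that actually exploits the flaw and confirms the effect. Table contents, function names and payloads are all constructed for the demo.

```python
import sqlite3

# Constructed demo data (not real UCLA data): an in-memory table so the
# example runs offline.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn

# Vulnerable: user input is concatenated straight into the SQL string.
def lookup_vulnerable(conn, name):
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

# "Mitigated" by a blocklist: still concatenates, only strips an uppercase
# " OR ". A scanner still sees the quote error, the textbook tautology
# payload is mangled, but a human tester bypasses the filter trivially.
def lookup_blocklisted(conn, name):
    sql = "SELECT name, role FROM users WHERE name = '" + name.replace(" OR ", "") + "'"
    return conn.execute(sql).fetchall()

# Fixed: parameterized query; input is bound as data, never parsed as SQL.
def lookup_fixed(conn, name):
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def vuln_scan(lookup, conn):
    """Vulnerability-scanner style check.

    Sends one tell-tale probe (a lone quote) and flags the endpoint if the
    database throws a syntax error. This detects a likely injection point
    but does not verify that anything can actually be exploited.
    """
    findings = []
    try:
        lookup(conn, "'")
    except sqlite3.OperationalError as exc:
        findings.append(f"possible SQL injection (probe \"'\" raised: {exc})")
    return findings

def pentest_verify(lookup, conn, payload="bob' OR '1'='1"):
    """Penetration-test style verification.

    Exploits the suspected flaw with a tautology payload and confirms the
    effect: the query returns more rows than a legitimate lookup for 'bob'
    should ever return. Returns (confirmed_exploitable, rows_returned).
    """
    baseline = lookup(conn, "bob")
    try:
        exploited = lookup(conn, payload)
    except sqlite3.OperationalError:
        return False, []
    return len(exploited) > len(baseline), exploited

def run_demo():
    """Run both checks against all three variants.

    Returns {variant: (scanner_flagged, confirmed_exploitable)}.
    """
    conn = setup_db()
    variants = [
        ("vulnerable", lookup_vulnerable),
        ("blocklisted", lookup_blocklisted),
        ("fixed", lookup_fixed),
    ]
    results = {}
    for label, fn in variants:
        flagged = bool(vuln_scan(fn, conn))
        exploitable, _ = pentest_verify(fn, conn)
        results[label] = (flagged, exploitable)
    # Human-directed step: the blocklist only strips uppercase " OR ", so a
    # lowercase variant of the same payload goes straight through.
    bypass, _ = pentest_verify(lookup_blocklisted, conn, payload="bob' or '1'='1")
    results["blocklisted_lowercase_bypass"] = (results["blocklisted"][0], bypass)
    return results

if __name__ == "__main__":
    for label, (flagged, exploitable) in run_demo().items():
        print(f"{label:30s} scanner_flagged={flagged} confirmed_exploitable={exploitable}")
```

The scanner flags both concatenating variants identically because both choke on a stray quote, yet only the pentest step tells you which finding is real, and only a tester who looks at why the first payload failed thinks to try the lowercase bypass. That gap between "flagged" and "confirmed" is exactly the extra work a human-directed engagement buys, and the parameterized version shows the remediation the report would recommend.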

Offerings
- UCLA IT Security offers penetration testing services free of charge
- We utilize a wide array of tools: AppScan, Burp Suite, Kali Linux (sqlninja, Vega, nmap, skipfish, rainbow table attacks), and much more
- But we can also human-review application code and software configurations and suggest changes to comply with law, UC and UCLA policy, and data security and privacy best practices (such as NIST)

Pentesting Objectives
- Our objective is to provide a central, internal service that any official UCLA group, department, unit, or employee can request to improve their technical InfoSec practices
- As a result of each pentesting engagement, we provide specific action items, highlight and rank vulnerability severity, provide the original reports from our tools, and provide pragmatic recommendations for your environment
- The Information Security Office is here to improve UCLA's InfoSec posture, not to punish those who seek our technical assistance

Questions?