Information Security Program 4/13/2018 Information Security Program March 22, 2017 Tom Ambrosi Chief Information Security Officer Template D Plain-white-dark

https://er.educause.edu/articles/2017/1/top-10-it-issues-2017-foundations-for-student-success

Penn State University President – Eric Barron “We all will need to take additional steps to protect ourselves, our identities and our information from a new global wave of cybercrime and cyberespionage," Barron said in his statement. "Well-funded and highly skilled cyber criminals have become brazen in their attacks on a wide range of businesses and government agencies, likely in search of sensitive information and intellectual property.“ "In this particular case we are dealing with the highest level of sophistication," Barron said. "Unfortunately, we now live in an environment where no computer network can ever be completely, 100 percent secure.“ Mandiant "Advanced cyberattacks like this -- sophisticated, difficult to detect and often linked to international threat actors -- are 'the new normal,'" said Nick Bennett, Mandiant's senior manager of professional services. "No company or organization is immune -- the world's leading banks, energy companies, retailers and educational institutions have all been and will be targets."

Program Requirements/Drivers 4/13/2018 Program Requirements/Drivers Required to comply with Federal, State & Industry Standards & Regulations FERPA HIPAA PCI DSS v3.1 – 6.1, 10.6, 12.2 GLBA Washington State OCIO Policy 141 – Securing Information Technology Assets Template D Plain-white-dark

Program Governance Initiatives Governance Structure Information Security Program Strategy Information Security Policies University Security Policy Update to University Data Policies Security & Privacy Accountabilities, Roles & Responsibilities Standards & Compliance Frameworks PCI, HIPAA Requirements / Drivers

Executive Perspectives on Top Risks for 2017 https://www.protiviti.com/US-en/insights/protiviti-top-risks-survey

Executive Perspectives on Top Risks for 2017

Institutional Risk Areas For Public Research Institutions Financial & Economic Conditions Ability to Recruit Quality Students, Faculty & Staff Business Continuity Physical Infrastructure WSU IT Infrastructure Legal & Regulatory Compliance Safety & Security Research Reputation & Brand Requirements / Drivers

Information Security & Privacy Risk Areas Cyber Attacks & Data Security Advanced Threats to C-I-A Data Privacy Breaches Federal, State, Industry Regulations Legal & Regulatory Compliance Outsourcing & Cloud Computing Mobile Devices Incident Response Identity & Access Mgmt Education, Training & Awareness Business Continuity & Disaster Recovery Requirements / Drivers

Managing Security & Privacy Risk Establish Risk Mgmt Framework Consistent with Enterprise Risk Mgmt Identify, Assess, Respond, Monitor Risk Mgmt Objectives Support Strategic Decision Making & Planning Allocate Resources Effectively Better able to meet Compliance Requirements Provide Optimized set of Risk Mitigations Enable University Mission & Business Objectives with acceptable level of risk Security & Privacy Risks are Institutional Risks Requirements / Drivers

Risk = Likelihood x Impact Each Vulnerability/Threat Pair will be evaluated for Likelihood of Occurrence Impact Classification Risk Level Assigned

Responsibilities Protecting Data Security & Privacy is a shared responsibility Promote a Risk-Aware Culture Understand risks to your business & potential impacts to the University Be Proactive – Avoiding risk is Accepting risk Escalate critical risks to Senior Leadership Include risk assessment processes into business processes Ensure all employees are aware of their responsibilities Provide training for employees that is appropriate to their roles & responsibilities

4/13/2018 Questions? Template D Plain-white-dark

Executive Perspectives on Top Risks for 2017

Executive Perspectives on Top Risks for 2017