University Wide Vulnerability Scanning Program
Partnering with the campus to secure the campus
Gil Salazar | May 16th, 2012 | University of Arizona

State of the Internet
Recent studies show that websites are exposed to serious vulnerabilities every day. The University of Arizona has numerous webpages that serve as the face of its academic programs, research centers, and the University at large. Many of these pages embed web applications that are exposed to the internet.

State of the UA Web Space
As the result of a state audit, the Arizona Board of Regents mandated that the three state universities perform annual scans of all internet-facing applications and servers.

Website Security Concerns
- Websites and applications are developed by a wide variety of campus members: professional staff, faculty, researchers, and graduate and undergraduate students at various levels.
- Often, web development is not their primary job or area of expertise.
- Many of the vulnerabilities are contained within custom website code; OWASP-recognized vulnerabilities are often the result of poor coding.

Challenges
- The Information Security Office consists of a small staff that is not positioned to take on operational work on behalf of the campus.
- The UA campus is highly distributed in both tech support and purpose.
- The UA's recent economic environment has put additional pressure on departments, resulting in fewer technical staff members.
- Finding the right scanning tools was, and still is, a challenge.

Challenges (continued)
- To ensure success, we needed to organize and streamline the processes as much as possible for the campus IT support groups.
- Funding was needed for server and application scanner licenses.
- The UA needed to find a creative, efficient way of fulfilling the scanning requirements.

Teamwork
- The Information Security Office created a project approach to developing and implementing a university-wide scanning program.
- We recruited a working group of 12 IT staff members chosen strategically from across the campus.
- Working together, the campus selected the QualysGuard and IBM AppScan tools, and more recently Qualys Web Application Scanner.
- The working group received free two-day training and certification on IBM AppScan in exchange for assisting in creating a train-the-trainer program.
- The group met for several months to distill the training program down to four hours and tailor it to a UA-specific scanning program.

Logistics
- The Information Security Office set up a Communication Plan to get buy-in from campus leadership and stakeholders university-wide. This helped ensure support for, and understanding of, the effort required of server administrators and developers in colleges and administrative units.
- Licenses had to be managed for each developer for a specific timeframe. This led to an online request form and ticket tracking to schedule and prepare licenses.
- Specific instructions were developed to educate campus IT support and developers on scheduling licenses, running the scans, remediating issues, creating action plans, and sending in final scan reports.
- We used Graduate Assistants to create an application and server inventory database. The system serves as an initial critical inventory of servers and applications, assists in tracking the annual scanning requirement, and provides a process for transparent reporting on the scanning program.
- Future plans include linking the inventory and scanning databases with other central databases, with the device owners who manage IP address ranges, and with the SSL Certificate program.

Outcomes
- Created an online information security awareness program session that is mandatory for all UA web developers. The training is based on OWASP's Top Ten, and a number of staff with good security expertise assisted with reviewing and validating the training content.
- The workgroup conducted initial sessions and then worked together to create an online training video so that appropriate IT staff from across campus can easily access training and information as required.
- Created a scanner support group as a resource for campus.

Impact to Campus
- Taking the web development training is a mandatory prerequisite, which ensures that training and scanning work together to create a consistent, OWASP Top Ten-based approach to secure development practices.
- The AppScan Train-the-Trainer Program has been very successful in getting a large cross-section of campus IT staff members trained in using the application scanning tool.
- Security has become an integral part of web application development.
- The communication plan provided a robust and comprehensive way of informing campus stakeholders of their obligation to ensure that their internet-facing devices and applications are scanned with security tools.

Impact to Campus (continued)
- The Information Security Liaisons are responsive to the program because we have supported their efforts with stakeholders and provided the organization and streamlining needed to make the process as efficient as possible for them; campus buy-in to security is on the rise.
- Campus web server code is being cleaned up and security vulnerabilities are being reduced.
- The UA has begun to collect metrics on scanning and remediation of vulnerabilities.
- ABOR's scanning initiative is being met.
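The inventory database described under Logistics (tracking the annual scanning requirement) and the scanning and remediation metrics mentioned here, as an added example that is not part of the original presentation or the UA program's own tooling: a small Python tracker that flags internet-facing assets overdue for their annual scan and produces coverage and remediation figures for reporting. The record fields, the 365-day window, and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed reading of the annual mandate: each internet-facing asset must have been
# scanned within the last 365 days. Field names are assumptions, not the UA schema.
ANNUAL_WINDOW = timedelta(days=365)
REPORT_DATE = date(2012, 5, 16)

@dataclass
class Asset:
    name: str
    kind: str                  # "server" or "application"
    owner: str                 # college or administrative unit responsible
    internet_facing: bool      # only these fall under the annual requirement
    last_scan: Optional[date]  # None means never scanned
    open_findings: int         # findings still awaiting remediation
    closed_findings: int       # findings remediated and confirmed by rescan

def overdue_assets(inventory: List[Asset], today: date) -> List[str]:
    """Internet-facing assets never scanned, or last scanned more than a year ago."""
    return sorted(a.name for a in inventory if a.internet_facing
                  and (a.last_scan is None or today - a.last_scan > ANNUAL_WINDOW))

def coverage_report(inventory: List[Asset], today: date) -> dict:
    """Figures for transparent reporting: scan coverage of in-scope assets and remediation rate."""
    in_scope = [a for a in inventory if a.internet_facing]
    overdue = overdue_assets(inventory, today)
    covered = len(in_scope) - len(overdue)
    opened = sum(a.open_findings for a in in_scope)
    closed = sum(a.closed_findings for a in in_scope)
    return {
        "in_scope": len(in_scope),
        "scanned_within_year": covered,
        "coverage_pct": round(100.0 * covered / len(in_scope), 1) if in_scope else 0.0,
        "overdue": overdue,
        "remediation_pct": round(100.0 * closed / (opened + closed), 1) if opened + closed else 0.0,
    }

# Constructed sample inventory; names and owners are fictional, not real UA assets.
SAMPLE = [
    Asset("www-college-a", "server", "College A", True, date(2012, 1, 10), 2, 8),
    Asset("grants-portal", "application", "Research Center B", True, date(2011, 3, 1), 4, 1),
    Asset("intranet-db", "server", "Central IT", False, None, 0, 0),
    Asset("events-app", "application", "Student Affairs", True, None, 0, 0),
]

if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE, REPORT_DATE).items():
        print(key, value)
```

The overdue list is what a liaison would chase before the annual deadline; assets that are not internet-facing are excluded from the coverage figure rather than counted as compliant.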

Scans Completed

Questions?
Gil Salazar, Information Security Analyst, Senior
gsalazar@email.arizona.edu