Implementing Information Security and Compliance: Four Questions and a Roadmap to Guide the Way (Copyright University of Texas System, 2008)

Presentation transcript:

Implementing Information Security and Compliance: Four Questions and a Roadmap to Guide the Way

Copyright University of Texas System. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided this copyright statement appears on the reproduced materials. To disseminate otherwise or republish requires written permission of the authors.

EDUCAUSE Security Professionals Conference 2008. Miguel Soldi; Lewis Watkins, CISO.

Who are we? The University of Texas System
- ~186,000 students
- ~78,000 faculty & staff
- 9 Academic Institutions
- 6 Medical Institutions
- U. T. System Administration
- U. T. Investment Management Company (UTIMCO) [a 501(c)(3) corporation to manage endowment]
Missions: Research, Instruction, Patient Care, Public Service

What's Our Problem?
- Lost Thumb Drive Puts Data at Risk
- 1000's of Records Stolen from University Database
- University Website Compromised
- University Database Breach Threatens Student Identities
- Hacker Steals University Data
- Prof's Home Computer Stolen with Student IDs and Grades
In response to repeated breaches, The University of Texas System Board of Regents launched a system-wide information security program, creating a system-wide CISO position and CISO Council.

"IT Security is a monster!" (Charles Chaffin, Chief Audit Executive and Compliance Officer, The University of Texas System, August 10)
How do we approach this monster? Very thoughtfully! A Structured Approach is Essential!

Four Guiding Questions
Q1 - What's Happening? What type of incidents are occurring? What's "not happening" that hinders security?
Q2 - What's Important? What's most important to protect? What's important to do in order to bolster information security?
Q3 - What's Effective? What strategies return the biggest payoff? What metrics are useful for tracking effectiveness?
Q4 - What's Next? What will we likely encounter tomorrow? What can we do now to prepare? What are we missing?

What's Happening? What's happening around here?
1. Most major incidents have been of three types: lost or stolen computers; application breaches (as opposed to network); misconfigured / poorly patched computers.
2. Security practices vary greatly across and within our Institutions.
3. Other trends: perimeters dissolving; business partner breaches.

What's Important? Remain Focused on Mission!
The mission of the information security program:
- Improve information security across all UT institutions,
- Do this in a way that is verifiable, and
- Help ensure compliance with information security related regulations.

What's Important? Protect the Integrity of the Institution!
- Service Availability
- Intellectual Property
- Brand Name
- Privacy
- Compliance

What's Important? Verification! At the incident level. At the Program level.

What's Important? What do we mean by Information Security Compliance?
HIPAA, PCI, FERPA, GLB, SOX, TAC 202, with more to come! We must comply with, and be able to demonstrate compliance with, regulations having information security requirements.

What's Important? As a prerequisite to success, it's important to know the following:
1. the threats to your environment;
2. the location of your high risk data and information resources;
3. the architecture of your technology environment, including the configuration and protection state of your devices.

What's Effective? A Roadmap is a useful tool for steering the program: Standards, Metrics & Outcomes, Oversight, Technology.

What's Effective? Which strategies really work? (Roadmap legend: tasks not started, tasks underway, tasks completed.)

What's Effective? What really needs to be protected? A Sound Risk Assessment Process that:
- Provides the needed information for prioritizing corrective actions.
- Identifies the high risk data and assets.
- Identifies the vulnerabilities.
- Is scalable and easy to administer.

What's Effective? Ensure the Program Covers the Problem Space!
1. Information Security Governance
2. Policies, Procedures, Standards
3. Asset / Data Classification
4. Risk Assessment and Management
5. Compliance
6. Access Management
7. Change Management
8. Configuration Management
9. Data Backup and Recovery
10. Disaster Recovery
11. Incident Management
12. Physical Security
13. Device Use and Security
14. Application Development and Acquisition
15. Electronic Records Management

Baseline Standard for Information Security Programs. Clearly define what must be included in a program: programs are to be Entity-wide in scope; decisions are to be "risk based"; programs are to be documented (physical docs); a program's components and reports must be verifiable; programs will be formally approved.

Number: Security Practice Bulletin #2 (SPB-2)
Title: Baseline Standard for Information Security Programs
Date: January 1, 2007

Purpose: Each Entity of the University of Texas System is charged with establishing and maintaining a standards and risk based Information Security Program (Security Program) that:
- secures the information assets under its stewardship against unauthorized use, disclosure, modification, damage or loss to reduce risk to acceptable levels;
- is documented and verifiable; and
- meets regulatory compliance requirements applicable to the Entity.
This bulletin identifies essential components to be included in each Entity's Security Program.

Definitions:
Chief Administrative Officer: The highest ranking executive officer at each Entity. For most Entities, it is the President.
Security Incident: An event which results in unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources, whether accidental or deliberate. (TAC 202A 202.1)

Rationale: U. T. System Information Resources are to be protected based on risk and must be administered in conformance with federal and state law and The University of Texas System Regents' Rules. This Baseline Standard Security Program is based on an analysis of state, federal and international standards for such programs and the unique characteristics of the higher education environment. Program elements are specified to ensure that each Entity's Security Program is sufficient in scope to include the functions and activities recognized by standards bodies as being necessary to be effective. Metrics are specified to measure program implementation and effectiveness. Reporting requirements are established to ensure adequate information is provided for compliance oversight and to inform executive management regarding the status and effectiveness of programs.

Expectations:
1. Each Entity of the U. T. System must establish and maintain a Security Program that includes appropriate protections, based on risk, for all Information Resources owned, leased, or under the custodianship, including outsourced resources, of any department, operating unit, or employee of the Entity.
2. Each Security Program must be documented and include the following:
   - The Security Program elements included in this bulletin, as prioritized and documented by the Entity based on risk (see Document 1 below),
   - Documented strategies to address the elements of the Security Program,
   - The Security Program Metrics specified in this bulletin, to be reported to U. T. System at intervals as indicated in this bulletin (see Document 2 below),
   - Documented action plans, training plans, and monitoring plans,
   - Reports and timelines (see Document 3 below):
     o Quarterly Information Security Program Status reports submitted to the U. T. System CISO
     o Annual Status Report submitted to the Chief Administrative Officer and copied to the Entity's CIO and Compliance Officer and the U. T. System CISO by October 31st following close of the previous fiscal year.
3. Each Entity must collect required metrics data in ways that are documented and verifiable. An explanation must be provided for any metric for which data cannot be collected.
4. The Entity's Chief Administrative Officer or his or her designated representative(s) must formally approve the Security Program.
5. The Entity's CISO or ISO will administer the Entity's Information Security Program with cooperation of organizational units within the Entity that may hold functional responsibility relating to specific program elements.

Exceptions: There are no exceptions to the establishment and maintenance of an Entity's Security Program. It is recognized that gaps may exist between Program elements and an Entity's Program as deployed. Gaps are to be explained and documented in the Security Program document(s) submitted to the Chief Administrative Officer for approval. Gaps are to be addressed, based on risk, as soon as practical.

Intra-Entity Exceptions: Circumstances within a specific organizational unit(s) within an Entity may require an exception to specific elements of the program. These must be documented and justified by the Owner of the Information Resource and the Entity's CISO or ISO.

Documents:
1. U. T. System Information Security Program Elements
2. U. T. System Information Security Program Metrics
3. U. T. System Information Security Program Report Templates (TBD)

What's Effective? Measure Activity and Progress
1. Number of Computing Devices
2. Configuration Visibility
3. Encryption Deployment
4. Anti-virus/malware Deployment
5. Number of Outreach Activities
6. Number of Assurance Activities
7. Number of Incidents
9. Incident Costs
10. Systems Lacking Disaster Recovery Plan
11. Number of Employees Receiving Basic Training
12. Number of Technical Employees Receiving Specialized Training
13. Information Security Budget
14. Compliance for TAC 202, UTS 165, HIPAA, PCI

What's Effective? Audit and Compliance Involvement
"Industry leaders are conducting internal audit and IT security monitoring eight times more frequently than are the industry laggards and five times more frequently than firms operating at industry norm." (Improving IT Compliance, 2006 IT Compliance Benchmark Report, Symantec Corporation)
Vulnerabilities must be discovered and acknowledged to be addressed. Things that get measured, audited, and/or reviewed get attended to.

What's Effective? Getting the Ingredients required for success? (People 70%, Technology 30%)
Who: CISO Leadership, Security and IT Teams, Community.
- Will: Support, Permission, Trust, Skill
- Knowledge: Institution, Culture, Compliance, Risks, Technology
- Governance: Roles & Responsibilities, Decentralized IT Staff
- Resources: People, Time, Money, Technology, Base Infrastructure
Where deficiencies exist, the task becomes one of addressing the deficiency.

What's Next? Assume the SSN problem is solved. What are the emerging threats that we need to prepare for? How do we address these before the big event? How does an evolving social and technology world affect our security strategies?
- Assume the enterprise has no boundary.
- Assume all data is encrypted at rest and in motion.
I wonder what they will do next?

Questions? Miguel Soldi; Lewis Watkins, CISO