The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You Christopher Baum Research Vice President Global Government NYSCIO Conference.

The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You. Christopher Baum, Research Vice President, Global Government. NYSCIO Conference, July 13th, 2005

Key Issues
What security threats are higher education institutions facing, and what are the trends?
What resources are institutions bringing to bear on the security challenge?
What principles should guide institutional IT security planning?

The Gartner/Chronicle of Higher Education IT Security Survey 2004/2005
Mail-based US survey of Chronicle of Higher Ed subscribers, closed Nov 2004; EMEA/Australia survey closed May 2005
Topics: IT security organization, funding, attack/misuse incidence, technology, policy
US: 556 total respondents (138 CIOs used); non-US: 63 respondents (40 EMEA, 23 Australia)

Types of Attacks/Misuse Detected in the Past 12 Months (US responses) [chart]

Types of Attacks/Misuse Detected in the Past 12 Months (non-US responses) [chart]

Change in Attack/Misuse Incidence Compared to Previous 12 Months (US responses) [chart]

Change in Attack/Misuse Incidence Compared to Previous 12 Months (non-US responses) [chart]

US Responses: Calculated Financial Loss [chart]. Loss calculation favors “obvious” hard values; real costs are going almost unmeasured.

Non-US Responses: Calculated Financial Loss [chart]

US Percentage of IT Budget Spent on Security: current FY mean 6.24% [chart of percentage compared to previous fiscal year: increased / same / decreased]

Non-US Percentage of IT Budget Spent on Security: current FY mean 4.78% [chart of percentage compared to previous fiscal year: increased / same / decreased]

US Information Security Officer: Status and Plans [charts, Yes / No / Don’t Know: Has institution designated an ISO? If not, plan to designate one within 12 months?]

Non-US Information Security Officer: Status and Plans [charts, Yes / No / Don’t Know: Has institution designated an ISO? If not, plan to designate one within 12 months?]

US Security Planning & Training [charts, Yes / No / Don’t Know: Have a formal IT Security Plan? Plan to resume mission-critical operations during crisis? Offer security awareness training?]

Non-US Security Planning & Training [charts, Yes / No / Don’t Know: Have a formal IT Security Plan? Plan to resume mission-critical operations during crisis? Offer security awareness training?]

US: Frequency of Testing Plan to Resume the Operation of Mission-Critical Information Systems and Protect Related Data During a Crisis [chart; categories: more than once a month, once a month, once every 2-3 months, once a semester, once a year, not been tested]

Non-US: Frequency of Testing Plan to Resume the Operation of Mission-Critical Information Systems and Protect Related Data During a Crisis [chart; categories: more than once a month, once a month, once every 2-3 months, once a semester, once a year, not been tested]

US Anti-Viral Software: Mandatory, Optional, Not Available [chart]

Non-US Anti-Viral Software: Mandatory, Optional, Not Available [chart]

US: VPN for Remote Access: Mandatory vs Optional [chart]

Non-US: VPN for Remote Access: Mandatory vs Optional [chart]

US: Personal Firewall: Mandatory, Optional or Not Available [chart]

Non-US: Personal Firewall: Mandatory, Optional or Not Available [chart]

Policy and Training
Security policies need to be concise, clear, role-based and enforceable
–Non-technical user issues: acceptable use, privacy, business continuity
–Technical staff: privileged access and ethical statement, password management, change management, role
–A policy that isn’t signed can’t be enforced
Focus security training on network and system administrators
Create a security culture

Establishing the Baseline

Building for Whom? Omniscient, Nomadic, Connected, Telepathic

Defense in Depth in Practice: Scan and Block
Endpoints: Home PC, Corporate Laptop, Contractor Laptop
Infrastructure: VPN, Switch, RADIUS Server, DHCP Server, Policy Server (receives the scan results)
Scan good: allow connect. Scan bad: block.
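As an added example, not part of the deck, the policy server's decision step of the scan-and-block flow in Python: each endpoint's scan result is checked against minimum platform standards (anti-viral software, personal firewall, patch level, VPN for remote access) and the result is allow or block. The per-device-class standards and the sample scan results are constructed assumptions, not survey data.

```python
from dataclasses import dataclass

# Minimum platform standards per endpoint class (constructed for this example).
STANDARDS = {
    "corporate_laptop": {"antivirus": "mandatory", "firewall": "mandatory", "max_missing_patches": 0},
    "contractor_laptop": {"antivirus": "mandatory", "firewall": "mandatory", "max_missing_patches": 2},
    "home_pc": {"antivirus": "mandatory", "firewall": "optional", "max_missing_patches": 5},
}
VPN_REQUIRED_FOR_REMOTE = True  # "VPN for remote access: mandatory"


@dataclass(frozen=True)
class ScanResult:
    device_class: str
    antivirus_running: bool
    firewall_enabled: bool
    missing_critical_patches: int
    remote: bool    # connecting from outside the campus network
    over_vpn: bool  # arrived through the VPN concentrator


def decide(scan: ScanResult) -> tuple[str, list[str]]:
    """Return ("allow" | "block", reasons). A scan with no violations is 'good'."""
    std = STANDARDS.get(scan.device_class)
    if std is None:
        return "block", ["unknown device class"]  # fail closed, never fail open
    reasons = []
    if std["antivirus"] == "mandatory" and not scan.antivirus_running:
        reasons.append("anti-viral software not running")
    if std["firewall"] == "mandatory" and not scan.firewall_enabled:
        reasons.append("personal firewall disabled")
    if scan.missing_critical_patches > std["max_missing_patches"]:
        reasons.append(f"{scan.missing_critical_patches} critical patches missing")
    if VPN_REQUIRED_FOR_REMOTE and scan.remote and not scan.over_vpn:
        reasons.append("remote access without VPN")
    return ("block" if reasons else "allow"), reasons


# Constructed sample scan results, one per endpoint type on the slide.
SAMPLES = [
    ScanResult("corporate_laptop", True, True, 0, remote=True, over_vpn=True),
    ScanResult("contractor_laptop", True, False, 1, remote=False, over_vpn=False),
    ScanResult("home_pc", False, False, 3, remote=True, over_vpn=True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, why = decide(s)
        print(f"{s.device_class:18} {verdict:5} {'; '.join(why)}")
```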

Vulnerability Management Technologies
Lifecycle: Baseline/Discover – Prioritize – Mitigate – Maintain
Technologies on the map: asset inventory and classification; audit and policy compliance tools; vulnerability assessment (network, system, application); external threat services; security management monitor; patch install; mitigation workflow; shielding (firewall, IPS, scan and block); provisioning; configuration management

Understanding the Environment: Trace the Value
Environmental Trends (forces in the universe, forces on your organization) → Business Drivers (how they affect your organization) → Business Strategies and Tactics (how you react) → Information Requirements (what, who, when, how) → Architecture Design Principles (“Thou shalt...”) → Business and Technology Architecture
Information Requirements, asked across People, Systems, Processes and Data: What do we know? What do we need? Where do we get it? Where does it need to be? When does it need to be there? Who should not see it?

A New World

Seven Guiding Principles of IT Security
1. Defense in Depth –Combine proactive and reactive mechanisms
2. Principle of Least Privilege –Users, processes, and resources get the minimum necessary access
3. The Weakest Link –Train against social engineering
4. Security Expertise is Key –Establish a CISO office; mix central policy with distributed implementation
5. Build Security in Early –The earlier a defect is found, the cheaper it is to fix
6. Be Paranoid –Don’t just build for legitimate or “correct” usage
7. Simplify, Simplify, Simplify –Simpler systems are easier to deploy, manage, and maintain
