Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst.
Presentation transcript:

Realizing our Principles
Answering the question, “Why?” To have a common understanding of building a secure architecture. Developed based on NIST ,, ISO 20071, CIC schools, and other publications.

OCIS IT Security Principles
1. Security is Everyone’s Responsibility
2. Security is Part of the Development Life Cycle – Information Privacy and Assurance; Usability; and Defense in Depth.
3. Security is Asset Management – Classify Information; Least Privilege; and Separation of Duties.
4. Security is a Common Understanding – Due Diligence; Manage Threats, Risks, and Costs; and Incident Management.

Risk Assessment Process
Step 1: Letter of Engagement
Step 2: Conduct the Assessment
Step 3: Draft Report on Findings
Step 4: Communicate Findings
Step 5: Re-Assess

Building a Common Understanding: Managing Risk
[Diagram: Risk – Impact – Likelihood – Mitigation Controls – “$ Care $ $”]

Example Question
Does the system maintain a Configuration Management methodology that includes:
1. A documented process for reviewing, approving and implementing changes
2. Version control for software system components
3. Timely identification and installation of all applicable patches for any software used in the provisioning of the CS.

Common Gaps
Common Security Gaps (examples)
– The system infrastructure needs to be segmented with robust firewall controls.
– Encryption controls and key management procedures should be implemented for data at rest.
– Restricted data needs to be sanitized in non-production environments.
– Intrusion detection, prevention and log management devices should be installed and maintained with appropriate alerting processes.
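A worked example of the risk picture on the Managing Risk slide (impact and likelihood give a risk score; mitigation controls are weighed against their cost), applied to the gaps listed above. This is added example code in Python, not material from the OCIS presentation; the three-level scales, the dollar weights and the register entries are constructed assumptions.

```python
from dataclasses import dataclass

# Three-level qualitative scales; the levels and weights are constructed for this
# example and are not taken from the presentation.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    impact: str        # "low", "medium" or "high"
    likelihood: str    # "low", "medium" or "high"


@dataclass
class Control:
    name: str
    annual_cost: float          # dollars spent on the mitigation control
    likelihood_reduction: int   # levels by which the control lowers likelihood
    impact_reduction: int = 0   # levels by which the control lowers impact


def score(impact: str, likelihood: str) -> int:
    """Inherent risk on a 1..9 scale: impact level times likelihood level."""
    return LEVELS[impact] * LEVELS[likelihood]


def residual(risk: Risk, control: Control) -> int:
    """Risk left after the control is applied; neither factor drops below 'low' (1)."""
    impact = max(1, LEVELS[risk.impact] - control.impact_reduction)
    likelihood = max(1, LEVELS[risk.likelihood] - control.likelihood_reduction)
    return impact * likelihood


def worth_it(risk: Risk, control: Control, dollars_per_point: float) -> bool:
    """Cost-versus-care check: does the annualised loss the control removes cover its cost?
    dollars_per_point is the assumed annual loss that one risk point represents."""
    removed = score(risk.impact, risk.likelihood) - residual(risk, control)
    return removed * dollars_per_point >= control.annual_cost


def rank(register: list[Risk]) -> list[tuple[str, int]]:
    """Order a risk register by inherent score, highest first, to decide what to treat first."""
    scored = [(r.name, score(r.impact, r.likelihood)) for r in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed register mirroring the Common Security Gaps slide; the ratings are illustrative.
REGISTER = [
    Risk("Unsegmented system infrastructure", "high", "high"),
    Risk("Unencrypted restricted data at rest", "high", "medium"),
    Risk("Restricted data in non-production environments", "medium", "medium"),
]

if __name__ == "__main__":
    segmentation = Control("Firewall segmentation", annual_cost=20_000.0, likelihood_reduction=2)
    print(rank(REGISTER))
    print(worth_it(REGISTER[0], segmentation, dollars_per_point=5_000.0))
```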

Integrating a Security Culture
Awareness and Training
– SANS Secure Web Development
Policy Development and Best Practices
– Restricted Information Management Practices
– Desktop Encryption Policy
Centralized Resources
– Security Event Management
– Network Management
– Desktop Tools
– PKI

Questions
How can we help you?