Designing Services for Security: Information Security Management throughout the Service Lifecycle. Sarah Irwin & Craig Haynal, 2015 Penn State Security Conference, October 14, 2015

Presentation transcript:

Designing Services for Security: Information Security Management throughout the Service Lifecycle. Sarah Irwin & Craig Haynal, 2015 Penn State Security Conference, October 14, 2015

Session Roadmap
- Security Landscape
- Current Challenges
- Service Management at Penn State
- Designing for Security
- Call to Action

Security Landscape

When I say "Sensitive Data"… you probably think of: (images)

You probably also think of: (images)

Traditionally… sensitive data includes things like:
- Personally identifiable information (PII)
- Payment Card Industry (PCI) data
- Health Insurance Portability and Accountability Act (HIPAA) data
- Family Educational Rights and Privacy Act (FERPA) data

But it's more than just PII
- Research: human subjects; deductive disclosure risk; contract data; geographic IDs
- Student information: transgender community; confidentiality holds; mental health counseling
- Administrative: HR records; budget information; salary and review information
- Laws and regulations: federal and state laws and regulations; University policies; third-party contracts

It’s also becoming more prevalent

Current Challenges

Our Data Security Environment
- Highly decentralized, disparate IT environments and support
- Inconsistent standards and policies
- Lack of awareness and understanding

Pain Points
IT:
- Lack of communication or notice between IT and users
- IT is an afterthought, typically brought in after the project starts
- Historic lack of trust that IT can provide what users need
Users:
- Currently, few central IT services for restricted data
- Local IT staff assist in some colleges/departments
- Many users are left to sort out IT needs on their own

Secure Technology + Safe People + Sound Process = Security

Reactive IT

Retrofitting

Service Management at Penn State

IT Services: People, Technology, Process

Services: a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks.
Service ≠ Product. Unlike products, services often have no intrinsic value.

Service Management at Penn State
IT Transformation Program (ITX): the program tasked with developing and implementing the Penn State Service Management Program.
Penn State Service Management Program (PSSMP): an accepted standard for University service models, processes, and tools that improves the consistency and efficiency of Penn State services. By using a common language and set of procedures, Penn State units will unite in providing efficient, high-level customer service, while reducing service redundancy and cost across the University.

ITIL Framework
- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement

ITX/PSSMP Processes
Current:
- Incident Management
- Change Management
- Service Catalog Management
- Request Fulfillment
Future:
- Service Portfolio Management
- Project Portfolio Management
- Resource Portfolio Management
- Knowledge Management
- Problem Management
- Project Management
- Service Asset and Configuration Management

ITX/PSSMP Processes – Greatest Security Impact
Current:
- Incident Management
- Change Management
- Service Catalog Management
- Request Fulfillment
Future:
- Service Portfolio Management
- Project Portfolio Management
- Resource Portfolio Management
- Knowledge Management
- Problem Management
- Project Management
- Service Asset and Configuration Management

Designing for Security

Designing Services

Warranty (Availability + Capacity + Continuity + Security) → Quality Service

Value = Utility + Warranty

Design Coordination
Overall service design process:
- Define and maintain policies and methods
- Plan design resources and capabilities
- Coordinate design activities
- Manage design risks and issues
- Improve service design
Per design process:
- Plan individual design
- Coordinate individual design
- Monitor individual design
- Review design and ensure handover of the service design package

Service Design Package
Major components:
- Requirements
- Service design
- Organizational readiness assessment
- Service lifecycle plan
Security checkpoints:
- Gather security requirements
- Plan for security
- Ensure adequate security training
- Incorporate security checkpoints into the plan

Information Security Management System: Control → Plan → Implement → Evaluate → Maintain

Information Security Management (activities span a design focus and an operation focus)
- Produce/maintain information security policy
- Assess/categorize risks and vulnerabilities
- Report security risks and threats
- Implement/review security controls and risk mitigation
- Monitor/manage security incidents
- Enforce security policy
- Review/report/reduce security incidents

Security management information system (SMIS)
- Information security policy
- Security reports and information
- Security controls
- Security risks and responses

RESILIA™ Cyber Resilience Best Practice
A practical framework for building and managing cyber resilience, reflecting the changing need not only to detect and protect against cyber-attacks but also to respond to and recover from them. Provides security guidance aligned with the service lifecycle from the ITIL books:
- Service strategy
- Service design
- Service transition
- Service operation
- Continual service improvement

Call to Action

Start Small: Learn
- Learn about Penn State's policies that pertain to security, especially data categorization (and the related guideline)
- Understand the minimum security baseline and be ready to incorporate it into your services: http://sos.its.psu.edu/minimum-security-baseline.html

Focus on People
- Have conversations about the types of data that will be handled by IT services up front
- You may have to educate your customers and users on data categorization in order to discover their information security needs
- Negotiate the right level of security before you plan, purchase, or build anything
- Always plan for user education, especially when it comes to securely using services

Design Better Services
- Plan your services; don't just rush to solutions without fully understanding the problems, particularly when it comes to security
- Remember that good IT services focus on helping customers achieve outcomes and consider people and process in addition to technology
- Make sure your services not only have the needed features (utility) but also live up to their commitments (warranty)
- Taking the time to design services for security will be much less expensive than retrofitting or replacing them later

Any Questions?