Building a Risk-Based Information Security Program
Mike Chapple, University of Notre Dame
May 5, 2008
Property of the University of Notre Dame


Slide 2: Obligatory Notice
Copyright Michael J. Chapple. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Slide 3: Overview
Background
Campus IT Risk Assessment (CITRA)
Digesting the Results
Implementing the Security Program
Preliminary Results

Slide 4: Notre Dame
Private, coeducational Catholic research university located in Northern Indiana
Population of 10,000 students, 1,200 faculty and 5,300 staff
Defining characteristics:
– Long tradition of undergraduate excellence
– Dedicated to residential life (81% of undergraduates live on campus)
– Rapidly expanding research community and graduate programs; over the past decade: 35% increase in PhDs awarded, 225% increase in sponsored research

Slide 5: IT at Notre Dame
OIT is a centralized IT organization
– Supports enterprise systems
– Provides end-user support for about one third of campus
Some colleges and business units have their own IT support groups
– Varying levels of custom infrastructure
– Several have their own networks
Until 2006, information security was a combination of implementing internal controls and external consulting

Slide 6: One Day Everything Changed…

Slide 7: Historical Context (timeline graphic; milestone labels are listed in the order they appear in the transcript, and year labels survive only for three of them)
Initial PCI DSS Discussions
Incident
CITRA
Incident Response
2002 – Information Security Office Established
2003 – Data Oversight Committee Established
Data Center Firewall Implemented
Data Access Policy Approved
2005 – Strong Password Initiative
PCI DSS Assessment
CCSP Planning
Credit Card Network Inventory

Slide 8: Overview
Background
Campus IT Risk Assessment (CITRA)
Digesting the Results
Implementing the Security Program
Preliminary Results

Slide 9: CITRA Overview
At the request of University leadership, we commissioned a campus-wide IT risk assessment
Partnered with a “Big Four” consulting firm
Scope included all uses of sensitive University data, in any form
Tools used:
– Network scanning
– Surveys and interviews
– Site visits

Slide 10: Assessment Process (diagram)

Slide 11: Surveys
19 pages, 74 questions (mixture of multiple choice and open-ended)
Pilot deployment with our own OIT business office, followed by a select handful of “friends”
Full deployment included business managers from all academic and administrative units
Accompanied by a cover letter from the Executive Vice President and the Provost
Achieved a 100% response rate (after quite a few follow-up calls!)

Slide 12: Selected Questions
What type(s) of sensitive data does your department store/process?
What groups/roles have access to that data?
Where do you store that data (physical and/or electronic)?
Do you use encryption to protect stored information?
How do you transmit sensitive data? How do you receive it?
Do you use any web-based applications to collect data?
How long do you retain sensitive information? How do you dispose of it?
Do you share sensitive information with third parties?

Slide 13: Survey Results
Together with the consultants, we surveyed respondents from 53 campus departments on data handling practices.

Attribute                                              Percentage
Use Social Security Numbers                            88%
Share Passwords                                        81%
Store Sensitive Data Locally                           77%
Transmit Sensitive Data Externally Without Encryption  68%
Not Aware of Security Policies                         65%
Retain Sensitive Data Indefinitely                     63%

Slide 14: Business Unit Interviews
53 departments selected for individual or group interviews based upon survey responses
Combination of academic and administrative units
Intended to serve as a one-hour “deep dive” into survey responses
Conducted by a team consisting of representatives from Information Security, University Archives and the consultant

Slide 15: Discussion Guide
Walk through survey responses
Types of sensitive data within the department
Applications used to process data
Electronic and paper-based data flow walkthrough
Physical security of departmental spaces

Slide 16: CITRA Findings
End result was 68 findings covering 10 key areas:
Information Security Framework
Data Classification and Handling
Access Control
Encryption Strategy
Configuration Standards
Physical Security
Technical Security Architecture
Disaster Recovery
Compliance
Information Security Awareness
For example…

Slide 17: CITRA Findings (example findings; graphic)

Slide 18: Overview
Background
Campus IT Risk Assessment (CITRA)
Digesting the Results
Implementing the Security Program
Preliminary Results

Slide 19: Planning Workshop
Cross-functional team
Analyzed CITRA results and created project specifications designed to remediate all medium/high risk findings
Produced a comprehensive project plan with resource estimates and sequencing

Slide 20: Resource Planning
Discussed project objectives with resource managers
Simple approach to resource ($$$ and staff) estimation:
– Determine “best case” and “worst case” time and cost estimates
– Average those endpoints
– Surprisingly accurate!

Slide 21: Ranking System
Each project ranked on costs (financial and staff), importance and urgency

Slide 22: Outcome
Projects sequenced to prioritize high-risk findings and balance resource consumption
Overall costs: $4.6M one-time, $630K recurring
Presented to University leadership and funded in full
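The planning steps on slides 20 through 22 (average best-case and worst-case estimates, rank each project on cost, importance and urgency, then sequence the ranked projects against available resources) can be carried through in a few lines. The script below is an added illustration, not the presentation's own tool: the 0.45/0.35/0.20 scoring weights, the sample projects, their costs and the per-period budget are constructed assumptions, not figures from the Notre Dame program.

```python
"""Added example (not from the presentation): ranking and sequencing
remediation projects.

Follows the approach the slides describe: average best-case and worst-case
estimates, rank each project on cost, importance and urgency, then sequence
the ranked list so high-risk work lands first while each period's budget is
respected. The scoring weights, sample projects and budget are constructed
assumptions, not figures from the Notre Dame program.
"""
from dataclasses import dataclass


@dataclass
class Project:
    name: str
    best_cost: float      # best-case one-time cost, $K (constructed)
    worst_cost: float     # worst-case one-time cost, $K
    importance: int       # 1 (low) to 5 (high), driven by finding risk level
    urgency: int          # 1 (low) to 5 (high)

    @property
    def cost(self) -> float:
        # The slides' estimation rule: average the best and worst case.
        return (self.best_cost + self.worst_cost) / 2


def priority_score(project: Project, max_cost: float) -> float:
    """Higher scores go first. Importance and urgency pull a project forward;
    cost, normalised against the most expensive project, pushes it back.
    The 0.45 / 0.35 / 0.20 weights are an assumption for illustration."""
    cost_factor = 1.0 - project.cost / max_cost   # cheapest projects near 1
    return (0.45 * project.importance / 5
            + 0.35 * project.urgency / 5
            + 0.20 * cost_factor)


def rank_projects(projects):
    max_cost = max(p.cost for p in projects)
    return sorted(projects, key=lambda p: priority_score(p, max_cost), reverse=True)


def sequence_by_budget(projects, budget_per_period: float):
    """Greedy sequencing: place each ranked project in the earliest period
    whose remaining budget can absorb it. A project larger than a whole
    period's budget opens a new period on its own (the overrun shows up as
    a negative remainder)."""
    periods = []   # each entry: [remaining_budget, [project names]]
    for p in rank_projects(projects):
        for period in periods:
            if period[0] >= p.cost:
                period[0] -= p.cost
                period[1].append(p.name)
                break
        else:
            periods.append([budget_per_period - p.cost, [p.name]])
    return [names for _, names in periods]


def total_cost(projects) -> float:
    return sum(p.cost for p in projects)


# Constructed sample projects (names echo the plan's project families).
SAMPLE_PROJECTS = [
    Project("Border firewall", 200, 400, 5, 5),
    Project("Security awareness", 50, 150, 4, 3),
    Project("Sensitive data scanning", 80, 120, 5, 4),
    Project("Incident tracking system", 30, 70, 2, 2),
    Project("Zoned network", 900, 1500, 4, 2),
]

if __name__ == "__main__":
    for i, names in enumerate(sequence_by_budget(SAMPLE_PROJECTS, 500), 1):
        print(f"Period {i}: {', '.join(names)}")
```

With a budget of 500 per period, the three highest-ranked projects fill the first period, the small incident tracking project opens the second, and the large zoned-network project is pushed to a period of its own; a real plan would also carry the recurring cost line separately, as the slide's $630K figure does.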

Slide 23: Overview
Background
Campus IT Risk Assessment (CITRA)
Digesting the Results
Implementing the Security Program
Preliminary Results

Slide 24: Program Mission
Identify confidentiality, integrity and availability risks to sensitive University information, and mitigate those risks to acceptable levels.

Slide 25: Program Objectives
The objectives of the program are to:
Evaluate risks to the confidentiality, integrity and availability of sensitive information
Establish and implement controls to fill critical gaps, as determined by institutional risk tolerance
Create awareness of information security and proper data handling practices
Establish and communicate security-related policies, procedures and standards

Slide 26: Program Plan (diagram)

Slide 27: Policy
It all begins with policy…really!
Security Policies and Standards (FY 2007): Establish University-wide information security policies and handling standards based on ISO
Configuration Standards (FY 2007): Develop configuration standards for applications and mobile systems
Software Development Lifecycle (FY 2010): Select and implement an SDLC model for use with OIT systems

Slide 28: Awareness, Training and Education
Employee Awareness (FY ): Provide security awareness, communication and training for faculty and staff
Student Awareness (FY 2008): Provide security awareness, communication and training for students
Classification Workshops (FY 2008): Conduct workshops to aid Data Stewards in classifying their data
Sensitive Data Handler Training (FY 2008): Provide specialized training for those who work with sensitive University data
Technical Security Training (FY 2009): Provide specialized technical security training for IT professionals

Slide 29: Workstation Security
Initial Desktop Remediation (FY 2007): Apply a basic set of security controls to University workstations
Malware Management (FY 2008): Provide a solution for management and monitoring of antivirus and anti-spyware software on University systems
File Security (FY 2009): Conduct a vulnerability assessment and apply security controls to NetFile
Messaging Security (FY ): Apply security controls to electronic mail and instant messaging

Slide 30: Server Security
Data Center Architecture Enhancements (FY 2008): Enhance security controls on the OIT Data Center front end
Server Integrity Monitoring (FY 2008): Formalize OIT server integrity monitoring infrastructure and processes
Database Security (FY 2008): Conduct a vulnerability assessment of University databases and implement appropriate controls
Departmental Server Consulting (FY ): Conduct a security assessment of each departmental server and provide recommendations on alternative technologies and/or appropriate controls
OIT Server Management (FY ): Implement security management practices for OIT servers with separation of duties and data segregation, where appropriate

Slide 31: Network Security
Border Security (FY 2007): Implement a campus network border firewall to block unsolicited inbound connections
Network Device Management (FY ): Implement security standards on campus network devices
Zoned Network and Wireless Security (FY ): Design and implement a zoned network architecture with appropriate security controls on the wired and wireless networks
Intrusion Prevention (FY 2009): Replace the University’s existing intrusion detection system with a comprehensive intrusion prevention system
Network Admission Control (FY 2010): Implement controls to ensure that network-connected systems meet security standards

Slide 32: Security Infrastructure
Vulnerability Scanning (FY 2007): Create a scanning facility to proactively detect technical vulnerabilities in University systems
Security Review Process (FY 2007): Create a process for consistently conducting information security reviews
Sensitive Data Scanning (FY 2008): Create a scanning facility to proactively detect CC/SSNs stored in institutional file systems
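The Sensitive Data Scanning project on slide 32 depends on telling real card and Social Security numbers apart from the order numbers and phone numbers that fill a typical departmental file share. The scanner below is an added illustration, not the University's facility: card candidates must have 13 to 19 digits and pass the Luhn checksum, SSN candidates are rejected when they use an area, group or serial that is never assigned, and the report masks all but the last four digits so it is not itself sensitive. The sample file contents are constructed test data.

```python
"""Added example (not from the presentation): a small sensitive-data scanner.

Given the text of a file, report lines holding credit card numbers or Social
Security numbers. Card candidates must have 13-19 digits and pass the Luhn
checksum; SSN candidates are rejected when they use an area, group or serial
that the Social Security Administration never issues. This cuts the false
positives that raw digit-pattern matching produces on order numbers and
phone numbers. The sample file contents are constructed test data.
"""
import re

# Either four groups of four digits (optionally separated) or a bare run of
# 13-19 digits. Scanning line by line keeps a match from spanning two values.
CC_PATTERN = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b|\b\d{13,19}\b")
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9
    from doubled values above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_card_number(candidate: str) -> bool:
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def is_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area 000, 666 and 900-999, group 00 and serial 0000, none of
    which are ever assigned."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself is not sensitive."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str):
    """Return (line_number, kind, masked_value) for each validated hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CC_PATTERN.finditer(line):
            if is_card_number(m.group(0)):
                findings.append((line_no, "CC", mask(re.sub(r"[ -]", "", m.group(0)))))
        for m in SSN_PATTERN.finditer(line):
            if is_ssn(*m.groups()):
                findings.append((line_no, "SSN", mask("".join(m.groups()))))
    return findings


# Constructed sample: one real-looking card (a well-known test number), one
# that fails Luhn, one valid-format SSN, one unassignable SSN, a phone number
# and a 13-digit order number that also fails Luhn.
SAMPLE_FILE = """\
Student refund form
Card on file: 4111 1111 1111 1111 (exp 12/09)
Backup card: 1234 5678 9012 3456
Employee SSN: 123-45-6789
Ignore: 666-12-3456
Phone: 574-631-5000
Order number 9876543210123
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_FILE):
        print(hit)
```

Running this over the sample reports only line 2 (the card) and line 4 (the SSN). A production scanner would walk the file share, handle Office and PDF containers, and route findings to the data steward rather than print them, but the validation logic is the part that decides whether the facility drowns its operators in false positives.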

Slide 33: Security Infrastructure (cont’d)
Application Logging (FY 2009): Capture enterprise application events in the OIT central log repository
Network Logging (FY 2009): Capture records of off-campus connections involving University systems
Security Log Analysis (FY 2009): Create a security log analysis capability for use with the central log repository
Firewall Management (FY 2009): Audit the existing firewall rulebase and implement standard management practices
Rogue Wireless AP Detection (FY 2010): Provide the ability to identify unauthorized wireless access points on the University network
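The Network Logging and Security Log Analysis projects on slide 33 feed directly back to the border firewall goal on slide 31 (block unsolicited inbound connections): once off-campus connection records land in the central repository, the first useful analysis is to check that only the services the border is meant to publish are being reached from outside. The script below is an added illustration of that analysis, not the University's own capability; the record format, the campus address range (10.20.0.0/16) and the allow-list of exposed ports are constructed assumptions.

```python
"""Added example (not from the presentation): first-pass analysis of border
connection records from a central log repository.

Each record is classified as on- or off-campus by address, accepted inbound
connections from off campus to ports the border is not meant to expose are
flagged, and repeat sources are counted. The log format, the campus address
range and the allow-list of exposed ports are constructed assumptions.
"""
import ipaddress
from collections import Counter

# Assumed campus address space and the inbound services the border is
# expected to publish (constructed for this example).
CAMPUS_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_INBOUND_PORTS = {25, 80, 443}

# Constructed sample records: "<timestamp> <action> <src>:<port> -> <dst>:<port>"
SAMPLE_LOG = """\
2008-04-01T08:15:02 ACCEPT 203.0.113.7:51234 -> 10.20.1.10:443
2008-04-01T08:15:09 ACCEPT 10.20.5.21:40001 -> 198.51.100.4:80
2008-04-01T08:16:44 ACCEPT 203.0.113.7:51300 -> 10.20.1.11:1433
2008-04-01T08:16:45 ACCEPT 203.0.113.7:51301 -> 10.20.1.12:3389
2008-04-01T08:17:01 ACCEPT 10.20.7.3:52000 -> 10.20.1.10:443
2008-04-01T08:18:30 DENY 192.0.2.9:6000 -> 10.20.1.13:22
"""


def parse_record(line: str) -> dict:
    ts, action, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts,
        "action": action,
        "src": ipaddress.ip_address(src_ip),
        "sport": int(src_port),
        "dst": ipaddress.ip_address(dst_ip),
        "dport": int(dst_port),
    }


def on_campus(ip) -> bool:
    return any(ip in net for net in CAMPUS_NETS)


def analyse(log_text: str):
    """Return (off_campus_records, unsolicited_inbound, sources_by_count)."""
    off_campus = []
    unsolicited = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        src_in, dst_in = on_campus(rec["src"]), on_campus(rec["dst"])
        if src_in and dst_in:
            continue  # purely internal traffic is out of scope here
        off_campus.append(rec)
        # An accepted connection from outside to a port the border should
        # not expose means either a rulebase gap or an unmanaged service.
        if (rec["action"] == "ACCEPT" and dst_in and not src_in
                and rec["dport"] not in ALLOWED_INBOUND_PORTS):
            unsolicited.append(rec)
    sources = Counter(str(r["src"]) for r in unsolicited)
    return off_campus, unsolicited, sources


if __name__ == "__main__":
    off, flagged, sources = analyse(SAMPLE_LOG)
    print(f"{len(off)} off-campus records, {len(flagged)} flagged")
    for src, n in sources.most_common():
        print(f"{src}: {n} unsolicited inbound connections")
```

On the sample, five records involve an off-campus party, and two of them are accepted inbound connections to database and remote-desktop ports from the same external address; that pairing is exactly what the firewall rulebase audit on the same slide is meant to catch, and the denied SSH attempt on the last line shows the border doing its job.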

Slide 34: Credit Card Security
CCSP Infrastructure (FY 2007): Create the infrastructure required to migrate card processing applications to the OIT data center
CCSP Application Migration (FY ): Move card processing servers to the payment card environment located in the OIT data center
CCSP Monitoring (FY 2008): Implement ongoing technical monitoring of the payment card environment
CCSP Physical Security (FY ): Upgrade data center physical security to meet PCI DSS requirements

Slide 35: Incident Handling
Incident Response Procedures (FY 2010): Create technical procedures for responding to information security incidents to supplement the existing Incident Response Plan
Forensics (FY 2010): Identify forensic resources for use in information security incident response
Incident Tracking System (FY 2010): Provide an information security incident tracking system

Slide 36: Sustaining Activities
Security Operations Center (FY ): Create an operations center to monitor and provide initial response to security events
Recurring Risk Assessments (FY 2010): Establish a process for recurring, periodic risk assessments to measure risk to University data assets
Program Monitoring (FY 2010): Assess the ongoing effectiveness of the information security program

Slide 37: Overview
Background
Campus IT Risk Assessment (CITRA)
Digesting the Results
Implementing the Security Program
Preliminary Results

Slide 38: Current Status (chart)

Slide 39: Program Highlights
For the most part, on-time completion under budget
Some “in-flight” changes to the plan to:
– Reprioritize project sequencing
– Address new risks (e.g. web application security)
– Balance resource utilization with other initiatives

Slide 40: Policy and Standards
Policy complete and awaiting Officer approval
Operating system standards in place
Application standards complete and published
(chart: Policy Usage, Spring 2007 – Fall 2007)

Slide 41: Vulnerability Scanning (chart)

Slide 42: Awareness
Goal: Engage 85% of the faculty and staff at least twice annually

Slide 43: Questions