Presentation is loading. Please wait.

Presentation is loading. Please wait.

Performing Risk Analysis and Testing: Outsource or In-house

Published byQuentin Ferguson Modified over 6 years ago

Similar presentations

Presentation on theme: "Performing Risk Analysis and Testing: Outsource or In-house"— Presentation transcript:

1 Performing Risk Analysis and Testing: Outsource or In-house
Performing Risk Analysis and Testing: Outsource or In-house? A Towson University Case Study Lynn Ray CISO Towson University

2 Introduction Background Outsource – Why or why not? Steps taken by TU
Lessons learned Recommendations

3 Background Towson University
Second largest in state next to University of Maryland at College Park 21K students (as of 2008) Baltimore-based 400+ distributed servers and network security devices Culture is based on traditional and online education

4 Originally in-house Utilized a full time experienced security engineer to perform tests Utilized open-source and commercial tools (Nessus, Canvas, etc.) Established some policies and procedures Devised and used an inhouse-developed incident tracking system - SharePoint Test results culturally challenged

5 Reasons for decision The security engineer left and replaced with students Software was too costly and complicated University System of Maryland internal audit started requiring results from scans and tests Payment Card Industry (PCI) compliance requirements Hackers increased focus on Web-based attacks Maryland state auditors and secuity standards requiring testing and monitoring University culture on security

6 Outsource pros Bring certified and trained expertise
Use more advanced tools and bring their own In certain circumstances they can be more cost effective Easier compliance to federal and state regulations

7 Outsource cons There is some loss of control over the tests
There is a lack of getting the results back bacause of company internal procedures Generally cost more than in-house Services are restricted to what is stated in the contract A level of trust will have to be established with the vendor

8 Step 1: Determined what to do
Looked at what other universities were doing Determined what systems processed, transmitted or stored used credit card data Looked at the PCI Security Standard

9 PCI data security standards requirements
Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications

10 PCI data security standards requirements (cond't)
Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security

11 PCI Compliance Comply with Data Security Standard
May use PCI vendor - Users complete an annual questionnaire Include all systems that handle credit card information

12 Step 2: Research vendors
Researched over 87 vendors because of a lack of knowledge of who is in the business Discovered some of the vendors were PCI certified Established some general requirements when looking for vendors Vulnerability test methods Hands-off testing (vendor does all testing) Use simple purchase methods (credit card or contract?) Reference checks

13 Step 3: Setup testing Initially used credit card to obtain verndor services Identified 50 servers including ones covered under PCI Coordinated installation of vendor scanning appliance Establish firewall rules to support testing Scheduled quarterly vulnerability tests

14 Step 4: Devised procedures
Created vulnerability/incident tracking procedures Implemented SharePoint tracking system to track vulnerabilities found Performed an annual questionnaire with functional areas using credit card data

15 Sharepoint tracking system

16 Step 5: Expanded analysis and testing criteria
Decided to increse the number of servers to include the whole campus (approx 400 servers) Added penetration testing Minimum web testing Tested network security devices Established set dates and time-limits on vendor security appliance access to do testing

17 Lessons learned All requirements not addressed up front
Compliance after thought Didn't test web systems for vulnerabilities Rough procurement Need to be more risk-centric Need check user access to 3rd party software applications that may be handling financial information

18 Compliance What’s applicable?
Lack of knowledge - use outside expertise Implement security self-assessment program that involves others cross-campus Have effective institutional officers in Compliance Privacy Security

19 Recommendations Gather all testing and analysis requirements
Determine compliance needs Contract for each type of test needed Get support from others – CIO champion Focus on risk-centered methodology Include in INFOSEC strategic plan Establish procedures and tracking system

20 For more information Lynn Ray, CISO, Towson University
Phone – -

21 Questions

Download ppt "Performing Risk Analysis and Testing: Outsource or In-house"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security.

Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security.
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?

Similar presentations

Ads by Google