
BruinTech Vendor Meet & Greet December 3, 2015


1 BruinTech Vendor Meet & Greet, December 3, 2015
IT Services Information Security

2 Agenda
- IT Security Program – Mike Story
- Penetration Testing – Alex Podobas
- Questions and Answers

3 IT Security Program
Mike Story, Interim Director, Chief Information Security Officer

4 UC Cyber-Risk Mandate (President Napolitano, July 2015)
1. Inventory and assess cybersecurity vulnerabilities
   - Campus plan to inventory IT assets (data and inventory), map risks and vulnerabilities, and assess IT security
2. Develop a strategy, governance approach, and action plan to consistently evaluate and reduce cyber-risk
   - UC Cyber-Risk Governance Committee (CRGC)
   - Joint cyber-risk governance across the UCLA campus and Health Sciences
3. Participate in systemwide planning efforts to facilitate and promote cyber-risk reduction
   - UC risk reporting and escalation process
   - UC cybersecurity training for staff and students (TBD)
   - UC prevention, detection, and remediation protocols; minimum security standards
4. Arrange for regular executive-level discussion of cyber-risk management
   - Cyber-Risk Responsible Executive (Scott Waugh) planning and communication
5. Confirm the commitment to adequate staffing and budget to support cybersecurity initiatives
   - Cybersecurity resource plan and implementation timeline

5 Cybersecurity Framework
NIST Framework for Improving Critical Infrastructure Cybersecurity, with its five core functions:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
We are working closely with the UCLA Privacy Board to ensure balance between an open academic / research environment, privacy, and security.

6 Program Objectives
Immediate Priorities:
- Identify, locate, and protect sensitive data and systems
- Remediate and patch known system and application vulnerabilities
- Improve Information Security awareness and education
Longer-Term Goals:
- Improve information security monitoring and intelligence
- Establish a differentiated security control framework
- Implement state-of-the-art IT security tools and processes
- Build a staff of Information Security specialists
- Provide expert Information Security consulting and guidance to the campus
- Establish a formal Information Security compliance program

7 IT Security Team
Expand the scope of IT security services:
- To effectively leverage the appropriate tools, technologies, and processes needed to properly secure the environment
- Provide the skills necessary to design and support the next-generation security strategy
- Enhance relationships with key stakeholders and provide the security expertise and support needed to reduce cybersecurity risk
Staffing:
- Onboarded 4 additional resources (1 Project Manager and 3 Information Security Analysts) in addition to 2 existing resources
- Assessing additional resource requirements against projects

8 Penetration Testing
Alex Podobas, IT Security Analyst

9 Vulnerability vs. Penetration Testing (not synonymous)
Vulnerability Testing:
- Deployed to detect, but not necessarily verify or exploit, weaknesses in software or configurations
- Typically a "point and shoot" security tool
Penetration Testing ("Pentest[ing]"):
- Deployed with the specific intent to detect and actively exploit application code or configurations of the various software in a web application stack
- May DoS a resource, corrupt data, or expose sensitive code or data
- Ideally involves human direction of the detection and exploitation process

10 Offerings
- UCLA IT Security offers penetration testing services free of charge
- We utilize a wide array of tools: AppScan, Burp Suite, Kali Linux OS (sqlninja, Vega, nmap, skipfish, rainbow table attacks), and much more
- But we can also human-review application code and software configurations and suggest changes to comply with law, UC and UCLA policy, and data security and privacy best practices (such as NIST)

11 Pentesting Objectives
- Our objective is to provide a central, internal service that any official UCLA group, department, unit, or employee can request to improve their technical InfoSec practices
- As a result of each pentesting engagement, we provide specific action items, highlight and rank vulnerability issue severity, provide the original reports from our tools, and provide pragmatic recommendations for your environment
- The Information Security Office is here to improve UCLA's InfoSec posture, not punish those that seek our technical assistance

12 Questions?

