Fusion Center ITS security and Privacy Operations Joe Thomas


1 Fusion Center ITS Security and Privacy Operations Joe Thomas
October 2016

2 Overview
Incident Response
Security Goals
Incident Benefits
University Policies
General Procedures
Reporting to FSUPD, HR, FDLE

3 Incident Response
Phishing - Accounts Compromised
Compromised File
Ransomware
Stolen Property
Final Comments

4 What is an Incident? A computer security incident is any action or activity – accidental or deliberate – that compromises the confidentiality, integrity, or availability of data and information technology resources. Incidents also include the use of technology for criminal activities such as fraud, child pornography, theft, etc. Policy violations may also be considered security incidents.

5 Incident Response Goals
Preserving the confidentiality, integrity and availability of enterprise information assets.
Minimizing the impact to the university.
Providing management with sufficient information to decide on an appropriate course of action.
Providing a structured, logical, repeatable, and successful approach.

6 Incident Response Goals (cont.)
Increase the efficiency and effectiveness of dealing with an incident.
Reduce the impact to the university from both financial and human resources perspectives.
Provide evidence that may become significant should legal and liability issues arise.

7 University Policies The university has policies requiring action from IT administrators to report and respond to security incidents:
4-OP-H-5 Information Technology Security
4-OP-D-2-G Payment Cards
4-OP-H-12 Information Privacy Policy

8 Team Leadership and Duties
The CISO or Operations Team Lead usually acts as CSIRT Leader.
Convene the CSIRT (Computer Security Incident Response Team).
Select additional support members as necessary for the reported incident.
Contact the Chief Information Officer.
Conduct meetings of the CSIRT.
Ensure meetings are documented.
Direct team training on an ongoing basis.
Periodically report status of incidents to the CIO.
Manage incidents.
Ensure Class 2 and Class 3 incidents are documented.
Coordinate team incident research and response activities.
Conduct a debriefing of lessons learned and report to the CIO.

9 Team Expertise
Chief Information Officer (CIO)
Chief Auditor Office
Legal
Human Resources
Information Security (CISO or Representative)
Registrar
Public Information Officer
Platform Specialists
Financial Administrators
Law Enforcement

10 Role of the CSIRT The role of the CSIRT is to serve as the first responder to computer security incidents within the university and to perform the vital functions of identifying, mitigating, reviewing and reporting findings to management.

11 Responsibilities of the CSIRT
Classify security incidents.
Convene upon notification of a reported computer security incident.
Conduct a preliminary assessment to determine the root cause, source, nature, and extent of damage.
Recommend a response to a computer security incident.
Select additional support members as necessary for the reported incident.
Maintain confidentiality of information related to incidents.
Assist with recovery efforts and provide reports to the CIO.
Document incidents as appropriate. Examples include lessons learned and recommended actions.
Report incidents to the Information Security and Privacy Office.
Maintain awareness of and implement procedures for effective response to computer security incidents.
Stay current on functional and security operations for the technologies within their area of responsibility.

12 Classification of Security Incidents
The CSIRT will classify each incident as a Class 1, Class 2, or Class 3 incident based upon risk severity. The following criteria are used to determine incident classification:
Expanse of Service Disruption
Data Classification
Legal Issues
Policy Infraction
Public Interest
Threat Potential
Business Impact

13 Class 1 Incident: Low Severity
A Class 1 incident is any incident that has a low impact to university information technology resources and is contained within the unit. The following criteria define Class 1 incidents:
Data classification: Unauthorized disclosure of confidential information has not occurred.
Legal issues: Lost or stolen hardware that has low monetary value or is not part of a mission critical system.
Business impact: Incident does not involve mission critical services.
Expanse of service disruption: Incident is within a single unit.
Threat potential: Threat to other information technology resources is minimal.
Public interest: Low potential for public interest.
Policy infraction: Security policy violations determined by the university.

14 Class 2 Incident: Moderate Severity
A Class 2 incident is any incident that has a moderate impact to university information technology resources and is contained within the unit. The following criteria define Class 2 incidents:
Data classification: Unauthorized disclosure of confidential information has not been determined.
Legal issues: Lost or stolen hardware with high monetary value or that is part of a mission critical system.
Business impact: Incident involves mission critical services.
Expanse of service disruption: Incident affects multiple units within the university.
Threat potential: Threat to other university information technology resources is possible.
Public interest: There is the potential for public interest.
Policy infraction: Security policy violations determined by the university.

15 Class 3 Incident: High Severity
A Class 3 incident is any incident that has impacted or has the potential to impact other external information technology resources and/or involves events of public interest. The following criteria define Class 3 incidents:
Data classification: Unauthorized disclosure of confidential information has occurred outside the university.
Legal issues: Incident investigation and response is transferred to law enforcement.
Business impact: Threat to other university information technology resources is high.
Expanse of service disruption: Disruption is widespread across the university and/or other entities.
Threat potential: Incident has the potential to become widespread across the university and/or threatens external, third-party information technology resources.
Public interest: There is active public interest in the incident.
Policy infraction: Security policy violations determined by the university.

16 Reporting Process The CSIRT Leader reports and documents all incidents classified or reclassified as Class 2 or Class 3 incidents. The report should include the following:
Executive Summary
Description of the Incident
CSIRT Members Participating
CSIRT Findings
Conclusions
Recommendations

17 General Procedures
End users need to communicate computer incidents to unit ISMs.
Information security managers must immediately notify the FSU IT Security Incident Officer of the incident.
Payment card data breach: the department head notifies the Security Manager, who then notifies the Director of Information Security and Privacy of the incident.
The information security manager notifies the Police Department for incidents involving threats to human beings, property, child pornography, or a breach of CJIS information.
If external law enforcement is needed, the matter is referred to the FSUPD, who will serve as liaison during the security investigation.
General Counsel, the Director of Information Security and Privacy, and FSUPD must be notified when a subpoena is issued.

18 Reporting of IT Security Incidents
Different departments will become involved in the remediation of an incident.
Criminal activities should be reported to FSUPD.
Employee misconduct, both criminal and otherwise, should be reported to HR.
Incidents of a technical nature from an external source should be reported to the Director of Information Security & Privacy.
All university data should be classified into one of three levels:
Level 1 – Protected
Level 2 – Private
Level 3 – Public

19 IT Security Incidents Reported to FSUPD
Electronic transmission / storage of child pornography
Electronic transmission of threats to the physical safety of human beings or physical assets
Harassment and other criminal offenses involving user accounts
Loss or theft of a computing device
Using an FSU computing resource in the commission of a fraudulent activity against the university, an individual, or an outside entity
Incidents involving a breach of CJIS information

20 IT Security Incidents Reported to Human Resources
Misuse of FSU IT resources is described in 4-OP-H-5, with some examples below:
Commercial use of IT resources that is not pre-approved
Advertisement for personal gain on FSU.EDU websites
Use of IT resources that interferes with the performance of an employee's job
Use of IT resources that results in an incremental cost to the University

21 Types of Major Security Incidents Reported to the FSU Director of Information Security and Privacy
Breach of Personally Identifiable Information (PII).
Root or system-level attacks on mission critical information system(s): desktop, laptop, tablet, server, storage device, or network infrastructure.
Compromise of restricted protected service accounts or software installations, for data classified as "Protected" or "Private".
Denial of Service attacks that impair FSU resources.
Malicious code attacks, including malware infections on devices, that allow an unauthorized user access to data.

22 Types of Major Security Incidents Reported (cont.)
Open mail relay used to forward spam or other unauthorized communications via an FSU system.
Compromised user logon account credentials.
Denial of service on individual user accounts.
Other attacks that may constitute a risk to the confidentiality, integrity, or availability of university data or systems.

23 Types of Minor Security Incidents
Virus infections on servers and end-points

24 Departmental Response to IT Security Incidents
Isolation and Protection of Compromised Devices
    Discontinue use of that device immediately
    Do not power off the device
    Disconnect the network cable at the network jack
    Isolate the computer to prevent any further use
    Preserve logs
    Contact FSUPD, HR, and the Director of Information Security and Privacy to assist in the investigation
    If necessary, get a backup of the hard drive
Identification of Personally Identifiable Data
Calculation of Campus Unit Fiscal Cost to Remediate

25 Types of Attacks
Phishing
Ransomware
Denial of Service
Stolen Property
Compromised File

26 Final Comments Any Questions?

