
Information Security Review Panel Report



Presentation on theme: "Information Security Review Panel Report"— Presentation transcript:

1 Information Security Review Panel Report
CIO Council February 23, 2017

2 Agenda
- Background
- Review panel conclusions
- Review panel recommendations
- Proposed next steps

3 Background
In their last visit in 2015, Harvard's Committee to Visit Information Technology reported that "IT security has been significantly strengthened" but also felt that more in-depth conversations were needed on the topic. As a result, Harvard convened a review panel consisting of three experts in the field:
- Joshua Beeman, Information Security Officer, University of Pennsylvania
- Andy Ellis, Chief Security Officer, Akamai Technologies
- Ravi Pendse, Vice President for Computing and Information Services and Chief Information Officer, Brown University

The panel focused on three important questions:
- Does Harvard have the right information security strategy?
- How is Harvard doing executing on its plan?
- Are there things we are not doing that we should be to enhance Harvard's security posture?

4 Conclusions
The following are excerpts from the panel's report on these three questions:
- "The review team concluded that Harvard has an excellent strategy for information security."
- "The review team concluded that Harvard has been very successful in executing its plans."
- "Because of the changing nature of Information Security, no matter how mature a program is, there are always opportunities for improvement."

5 Recommendations
The review panel made four recommendations:
- Leverage a standards-based framework for information security controls
- Ensure that the CISO's office has appropriate authority over information security across the organization, in particular around procurement, hiring, training and standards
- Continue to formalize and mature how risks are identified, analyzed and turned into recommendations for investment
- Perform continual evaluation of staffing and security roles, with particular attention to surge capacity and emerging compliance requirements

6 Proposed next steps
Evaluate and adopt an information security control framework
- The NIST Cybersecurity Framework (CSF) is the leading contender
- We are convening a small group with representation across the University to make a formal recommendation to the Information Security Council
- The impact of moving towards a framework is that we will likely have to update and align policies and procedures, including the Harvard Information Security Policy, and we may need to invest in tools where we currently have gaps
- We expect to have a recommendation and a plan to implement by end of June

Take the following steps to improve our collective ability to keep Harvard's information assets secure:
- Formalize the School CIO's authority for information security for all IT entities in their Schools (including those that don't report to them)
- Require CISO approval of all information security staff hired in the Schools
- Require CISO approval for information security related technologies and services
- Provide common information security training to all information security staff in order to foster a common language and common security incident processes and protocols
- We can begin this immediately, pending your feedback

7 Proposed next steps
Create a more deliberate process to evaluate emerging risks that allows us to plan for a moment in time that is not well understood in the present. Three important components are:
- Engage with Harvard faculty involved in cybersecurity to create a Faculty Advisory Group for information security. One of the charges of this group would be to produce an annual "emerging risks report" for the University.
- Partner with Risk Management and Audit Services to ensure that the information security component of the institutional risk management process is more formalized and closely aligned with our work.
- Partner with the Schools to create a local information security management structure (ISMS) that helps to identify risks and align our work to address them.
- We will form the faculty advisory group shortly and create a first draft of ISMS by end of June

Produce an annual report to the Information Security Oversight Committee detailing resources and demand, current surge capacity, and any new resource requirements that we anticipate in the coming year.
- We will provide the first annual report at the end of FY17
