
Peer Cybersecurity Assessments: For and by Higher Education

Presentation on theme: "Peer Cybersecurity Assessments: For and by Higher Education"— Presentation transcript:

1 Peer Cybersecurity Assessments: For and by Higher Education

2 REN-ISAC Peer Assessment Service*
Assessment domains:
- Security Policy
- Security Operations
- Organization of Security
- Communications and Operations Management
- Information Systems Acquisition, Development, and Maintenance
- Incident Response
- Identity Management and Access
- Human Resources Security
- Compliance
- Physical Security
- Business Continuity Planning

*Assessment methodology and materials copyright 2019 by The Research and Education Network Information Sharing and Analysis Center (REN-ISAC) and the Trustees of Indiana University.

3 Report outline
- Introduction
- Executive Summary
- Policy Administration
- Organization
  - Internal Organization
  - Centralization/Decentralization
- Asset Management
  - Responsibility for Assets
  - Information Classification
- Human Resources Security
  - Orientation
- Physical and Environmental Security
- Identity and Access Control
  - Identity Management
  - Authentication
  - Privileged Accounts
  - Network Access Control and Registration
- Information Systems Acquisition, Development, and Maintenance
  - Systems Procurement
  - Database Management
  - Endpoint Management
  - Vulnerability Management
  - Third Party Patch Management
  - Security of Equipment Off-Premises
  - Security in Development and Support Processes
  - External Parties and Cloud Services
  - Storage
- Business Continuity Planning
- Compliance Management
  - FERPA
  - Red Flags Rule (FTC 16 CFR 681)
  - GDPR
  - Controlled Unclassified Information (CUI) and NIST
  - Gramm-Leach-Bliley Act (GLBA) and NIST
  - PCI DSS
  - HIPAA
- Security Operations
  - Building a Security Operations Team
  - Risk Assessment
  - Protective Processes & Procedures
  - Protective Technology
  - Security Continuous Monitoring
  - Response
  - Day-to-day Activities of Security Operations
- Information Security Incident Response
  - Report Intake
  - Expert Triage
  - Calling an Incident
  - Incident Response Planning and Execution
  - Team Logistics
  - Information Sharing
  - Notifications and Reporting
  - Containment, Eradication, and Recovery
  - Follow-Up Activities
  - Select Incident Response References
- General Higher Education Compliance Obligations

4 Assessment Structure – 4-5 weeks
1. Develop Statement of Work
2. Perform Pre-Discovery
3. Conduct Site Visit – usually 3-4 days
4. Follow-up Questions
5. Writing Narrative
6. Inserting and prioritizing recommendations with NIST references
7. Sharing Draft with the CIO
8. Finalizing Report
Report content belongs to the university or college being assessed.

5 Peer Assessors
- Assessors are long-time CISOs or CIOs employed by, or recently retired from, universities or colleges
- Teams are usually 2-4 people, depending on the needs of the campus being assessed
- Campuses are informed in advance of assessor assignments
  - The campus does not have approval over assignments
  - The campus can point out conflicts of interest or other issues

6 Add-ons: In-depth analysis
- Incident Response
- Security Operations
- Policies
- Compliance
- Future: Penetration Testing

7 Historical Assessments
- 20+ assessments, 17 unique organizations
- Variety of sizes, from non-Carnegie-classified institutions through very large R1s
- CIOs' interest in security varies widely
- Capabilities of CISOs and security staff vary widely
- There is usually a disconnect between the CIO and the CISO
  - The CIO has usually not told the CISO what to prioritize, and CISOs often take it upon themselves to decide
  - CISOs sometimes take on functions beyond those typical to securing the realm
  - The CISO then doesn't have enough resources…

8 From aggregate experience: 5 Security-Related Problem Areas in Higher Education
1. Senior leadership of campuses are not fully aware of risks
2. Security programs aren't deliberately planned and organized
3. Incident response is ad hoc
4. Data management structure isn't defined or followed
5. Decentralized IT environments aren't considered in risk assessments

9 Session Evaluations
There are two ways to access the session and presenter evaluations:
1. In the online agenda, click on the "Evaluate Session" link
2. From the mobile app, click on the session you want from the schedule, then click the associated resources, and the evaluation will pop up in the list
