Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing Information Security and Compliance Four Questions and a Roadmap to Guide the Way Copyright University of Texas System, 2008. This work is.

Published byQuentin Fereday Modified over 9 years ago

Similar presentations

Presentation on theme: "Implementing Information Security and Compliance Four Questions and a Roadmap to Guide the Way Copyright University of Texas System, 2008. This work is."— Presentation transcript:

1 Implementing Information Security and Compliance Four Questions and a Roadmap to Guide the Way Copyright University of Texas System, 2008. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided this copyright statement appears on the reproduced materials. To disseminate otherwise or republish requires written permission of the authors. EDUCAUSE Security Professionals Conference 2008 Miguel Soldi msoldi@utsystem.edu Lewis Watkins, CISO lwatkins@utsystem.edu

2 Who are we? ~ 186,000 students ~ 78,000 faculty & staff 9 Academic Institutions 6 Medical Institutions U. T. System Administration U. T. Investment Management Company (UTIMCO) [a 501(c)(3) corporation to manage endowment] MISSIONS Research Instruction Patient Care Public Service 2 The University of Texas System

3 In response to repeated breaches, The University of Texas System Board of Regents launched a system-wide information security program, creating a system-wide CISO position and CISO Council. What’s Our Problem? Lost Thumb Drive Puts Data at Risk 1000’s of Records Stolen from University Database University Website Compromised University Database Breach Threatens Student Identities Hacker Steals University Data Profs Home Computer Stolen with Student ID’s and Grades 3

4 “IT Security is a monster!” Charles Chaffin, Chief Audit Executive and Compliance Officer, The University of Texas System, August 10, 2006 4 Very Thoughtfully ! How do we approach this monster? A Structured Approach is Essential!

5 Four Guiding Questions Q1 - What’s Happening? What type of incidents are occurring? What’s “not happening” that hinders security? Q2 - What’s Important? What’s most important to protect? What’s important to do in order to bolster information security? Q3 - What’s Effective? What strategies return the biggest payoff? What metrics are useful for tracking effectiveness? Q4 - What’s Next? What will we likely encounter tomorrow? What can we do now to prepare? What are we missing? 5

6 1.Most major incidents have been of three types: Lost or Stolen Computers Application Breaches (as opposed to network) Misconfigured / Poorly Patched Computers 2.Security practices vary greatly across and within our Institutions. 3.Other trends:  Perimeters dissolving  Business Partner Breaches What’s Happening? What’s happening around here? 6

7 What’s Important? Remain Focused on Mission! The mission of the information security program: Improve information security across all UT institutions, Do this in a way that is verifiable, and Help ensure compliance with information security related regulations. 7

8 What’s Important?  Service Availability  Intellectual Property  Brand Name  Privacy  Compliance Protect the Integrity of the Institution! 8

9 What’s Important? 9 Verification! At the incident level. At the Program level.

10 What’s Important? What do we mean by Information Security Compliance? HIPAA PCI FERPA GLBSOX TAC 202 We must comply with and be able to demonstrate compliance with regulations having information security requirements. With more to come! 10

11 As a prerequisite to success, it’s important to know the following: 1.the threats to your environment; 2.the location of your high risk data and information resources; 3.the architecture of your technology environment including configuration and protection state of your devices. What’s Important? 11

12 What’s Effective? Standards Metrics & Outcomes OversightTechnology A Roadmap is a useful tool for steering the program: 12

13 What’s Effective? Tasks not started Tasks underway Tasks completed Which strategies really work? 13

14 Provides the needed information for prioritizing corrective actions. Identifies the high risk data and assets Identifies the vulnerabilities Is scalable and easy to administer What’s Effective? What really needs to be protected? A Sound Risk Assessment Process that: 14

15 Ensure the Program Covers the Problem Space! 9.Data Backup and Recovery 10.Disaster Recovery 11.Incident Management 12.Physical Security 13.Device Use and Security 14.Application Development and Acquisition 15.Electronic Records Management What’s Effective? 1.Information Security Governance 2.Policies, Procedures, Standards 3.Asset / Data Classification 4.Risk Assessment and Management 5.Compliance 6.Access Management 7.Change Management 8.Configuration Management 15

16 Number: Security Practice Bulletin #2 (SPB-2) Title: Baseline Standard for Information Security Programs. Date:January 1, 2007 Purpose: Each Entity of the University of Texas System is charged with establishing and maintaining a standards and risk based Information Security Program (Security Program) that:  secures the information assets under its stewardship against unauthorized use, disclosure, modification, damage or loss to reduce risk to acceptable levels;  is documented and verifiable; and  meets regulatory compliance requirements applicable to the Entity. This bulletin identifies essential components to be included in each Entity’s Security Program. Definitions: Chief Administrative Officer: The highest ranking executive officer at each Entity. For most Entities, it is the President Security Incident: An event which results in unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources whether accidental or deliberate. (TAC 202A 202.1) Rationale: U. T. System Information Resources are to be protected based on risk and must be administered in conformance with federal and state law and The University of Texas System Regents’ Rules. This Baseline Standard Security Program is based on an analysis of state, federal and international standards for such programs and the unique characteristics of the higher education environment. Program elements are specified to ensure that each Entity’s Security Program is sufficient in scope to include the functions and activities recognized by standards bodies as being necessary to be effective. Metrics are specified to measure program implementation and effectiveness. Reporting requirements are established to ensure adequate information is provided for compliance oversight and to inform executive management regarding the status and effectiveness of programs. Expectations : 1.Each Entity of the U. T. System must establish and maintain a Security Program that includes appropriate protections, based on risk, for all Information Resources owned, leased, or under the custodianship, including outsourced resources, of any department, operating unit, or employee of the Entity. 2.Each Security Program must be documented and include the following:  The Security Program elements included in this bulletin as prioritized and documented by the Entity based on risk (See Document 1 below),  Documented strategies to address the elements of the Security Program,  The Security Program Metrics specified in this bulletin to be reported to U. T. System at intervals as indicated in this bulletin (See Document 2 below).  Documented action plans, training plans, and monitoring plans,  Reports and timelines (See Document 3 below) o Quarterly Information Security Program Status reports submitted to the U. T. System CISO o Annual Status Report submitted to the Chief Administrative Officer and copied to the, Entity’s CIO and Compliance Officer and the U. T. System CISO by October 31 st following close of the previous fiscal year. 1.Each Entity must collect required metrics data in ways that are documented and verifiable. An explanation must be provided for any metric for which data cannot be collected. 2.The Entity’s Chief Administrative Officer or his or her designated representative(s) must formally approve the Security Program. 3.The Entity’s CISO or ISO will administer the Entity’s Information Security Program with cooperation of organizational units within the Entity that may hold functional responsibility relating to specific program elements. Exceptions: There are no exceptions to the establishment and maintenance of an Entity’s Security Program. It is recognized that gaps may exist between Program elements and an Entity’s Program as deployed. Gaps are to be explained and documented in the Security Program document(s) submitted to the Chief Administrative Officer for approval. Gaps are to be addressed, based on risk, as soon as practical. Intra-Entity Exceptions: Circumstances within a specific organizational unit(s) within an Entity may require an exception to specific elements of the program. These must be documented and justified by the Owner of the Information Resource and the Entity’s CISO or ISO. Documents: 1.U. T. System Information Security Program Elements 2.U. T. System Information Security Program Metrics 3.U. T. System Information Security Program Report Templates (TBD) Baseline Standard for Information Security Program s Programs are to be Entity- wide in Scope Decisions are to be “Risk Based” Programs are to be documented (physical docs) Program’s components and reports must be verifiable Programs will be formally approved. Clearly define what must be included in a program. 16

17 What’s Effective? 1.Number of Computing Devices 2.Configuration Visibility 3.Encryption Deployment 4.Anti-virus/malware Deployment 5.Number of Outreach Activities 6.Number of Assurance Activities 7.Number of Incidents 9.Incident Costs 10.Systems Lacking Disaster Recovery Plan 11.Number of Employees Receiving Basic Training 12.Number of Technical Employees receiving Specialized Training. 13.Information Security Budget 14.Compliance for TAC 202, UTS 165, HIPAA, PCI Measure Activity and Progress 17

18 What’s Effective? Audit and Compliance Involvement “Industry leaders are conducting internal audit and IT security monitoring eight times more frequently than are the industry laggards and five times more frequently than firms operating at industry norm.” Improving IT Compliance 2006 IT Compliance Benchmark Report Symantec Corporation Vulnerabilities must be discovered and acknowledged to be addressed. Things that get measured, audited, and/or reviewed get attended to. 18

19 What’s Effective? CISO Leadership Security and IT Teams Community Where deficiencies exist, the task becomes one of addressing the deficiency. Will Support Permission Trust Skill People 70%, Technology 30% Knowledge Institution, Culture, Compliance, Risks, Technology Governance Roles & Responsibilities, Decentralized IT Staff Resources People, Time, Money, Technology, Base Infrastructure Getting the Ingredients required for success? 19

20 What’s Next? Assume the SSN problem is solved. What are the emerging threats that we need to prepare for? How do we address these before the big event? How does an evolving social and technology world affect our security strategies?  Assume the enterprise has no boundary.  Assume all data is encrypted at rest and in motion. I wonder what they will do next? 20

21 Questions? Miguel Soldi msoldi@utsystem.edu Lewis Watkins, CISO lwatkins@utsystem.edu 21

Download ppt "Implementing Information Security and Compliance Four Questions and a Roadmap to Guide the Way Copyright University of Texas System, 2008. This work is."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
SL21 Information Security Board Mission, Goals and Guiding Principles.

SL21 Information Security Board Mission, Goals and Guiding Principles.
Security and Personnel

Security and Personnel
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.

University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Pam Downs Ajay Gupta The Pennsylvania Prince George’s State University Community College Copyright Penn State University-2008. This work is the intellectual.

Pam Downs Ajay Gupta The Pennsylvania Prince George’s State University Community College "Copyright Penn State University This work is the intellectual.
IT Strategic Planning From Technical Dreams to Institutional Reality

IT Strategic Planning From Technical Dreams to Institutional Reality
1 IT Security-related Legislation Judy Borreson Caruso CUMREC 2004 May 18, 2004 Copyright Judy Borreson Caruso, 2004. This work is the intellectual property.

1 IT Security-related Legislation Judy Borreson Caruso CUMREC 2004 May 18, 2004 Copyright Judy Borreson Caruso, This work is the intellectual property.
Session 3 – Information Security Policies

Session 3 – Information Security Policies

Similar presentations

Ads by Google