Information Security at Waterloo: Past, Present, and Future Jason A. Testart, BMath, CISSP Director, Information Security Services Information Systems.


1 Information Security at Waterloo: Past, Present, and Future Jason A. Testart, BMath, CISSP Director, Information Security Services Information Systems & Technology

2 Hacked by an iron. #watitis2013

4 Five Eyes #watitis2013

7 Security Portfolio: 1998
A single FTE
UWDir (identity management)
Best Practices for OS and Application Security
Awareness
Certificate Authority

8 Security Portfolio: 2008
A single FTE
Best Practices for OS and Application Security
Awareness
Certificate Authority
Compliance (PCI DSS, FIPPA)
Network Security

9 Tools: 2008
Netflow for IDS
Nessus scanner
Focus on baselines
Email for incident response
Email for certificate management

10 Status 2011
Added 4 FTEs (5 total)
Renamed “Information Security Services”
Security reports to senior IT leader
Security Operations Centre
Policy 8 approved and in force
More formal incident response (RTIR)

11 2011 continued
VPN
Self-serve certificates (Globalsign)
Proactive vulnerability management
–AppScan
–QualysGuard
Encryption support
Investigations support

12 2012/2013
NetID
SIEM (log correlation)
Metasploit
Threat Intelligence

13 2014 and Beyond
Evolve current capabilities in IDS, IR, and vulnerability management
More standards (all layers of the stack)
PSIA
WatIAM:TNG / IAMNG
More compliance
–Anti-spam law
–New copyright legislation

14 ISS Previous Structure
Director
Systems Integration Specialist

15 ISS Current Structure
Director
Manager, Information Security Operations
Security Operations Analyst (co-op student)
Information Security Specialist
IAM Specialist

16 Key Partnerships
Secretariat
–Privacy
–Records Management
–Law
IST Portfolio Group
–Policy, Standards, Compliance, Risk Management
Finance
–PCI DSS Compliance
Office of Research
–Compliance
UW Police
–Investigations

17 PSIA
What is it?
–Mechanism for the identification, assessment, and mitigation of privacy and security risks for information-centric university initiatives
–Assessors: Privacy Officer, Information Security Officer

18 Proposed PSIA Process
Stage of Initiative | Privacy Action(s) | Security Action(s) | Sign-off?
Proposal/Business Case | Review/Assess | Review | Sponsor + Privacy
Solution Design (or “RFP Response”) | Review/Assess | Sponsor/Project Team + Privacy + Security
Development/Pre-production | Review/Assess | Project Team + Security
Implementation/Production | Review | Sponsor + Project Team + Privacy + Security

19 Jason’s Principles of Identity Management
1. A person can assume more than one role at one time (badges, not hats).
2. There is no “primary role”.
3. Every role has a sponsor (i.e. someone needs to attest to you being here).
4. “Expired” means you are status VSA.

20 Identity Management
1. Enumerate roles
2. Determine lifecycles of each role
3. Business process analysis
4. Requirements definition
5. Architecture
6. RFP

21 Access Management
CAS may not be the ultimate solution.
Centralize/automate where possible.
Require multi-factor authentication for certain types of access/transactions.
Approach the problem with EA-like abstractions.

22 Enterprise Architecture (Zachman) (from zachman.com)

23 Networking Models

24 Testart’s EA-Lite
Business View → Logical View → Physical View

25 EA-Lite for Access Control
Role Definition/Requirements → ACL in generic language → Implementation

26 Simplified Example
Business view (role definition): Academic Advisor
–Bio+Marks: RO access
–Program/Plan: RW access
Physical view (implementation):
–PeopleSoft security controls
–Online Advising Tool (OAT) ACLs
–Active Directory security group
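The three EA-Lite layers on the slide, as an added illustration that is not part of the original presentation: the Academic Advisor role requirements are expanded into a system-independent ACL, and each implementing system's grants are compared against it so that over-grants (least-privilege violations) and under-grants show up as drift. The per-system grants are constructed sample data, not real Waterloo configuration, and the assumption that each system should enforce the role's rights for the resources it hosts is mine.

```python
"""EA-Lite access control: business role -> logical ACL -> implementation drift check."""

# Business view (from the slide): one role, two resources, generic access levels.
ROLE_REQUIREMENTS = {
    "Academic Advisor": {"Bio+Marks": "RO", "Program/Plan": "RW"},
}

# Logical view: expand each generic access level into concrete rights.
ACCESS_LEVELS = {"RO": {"read"}, "RW": {"read", "write"}}


def logical_acl(role):
    """Translate a role's requirements into a system-independent ACL."""
    return {resource: set(ACCESS_LEVELS[level])
            for resource, level in ROLE_REQUIREMENTS[role].items()}


# Physical view: what each target system actually grants the role's principals.
# Constructed sample data; the OAT and AD entries are deliberately out of sync.
IMPLEMENTATIONS = {
    "PeopleSoft security controls": {"Bio+Marks": {"read"},
                                     "Program/Plan": {"read", "write"}},
    "OAT ACLs": {"Bio+Marks": {"read", "write"},          # over-grant: write on marks
                 "Program/Plan": {"read", "write"}},
    "Active Directory security group": {"Program/Plan": {"read"}},  # under-grant
}


def check_drift(role, implementations=IMPLEMENTATIONS):
    """Compare each implementation against the logical ACL for one role.

    Only resources a system actually hosts are compared (assumption: a system
    need not know about resources it does not hold). Returns, per system,
    'excess' rights (granted but not in the ACL) and 'missing' rights
    (in the ACL but not granted), each keyed by resource.
    """
    spec = logical_acl(role)
    findings = {}
    for system, granted in implementations.items():
        excess, missing = {}, {}
        for resource, have in granted.items():
            want = spec.get(resource, set())
            if have - want:
                excess[resource] = sorted(have - want)
            if want - have:
                missing[resource] = sorted(want - have)
        findings[system] = {"excess": excess, "missing": missing}
    return findings


if __name__ == "__main__":
    for system, finding in check_drift("Academic Advisor").items():
        print(system, finding)
```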

27 For your consideration…
ISS is not just about IT infrastructure.
Let us know about current challenges you see with WatIAM.
Stay tuned for the potential IT impact of new legislation.
You MUST report breaches. We have legal obligations to uphold.

28 THANK YOU
Jason Testart
Email: jason.testart@uwaterloo.ca
Telephone: Ext. 38393
