Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.


1 Information Resources and Communications University of California, Office of the President
System-Wide Strategies for Achieving IT Security at the University of California
David Walker, Jacqueline Craig
Office of the President, University of California
© Copyright Regents of the University of California 2006. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors.

2 University of California System: Distributed Autonomy
- 10 campuses
- 5 medical centers
- 3 national laboratories

3 University of California System: Abundant Opportunity for Security Breaches
- 200,00 students
- 53,000 academic employees
- 117,000 staff
- Number of Network nodes? 500,000?

4 University of California in the News
- Security breaches involving highly sensitive information
  - Stolen laptop: 98,000 records
  - Exploit of known vulnerability: 800,000+ records
  - System compromise: 387,000 records

5 UC President demands solutions
- University-wide Security Workgroup Formed
  - Professors
  - Vice Chancellors and Deans
  - General Counsel
  - Security Officers
  - Chief Information Officers and Directors

6 Security Workgroup Recommendations
- Leadership actions to achieve accountability
- University-wide communication, security education and training
- Stronger IT security policies
  - Minimum connectivity standards and guidelines
- Risk assessment guidelines and mitigation
  - Focus on both academic and administrative strategies
- Campus-based encryption strategies
- Improved security incident guidelines

7 Recommendations for Campus Strategies
- Encryption
- Forensics
  - Incident Response
  - Audit Logs

8 Encryption

9 Encryption
- “...encryption is the process of obscuring information to make it unreadable without special knowledge.” - Wikipedia
  - In general, the “special knowledge” is an encryption key.
- Encryption is a powerful tool, but not a panacea.
- Encryption at the University of California: Overview and Recommendations

10 Things You Can Do with Data
- There are three things you can do with data
  - Store
  - Transmit
  - Process

11 Things You Can Protect with Encryption

12 Encryption for Data Storage
- Restricted data should be encrypted when stored in a location that does not have appropriate physical security and access controls.
  - Whole disk encryption (mobile devices)
  - File encryption
  - Database encryption
- Potential need for encrypted backups
  - Key management

13 Encryption for Data Transmission
- Restricted data should be encrypted when it is transmitted across an untrusted network, and very few networks can be trusted. For example,
  - File transfers
  - Electronic mail
  - Network printer communication
  - Remote file services
  - Virtual private network (VPN)

14 Key Management
- Improper loss or disclosure of encryption keys can result in improper loss or disclosure of data.
- Must consider:
  - Access to data in the event of lost keys
  - Improper disclosure of keys
  - Unique responsibilities of people charged with custody of keys

15 International Considerations for Encryption
- Some governments (e.g., China, Korea, and Israel) regulate the import and use of encryption technology.
- The United States regulates the export of encryption software source code.

16 Selected Recommendations for Encryption - 1
- All copies of restricted data must be assessed.
  - Shadow copies
  - Spreadsheets
  - Backups
- Implement “whole disk” encryption for mobile devices.

17 Selected Recommendations for Encryption - 2
- Network printer communication should be encrypted, and the printer should be in a secure location.
- Network file service communication should be encrypted (e.g., WebDAV).
- Campuses should implement central key management infrastructures.

18 Incident Response

19 Incident Response
- problem management or security incident?
  - workflow plan
  - communication plan
- security breach or unauthorized disclosure?
  - system compromise
  - software design/configuration errors
  - stolen equipment
  - user (operator) error


21 Incident Response
- Initial Steps
  - communicate to appropriate staff, team, others as required
  - maintain a log of actions
  - secure the area/facility
  - determine need for forensics analysis; collect forensic information
  - regain control and analyze
- See http://www.ucop.edu/irc/itsec/uc/incident_handling.html

22 Investigations and Notification Determination
- Forensics
  - Use of vendor service to ensure chain-of-evidence? Establish a standing agreement to facilitate instant services
  - Audit log analysis: Logs are a more likely source of information. Challenge: find congruence to track the path.

23 Log Management

24 Log Management
- Most components of an IT infrastructure are capable of producing logs chronicling their activity over time.
  - Application logs
  - System logs
  - Network device logs
  - Change management logs
  - Other logs (surveillance, physical access, etc.)
- Log Management for the University of California: Issues and Recommendations

25 Log Management Overview

26 Uses for Logs
- Useful both for long-term baseline analysis and incident investigation
  - Access
  - Change Monitoring
  - Cost Allocation
  - Malfunction
  - Resource Utilization
  - Security Events
  - User Activity

27 Application Log Content
- The business operation that was requested
- Whether the request was accepted or denied
- The time and date the operation was performed
- Who initiated the operation
- System and network resources used
- Any information needed for business process controls
- Client hardware and software characteristics

28 System Log Content
- The server operation that was requested
- Whether the request was accepted or denied
- The time and date the operation was performed (Start and end times, or duration, may be appropriate for long operations.)
- Who and/or what system initiated the operation
- System and network resources used

29 Network Device Log Content
- Network (IP) addresses of the end points
- Service identifiers (port numbers) for each of the end points
- Whether the flow was accepted or denied
- Date, time, and duration of the flow
- Number of packets and bytes used by the flow

30 Log Record Life-Cycle Management
- Logs are University records, subject to the requirements of the University Records Management Program to ensure that they are “...appropriately managed and preserved, and can be retrieved as needed.”
- Retention periods must balance the following
  - confidentiality of specific individuals' activities
  - the need to support investigations
  - the cost of retaining the records

31 Functions of a Log Management Infrastructure
- move log records into the infrastructure
- provide secure storage for the records
- implement record retention policies
- facilitate access to log records
- provide analysis tools that enable correlations among records from multiple sources
- protect the chain of evidence for the possibility that log records are used in legal proceedings

32 Selected Recommendations for Log Management - 1
- A network time protocol should be used to enable relation of log records from multiple sources.
- Procedures should be in place to ensure that baseline analyses are reviewed on a regular and timely basis.

33 Selected Recommendations for Log Management - 2
- For investigations, preparations should be made to perform ad hoc queries against multiple sources of information, based on criteria such as the following:
  - Source(s) of the log records
  - Time
  - Network address
  - Application or service
  - User
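
An added example, not part of the original presentation: a minimal ad hoc query over application, system and network device records using the criteria from the last slide, with timestamps normalized to UTC so that records from sources logging in different time zones can be related. The record schema, field names and sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records. The field names are assumptions of this example,
# modelled on the slides' application, system and network device log content.
RECORDS = [
    {"source": "netflow", "time": "2006-03-01T10:15:02-08:00", "src_ip": "192.0.2.44",
     "dst_ip": "198.51.100.10", "service": "443", "result": "accepted"},
    {"source": "system", "time": "2006-03-01T18:15:04+00:00", "address": "192.0.2.44",
     "service": "sshd", "user": "jdoe", "result": "accepted"},
    {"source": "application", "time": "2006-03-01T18:15:09+00:00", "address": "192.0.2.44",
     "service": "payroll", "user": "jdoe", "result": "denied"},
    {"source": "netflow", "time": "2006-03-01T10:40:00-08:00", "src_ip": "203.0.113.7",
     "dst_ip": "198.51.100.10", "service": "443", "result": "accepted"},
]

def normalize(rec):
    """Copy a record with a UTC timestamp and the set of addresses it mentions."""
    out = dict(rec)
    out["time"] = datetime.fromisoformat(rec["time"]).astimezone(timezone.utc)
    out["addresses"] = {rec[k] for k in ("src_ip", "dst_ip", "address") if k in rec}
    return out

def query(records, sources=None, start=None, end=None,
          address=None, service=None, user=None):
    """Ad hoc query across all sources; every criterion is optional."""
    hits = []
    for rec in map(normalize, records):
        if ((sources and rec["source"] not in sources)
                or (start and rec["time"] < start) or (end and rec["time"] > end)
                or (address and address not in rec["addresses"])
                or (service and rec.get("service") != service)
                or (user and rec.get("user") != user)):
            continue
        hits.append(rec)
    return sorted(hits, key=lambda r: r["time"])

def pivot_on_user(records, user, window=timedelta(seconds=30)):
    """Find a user's records, then every record sharing an address close in time."""
    related = {}
    for seed in query(records, user=user):
        for addr in seed["addresses"]:
            for rec in query(records, start=seed["time"] - window,
                             end=seed["time"] + window, address=addr):
                related[(rec["source"], rec["time"], rec.get("service"))] = rec
    return sorted(related.values(), key=lambda r: r["time"])
```

The pivot only lines up the network flow with the login and the application request because all three timestamps are comparable after conversion to UTC, which is what synchronized clocks make possible.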

