
Designing Services for Security: Information Security Management throughout the Service Lifecycle. Sarah Irwin & Craig Haynal, 2015 Penn State Security Conference, October 14, 2015

Presentation transcript:

1 Designing Services for Security: Information Security Management throughout the Service Lifecycle Sarah Irwin & Craig Haynal 2015 Penn State Security Conference, October 14, 2015

2 Session Roadmap Security Landscape Current Challenges Service Management at Penn State Designing for Security Call to Action

3 Security Landscape

4 When I say “Sensitive Data”… You probably think of: (Photo credits: frankleleon; NEC Corporation of America; Alan Levine; GotCredit)

5 You probably also think of: http://www.databreachtoday.com/experian-faces-congressional-scrutiny-over-breach-a-8580 / http://www.databreachtoday.com/etrade-dow-jones-issue-breach-alerts-a-8586

6 www.target.com

7 www.homedepot.com

8 http://www.engr.psu.edu/

9 http://www.la.psu.edu/

10 Traditionally… Sensitive data includes things like: Personally identifiable information (PII); Payment Card Industry (PCI) data; Health Insurance Portability and Accountability Act (HIPAA) data; Family Educational Rights and Privacy Act (FERPA) data

11 But it’s more than just PII
Research: Human subjects; Deductive disclosure risk; Contract data; Geographic IDs
Student information: Transgender community; Confidentiality holds; Mental health counseling
Administrative: HR records; Budget information; Salary and review information
Laws and Regulations: Federal and state laws and regs; University policies; Third party contracts

12 It’s also becoming more prevalent

13 Current Challenges

14 Our Data Security Environment Highly decentralized, disparate IT environments and support Inconsistent standards and policies Lack of awareness and understanding

15 Pain Points
IT: Lack of communication or notice between IT and users; IT is an afterthought, typically brought in after the project starts; Historic lack of trust that IT can provide what users need
Users: Currently, few central IT services for restricted data; Local IT staff assist in some colleges/departments; Many users left to sort out IT needs on their own

16 Secure Technology + Safe People + Sound Process = Security

17 Reactive IT

18 Retrofitting

19 Service Management at Penn State

20 IT Services: People, Technology, Process

21 Services: A means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks. Service ≠ Product. Unlike products, services often have no intrinsic value.

22 Service Management at Penn State
IT Transformation Program (ITX): The program tasked with developing and implementing the Penn State Service Management Program.
Penn State Service Management Program (PSSMP): An accepted standard for University service models, processes, and tools that improves the consistency and efficiency of Penn State services. By using a common language and set of procedures, Penn State units will unite in providing efficient, high-level customer service, while reducing service redundancy and cost across the University.

23 ITIL Framework: Service Strategy; Service Design; Service Transition; Service Operation; Continual Service Improvement

24 ITX/PSSMP Processes
Current: Incident Management; Change Management; Service Catalog Management; Request Fulfillment
Future: Service Portfolio Management; Project Portfolio Management; Resource Portfolio Management; Knowledge Management; Problem Management; Project Management; Service Asset and Configuration Management

25 ITX/PSSMP Processes – Greatest Security Impact
Current: Incident Management; Change Management; Service Catalog Management; Request Fulfillment
Future: Service Portfolio Management; Project Portfolio Management; Resource Portfolio Management; Knowledge Management; Problem Management; Project Management; Service Asset and Configuration Management


27 Designing for Security

28 Designing Services

29 Warranty: Availability, Capacity, Continuity, Security → Quality Service

30 Value = Utility + Warranty

31 Design Coordination
Overall service design process: Define & maintain policies and methods; Plan design resources and capabilities; Coordinate design activities; Manage design risks & issues; Improve service design
Per design process: Plan individual design; Coordinate individual design; Monitor individual design; Review design and ensure handover of service design package

32 Service Design Package
Major components: Requirements; Service design; Organizational readiness assessment; Service lifecycle plan
Security checkpoints: Gather security requirements; Plan for security; Ensure adequate security training; Incorporate security checkpoints into the plan

33 Information Security Management System: Control, Plan, Implement, Evaluate, Maintain

34 Information Security Management (design focus and operation focus): Produce/maintain information security policy; Assess/categorize risks and vulnerabilities; Report security risks and threats; Implement/review security controls and risk mitigation; Monitor/manage security incidents; Enforce security policy; Review/report/reduce security incidents

35 Security management information system (SMIS): Information security policy; Security reports and information; Security controls; Security risks and responses

36 RESILIA™ Cyber Resilience Best Practice: A practical framework for building and managing cyber resilience, reflecting the changing need not only to detect and protect against cyber-attacks but also to respond and recover from them. Provides security guidance aligned with the service lifecycle from the ITIL books: Service strategy; Service design; Service transition; Service operation; Continual service improvement

37 Call to Action

38 Start Small: Learn
Learn about Penn State’s policies that pertain to security, especially data categorization: http://guru.psu.edu/policies/AD71.html (and the related guideline: http://guru.psu.edu/policies/ADG07.html)
Understand the minimum security baseline and be ready to incorporate it into your services: http://sos.its.psu.edu/minimum-security-baseline.html

39 Focus on People
Have conversations about the types of data that will be handled by IT services up front.
You may have to educate your customers and users on data categorization in order to discover their information security needs.
Negotiate the right level of security before you plan, purchase, or build anything.
Always plan for user education, especially when it comes to securely using services.

40 Design Better Services
Plan your services; don’t just rush to solutions without fully understanding the problems, particularly when it comes to security.
Remember that good IT services focus on helping customers achieve outcomes and consider people and process in addition to technology.
Make sure your services not only have the needed features (utility) but also live up to their commitments (warranty).
Taking the time to design services for security will be much less expensive than retrofitting or replacing them later.

41 Any Questions?

