Security Assessments for Information Technology
Educause Security 2006 © Baylor University 2006
Bob Hartland, Director of IT Servers and Network Services


Slide 1: Security Assessments for Information Technology
By Bob Hartland, Director of IT Servers and Network Services, and Jon Allen, Information Security Officer

Slide 2: Baylor University
- Chartered in 1845
- Largest Baptist university in the world
- 13,799 students
- 2,000 full-time employees
- 85 buildings networked
- Waco, Texas

Slide 3: Organizational Chart
- Reagan Ramsower, CIO/CFO
- Bob Hartland, Director of IT Servers and Networking Systems: Data Network, Voice Network, Video Network, Servers
- Jon Allen, Information Security Officer

Slide 4: BU Network 2005 (network diagram)

Slide 5: Why an Assessment?
- Several high-profile security compromises in the news.
- Potential identity theft issues for clientele
- Legal costs
- Public relations nightmare
- Helps you stay out of the news!
- Defines a risk-level baseline

Slide 6: Choosing a Vendor

Slide 7: Why an outside vendor?
- Struggled with even making the recommendation
- Better equipped to handle a complex environment.
- Documentation: a formal report
  - Good: documents your vulnerabilities and gets your people engaged.
  - Bad: documents your vulnerabilities and you are now on the hook.
- Unbiased look at your system
- Best-of-breed expertise

Slide 8: Three Types of Vendors: Tier Three
- Simple scans (commercial or open-source packages)
- Predefined scopes
- Inside scans only
- No verification of vulnerabilities
- Canned report with little insight
- Relatively inexpensive

Slide 9: Three Types of Vendors: Tier Two
- Simple scans (commercial or open-source packages)
- Scope is somewhat limited
- Both inside and outside scans
- Some verification of vulnerabilities
- Thorough report
- Medium to high cost

Slide 10: Three Types of Vendors: Tier One
- Scans are customizable
- Scope is customizable
- Both inside and outside scans
- Full verification of vulnerabilities
- Detailed report with recommended course of action
- Higher cost

Slide 11: Planning

Slide 12: Defining the Assessment
- Define scope before picking a vendor
- Exercise non-disclosure to protect both parties
- Redefine scope after meeting with the chosen vendor
- Identify critical systems with associated timelines
- Predefine areas of potential issues
- Identify a point person to handle issues
- Schedule update meetings
- Develop a project plan with an associated timeline

Slide 13: Key Components of Offsite Assessment
- Strong test of detection technologies on the Internet connection
- Know the source IP address space the assessment will originate from
- Should not be a drag on bandwidth
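Knowing the assessor's source address space ahead of time is what lets the security team measure its detection technologies during the offsite scan: events from the declared ranges show what the perimeter saw of the assessment, while everything else still needs normal triage. The following Python script is an added illustration of that triage, not code from the presentation or from Baylor University; the assessor CIDRs, the firewall log format and the log lines are all constructed for the example (documentation-range addresses, not real assessor space).

```python
import ipaddress
from collections import Counter

# Constructed example: the address space the vendor declared the offsite
# assessment would originate from (hypothetical CIDRs from RFC 5737 ranges).
ASSESSOR_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/26"),
]

# Constructed sample of border-firewall log lines in a made-up format:
# "<timestamp> <source IP> <destination IP:port> <action>"
SAMPLE_LOG = """\
2006-04-10T02:15:01 198.51.100.17 10.20.0.5:22 DENY
2006-04-10T02:15:02 198.51.100.17 10.20.0.5:23 DENY
2006-04-10T02:15:03 198.51.100.17 10.20.0.5:80 ALLOW
2006-04-10T02:16:44 203.0.113.9 10.20.0.8:443 ALLOW
2006-04-10T03:01:10 192.0.2.77 10.20.0.5:445 DENY
2006-04-10T03:01:11 192.0.2.77 10.20.0.6:445 DENY
2006-04-10T03:01:12 192.0.2.77 10.20.0.7:445 DENY
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, action = parts
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    return {"ts": ts, "src": src_ip, "dst": dst, "action": action}


def classify_source(ip):
    """Label a source as 'assessment' if it falls in a declared assessor range."""
    if any(ip in net for net in ASSESSOR_RANGES):
        return "assessment"
    return "unattributed"


def triage(log_text, threshold=3):
    """Count events per source, label each source, and list the unattributed
    sources that reached `threshold` events (the ones still needing a
    normal incident review during the assessment window)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            hits[rec["src"]] += 1
    summary = {
        str(ip): {"events": n, "label": classify_source(ip)}
        for ip, n in hits.items()
    }
    escalate = sorted(
        str(ip) for ip, n in hits.items()
        if classify_source(ip) == "unattributed" and n >= threshold
    )
    return summary, escalate


if __name__ == "__main__":
    summary, escalate = triage(SAMPLE_LOG)
    for ip, info in sorted(summary.items()):
        print(f"{ip:16} {info['label']:13} events={info['events']}")
    print("escalate:", escalate)
```

The labelled summary doubles as a detection-coverage record: if the assessor's later report lists activity from a declared range that never appeared in the perimeter logs, that gap is itself a finding about the detection technologies being tested.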

Slide 14: Key Components of Onsite Assessment
- Make sure to know the requirements and have a site ready for the consultants
- The site should be separate from IT staff to avoid raising suspicion
- The network connection should be open to access the systems to be targeted

Slide 15: Baylor's Assessment
- 2-week external scan
- 2-week internal scan
- 1 week of personnel interviews
- 1 week of social engineering
- Scan included the PBX
- Draft report with meeting
- Final report and presentation

Slide 16: Getting Started

Slide 17: Follow the Plan

Slide 18: Assessment Execution
- Remember: confidentiality about the assessment happening will give a more realistic snapshot of security
- Make sure that DPS and at least one lead IT administrator are aware
- Clearly define the order of the assessment to limit the occurrence of unexpected outages

Slide 19: Daily Reviews
- Make sure to keep aware of how the assessment is progressing
- React if necessary to glaring critical issues discovered
- Timelines may need to be adjusted due to extended scan times

Slide 20: The results are in... which direction are you headed?

Slide 21: Vulnerabilities Identified
- Technical
- Behavioral

Slide 22: Remediation
- All your dirty laundry is now exposed
- Be inclusive with the findings: executives, IT departments, school/department IT managers, General Counsel
- Prioritize the vulnerabilities to be resolved by vulnerability severity, resource cost and business impact
- Set schedules and milestones
- Create a response document to the assessment discoveries

Slide 23: By-products
- Security team
- Security training
- Security awareness campaign

Slide 24: Was it worth it?

Slide 25: Desired Results Achieved
- Got the attention of the right people
- Documented a baseline
- Remediation of exposed issues
- Long-term strategy

Slide 26: Looking Forward
- A multiyear agreement can reduce cost.
- Assessment follow-ups will allow for trending data to show policy and remediation impact
- Assessments do not replace normal security vigilance

Slide 27: Questions?
Speakers:
- Bob Hartland, Director for IT Servers and Network Services, Bob_Hartland@Baylor.edu
- Jon Allen, Information Security Officer, Jon_Allen@Baylor.edu
