FY06 First Quarter Update - PowerPoint PPT Presentation

About This Presentation
Title:

FY06 First Quarter Update

Description:

Preservation of the confidentiality, integrity and availability of UFHSC ... Comm Closets Access Device Issuance Procedure. August, 2005. FY06 First Quarter Update ... – PowerPoint PPT presentation

Slides: 37
Provided by: WINXP4

Transcript and Presenter's Notes


1
FY06 First Quarter Update
  • Implementation Plan

2
Agenda
  • Vision
  • Mission
  • Current Situation
  • Common Goals, and SPICE Unit Objectives
  • Workshops, Procedures and Communication
  • Unit Implementation Plan
  • Network Security Update

3
Vision
SECURITY IS ROUTINE
  • Near extinction of external threat incidents
  • Recoverability is standard operating procedure
  • Secure accessibility for authorized users

4
Mission
  • Preservation of the confidentiality, integrity
    and availability of UFHSC restricted and critical
    information.

5
Current Situation
  • Challenges
      • Largely incident driven and reactive
      • Highly decentralized
      • Uneducated User
      • Frail processes, sparse documentation
      • Pockets of unknown ownership or thin ISA/ISM coverage
  • Assets
      • Policies and standards
      • ISA and ISM structure
      • Aware User
      • Solid security practices in some Units
      • SPICE Council

6
6 Common Security Goals
  • Handle incidents
  • Plan and be ready
  • Train end users
  • Harden the IT infrastructure
  • Control access
  • Evaluate security of new products and services

Incident Driven
Forms our Future

7
Goal: Handle Incidents
  • Through an effective security incident response
    and reporting process
  • Provide a metric to measure the effectiveness of
    the security program, and
  • Demonstrate continuous improvement in our ability
    to handle and learn from security incidents.

8
Unit: Handle Incidents
  • Publish Unit IR process procedure
  • Respond to alerts
  • Report your incidents
  • Respond to, document, investigate and close your
    incidents

9
Program: Handle Incidents
  • Alerts
  • Install/configure/test IR tracking system
  • IR workshop
  • IR process procedure implementation
  • Level 2 & 3 IR coordination documentation
  • Satisfy UF IR requirements for HSC
  • IR reports

10
Goal: Plan and be ready
Know what we have and how important it is to
protect, where it is located, and what must be
done in the event of a reasonably anticipated
threat or hazard.

11
Unit: Plan and be ready
  • Classify your information types
  • Identify and inventory your information systems
  • Identify your crucial assets
  • Evaluate your physical environment
  • Execute backup and secure offsite store process
  • Test full system restore process (workstation
    image and server)
  • Prepare for likely hazard events of
  • Water damage to your crucial system or
    non-electronic restricted or critical information
    asset
  • Major hardware failure of your crucial systems
    server
  • Compromise or infection of your crucial systems
    server
  • Temporary loss of power, cooling or access to
    your crucial system
  • Document

12
Program: Plan and be ready
  • Information classification procedures and
    template
  • Crucial systems inventory instrument and update
    procedures
  • Information Classification and Inventory Workshop

13
Goal: Train Users
  • Improve the effectiveness of the security program
    through well informed and trained staff, faculty
    and students.

14
Unit: Train Users
  • Distribution of general awareness communication
    materials to users
      • Posters
      • Portable Device Security handout
      • Information Security Essentials handout
      • PDA Secure Use EduGuide EG0001
  • Link Privacy & Security Web sites to unit,
    department and college web sites
  • Develop, communicate and publish user procedures
  • Coordination of general awareness training within
    Unit

15
Program: Train Users
  • General security awareness training product
  • GA Presentation
  • EduGuides
  • Information Security reminders or annual GA
    campaign
  • Presence at orientations
  • Maintain relevant all user general information
    security awareness information on SPICE web site

16
Goal: Harden the IT Infrastructure
  • Reduce the surface area through which HSC
    resources can be attacked by external threats of
    compromises and malware.

17
Unit: Harden the IT Infrastructure
  • Protect devices from malware
  • Automate distribution of signature file updates
  • Automate process for detecting updated signature
    file lapses
  • Protect hosts from exploits
  • Implement affordable physical fixes
  • Firewall your hosts
  • Implement process for detecting OS
    vulnerabilities
  • Implement host patching process
  • Review and rationalize privileged accounts
  • Enforce password strength rules on privileged
    accounts
  • Find and Secure remote access points

18
Program: Harden the IT Infrastructure
  • Non disruptive boundary firewall implementation
  • Firewall rules change management process
  • Device registration documentation process problem
    analysis
  • Remote access security standards
  • Definition and implementation plan for enterprise
    security zones
  • Host/Server Security Workshop
  • Malware Prevention Workshop

19
Goal: Control Access
  • Apply access controls to avert unauthorized
    disclosure of restricted information not stored
    on secure servers

20
Unit: Control Access
  • Encrypt and password protect, or remove
    Restricted information from:
      • Workstations, including portables
      • Removable media
      • Stored equipment
  • Do proper disk sanitization
  • Review and rationalize privileged accounts
  • Review and rationalize generic accounts

21
Program: Control Access
  • Portable Device and Media Security Workshop
  • Access Management/Authentication Credentials
    Security Workshop

22
Goal: Evaluate Security of New Products and Services
  • Establish security controls on systems or
    services prior to implementation when they are
    least expensive to implement.

23
Unit: Evaluate Security of New Products and Services
  • Evaluate security of any new vendor product or
    service prior to purchase decision
  • Test security controls prior to new system go-live

24
Program: Evaluate Security of New Products and Services
  • New product/service evaluation survey
  • New product/service procedures process
  • Participate in new product/service security
    evaluations in your Unit

25
Program Goal: Assess Risk
  • Conduct an accurate and thorough assessment of
    the potential risks to the confidentiality,
    integrity and availability of our restricted and
    critical information assets, to determine
    relative risks, what to mitigate, what to monitor
    and what to accept.

26
Unit: Assess Risk
  • Produce inventory report
  • Information systems and assets with
    classification designation and crucial
    designation
  • Fill out risk assessment survey and return on time

27
Program: Assess Risk
  • Update risk assessment survey
  • Update risk assessment process
  • Administer the survey
  • Assess risk
  • Write risk assessment report
  • Communicate recommendations

28
Workshops
  • Presentation
  • Live auditorium style
  • On-line
  • Recommended process if applicable
  • Written Procedure if applicable
  • Sample Procedure if applicable
  • EduGuide if applicable

29
Workshops
  • Incident Response Handling and Reporting, 9/2005
  • Systems Inventory and Information Classification,
    10/2005
  • Portable Device and Media Security, 11/2005
  • Host/server Security, 01/2006
  • Malware Prevention, 02/2006
  • Access Management and Authentication Credentials
    Security, 04/2006
  • Unscheduled
      • Network security standards
      • Evaluation
      • Policy/standards Update

30
Procedures and Sample Procedures
  • Incident Response Procedures (SPICE)
  • Information Classification Procedures (SPICE)
  • System Backup and Restore Procedures
  • System Backup and Restore Test Procedures
  • Disaster Preparedness Procedure (Student Health
    Services)
  • Business Resumption (of security processes)
    Procedure (Student Health Services)
  • Short Term Recovery Procedure (Student Health
    Services)
  • Long Term Recovery Procedure (Student Health
    Services)
  • Crucial Assets Restoration Procedure (Student
    Health Services)
  • Prevention and Detection of Malicious Software
    Procedure
  • Device and Media Disposition Procedure (Dept of
    Medicine)
  • Facility Access Control Procedure (SPICE)
  • Server Room Access Device Issuance Procedure
  • Comm Closets Access Device Issuance Procedure

31
Program Communication
  • SPICE Council
  • Sanitize and recycle sample procedures
  • Maintain Policies and Standards
  • Maintain Information on SPICE Web Site
  • Develop and communicate plans
  • Quarterly Update

32
Unit Implementation Plan
  • Suggested Activities for Unit ISAs and ISMs
    version 2
  • http://security.health.ufl.edu/isaism/index.shtml

33
Network Security Update
  • Network Security Strategy Project
  • Sponsored by Asst. VPHA for IS/CIO and CIS
  • Security zone strategy
  • Tighter wired/wireless security
  • Intrusion detection, intrusion prevention process
    and tools
  • Secure accessibility for users
  • AISS, Cross departmental teams, Shands where we
    overlap

34
Network Security Update
  • Shands/HSC Firewall Implementation
  • Tentative go live mid-September
  • No filters, but expect impacts
  • Shared decision making and formal change
    management for rule setting

35
Network Security Update
  • NetBIOS Filter
  • Unsure of removal timeframe
  • Patient care system impacts
