A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations - PowerPoint PPT Presentation

Slides: 83
Provided by: rodneyp3

Transcript and Presenter's Notes

1
A Blueprint for Handling Sensitive Data
Security, Privacy, and Other Considerations
  • Shirley Payne, Director for Security Coordination
    and Policy, University of Virginia
  • Krizi Trivisani, Chief Security Officer, The
    George Washington University
  • EDUCAUSE Seminar Series
  • Denver, Colorado

2
Introductions
  • Ice-breaker BINGO!!
  • 5 minutes
  • First 10 people to get BINGO win a prize!
  • Introductions
  • Name
  • Title or Functional Description of Duties
  • Organizational Affiliation
  • What do you want to get out of this session?

3
Overview to Seminar
  • Information security risks at colleges and
    universities present challenging legal, policy,
    technical, and operational issues.
  • Security incidents have resulted in compromises
    of personal information which have led to bad
    publicity and the potential for identity theft.
  • Risks to information security at colleges and
    universities continue to persist and necessitate
    that individuals at all levels of the institution
    become engaged to prevent further data breaches
    from occurring.
  • This seminar will outline a blueprint for
    protecting sensitive data according to the
    EDUCAUSE/Internet2 Security Task Force.

4
Seminar Goals
  • At the end of this session
  • You should feel comfortable discussing common
    cybersecurity threats plaguing higher education
    and computer users in general.
  • You will have a list of key strategies to follow
    for stopping the leakage of confidential/sensitive
    data.
  • You will be introduced to several security
    resources and best practices to help you apply
    the key strategies.

5
Today's Roadmap
  • Foundations of Cybersecurity in Higher Ed
  • The Blueprint
  • Creating a Security Risk-Aware Culture
  • Defining Institutional Data Types
  • Clarify Responsibilities and Accountability
  • Reducing Access to Data Not Absolutely Essential
  • Establishing and Implementing Stricter Controls
  • Providing Awareness and Training
  • Verifying Compliance
  • Putting it All Together: Moving from Planning to
    Action

6
Higher Ed IT Environments
  • Technology Environment
  • Distributed computing and wide range of hardware
    and software from outdated to state-of-the-art
  • Increasing demands for distributed computing,
    distance learning and mobile/wireless
    capabilities which create unique security
    challenges
  • Leadership Environment
  • Reactive rather than proactive
  • Lack of clearly defined goals (what do we need to
    protect and why)
  • Academic Culture
  • Persistent belief that security and academic
    freedom are antithetical
  • Tolerance, experimentation, and anonymity highly
    valued

7
Higher Ed IT Environments
  • Current Status: "The information security
    environment has become increasingly more
    dangerous. News accounts have reported Higher
    Education institutions involved in dozens of
    incidents of compromised confidential information
    over the past year. The cost of notifying and
    offering assistance to those individuals who have
    had their privacy information compromised can run
    into the hundreds of thousands of dollars for
    each incident. Increased regulatory requirements
    also make it imperative that the University be
    able to show a level of due diligence in the
    protection of its systems and confidential data."
  • Why is this in quotes?

8
Goals of Cybersecurity
  • Confidentiality - information requires protection
    from unauthorized use or disclosure.
  • Integrity - information must be protected from
    unauthorized, unanticipated, or unintentional
    modification.
  • Availability - computers, systems, networks, and
    information must be available on a timely basis
    to meet mission requirements or to avoid
    substantial losses.

9
Security Processes
  • Deter
  • Prevent
  • Detect
  • React
  • Adapt
  • Burton Group, A Systematic, Comprehensive
    Approach to Information Security (Feb. 2005)

10
Security Implementation Relies On
  • People, Process, and Technology
  • Policies must be developed, communicated,
    maintained and enforced
  • Process: processes must be developed that show
    how policies will be implemented
  • Technology: systems must be built to technically
    adhere to policy
  • People: people must understand their
    responsibilities regarding policy

11
Framing the Problem
  • Discussion Breaches in Higher Education
  • How did they occur?
  • Who was impacted?
  • How much did it cost?
  • Are there themes?
  • What's changed?

12
The Blueprint
  • Confidential Data Handling Blueprint
  • Purpose
  • To provide a list of key strategies to follow for
    stopping the leakage of confidential/sensitive
    data.
  • To provide a toolkit that constructs resources
    pertaining to confidential/sensitive data
    handling. 
  • https://wiki.internet2.edu/confluence/display/secguide/ConfidentialDataHandlingBlueprint

13
The Blueprint
  • Confidential Data Handling Blueprint
  • Introduction
  • Steps and ensuing sub-items are intended to
    provide a general roadmap
  • Institutions will be at varying stages of
    progress
  • Organized in a sequence that allows you to
    logically follow through each step
  • Each item is recommended as an effective
    practice; state/local legal requirements,
    institutional policy, or campus culture might
    lead each institution to approach it
    differently

14
Step 1
  • Create a security risk-aware culture that
    includes an information security risk management
    program
  • Sub-steps
  • 1.1 Institution-wide security risk management
    program
  • 1.2 Roles and responsibilities defined for
    overall information security at the central and
    distributed level
  • 1.3 Executive leadership support in the form of
    policies and governance actions

15
Why Do We Care?
  • HIPAA
  • FERPA
  • GLBA
  • Sarbanes Oxley Act
  • Grant requirements
  • Compliance
  • Other local state and federal regulations

16
Risk Management
  • Risk = Threats x Vulnerabilities x Impact

17
Threat
  • An adversary that is motivated to exploit a
    system vulnerability and is capable of doing so
  • National Research Council CSTB Report,
    Cybersecurity Today and Tomorrow: Pay Now or Pay
    Later (2002)

18
Examples of Threats
  • Hackers
  • Insiders
  • Script Kiddies
  • Criminal Organizations
  • Terrorists
  • Enemy Nation States

19
Vulnerability
  • An error or a weakness in the design,
    implementation, or operation of a system.
  • National Research Council CSTB Report,
    Cybersecurity Today and Tomorrow: Pay Now or
    Pay Later (2002)

20
Examples of Vulnerabilities
  • Networks wired and wireless
  • Operating Systems (especially Windows)
  • Hosts and Systems
  • Malicious Code and Viruses
  • People
  • Processes
  • Physical Environments

21
Impact
  • Refers to the likelihood that a vulnerability
    will be exploited or that a threat may become
    harmful.
  • National Research Council CSTB Report,
    Cybersecurity Today and Tomorrow: Pay Now or Pay
    Later (2002)
  • Note that, as worded, this defines likelihood
    (the probability of exploitation) rather than
    impact; the consequences listed on the next slide
    are what the Impact term of the risk formula
    actually measures.

22
Examples of Impact
  • Strategic Consequences
  • Financial Consequences
  • Legal Consequences
  • Operational Consequences
  • Reputational Consequences
  • Qayoumi, Mohammad H., Mission Continuity
    Planning: Strategically Assessing and Planning
    for Threats to Operations, NACUBO (2002).

23
Risk Management
  • Risk = Threats x Vulnerabilities x Impact

24
Handling Risks
  • Risk Assumption
  • Risk Control
  • Risk Mitigation
  • Risk Avoidance
  • Qayoumi, Mohammad H., Mission Continuity
    Planning: Strategically Assessing and Planning
    for Threats to Operations, NACUBO (2002).

25
Source: University of Virginia IT Security Risk
Management Program
http://www.itc.virginia.edu/security/riskmanagement

26
What Defines Culture?
  • Strategic Planning and Decision-Making
  • Examples
  • Top-down
  • Bottom-up
  • Consensus-based
  • Institutional Values
  • Examples
  • Student honor code
  • Strong faculty influence
  • Emphasis on accountability at all levels of
    institution
  • High bond rating

27
What Defines Culture?
  • Control of Operational Functions
  • Examples
  • Centralized
  • Decentralized
  • Long-term Institutional Priorities
  • Examples
  • Increase research
  • Increase community outreach
  • Other influences on culture?

28
Ideas For Using Culture
Decentralized Control Over Computing
  • Formalize and leverage the network of
    departmental system administrators
  • How? Some examples:
  • University of Virginia LSP Program
    http://www.itc.virginia.edu/dcs/lsp
  • George Mason University SALT Group
    http://itu.gmu.edu/security/sysadmin/salt-description.html

29
Ideas For Using Culture
Increasing Emphasis on Compliance
  • Spotlight federal regulations related to security
    and privacy
  • How? Some examples:
  • IT Security for Higher Education: A Legal
    Perspective
    http://www.educause.edu/ir/library/pdf/csd2746.pdf
  • Family Educational Rights and Privacy Act
    http://www.ed.gov/policy/gen/guid/fpcp/ferpa/index.html
  • Gramm-Leach-Bliley Act
    http://www.ftc.gov/privacy/glbact/index.html
  • Health Insurance Portability and Accountability
    Act http://www.hhs.gov/ocr.hipaa

30
Ideas For Using Culture
Strong Leadership at the Top
  • Make executive-level awareness a top priority
  • How?
  • ACE Letter to Presidents Regarding Cybersecurity
    http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
  • Information Security: A Difficult Balance
    http://www.educause.edu/pub/er/erm04/erm0456.asp
  • Gaining the President's Support for IT
    Initiatives at Small Colleges
    http://www.educause.edu/apps/eq/eqm04/eqm0417.asp
  • Presidential Leadership for Information
    Technology
    http://www.educause.edu/ir/library/pdf/erm0332.pdf

31
Morning Break
  • Break 10:15 AM
  • Return 10:30 AM

32
Step 2
  • Define institutional data types
  • Sub-steps
  • 2.1 Compliance with applicable federal and state
    laws and regulations - as well as contractual
    obligations - related to privacy and security of
    data held by the institution (also consider
    applicable international laws)
  • 2.2 Data classification schema developed with
    input from legal counsel and data stewards
  • 2.3 Data classification schema assigned to
    institutional data to the extent possible or
    necessary

33
Institutional Data Types
  • Discussion
  • Do you have a data classification schema?
  • Do you have a policy?
  • Why is this step important?

34
Data Classification Policy
  • Provides the framework necessary to identify and
    classify data in order to assess risk and
    implement an appropriate level of security
    protection based on categorization.
  • Provides the framework necessary to comply with
    legislation, regulations, and internal policies
    that govern the protection of data
  • Provides the framework necessary to facilitate
    and make the Incident Response process more
    efficient. The level at which the data is
    classified determines the level of response.

35
Data Classification Policy Objectives
  • Communicates data categories to the University
    community and provides examples of how data
    should be classified
  • Communicates the high-level requirements
    necessary to protect data based on category
  • Communicates the roles and responsibilities of
    various members of the University community and
    external associates as it relates to GW owned
    data

36
Data Classification at GW
Rows: Operations Levels (highest operations at the
top); columns: Privacy Levels (highest security at
the left).

                     Confidential   Official   Public
Enterprise System         1            1         2
Department Server         2            2         3
Desktop/Laptop            2            3         4

Note: numbers in boxes suggest the priority levels
for mitigating risks (1 = highest priority, 4 =
lowest). The cell-by-cell placement above is
reconstructed from the flattened slide layout; the
axes and the set of priority values are as on the
slide.

37
Step 3
  • Clarify responsibilities and accountability for
    safeguarding confidential/sensitive data
  • Sub-steps
  • 3.1 Data stewardship roles and responsibilities
  • 3.2 Legally binding third party agreements that
    assign responsibility for secure data handling

38
Example: University of North Carolina
  • Data Trustee: Data trustees are senior University
    officials (or their designees) who have planning
    and policy-level responsibility for data within
    their functional areas and management
    responsibilities for defined segments of
    institutional data. Responsibilities include
    assigning data stewards, participating in
    establishing policies, and promoting data
    resource management for the good of the entire
    University.
  • Data Steward: Data stewards are University
    officials having direct operational-level
    responsibility for information management,
    usually department directors. Data stewards are
    responsible for data access and policy
    implementation issues.
  • Data Custodian: Information Technology Services
    is the data custodian. The custodian is
    responsible for providing a secure infrastructure
    in support of the data, including, but not
    limited to, providing physical security, backup
    and recovery processes, granting access
    privileges to system users as authorized by data
    trustees or their designees (usually the data
    stewards), and implementing and administering
    controls over the information.
  • Data User: Data users are individuals who need
    and use University data as part of their assigned
    duties or in fulfillment of assigned roles or
    functions within the University community.
    Individuals who are given access to sensitive
    data have a position of special trust and as such
    are responsible for protecting the security and
    integrity of those data.
  • http://its.uncg.edu/Policy_Manual/Data/

39
Step 4
  • Reduce access to confidential/sensitive data not
    absolutely essential to institutional processes
  • Sub-steps
  • 4.1 Data collection processes (including forms)
    should request only the minimum necessary
    confidential/sensitive information
  • 4.2 Application outputs (e.g., queries, hard copy
    reports, etc.) should provide only the minimum
    necessary confidential/sensitive information
  • 4.3 Inventory and review access to existing
    confidential/sensitive data on servers, desktops,
    and mobile devices

40
Step 4 continued
  • Reduce access to confidential/sensitive data not
    absolutely essential to institutional processes
  • Sub-steps continued
  • 4.4 Eliminate unnecessary confidential/sensitive
    data on servers, desktops, and mobile devices
  • 4.5 Eliminate dependence on SSNs as primary
    identifiers and as a form of authentication
  • Note: SSNs may need to be used for certain
    things (e.g., student employees, student
    financial aid, etc.) and we recommend that
    schools limit the use of SSNs to necessary
    processes only.

41
Elimination of SSNs
  • Federal and state law requires the collection of
    your Social Security number (SSN) for certain
    purposes (for example, IRS reporting forms).
    However, widespread use of an individual's SSN is
    a major privacy concern. With incidents of
    identity theft increasing, steps to secure an
    individual's SSN become more important.
  • A large number of colleges and universities use
    SSNs as primary identifiers for faculty, staff,
    and students, which exposes institutions to risk
    because of changing legal and security
    environments. Therefore, many institutions are
    planning for the migration away from SSN use as a
    primary identifier. Undertaking such a task
    raises issues, challenges, and opportunities for
    any institution.
  • EDUCAUSE has identified links concerning the
    elimination of SSNs as primary identifiers that
    may be useful to the higher education community.
  • http://www.educause.edu/Browse/645?PARENT_ID=701

42
Lunch
  • Break 12 PM
  • Return 1 PM

43
Step 5
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps
  • 5.1 Inventory and review/remediate security of
    devices
  • 5.2 Configuration standards for applications,
    servers, desktops, and mobile devices
  • 5.3 Network level protections
  • 5.4 Encryption strategies for data in transit and
    at rest

44
Step 5 continued
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps continued
  • 5.5 Policies regarding confidential/sensitive
    data on mobile devices and home computers and for
    data archival/storage
  • 5.6 Identity management and resource provisioning
    processes
  • 5.7 Secure disposal of equipment and data
  • 5.8 Consider background checks on individuals
    handling confidential/sensitive data

45
Encryption: Collaboration
  • Call for help: what are other universities
    doing?
  • Privacy Committee, Compliance Committee, LSPs
  • Key Stakeholders
  • Project management
  • Information Security Office, Technology Services,
    Technology Engineering, OneTeam

46
GW Scoring Criteria/Selection Rationale
Vendors were evaluated on RFP requirements that
covered Whole Disk and "Nice to Have" requirements.

Evaluation Category            Vendor 1   Utimaco   Vendor 3
Whole Disk - Authentication        38        37        35
Whole Disk - General              127       126       126
Whole Disk - Integration           58        58        54
Whole Disk - Management            44        44        44
Nice to Have                        5         9         5
Total                             272       274       264
Recommended?                       No       Yes        No

Out of a possible total weighted score of 285,
Utimaco scored the highest based on the
requirements defined in the RFP, had the lowest
price and was the only product fully compatible
with VMWare.
Note: Vendors were asked to respond to File and
Folder Encryption requirements but were not
scored on them.

47
GWs Encryption Pilot
  • Planning
  • Technical set-up
  • Central IT Group 50%, Departments 50%
  • Communicate, communicate, communicate
  • Pilot results
  • Party!

48
GW Enterprise Rollout: 50,000 Foot View
Rollout phases (device type; estimated users;
estimated machines; estimated timeframe):
  • Phase A: Administrative laptops and some
    academic department laptops used for
    administrative purposes; 1700 users; 400
    laptops; Dec 06 - Feb 07
  • Phase B: Faculty machines (laptops and desktops),
    FWI self-identify case by case; 300 machines(1);
    300 machines(1); May 07 - May 10 (3-year FWI
    attrition cycle)
  • Phase C: Administrative desktops and some
    academic department desktops used for
    administrative purposes; TBD; TBD; June 07 -
    Dec 07
  • Phase D: Other devices (external hard drives,
    thumb drives, etc.); TBD; TBD; TBD
(1) Note: This assumes a 3-year FWI machine
replacement plan for most faculty, except those
that self-identify to adopt SafeGuard Easy on an
existing machine.

49
Encryption Lessons Learned?
  • References provided invaluable advice
  • Project management support crucial
  • Flexibility required
  • Know your culture
  • Integrate with security philosophy and
    architecture
  • Establish generic policy and add
    guidelines/procedures as process matures
  • Communication and partnerships were critical
    success factors

50
Step 5 continued
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps continued
  • 5.5 Policies regarding confidential/sensitive
    data on mobile devices and home computers and for
    data archival/storage
  • 5.6 Identity management and resource provisioning
    processes
  • 5.7 Secure disposal of equipment and data
  • 5.8 Consider background checks on individuals
    handling confidential/sensitive data

51
EDUCAUSE Identity Management Resources
  • Recent Library Submissions (3)
  • CIC Identity Management Conference Session
    Federated Identity Management and Sharing
    Resources (2007) by Jim Phelps, IT Architect in
    Academia
  • Identity Management Conference Report (2007)by
    Committee on Institutional Cooperation
  • A Report on the Identity Management Summit (2007)
    by Norma Holland, Ann West and Steve Worona,
    EDUCAUSE
  • Most Popular Library Content (3)
  • Top-Ten IT Issues, 2006 (2006) by Barbara I.
    Dewey, Peter B. DeBlois, and the 2006 EDUCAUSE
    Current Issues Committee, EDUCAUSE
  • Safeguarding the Tower IT Security in Higher
    Education 2006 (2006) by Robert B. Kvavik, with
    John Voloudakis, ECAR
  • Identity Management in Higher Education A
    Baseline Study (2006) by Ronald Yanosky, with
    Gail Salaway, ECAR
  • http://www.educause.edu/Browse/645?PARENT_ID=679

52
Source: "Hackers get bum rap for corporate
America's digital delinquency",
University of Washington News and Information
Office, March 12, 2007

53
Step 6
  • Provide awareness and training
  • Sub-steps
  • 6.1 Make confidential/sensitive data handlers
    aware of privacy and security requirements
  • 6.2 Require acknowledgement by data users of
    their responsibility for safeguarding such data
  • 6.3 Enhance general privacy and security
    awareness programs to specifically address
    safeguarding confidential/sensitive data
  • 6.4 Collaboration mechanisms such as e-mail have
    strengths and limitations in terms of access
    control, which must be clearly communicated and
    understood so that the data will be safe-guarded

54
Awareness and Training
  • Goal
  • To increase the awareness of the associated
    risks of computer and network use and the
    corresponding responsibilities of higher
    education executives and end-users of technology
    (faculty, staff, and students), and to further
    the professional development of information
    technology staff.
  • Programs
  • Outreach to Higher Ed Associations and Beyond
  • Annual Security Professionals Conference
  • Education Awareness Working Group
  • Initiatives
  • Leadership Book on Computer Network Security
    for Higher Ed
  • National Cyber Security Awareness Month
  • Cybersecurity Awareness Resources
  • Executive Awareness, Student Awareness,
    Training of IT Staff

55
What is Security Awareness?
Security awareness is knowledge of potential
threats. It is the advantage of knowing what
types of security issues and incidents members of
our organization may face in the day-to-day
routine of their University functions.
Technology alone cannot provide adequate
information security. People, awareness and
personal responsibility are critical to the
success of any information security program.
56
Why is Awareness Important?

57
When I Go To U.Va.
http://www.itc.virginia.edu/pubs/docs/RespComp/videos/when-I-go-to-UVA-lg.mov

58
Who is your Audience?
  • Faculty
  • Staff
  • Students
  • Parents
  • Contractors
  • Visitors
  • Community/industry partners - outreach

59
Security Awareness
  • Discussion
  • What security topic is not well understood at
    your institution?
  • Who needs to understand this issue?
  • What techniques would be effective to build
    awareness in this area keeping this audience in
    mind?

60
Step 7
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps
  • 7.1 Routinely test network-connected devices and
    services for weaknesses in operating systems,
    applications, and encryption
  • 7.2 Routinely scan servers, desktops, mobile
    devices, and networks containing
    confidential/sensitive data to verify compliance
  • 7.3 Routinely audit access privileges
  • 7.4 Procurement procedures and contract language
    to ensure proper data handling is maintained

61
Step 7 continued
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps continued
  • 7.5 System development methodologies that prevent
    new data handling problems from being introduced
    into the environment
  • 7.6 Utilize audit function within the institution
    to verify compliance
  • 7.7 Incident response policies and procedures
  • 7.8 Conduct regular meetings with stakeholders
    such as data stewards, legal counsel, compliance
    officers, public safety, public relations, and IT
    groups to review institutional risk and
    compliance and to revise existing policies and
    procedures as needed

62
Security Scenarios
  • Data breach exercises and realistic role playing
    scenarios
  • Provided by Yale University
  • Hand-out

63
Afternoon Break
  • Break 2:45 PM
  • Return 3:00 PM

64
GW Security Tool Kit
  • To provide departments managing systems outside
    of the GW Data Center with standard guidelines
    and procedures
  • Policies
  • Systems Checklist - Departmental Servers and
    Enterprise Systems - an inventory of the systems,
    functionality, system administration and security
    settings
  • Best Practices for Department Server and
    Enterprise System Checklist - these are the
    specific security categories that were assessed
    during the PwC audit.
  • Server Management Best Practices - from the
    Center for Internet Security. There are currently
    minimum security configurations for 14 types of
    systems.

65
GW Security Tool Kitcontinued
  • To provide departments managing systems outside
    of the GW Data Center with standard guidelines
    and procedures
  • Security Controls Matrix for Data Classification
    - to determine security controls based on the
    type of information on the system (Public,
    Official Use, Confidential) and the type of
    system itself (Desktop, Departmental Server,
    Enterprise System).
  • Information Security Training and Awareness -
    information about online training available to
    all employees.
  • Resources encryption, incident response,
    presentations, etc.

66
Compliance Scenario
  • GW conducted an audit project of 236
    departmentally controlled servers for security
    and PII (aka Server Information Security
    Project, or SISP)
  • Project commissioned by EVPT and CIO
  • Audited configuration of computers and detection
    of SSNs

67
Compliance Scenario
  • PII on almost 50% of servers admins thought it
    was NOT on
  • About 75% of computers that were compromised had
    completely up-to-date antivirus and/or firewalls
  • Security efforts focused mostly on protecting
    servers as opposed to data

68
Compliance Scenario
  • Address problems in first pass
  • Include all computers with access to sensitive
    data, not only known storage
  • Contrast locations of PII to current security
    architecture
  • Desktops versus servers...
  • Integration with patch management systems?
  • Secure reporting
  • Log parsing by junior-level security staff

69
Safety Analyzer
  • Free tool for higher education
  • Sensitive Data Detection
  • SSNs with heuristics
  • Credit Card numbers with Luhn algorithm
    validation
  • Compromise Detection
  • Trojan file detection
  • Kernel-level rootkit detection
  • IR-related data harvesting
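
The two detection techniques listed above, SSN matching with plausibility heuristics and card-number matching with Luhn validation, are also what the routine scans of steps 4.3, 4.4 and 7.2 run over servers and desktops. The following is an added Python example, not Safety Analyzer's code and not part of the original deck. The file contents are constructed test values; the SSN plausibility rules (no all-zero field, area numbers 000, 666 and 900-999 never issued) are the public SSA issuance rules and a simplification of the heuristics a production scanner uses.

```python
import re
from typing import List, Tuple

# Constructed sample: the kind of spreadsheet export a departmental
# server scan turns up. All values are fake test data.
SAMPLE_TEXT = """\
Name,ID,Card
Alice,123-45-6789,4111111111111111
Bob,000-12-3456,4111111111111112
Carol,666-01-2345,5500000000000004
Dan,987-65-4320,1234567812345678
Eve,219 09 9999,378282246310005
Ticket #123456789 opened 2007-03-12
"""

# Nine digits as 3-2-4 with one consistent separator (hyphen, space or
# none); the lookarounds stop it matching inside longer digit runs.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")
# 13 to 16 digits, optionally split by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural checks from SSA issuance rules: no all-zero field,
    area 666 and areas 900-999 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> List[Tuple[str, str]]:
    """Return (matched text, confidence). A bare nine-digit run also
    matches ticket and account numbers, so it is only 'possible'."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, sep, group, serial = m.group(1), m.group(2), m.group(3), m.group(4)
        if not ssn_plausible(area, group, serial):
            continue
        hits.append((m.group(0), "likely" if sep else "possible"))
    return hits


def find_cards(text: str) -> List[str]:
    """Return card-number candidates (separators removed) that pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan(text: str) -> dict:
    """One scan of a file's text; callers map this over the file tree."""
    return {"ssn": find_ssns(text), "card": find_cards(text)}


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_TEXT).items():
        print(kind, hits)
```

Of the six SSN-shaped values only three survive: the rows with area 000, 666 and 987 are dropped by the plausibility rules, and the unseparated ticket number is kept but reported at low confidence. Of the four card-shaped values, the one whose check digit was altered fails Luhn. A production scanner adds context words ("SSN", "Social Security"), file-type filters and a review of the hosts that were believed to hold no PII, which the GW audit on the earlier slides found to be almost half of them.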

70
The Blueprint
  • Discussion
  • Will you use the blueprint?
  • Do you have suggestions to improve it?
  • Do you have resources to submit?

71
Putting it All Together
  • Moving from Planning to Action!

72
Perceived Barriers To IT Security
Source: Information Technology Security Study,
EDUCAUSE Center for Applied Research, Sept. 2003

73
Information Security Governance
  • If businesses, educational institutions, and
    non-profit organizations are to make significant
    progress securing their information assets,
    executives must make information security an
    integral part of core business operations. There
    is no better way to accomplish this goal than to
    highlight it as part of the existing internal
    controls and policies that constitute corporate
    governance.
  • Source: Information Security Governance Report,
    Executive Summary

74
InfoSec Governance Self Assessment
  • Organizational Reliance on IT
  • E.g., What is the impact of major system downtime
    on operations?
  • Risk Management
  • E.g., Has your organization conducted a risk
    assessment and identified critical assets?
  • People
  • E.g., Is there a person or organization that has
    information security as their primary duty?
  • Processes
  • E.g., Do you have official written information
    security policies and procedures?
  • Technology
  • E.g., Is sensitive data encrypted?
  • Information Security Governance Assessment Tool
    for Higher Education

75
Best Practices Metrics
  • Information Security Program Elements
  • Governance
  • Boards/Senior Executives/Shared Governance
  • Management
  • Directors and Managers
  • Technical
  • Central and Distributed IT Support Staff
  • CISWG Final Report on Best Practices Metrics

76
Governance
  • Oversee Risk Management and Compliance Programs
    Pertaining to Information Security (e.g.,
    Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley)
  • Approve and Adopt Broad Information Security
    Program Principles and Approve Assignment of Key
    Managers Responsible for Information Security
  • Strive to Protect the Interests of all
    Stakeholders Dependent on Information Security
  • Review Information Security Policies Regarding
    Strategic Partners and Other Third-parties
  • Strive to Ensure Business Continuity
  • Review Provisions for Internal and External
    Audits of the Information Security Program
  • Collaborate with Management to Specify the
    Information Security Metrics to be Reported to
    the Board

77
Management
  • Establish Information Security Management
    Policies and Controls and Monitor Compliance
  • Assign Information Security Roles,
    Responsibilities, Required Skills, and Enforce
    Role-based Information Access Privileges
  • Assess Information Risks, Establish Risk
    Thresholds and Actively Manage Risk Mitigation
  • Ensure Implementation of Information Security
    Requirements for Strategic Partners and Other
    Third-parties
  • Identify and Classify Information Assets
  • Implement and Test Business Continuity Plans
  • Approve Information Systems Architecture during
    Acquisition, Development, Operations, and
    Maintenance
  • Protect the Physical Environment
  • Ensure Internal and External Audits of the
    Information Security Program with Timely
    Follow-up
  • Collaborate with Security Staff to Specify the
    Information Security Metrics to be Reported to
    Management

78
Technical
  • User Identification and Authentication
  • User Account Management
  • User Privileges
  • Configuration Management
  • Event and Activity Logging and Monitoring
  • Communications, Email, and Remote Access Security
  • Malicious Code Protection, Including Viruses,
    Worms, and Trojans
  • Software Change Management, including Patching
  • Firewalls
  • Data Encryption
  • Backup and Recovery
  • Incident and Vulnerability Detection and Response
  • Collaborate with Management to Specify the
    Technical Metrics to be Reported to Management

79
Building Security Programs
  • Gain the support of the Administration.
  • Define roles and responsibilities.
  • Review your institutions policies.
  • Build long lasting partnerships with everyone,
    well maybe not everyone.
  • Collaborate with security professionals in your
    region or State.
  • Institutionalize a strong security awareness
    program.

80
Wrap-Up
  • Question and Answer
  • Seminar Evaluation and Feedback
  • Program ends at 4:30 PM

81
Listservs and Newsgroups
  • EDUCAUSE Security Discussion Listserv
  • http://www.educause.edu/SecurityDiscussionGroup/979
  • Microsoft Security Alerts
  • http://www.microsoft.com/security/bulletins/alerts.mspx
  • US-CERT Alerts and Tips
  • http://www.us-cert.gov/cas/signup.html (choose)
  • NIST Publication Mailing list
  • http://csrc.nist.gov/compubs-mail.html

82
Contacts
  • Shirley Payne
  • payne_at_virginia.edu
  • Krizi Trivisani
  • krizi_at_gwu.edu