1 / 30

Rodney Petersen Security Task Force Coordinator EDUCAUSE

Enterprise data (decentralized control, data security and privacy) Prevention: People and Process. Rodney Petersen Security Task Force Coordinator EDUCAUSE. Framing the Problem. INFORMATION Privacy and Security Paper and Electronic Reliance on Networks and Technology

cleave
Télécharger la présentation

Rodney Petersen Security Task Force Coordinator EDUCAUSE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Enterprise data (decentralized control, data security and privacy)Prevention: People and Process Rodney Petersen Security Task Force Coordinator EDUCAUSE

  2. Framing the Problem • INFORMATION Privacy and Security • Paper and Electronic • Reliance on Networks and Technology • Business CONTINUITY • Critical Infrastructure PROTECTION • Part of National Strategy to Secure Homeland

  3. Security Processes • Deter • Prevent • Detect • React • Adapt Burton Group: A Systematic, Comprehensive Approach to Information Security (Feb. 2005)

  4. Points of Emphasis • People • Processes • Technology

  5. Risk Management Risk = Threats x Vulnerabilities x Impact

  6. Threat An adversary that is motivated to exploit a system vulnerability and is capable of doing so National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

  7. Examples of Threats • Hackers • Insiders • “Script Kiddies” • Criminal Organizations • Terrorists • Enemy Nation States

  8. Vulnerability An error or a weaknessin the design, implementation, or operation of a system. National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

  9. Examples of Vulnerabilities • Networks – wired and wireless • Operating Systems – especially Windows • Hosts and Systems • Malicious Code and Viruses • People • Processes • Physical Environments

  10. Impact Refers to the likelihood that a vulnerability will be exploited or that a threat may become harmful. National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

  11. Examples of Impact • Strategic Consequences • Financial Consequences • Legal Consequences • Operational Consequences • Reputational Consequences Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

  12. Handling Risks • Risk Assumption • Risk Control • Risk Mitigation • Risk Avoidance Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

  13. Framework for Risk Assessment • Phase 1: Identify Critical Assets and Security Strategies • Strategic Perspective • Operational Perspective • Practice Perspective • Consolidated View of Security Requirements • Phase 2: Identify Infrastructure Vulnerabilities (Technological View) • Key Technology Components • Selected Technology Components Evaluation • Phase 3: Develop Security Strategy and Plans (Risk Analysis) • Risk Assessment • Protection Strategy and Mitigation Plan

  14. Institutional Policies Policies are statements that reflect the philosophies, attitudes, or values of an organization related to a specific issue. They are generally represented in a paragraph or perhaps two but not pages. They might say “what” but not “how”. Checklists, procedures, standards, and guidelines all must implement, reflect, and support the applicable policy or policies. The entire set of statements is sometimes considered to be the “Policy” Bruhn and Petersen, A Primer on Policy Development for Institutions of Higher Education, 2003.

  15. Data Protection Policies • Acceptable Use Policy • Security Policy • Privacy Policy • Data Policy

  16. Security Policies • RFC2196: A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide. • RFC2196: The main purpose of a security policy is to inform users, staff and managers of their obligatory requirements for protecting technology and information assets.

  17. Security Policy ComponentsRFC2196 • Computer Technology Purchasing • Privacy (i.e., sets reasonable expectations) • Access Rights and Privileges • Accountability (i.e., responsibilities) • Authentication • Availability (sets user expectations) • IT System and Network Maintenance • Violations Reporting • Contact Information

  18. Privacy Policies • Setting “reasonable expectations” • With respect to types of “personal info” • Student Education Records (FERPA) • Protected Health Information (HIPAA) • Nonpublic Personal Financial Information (GLB Act) • Primary identifiers and use of SSN’s • With respect to collection of information – i.e., privacy statements • With respect to disclosure of information, including public records requirements

  19. Data Policies • Enterprise data management structure • Data classification – for example: • Unrestricted Data • Sensitive Data • Critical Data • Roles and responsibilities – for example • Data Trustees • Data Stewards • Data Managers • Access rights and privileges – i.e., data users

  20. Protection of Sensitive Personal Information Develop, implement, maintain, and enforce a written program for the security of sensitive personal information that you collect, maintain, sell, transfer, or dispose of, containing: • administrative safeguards • technical safeguards • physical safeguards to: 1. ensure the security and confidentiality of such data; 2. protect against any anticipated threats or hazards to the security or integrity of such data; and 3. to protect against unauthorized access to, or use of, such data that could result in substantial harm to any individual. S. 1408: Identity Theft Protection Act (109th Congress)

  21. Awareness & Training • Who needs “awareness” (consciousness-raising)? All Users! • Executives • Faculty • Staff • Students • Users of Sensitive Data • IT Staff • Training (skills development) • Especially for data stewards, IT staff, and information security team

  22. ACE Letter to Presidents • Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability. • Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment. • Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting. • Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.

  23. Cybersecurity Awareness Resources CD • The Awareness and Training Working Group of the EDUCAUSE/Internet2 Security Task Force compiled cybersecurity awareness resources distributed on a CD. • The resources were collected to showcase the variety of security awareness efforts underway at institutions of higher education and to provide resources for colleges and universities that are looking to jump-start a program for their organization. 

  24. What’s on the CD? • Book Marks • Brochures • Checklists • Flyers • Games • Government Resources • Handouts • Industry Resources • Links to School’s Security Web Page(s) • Pamphlets • Post Cards • Presentations • Security Awareness Documents • Security Cards • Security Tools • Security Quizzes • Surveys • Videos

  25. Information Security Governance If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance. Information Security Governance Report: Executive Summary

  26. InfoSec Governance Self Assessment • Organizational Reliance on IT • E.g., What is the impact of major system downtime on operations? • Risk Management • E.g., Has your organization conducted a risk assessment and identified critical assets? • People • E.g., Is there a person or organization that has information security as their primary duty? • Processes • E.g., Do you have official written information security policies and procedures? • Technology • E.g., Is sensitive data encrypted? Information Security Governance Assessment Tool for Higher Education

  27. Best Practices & Metrics Information Security Program Elements: • Governance • Boards/Senior Executives/Shared Governance • Management • Directors and Managers • Technical • Central and Distributed IT Support Staff CISWG Final Report on Best Practices & Metrics

  28. Governance • Oversee Risk Management and Compliance Programs Pertaining to Information Security (e.g., Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley) • Approve and Adopt Broad Information Security Program Principles and Approve Assignment of Key Managers Responsible for Information Security • Strive to Protect the Interests of all Stakeholders Dependent on Information Security • Review Information Security Policies Regarding Strategic Partners and Other Third-parties • Strive to Ensure Business Continuity • Review Provisions for Internal and External Audits of the Information Security Program • Collaborate with Management to Specify the Information Security Metrics to be Reported to the Board

  29. Management • Establish Information Security Management Policies and Controls and Monitor Compliance • Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges • Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation • Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third-parties • Identify and Classify Information Assets • Implement and Test Business Continuity Plans • Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance • Protect the Physical Environment • Ensure Internal and External Audits of the Information Security Program with Timely Follow-up • Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management

  30. Technical • User Identification and Authentication • User Account Management • User Privileges • Configuration Management • Event and Activity Logging and Monitoring • Communications, Email, and Remote Access Security • Malicious Code Protection, Including Viruses, Worms, and Trojans • Software Change Management, including Patching • Firewalls • Data Encryption • Backup and Recovery • Incident and Vulnerability Detection and Response • Collaborate with Management to Specify the Technical Metrics to be Reported to Management

More Related