
What Every CBO Should Know About IT Security

Robert Clark, Director of Internal Auditing, Georgia Institute of Technology; Jack Suess, VP of Information Technology, University of Maryland, Baltimore County. Monday, July 10, 2006.


Presentation Transcript


  1. What Every CBO Should Know About IT Security
     Robert Clark, Director of Internal Auditing, Georgia Institute of Technology
     Jack Suess, VP of Information Technology, University of Maryland, Baltimore County
     Monday, July 10, 2006

  2. Overview
     • Why IT security should be everyone’s concern, not just the IT staff’s
     • Plethora of legal compliance issues
     • Potential risk factors facing organizations
     • Case studies and high-profile examples
     • Fiduciary role of managers in safeguarding these assets
     • Effective practices from which to leverage
     • Resources and guidance available

  3. Introduction to the Security Task Force of EDUCAUSE
     • Formed in July 2000
     • Current Co-chairs:
       • Jack Suess, UMBC (2003-2006)
       • Joy Hughes, George Mason University (2004-2007)
     • Executive Committee of CIOs, security professionals, and professional staff
     • EDUCAUSE & Internet2 staff support
     • Coordination with the Higher Education IT Alliance
       • ACE, AAU, NASULGC, AASCU, NAICU, AACC, NACUBO

  4. Strategic Goals of the Security Task Force
     Overarching Goals
     • Education and awareness across the campus and within our IT organizations
     • Standards, policies, and procedures
     • Security architecture and tools
     • Organization, information sharing, and incident response
     Focused Activities
     • Data privacy and protection
     • Incident detection and response

  5. Rapid increase in regulatory issues over data
     • Gramm-Leach-Bliley Act
     • FERPA
     • HIPAA
     • Sarbanes-Oxley (not “directly” applicable to higher ed, but indirectly)
     • California SB 1386 and 23 other state data disclosure laws
     • VISA/Mastercard PCI requirements
     • OMB sets guidelines for Federal employee laptop security

  6. Imperative for Action
     • Over fifty universities have had public data disclosures in the last 18 months
     • Total number of individuals impacted is over 2.5 million
     • At least a half-dozen incidents have had direct costs for remediation and notification exceeding one million dollars

  7. What Are the Causes of Personal Information Release?
     • Most of these releases were in tertiary systems supporting a single department or were associated with an individual’s laptop or desktop computer
     • The reasons for these releases run the gamut: stolen laptops, viruses and worms, unpatched software, programming errors, and human error
     • CIFAC, an NSF-sponsored study on security incidents, found in reviewing incidents that the overwhelming cause was inadequate management oversight (insufficient procedures or processes) or inadequate training

  8. When Bad Stuff Happens…
     • Ohio University – 5 intrusions resulting in compromise of personal data for 300,000 students and alumni
       • Will spend over $4M to upgrade IT security and policies
     • GMU – compromise of personal data on campus card server for over 30,000
     • UC Berkeley – stolen laptop with 1.4 million IDs resulted in the largest higher-ed notification to date
     • Georgia Tech – 57,000 credit card numbers accessed

  9. Whose Problem Is IT? GIT Example
     • IT staff – examining systems; forensic analysis
     • Internal Auditing – investigating incident; examining controls; facilitating discussions with appropriate management; dealing with VISA; interacting with law enforcement
     • CBO – examining GIT policies; VISA threatened to pull the plug on ALL credit card processing at GIT, which would have had a significant impact on other areas of GIT operations
     • Legal Affairs – negotiations with VISA; dealing with the Attorney General, FBI, GBI, Secret Service
     • Ferst Center for the Arts Management – all ticketing operations suspended; major PR issues with customers; over 30,000 first-class letters sent to customers affected; Help Line staffed
     • Auxiliary Services management; Institute Communications and Public Affairs (dealing with media); Chief of Police; Office of the President

  10. Lessons Learned
     • A well-designed process for responding to IT incidents provided clear guidance
       • http://www.audit.gatech.edu/IAcollabrative2.pdf
     • Evident that this was an “Institute issue,” not just an “IT issue” (shared responsibility)
     • Strong collaboration amongst management to ensure consistent action
     • Costly – total “cost” in time for those involved over $100K
     • Led to other initiatives to locate sensitive info across campus
     • Led to a committee to establish a Data Access Policy
     • Led to increased awareness of IT risk assessment

  11. What’s Keeping Us From Doing This Right?
     • Organizational challenges for IT security
     • The tension between the academy and the enterprise
     • Lack of adequate knowledge about the nature of IT issues
     • Over-reliance on techno-centric solutions
     • IT security not recognized as a shared responsibility
     • Security viewed as counter to organizational productivity
     • Reactive responses vs. a systemic framework for sustainable solutions
     • No budgets established and resources allocated to conduct IT risk assessments
     • Unclear on guidance to adopt and effective practices to follow

  12. Review of Industry Frameworks
     • COSO (Committee of Sponsoring Organizations of the Treadway Commission) 1987-1992
     • COBIT (Control Objectives for Information and related Technology) 1996-2000
     • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) 2001
     • ISO 17799 (International Organization for Standardization – Information Technology: Code of Practice for Information Security) 2000

  13. New (2004) ERM COSO Framework
     • Organizational structure (e.g., Board, policies, management’s risk appetite)
     • Objectives in strategy, operations, reporting, compliance
     • What can go wrong?
     • Likelihood and impact of risks
     • How to manage risks? (Share, avoid, reduce, accept?)
     • Procedures to ensure risk mitigation is effective
     • Education and awareness of policies, effective practices
     • Management reviews and auditors assess

  14. COBIT: Evaluation of Three Key Areas
     IT Governance focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement
     • Information Criteria
       • Quality (cost, delivery)
       • Fiduciary responsibility (reliability, compliance, efficiency and effectiveness)
       • Security (confidentiality, integrity, availability)
     • IT Resources (data, application systems, technology, facilities, people)
     • IT Processes (domain, processes, tasks/activities)

  15. OCTAVE
     • Phase I: Build asset-based threat profiles
       • What’s important to the organization; how are assets protected?
     • Phase II: Identify infrastructure vulnerabilities
       • Identifying classes of IT components related to each critical asset; how resistant are they to network attacks?
     • Phase III: Develop security strategy and plans
       • Identify risks to the organization’s critical assets; what is being done to protect them?

  16. ISO 17799: Defines Best Practice and Certification Process
     Detailed security standard, organized into ten major sections:
     • Security policy
     • Security organization
     • Asset classification & control
     • Personnel security
     • Physical & environmental security
     • Communications & operations management
     • Access control
     • Systems development & maintenance
     • Business continuity management
     • Compliance

  17. Risk Assessment Models
     • NIST – Security Self-Assessment Guide for Information Technology Systems
     • NIPC (National Infrastructure Protection Center; part of the Dept. of Homeland Security)
     • NSA (National Security Agency)
     • ISO 17799 (International Organization for Standardization; “a comprehensive set of controls comprising best practices in information security”)
     • All solid guidance, but none are higher-ed focused

  18. Higher-Ed focused risk assessment tools:
     • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) – developed at the CERT Coordination Center at Carnegie Mellon University
     • STAR (Security Targeting and Analysis of Risks) – developed and used at Virginia Tech
     • Information Security Governance (ISG) Assessment Tool: http://www.educause.edu/ir/library/pdf/SEC0421.pdf
     • EDUCAUSE Effective Practices Guide: http://www.educause.edu/EffectivePracticesandSolutionsinSecurity/1246
     • Risk Assessment Framework: http://www.educause.edu/LibraryDetailPage/666?ID=CSD4380

  19. Outline of Risk Assessment Framework
     • Phase 0: Establish Risk Assessment Criteria for the Identification and Prioritization of Critical Assets (a one-time process)
       • 1: Establish Risk Assessment Criteria
       • 2: Apply the Critical Asset Criteria to Classify Data Collections and Related Resources
     • Phase 1: Develop Initial Security Strategies
       • 1: Strategic Perspective – Senior Management
       • 2: Operational Perspective – Departmental Management
       • 3: Practice Perspective – Staff
       • 4: Consolidated View of Security Requirements

  20. Outline of Risk Assessment Framework (cont.)
     • Phase 2: Technological View – Identify Infrastructure Vulnerabilities
       • 5: Key Technology Components
       • 6: Selected Technology Components Evaluation
     • Phase 3: Risk Analysis – Develop Security Strategy and Plans
       • 7: Risk Assessment
       • 8: Protection Strategy and Mitigation Plans

  21. Recommendations for CBOs
     • Data disclosures put your institution at great financial risk, and CBOs need to understand the risks and issues
     • Foster collaborative relationships with the Provost, CIO, CFO, and Chief Auditor to make IT security a campus priority. Consider using the building organizational capacity model to analyze your approach to IT security.
     • Research has shown that policies, procedures, and management oversight are the critical factors for success. This is often a strength of CBOs that can be shared with IT.
     • Partner with IT to integrate IT security throughout your own organization and promote the message that IT security is a “shared responsibility”
