How Do You Create a Successful Information Security Program? Hire a GREAT ISO!!
Tammy L. Clark, CISSP, CISM, CISA
Information Security Officer, Georgia State University
A Little Background on Me…
• Hired as a consultant to design a security program for GSU in April 2000
• Started the program in July 2000
• Began with a strategic 3-5 year plan
• “Sold” the program to campus constituents and implemented security solutions that would make an immediate impact--the big bang!
• Apathy has changed to empathy on our campus!
Developing an Information Security Program
• The best approach is a strategic one
• Throwing together various solutions without adequate planning may work in the short term, but is disastrous in the long term!
• The role is similar to, but more granular than, the role the CIO plays in the overall IT organization—you need a CISO to lead your information security program
• The key is selecting the right person and empowering them to effect positive changes
Taking a Strategic View of Things
• START with a 3-5 year strategic security plan, as well as a plan outlining the tactical approach that will be taken, and annual project plans to project what priorities will be tackled and what resources and budget will be necessary each year
• OVER 95% of universities I’ve surveyed over the past 5 years do not have a strategic information security plan that details how the information security department or function will align itself as an enabler of the information technology, business and academic objectives
• PRIORITIZE your needs when it comes to budgeting for information security—unless you are one of those entities fortunate enough to have millions to spend on security solutions and endeavors, you will find it necessary to carefully select the solutions, resources, and program initiatives that your university will focus on each year
Confidentiality, Integrity, and Availability
• The goals of an effective program:
• Develop clear and unambiguous policies, guidelines and standards
• Protect sensitive data
• Prevent unauthorized intrusions, access, tampering
• Ensure business continuity and operational efficiency
• Assess risks, threats and vulnerabilities accurately
• Detect and remediate security incidents quickly
People, Processes, and Technology
• Technical solutions without processes are ineffective
• Processes without trained and motivated people to implement them are useless
• People without training, motivation, or understanding can negate the effectiveness of technology and processes
An In-depth and Layered Defense
• The information security strategic, tactical and annual project plans should focus on developing an in-depth and layered approach to integrating information security tools into the existing network infrastructure, as well as making key decisions about how your university will choose to protect its information technology resources
• For example, at GSU, we’ve chosen to focus on a strategy of IPS and AV at the edge of the network, firewalls and ACLs to protect key segments of the campus, IPS and AV on desktops and many campus servers, VPN and Bluesocket boxes in the wireless areas, and the Perfigo security gateway solution to ensure that housing residents’ systems are running the specific security software we require before granting them network access
• The tools we are leveraging today started with an overall strategy of securing campus hosts rather than deploying a network firewall at the edge, and have evolved over time as security solutions have matured and added new capabilities—we build relationships with the vendors we do business with and thoroughly evaluate a new vendor’s technology and their capacity to provide continued support and enhancements. We have limited dollars to spend and must do so wisely.
Evangelizing the Masses
• ALL it takes is hackers exploiting a single workstation or server that processes sensitive student information or stores user credit card info to land your university on the 6:00 p.m. newscast!
• CONFUSION reigns among many campus users about how to protect their workstations from the numerous methods employed to install backdoors, IRC bots, worms, and spyware—they seek leadership and guidance to help prevent these problems.
• THANKS to all the attention garnered by MyDoom, Blaster, Sasser, etc., the university community as a whole cares more now about information security than ever before!
Why Committees and IT Staff Members Can Assist But Not Lead
• It is important to include these constituents in policy, procedural and potentially security solution evaluations—they are well suited to assist or provide feedback in these important areas BUT…
• Generally speaking, committees are composed of individuals with responsibilities that are not focused around information security; therefore, their number one priority is their own job responsibilities, not developing and nurturing an information security program, which takes a huge amount of care and feeding upfront
• Information technology professionals often lack the business management background to tackle program issues from a C-level standpoint—additionally, many have built up expertise in one or two areas of technology and lack the overall breadth of information technology and specific information security experience to tackle the challenging role of the ISO
Why You Need an ISO
• Leadership
• Vision
• Integrity
• Dedication
• Catalyst for change
• Promote the perception of information security as a value add
• Negotiate effectively with security solutions vendors to procure the best solution for your university at the best price
• Evangelize the masses
Real World Examples
• A university without an ISO charges the network manager to deploy some security solutions—since they are a Cisco “shop,” the manager buys a number of Cisco’s security tools, including some PIX firewalls, IDS, and the Cisco Security Agents. A year later, the hardware procured is in a storage closet and the CSAs have not been deployed. The manager is of the opinion that this will have to wait until the necessary funding for training can happen.
• A CIO decides that “something” has to be done about the university’s lack of a way to detect or prevent attacks on the network; lately, the network has been crippled by Sasser infections, IRC bots, P2P distributions and spyware running on university workstations. He talks to a firewall vendor and the vendor talks him into placing a firewall appliance at the edge of the campus network to block all the “bad” stuff. After a couple of days of numerous help desk calls and complaints, the firewall is basically configured to allow rather than block most traffic coming in and out of the campus
What is it Going to Cost You…
• It may actually cost you more to deploy various security solutions without a clear and focused strategy or evaluation from a technical, risk, and business continuity standpoint than it would to hire an ISO!
• Time and time again, I’ve seen universities buying solutions without having a strategic security plan in place, without evaluating these tools, without integrating and layering them into the existing network infrastructure, ONLY to have to replace these solutions or abandon them and spend money to buy new ones
• Uncontained RPC worm infections, IRC bots, and illegal warez servers, given the man hours (in terms of salary dollars for IT staff members) that must be spent reinstalling compromised workstations or fixing network performance problems caused by denial of service attacks and other security-related problems, are a recovery cost that you want to avoid. Hire an ISO and start tackling these problems NOW!
Selecting an ISO
• Choose wisely, as this position is pivotal to the success of your information security program. Look for a wide breadth of information technology experience, solid evidence of leadership, project management, business management and/or analysis skills and training, and (optionally) security certifications.
• HIRE an ISO who can evaluate and deploy numerous types of security (IDS/IPS/firewall) solutions. The ISO needs to have the skill set to analyze and understand the data culled from various security solutions and logs in order to develop effective incident prevention and management strategies.
• HIRE an ISO who can write sound policies and procedures, communicate effectively with diverse constituent groups, develop strategic and project plans and security awareness presentations and materials, facilitate and create committees and working groups, and provide direction and guidance to information technology employees responsible
Typical Duties of an ISO
• Develop policies and guidelines
• Incident prevention, response and management
• Security awareness
• Security tool selection and deployment
• Security audits and reviews
• Focal point for providing information and guidance to the campus about threats and vulnerabilities
• Management of key security operational systems, such as anti-virus, IDS/IPS, firewalls
Most Effective Reporting Structure
• Although there are ISOs (including myself) who report to a director- or manager-level information technology staff member, the measure of influence that can be gained by being aligned underneath the CIO is invaluable
• However, if you are able to get your “message” across to multiple constituent groups and build strong alliances on campus with information technology staff members, faculty, students, and campus leaders in the police, legal affairs, public relations, human resources, student information and financial organizations, you can also effect positive outcomes and really motivate these organizations and people to collaborate with you in ensuring your information security program accomplishes the major goals and objectives established
• By the way, your “message” needs to address and appeal to the issues and needs of each constituent organization or individual that you deal with—one message does not fit all!
What Background is Most Desirable?
• Harry Shah, CISO of Marsh, a risk and insurance services provider, sums it up this way: "A CSO has to be a futurist, an evangelist, a technology manager, a cheerleader, a change agent, a good bureaucrat, a very good policy-maker, a negotiator and a legal expert. And on a good day, he also has to be a security engineer."
Are Certifications Important?
• CISSP – Certified Information Systems Security Professional
• SSCP – Systems Security Certified Practitioner
• CISM – Certified Information Security Manager
• CISA – Certified Information Systems Auditor
• GIAC – Global Information Assurance Certification
• CPP – Certified Protection Professional
• CompTIA Security+ Certification
• Forensics and Ethical Hacking (various)
• Vendor security certifications (ISS, Cisco, etc.)
Specific and Unique Qualities
• Actively seeks challenges and obstacles to overcome
• Embraces the need to dynamically evolve and stay current in knowledge of the technology and information security arenas
• Able to think outside the box
• Strong at problem solving, multi-tasking, juggling multiple projects and conflicting priorities
• Understands the role technology plays in furthering the mission of the academic, business, financial, and administrative units and how to integrate and align strategic goals and objectives of these areas with those in the information security organization
The “Ideal” Security Staff
• In terms of numbers of dedicated staff, you may find that you never have all the resources that you require
• Therefore, it is critical to hire security staff members with diverse backgrounds and skill sets that you can leverage along with existing information technology staff to manage and handle the requirements of various programs and initiatives created, such as security awareness, incident response, security tool implementation and management, policy and procedure development, security reviews and audits…
Wrapping Up…
• A great Information Security Officer can evolve and shape your campus information security program into a dynamic and effective entity!
• This individual will have a major focus on bringing needed attention to campus security problems and needs and will effectively promote the information security program and seek funding for major initiatives.
• Don’t take a piecemeal and fractured approach—with various constituent groups developing policies and other groups buying security tools. Hire a leader for your program, develop a sound 3-5 year strategy and integrate security into the existing framework.