Policy, Standards and Guidelines Breakout
Co-Chairs: Victor Hazlewood, OCIO Cyber Security, ORNL; Kim Milford, ISO, University of Rochester

Summary of discussions
• Commend NSF for putting a security plan in agreements. A good step forward.
• The wide range of projects that NSF supports (large, medium and small) is recognized.
• Protection of data and risk-based analysis are the key to the planning.
• Security planning requires thinking through how security is to be implemented, and the associated costs follow from that.
• It is suggested that awardees and NSF program officers will need guidance.

Summary of discussions (cont'd)
• Recommendations:
  • Get more guidance from NSF on the security plan
  • Security frameworks and best-practice templates (e.g. NIST, EDUCAUSE, ISC2, etc.)
  • Program officer security plan checklist; the checklist needs to be based on risk
  • Engaging security experts to help awardees and program officers/reviewers
  • Incident response planning guide, flowcharts, resources (examples from TeraGrid, Yale, etc.)
  • Acceptable Use Policy examples

Summary of discussion so far
• Encourage dialogue between awardees and Program Officers
• Start discussion about developing a protocol for notifying program officers about cyber security incidents (and other events that affect the program)

Security Plan
• Language in the CA says the awardee must have a security plan including, but not limited to:
  • Policy and procedures
  • Roles and responsibilities
  • Risk assessment*
  • Awareness and training
  • Incident notification procedures
  • Technical safeguards
  • Administrative safeguards
  • Physical safeguards
* = the ones we discussed in the breakout

Other Policies of Interest: Suggested List
• Acceptable Use Policy*
• Media Protection*
• Incident Response*
• Access Control
• Audit and Accountability
• Security Assessment
• Configuration Management
• Contingency Planning
• Identification and Authentication

Discussions so far… Policies (cont'd)
• System Acquisition Policy and Procedures
• System and Communication Protection
• System and Information Integrity
• Personnel Security
• System Maintenance