Copyright Information Copyright John Bruggeman, Gary Dobbins, Jim Lowe 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Building a Standards Based Information Security Program Tuesday, March 24, 2009 10:45 a.m. - 11:30 a.m.
Agenda

Presenters:
- John Bruggeman, Director of Information Systems, Hebrew Union College
- Gary Dobbins, Director, Information Security, University of Notre Dame
- Jim Lowe, CISO, University of Wisconsin-Madison

- Overview (John Bruggeman)
- University of Notre Dame experience (Gary Dobbins)
- University of Wisconsin-Madison experience (Jim Lowe)
- Review / Questions and Answers
Overview
- Why standards and frameworks are useful: How do we know we are doing the right things? Are we doing the right things? How are my peers doing things?
- What the Security Task Force is doing to promote and leverage standards: www.educause.edu/security
- Where you can find more information: Security Task Force Effective Practices, http://wiki.internet2.edu/confluence/display/secguide
EDUCAUSE / Internet2 Security Task Force Effective Practices
John Bruggeman - Hebrew Union College, October 23, 2007

EDUCAUSE / Internet2 Security Task Force Effective Practices
In July 2000, Internet2 and EDUCAUSE formed the Computer and Network Security Task Force. The task force works to improve cyber security across the higher education sector and actively promotes effective practices and solutions for the protection of information assets and critical infrastructures.
http://wiki.internet2.edu/confluence/display/secguide

Created six sub-groups:
- Awareness and Training (annual awareness video contest)
- Effective Practices and Solutions (dozens of EPs)
- Policy and Legal Issues (sample policies)
- Risk Assessment (guides and toolkits)
- Internet2 Security Initiative called SALSA (Security at Line Speed): http://security.internet2.edu/salsa
- REN-ISAC (Research and Education Networking – Information Sharing and Analysis Center): www.ren-isac.net

Speaker notes:
In July 2000, Internet2 and EDUCAUSE formed the Computer and Network Security Task Force. Read the goal on the slide. Six sub-groups were created to focus on the areas designated by both groups.

The Awareness and Training Working Group identifies and takes steps to implement and publicize various methods by which awareness of information technology security issues is raised among university and college computer and network users, administrators, and executives.

The Effective Practices and Solutions Working Group is focused on identifying and promoting practices, tools, and procedures that higher education institutions have found to be practical solutions to preventing or responding to security problems, with an emphasis on technology and process solutions.

The Policies and Legal Issues Working Group identifies security issues that may be affected by current and proposed laws and the implications for institutional policies. The group identifies and develops material to promote understanding of security-related policies and laws among security professionals, computer administrators, and users. It also identifies and develops examples of effective institutional policies and procedures related to security issues.

The Risk Assessment Working Group is focused on identifying and promoting practices, tools, techniques, and procedures to support institutions of higher education in the application of security risk management, including risk identification, evaluation, mitigation, strategic and operational planning, and monitoring to address information security and assurance.

Security Professionals Conference Program Committee.

Internet2's security initiative (SALSA) brings together technical representatives from the higher education community to advise on leading-edge technology issues, priorities, and new directions for security. Working groups within SALSA tackle specific issues, such as the SALSA-NetAuth Working Group, which explores various security technologies related to authorized network access, style and behavior of transit traffic, and forensic support for investigation of abuse. The SALSA-FWNA (Federated Wireless NetAuth) Working Group is a subgroup of SALSA-NetAuth that addresses the substantial technical details of deploying a pilot federated wireless network authentication system. A new initiative, Computer Security Incidents - Internet2 (CSI2), executed in close cooperation with the REN-ISAC, is looking at the secure sharing of real-time security information among members of the higher education community.

REN-ISAC is hosted by Indiana University with the support and cooperation of Internet2, Louisiana State University, EDUCAUSE, and contributors. REN-ISAC is short for Research and Education Networking – Information Sharing and Analysis Center. REN-ISAC is an integral part of higher education's strategy to improve network security through information collection, analysis, dissemination, early warning, and response. REN-ISAC services and products are specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks, and support efforts to protect the national cyber-infrastructure by participating in the formal U.S. ISAC structure. REN-ISAC is a vetted group and subscription is not open: you need to be known before you can join. The form to join can be found on the REN-ISAC site.

EDUCAUSE 2007 - Seminar 06A
EDUCAUSE / Internet2 Security Task Force Effective Practices
(Slide: picture of the IT Security home page)

Speaker notes:
This slide has a picture of the IT Security home page. If you have Internet access you might want to go to the site via this link: http://wiki.internet2.edu/confluence/display/secguide
Show them the four areas on the left-hand side: IT Security Guide, then below it Effective Practices, then below that Toolkits, then Resources. If not, just point out the IT Guide on the top left under the EDUCAUSE and I2 logos.
Security Task Force Initiatives: Hot Topics
- PCI-DSS workshop, May 4-6 in Indy: http://tinyurl.com/pci-workshop
- Partnership with NIST on Secure DNS Guide
- Confidential Data Handling Blueprint: http://tinyurl.com/conf-data
- Data Incident Notification Toolkit: http://tinyurl.com/data-incident
- Risk Management framework: http://tinyurl.com/risk-manage
Current List of Toolkits
- Business Continuity Planning Toolkit: version 1.0 currently up (May 2008); guides, templates, examples
- Confidential Data Handling Blueprint: 7-step guideline
- Data Classification Toolkit: 5-step guideline
- Data Incident Notification Toolkit: 5-part guide for a data incident

Speaker notes:

Business Continuity Planning Toolkit
- BC Planning tools
- BC Overview for Executives
- Disaster Recovery Planning Guide
- Pandemic Planning
- Communications Planning

Confidential Data Handling Blueprint
Introduction: The following steps and ensuing sub-items are intended to provide a general roadmap. Institutions will be at varying stages of progress. Some will start with the need to establish actions in the areas of policies, processes, or technology. Some will be ready to implement, and some will be able to revise and fine-tune their processes. You will also need to prioritize your actions to mitigate risks because of the comprehensive nature of the recommendations. We've attempted to organize these in a sequence that allows you to logically follow through each step. Although each item is recommended as an effective practice, we recognize that state/local legal requirements, institutional policy, or campus culture might leave each institution approaching this differently.

Steps:
Step 1: Create a security risk-aware culture that includes an information security risk management program
Step 2: Define institutional data types
Step 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive data
Step 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processes
Step 5: Establish and implement stricter controls for safeguarding confidential/sensitive data
Step 6: Provide awareness and training
Step 7: Verify compliance routinely with your policies and procedures

Data Classification
The objective of the Data Classification Toolkit is to provide a body of information, resources, and guidance that can assist higher education officials in addressing the following questions regarding classifying data:
- Need: Why is it necessary or mandatory to classify data?
- Roles: Who should classify what data?
- Methods: How should data be classified? Are there any best (or common) practices available?
- Impact: What processes are dependent on or impacted by data classification?
Step 1: Determine the need and/or requirements for data classification
Step 2: Determine the roles involved in data classification
Step 3: Determine your institution's classification levels
Step 4: Determine the methodology and procedures for classifying data
Step 5: Determine and review other information security processes impacted by data classification

Data Incident Notification Toolkit
These Data Incident Notification Templates provide sample materials for dealing with all aspects of a data incident.
- Building a Press Release (Section One)
- Notification Letter Components (Section Two)
- Incident-Specific Web Site Template (Section Three)
- Incident Response FAQ (Section Four)
- Generic Identity Theft Web Site (Section Five)
Other resources from the Guide
- Cybersecurity Resource Center: 5 main areas, dozens of resources from EDUCAUSE, Internet2, discussion groups, mailing lists, Usenet, blogs, Internet2 wikis, EDUCAUSE library resources
- Glossary: helpful reference glossary
- Security Discussion Group: popular discussion group, good signal-to-noise ratio
- Security Task Force Homepage: additional resources from the Task Force
Information Security Program Overview and Status
Derived from the 2006 Campus Information Technology Risk Assessment (CITRA)
Gary Dobbins, Director, Information Security, University of Notre Dame
Response to CITRA
Expanded Security Program plan:
- Prioritized and scheduled remediation initiatives
- Covers high- and medium-risk CITRA observations
- More than 40 new projects, across 4 years
- Funded, staffed
Summary CITRA Observations
- Information Security Framework. Observation: Notre Dame lacks a formal, University-wide information security framework that organizes its information security governance, policies, standards, and expectations.
- Data Classification and Handling. Observation: The University's data classification policy lacks the granularity to accommodate the sensitive data types used throughout the University. Further, the data classification policy does not govern the handling of data assets.
- Access Control. Observation: The University provides excessive, and in some cases nominally controlled, access to sensitive data assets.
- Encryption Strategy. Observation: The University stores and transmits sensitive data in an unprotected, unencrypted fashion.
- Configuration Standards. Observation: The University lacks configuration standards for many IT resources, including desktops, laptops, servers, networking equipment and security devices.
Summary CITRA Observations (continued)
- Physical Security. Observation: The University's physical security controls are ineffective (particularly at the department level) in inhibiting malicious activities.
- Technical Security Architecture. Observation: The current technical security architecture lacks the granularity to allow for enhanced security controls.
- Disaster Recovery and Business Continuity Planning. Observation: The University has not developed a formal DR and BCP structure and strategy.
- Compliance. Observation: The University lacks formal, approved standards for regular and ongoing assessments and reviews.
- Information Security Awareness. Observation: While OIT publishes a set of information security policies, in general the University lacks an understanding of information security expectations and requirements.
Risk Management Philosophy
[Chart: risk reduction versus cost, plotted against the extent of risk-reduction controls, with the optimal value marked. Purpose: for the Officers to "see" where they want to set their risk management spend level.]
- Institutional understanding of risk management is evolving.
- Some controls are in place and are making a difference, but more are needed due to changing risks.
We should:
- Balance concern for security with ND risk tolerance
- Align with an accepted industry standard (e.g. ISO 17799)
- Comply with institutional obligations/commitments (e.g. FERPA, HIPAA, PCI DSS, GLBA)
Program Mission
Identify confidentiality, integrity and availability risks to sensitive University information, and mitigate those risks to acceptable levels.
Program Objectives
The objectives of the program are to:
- Evaluate risks to the confidentiality, integrity and availability of sensitive information
- Establish and communicate security-related policies, procedures and standards
- Establish and implement controls to fill critical gaps, as determined by institutional risk tolerance
- Create awareness of information security and proper data handling practices
Program Elements
- Policy
- Awareness, Training and Education
- Credit Card Support Program
- Security Infrastructure
- Network Security
- Workstation Security
- Server Security
- Incident Handling
- Sustaining Activities
How we portrayed the various projects, tied them back to the findings on which they were based, and grouped them according to type and plotted across time.
Alternate view – a HEAT map of the same projects, by cost/effect
Sustaining Activities
- Security Operations Center (FY 2008-2009): Create an operations center to monitor and provide initial response to security events
- Recurring Risk Assessments (FY 2010): Establish a process for recurring, periodic risk assessments to measure risk to University data assets
- Program Monitoring (FY 2010): Assess the ongoing effectiveness of the information security program
University of Wisconsin-Madison
Jim Lowe, UW-Madison, CISO, lowe@wisc.edu
Welcome
Risk Based Decision Making (RBDM) Security Strategy
"I don't skate to where the puck is. I skate to where the puck is going to be." – Wayne Gretzky
Whac-a-Mole: www.youtube.com/watch?v=D0n8N98mpes
vs.
Risk Based Decision Making (RBDM): www.youtube.com/watch?v=2McKWXZ5VoU
Managing Risk
[Diagram with the labels: Impact, Likelihood, Risk, Mitigation Controls, $, Care]
Determining Impact
- How many?
- What is our liability, if breached? SSN, credit cards, financial accounts, protected health information...
Risk Reduction Strategy:
- Delete what you don't need
- Protect what you keep
- Revisit annually (records retention)
Likelihood of a Threat

Threats                     | Private Sector (N=126) | Public Sector (N=114) | Higher Education (N=52)* | Medical Centers (N=30)
Outside Hackers             | 15%                    | 13%                   | 52%                      | 3%
Insider Malfeasance         | 10%                    | 5%                    | 2%                       | 20%
Human/Software Incompetence |                        | 44%                   | 21%                      |
Theft of Laptop/Computer    | 55%                    | 38%                   | 37%                      | 57%

* Higher Education total is 112%
Source: http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm

Speaker notes (J):
The statistics compiled by privacyrights.org show categories for vulnerabilities and areas that have been affected. Medical Centers seem to be ahead of the rest of us in protecting themselves from outside hackers, but they have been at this longer with HIPAA, since 1996. The private sector has a different set of constraints on their networks than Higher Ed does... We seem to be a target. Insider Malfeasance seems to be low at universities, but it may be underreported or undetected. Human error seems to be higher in the public sector, and theft is an issue everywhere... Note that when you are on the receiving side it is called Human/Software Incompetence; on the sending side it is called Error.
What should we focus on? The data says control for 1) hackers, 2) theft and 3) errors. Hacker controls are complex. Desktop/laptop encryption can help mitigate theft. Training and testing can help mitigate incompetence.
Compliance Poster
* Google: Symantec IT Controls Reference
Gaps: Which Standard?
Mitigation: Gap Analysis
- Build and Maintain a Secure Network
- Protect Restricted Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control
- Regularly Monitor and Test
- Maintain an Information Security Policy
www.cio.wisc.edu/security/initiatives/restricted.aspx
Gaps: Credential Stores
Credential Assessment Framework – determine mitigation controls for credential stores and LOA (level of assurance)
http://www.cio.wisc.edu/security/risk.asp
NIST 800-63 and InCommon w/ DSS controls
What did we have?
- Network and some host-based firewalls
- Patch management
- Antivirus
- Vulnerability management (Nessus, AppScan)
- Incident Response (with Forensics)
- Awareness Program
- Best Practice for restricted data
Where has RBDM led?
Gap Analysis led to prioritization of:
- Security Event Manager (risk/threat realization): event correlation, threat info, logs, flows, etc.
- Data Sanitization tool (minimize impact): create test, dev and Q/A environments without PI
- Data Search tool (minimize impact): find PI, delete it or protect it; at a minimum, awareness of PI
- Full Disk Encryption (maximize mitigation)
- Development of IT Training Program (minimize likelihood)
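The "Data Search tool" item above is about locating personal information (PI) so it can be deleted or protected, and the "Determining Impact" slide asks "how many?". As an added illustration that is not part of this presentation or of any UW-Madison tool, the scanner below runs over a constructed sample text: it flags SSN-formatted values that pass the basic area/group/serial rules and card-like digit runs that pass the Luhn check, and reports only masked values so the finding report does not itself become a new store of PI. The function names, regular expressions and sample records are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample records (not real data) standing in for files found in a
# test/dev environment. Line 3 carries a card number that fails the Luhn check
# and line 4 an SSN with an invalid area number, so neither should be flagged.
SAMPLE_TEXT = """\
student_id=2048771 name=J. Doe ssn=123-45-6789 notes=advising hold
order=5511 card=4111 1111 1111 1111 exp=09/11 status=shipped
order=5512 card=4111 1111 1111 1112 exp=09/11 status=typo in record
applicant=A. Roe ssn=000-12-3456 notes=invalid area number, not a real SSN
"""

# SSN: area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# Card-like run: 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


@dataclass
class Finding:
    kind: str      # "SSN" or "CARD"
    line: int      # 1-based line number in the scanned text
    masked: str    # value with all but the last four digits replaced


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_ssn(value: str) -> str:
    return "***-**-" + value[-4:]


def mask_card(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> List[Finding]:
    """Scan text line by line and return masked findings for likely PI."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding("SSN", line_no, mask_ssn(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):   # drops digit runs that merely look like a card number
                findings.append(Finding("CARD", line_no, mask_card(digits)))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per kind; the counts feed the 'how many?' impact question."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_TEXT)
    for f in found:
        print(f"line {f.line}: {f.kind} {f.masked}")
    print(summarize(found))
```

Run against the constructed sample, the scanner reports one SSN on line 1 and one card number on line 2; the Luhn check and the SSN area rule keep lines 3 and 4 out of the report, which is the kind of false-positive filtering a campus-wide search needs before anyone is asked to delete or protect what was found.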
Where is RBDM leading?
Continue to fill gaps (soon):
- RFI for End Point Security Controls: patch management, AV, HIDS, DLP, etc.
- RFI or RFP for vulnerability management tools: network, endpoint, database, application
- LOA-3 with second-factor authN (likely X.509)
- Enhanced monitoring of PI (net, host, DB and apps): Security Event Management, Intrusion Detection System, Data Leak Prevention
- Enhanced Incident Response
Review
Security Task Force Resources: http://wiki.internet2.edu/confluence/display/secguide
Case studies:
- Georgia State – Tammy Clark: http://net.educause.edu/ir/library/pdf/EPS303.pdf
- University of Texas System – Miguel Soldi: http://net.educause.edu/SEC08/Program/14422?PRODUCT_CODE=SEC08/SESS22
Share your campus experience: submit an Effective Practice
Internet2 Fall 2008 - John Bruggeman

Security Resources
Resources:
http://security.internet2.edu
http://www.educause.edu/security
http://www.microsoft.com/technet/security
http://www.sans.org/
http://www.cert.org
http://www.incidents.org
http://www.foundstone.com

Speaker notes:
The following is a list of handy security resources that people might like to have. They don't always show up well on the overhead, but hopefully folks can print this off or I can make it available later as requested. Please feel free to email me with questions; I can be reached at John@huc.edu, or you can call me if you like: 513-487-3269. Thank you for your time and attendance!
John, October 14th, 2008
Questions & Answers
John Bruggeman – john@huc.edu
Gary Dobbins – dobbins@nd.edu
Jim Lowe – lowe@wisc.edu

Resources online
EDUCAUSE / Internet2 Effective Practices Security Guide
http://wiki.confluence.internet2.edu/secguide
http://educause.edu/security