Lessons Learned in Managing IT Risk

Slides:



Advertisements
Similar presentations
Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
Advertisements

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
The State of Security Management By Jim Reavis January 2003.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Computer Security: Principles and Practice
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
Network security policy: best practices
Automating Endpoint Security Policy Enforcement Computing and Networking Services University of Toronto.
Incident Response Updated 03/20/2015
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
SEC835 Database and Web application security Information Security Architecture.
Information Security Update CTC 18 March 2015 Julianne Tolson.
Evolving IT Framework Standards (Compliance and IT)
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
Security Introduction. Security is a system It is important to realize that security is a system of individual measures, each of which is not fully effective.
RINGS (ResNet Integrated Next Generation Solution) Educause Security Professionals Conference 2006.
Module 2: Installing and Maintaining ISA Server. Overview Installing ISA Server 2004 Choosing ISA Server Clients Installing and Configuring Firewall Clients.
K E M A, I N C. Ten Steps To Secure Control Systems APPA 2005 Conference Session: Securing SCADA Networks from Cyber Attacks Memphis, TN April 18, 2005.
Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,
Blueberry Software IT Security Audit Results. Results: Good.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Appendix C: Designing an Operations Framework to Manage Security.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Cryptography and Network Security (CS435) Part One (Introduction)
Chapter 2 Securing Network Server and User Workstations.
What Can Go Wrong During a Pen-test? Effectively Engaging and Managing a Pen-test.
Security Awareness – Essential Part of Security Management Ilze Murane.
Understand Network Isolation Part 2 LESSON 3.3_B Security Fundamentals.
Configuring, Managing and Maintaining Windows Server® 2008 Servers Course 6419A.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.
Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.
Information Security tools for records managers Frank Rankin.
© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 10 Network Security Management.
Welcome Information Security Office Services Available to Counties Security Operations Center Questions.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Taking on Tomorrow's Challenges Today Taking on Tomorrow's Challenges Today Almost every organisation has been attacked …. But most don’t know about it!
Security and resilience for Smart Hospitals Key findings
Performing Risk Analysis and Testing: Outsource or In-house
Cybersecurity - What’s Next? June 2017
Phare EIONET Centralised Training Session
Backdoor Attacks.
Compliance with hardening standards
Information Security 101 Richard Davis, Rob Laltrello.
BUILDING A PRIVACY AND SECURITY PROGRAM FOR YOUR NON-PROFIT
Security Engineering.
Privacy and Security in the Employment Relationship
Reduce Security Risks to Protect Your Network
NERC CIP Implementation – Lessons Learned and Path Forward
Forensics Week 11.
Unfortunately, any small business could face the risk of a data breach or cyber attack. Regardless of how big or small your business is, if your data,
Office 365 Security Assessment Workshop
NRC Cyber Security Regulatory Overview
Auburn Information Technology
UConn NIST Compliance Project
IS4680 Security Auditing for Compliance
Check Point Connectra NGX R60
Network Security Best Practices
David J. Carter, CISO Commonwealth Office of Technology
How to Mitigate the Consequences What are the Countermeasures?
EDUCAUSE Security Professionals Conference 2018 Jason Pufahl, CISO
Drew Hunt Network Security Analyst Valley Medical Center
Increase and Improve your PC management with Windows Intune
Cybersecurity Threat Assessment
In the attack index…what number is your Company?
Unit # 1: Overview of the Course Dr. Bhavani Thuraisingham
Presentation transcript:

Lessons Learned in Managing IT Risk EDUCAUSE Security Professionals Conference 2013 Jane Drews, CISO The University of Iowa Lessons Learned in Managing IT Risk

Topics Understanding IT Risk Key Areas and Lessons Learned Information Risk Endpoint Risk System/Server Risk Educause SPC 2013

Understanding IT Risk Educause SPC 2013

An “Economic” aspect Educause SPC 2013

A “Safety” aspect Educause SPC 2013

A “Probability” perspective Educause SPC 2013

An “Impact” perspective Educause SPC 2013

IT Risk Sources Information (CIA) Physical failures Software errors Non-Compliance Human elements Environmental Educause SPC 2013

An IT Risk Management Model Impact Transfer Avoid Probability Accept Reduce Educause SPC 2013

Information Risk Educause SPC 2013

Preservation Educause SPC 2013

Litigation Educause SPC 2013

Lessons about Information Risk Preserve important information Resources, methods/formats, and instructions Discard what you don’t need Controls cost, information sprawl Automate records management if possible Controls errors and omissions Be prepared for litigation Educause SPC 2013

Endpoint Risk Educause SPC 2013

User as the Endpoint Educause SPC 2013

Client Devices Websense reports only 5 percent of actively used browser installations have the most up-to-date version of the Java plug-in… Organizations face malware-related events that bypass traditional defense technologies on their networks every three minutes, according to a new report released Wednesday by security vendor FireEye. Educause SPC 2013

Lessons about Endpoints Threats are constantly evolving A-V model is no longer very effective Standardize and automate client security Professionally manage all devices Lockdown as much as possible User Training and Awareness Learn safe computing practices and policies Recognize and avoid risks Stronger authentication should be considered Educause SPC 2013

System (Server) Risk Educause SPC 2013

System Compromises Credentials, Keys, SSO Patching Configuration and trusts System Monitoring Educause SPC 2013

Defense in Depth Educause SPC 2013

Lessons about systems We are an interconnected IT ecosystem Common good, general protections for all Small system changes can reap large benefits Strong authentication for all accounts Don’t be the weak link! Enforcement is tricky Educate on guidelines and policy Utilize assessment methods and tools to check Educause SPC 2013

Specific Lessons Recap: Implement a records management program Address normal preservation and litigation, as they are equally important Automate management of all clients Expand user security awareness training Employ stronger authentication Isolate systems or services from Internet Improve system-level monitoring Provide more training for IT staffs Perform more system checks/assessments Educause SPC 2013

For more information: jane-drews@uiowa.edu http://itsecurity.uiowa.edu http://www.educause.edu/security/guide Educause SPC 2013

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.