Information Technology Standards at the University of Illinois: Common Challenges and Solutions
Shea Nangle, Security Standards and Compliance Officer
Michael Corn, CPO/CSO

Presentation Outline
- A little context and history
- Three elements of a standards program, with a drill-down on each
- Feel free to interrupt during any portion
- Alternate solutions or overlooked challenges are encouraged during the discussion
Background and Context
Background
- Policy vs. standards vs. guidelines vs. procedures: no common campus understanding of the distinctions
- No tradition of central IT governance
- The usual issues of distributed IT
- A well-established role for the security office

Context
- Diverse environment
- Forced to be collaborative

Slow Progress
- Timeline of the effort (figure not reproduced in this extract)
- PCI DSS
Three Legs of a Standards Program
- Elements: Risks, Controls, Standards
- Governance: Policy, Oversight, Vetting/Socialization
- Compliance: Accountability, Technology, Risk Acceptance
Each leg (Elements, Governance, Compliance) has its own challenges, covered in turn below.

Elements: Controls | Standards | Risks
Elements of a Standards Program (worked example)
- Control 13: "All University-owned laptops must be configured and operate with Full Disk Encryption (FDE) software or hardware."
- Standard: Laptop Standard
- Risk [GEN-001]: Risk of data breach, release, or loss through the theft or loss of a laptop.

Controls
- Drawn from ISO 27002 and NIST

Standards
- Not organized or written in ISO 27k domains
- Very low bar, due to University culture
- Acceptability will increase over time

Risks
- Changing perspective (forest vs. trees)
- Developing a risk knowledgebase
Element Challenges I
- Palatability of controls: everyone's an expert
- Standards are platform-agnostic
- Exception process: everyone's an expert
- Which comes first: risks, standards, or controls?

Element Challenges II
- Quantification vs. qualification of risk
- Discussion of the choice to do lightweight, qualitative risk analysis initially (with examples)
- Move toward quantitative risk analysis as much as possible
Current Risk Analysis
Governance: Policy | Oversight | Vetting

Governance - Policy
- Policy language: "The responsibility for Information Security includes the authority to assume leadership and responsibility to develop, implement, and monitor for compliance the policies, standards, and procedures necessary to achieve the objectives detailed within this policy."

Governance - Oversight: Standards Advisory Board
- 2-3 faculty
- Service/admin representative
- 1 college CIO; 1 IT line staff
- Auditor + Security Office

Governance - Vetting: Standards Focus Group
- Range of constituents
- Visiting SMEs
- Monthly meetings
- Draft discussion, revision discussion, endorsement (as interim standards)

Governance Challenges
- Policy != Standard
- Faculty and non-IT engagement
Compliance: Accountability | Technology | Risk Acceptance

Accountability
- Table mapping each control to the party accountable for it (Control | Accountability)

Compliance Technology
- Ad hoc
- GPOs
- CIS benchmarks
- Scanners
- Centralized tools

Risk Acceptance
- Only a percentage of your environment can be measured
- Extrapolate from what you can measure
- Map your "compliance topology"
- Compare it with high-risk zones
- Focus efforts where the ROI is higher
- "Accept" what you can't measure

Compliance Challenges
- Defining accountability outside of the central unit
- How do we measure compliance? Evaluate each control, then average across the standard
- Leverage any existing tools, even if weak
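The two slides above (Risk Acceptance, and measuring compliance as "evaluate each control, average across the standard") describe a scoring procedure without showing one. The following is an added example written for this page, not code from the presenters or the University; the unit names, risk ratings, the two extra controls beside Control 13, and the scan results are all constructed. It scores each control over the units that could be measured, averages those scores across the standard, extrapolates a score to unmeasured units (the "accepted" gap, flagged rather than hidden), and ranks units by risk times non-compliance so effort goes to the high-risk, low-compliance zones first.

```python
"""Compliance scoring with partial measurement (added example; constructed data)."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Constructed standard: Control 13 is quoted from the deck, the other two are hypothetical.
LAPTOP_STANDARD: Dict[str, str] = {
    "13": "All University-owned laptops must use Full Disk Encryption (FDE)",
    "A": "Screen locks after inactivity (constructed control)",
    "B": "OS patches current within 30 days (constructed control)",
}


@dataclass
class Unit:
    name: str
    risk: int                            # 1 (low) .. 5 (high), from the risk knowledgebase (constructed)
    results: Optional[Dict[str, bool]]   # control id -> passed; None means the unit could not be measured


# Constructed scan results: three units measurable, two not.
UNITS: List[Unit] = [
    Unit("Central IT", 3, {"13": True, "A": True, "B": True}),
    Unit("Medicine", 5, {"13": True, "A": False, "B": False}),
    Unit("Fine Arts", 2, {"13": False, "A": True, "B": False}),
    Unit("Research Lab A", 5, None),
    Unit("Registrar", 4, None),
]


def measured(units: List[Unit]) -> List[Unit]:
    return [u for u in units if u.results is not None]


def coverage(units: List[Unit]) -> float:
    """Fraction of the environment that can actually be measured."""
    return len(measured(units)) / len(units) if units else 0.0


def control_score(units: List[Unit], control_id: str) -> float:
    """Share of measured units passing one control (a missing result counts as a fail)."""
    m = measured(units)
    if not m:
        return 0.0
    return sum(1 for u in m if u.results.get(control_id, False)) / len(m)


def standard_score(units: List[Unit], standard: Dict[str, str]) -> float:
    """Evaluate each control, then average across the standard."""
    return mean([control_score(units, c) for c in standard])


def unit_score(unit: Unit, standard: Dict[str, str], fallback: float):
    """Per-unit compliance; an unmeasured unit inherits the measured average as an extrapolation."""
    if unit.results is None:
        return fallback, False
    return mean([1.0 if unit.results.get(c, False) else 0.0 for c in standard]), True


def compliance_topology(units: List[Unit], standard: Dict[str, str]) -> List[dict]:
    """Rank units by exposure = risk * (1 - score), highest first.

    Unmeasured units keep measured=False so the accepted gap stays visible in the ranking.
    """
    baseline = standard_score(units, standard)
    rows = []
    for u in units:
        score, is_measured = unit_score(u, standard, baseline)
        rows.append({
            "unit": u.name,
            "risk": u.risk,
            "score": round(score, 3),
            "measured": is_measured,
            "exposure": round(u.risk * (1.0 - score), 3),
        })
    rows.sort(key=lambda r: r["exposure"], reverse=True)
    return rows


if __name__ == "__main__":
    print(f"coverage: {coverage(UNITS):.0%}, standard score: {standard_score(UNITS, LAPTOP_STANDARD):.2f}")
    for row in compliance_topology(UNITS, LAPTOP_STANDARD):
        flag = "" if row["measured"] else "  (extrapolated; accepted gap)"
        print(f'{row["unit"]:<15} risk={row["risk"]} score={row["score"]:.2f} exposure={row["exposure"]:.2f}{flag}')
```

With the constructed data, 60% of units are measurable and the Laptop Standard scores 5/9 overall; Medicine ranks first because it is high-risk and fails two of three controls, and the unmeasured Research Lab A ranks second on extrapolated score alone, which is exactly the unit a practitioner should be uneasy about "accepting". Weighting exposure by a quantitative loss figure instead of a 1-5 rating is the natural step toward the quantitative analysis the deck says it is moving toward.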
Compliance Challenges
- How do we increase compliance?
- Sales & marketing (internal promotion of the standards)
- Audit
- Cyber-insurance requirements
- Incident follow-up
- Identify centralized management as strategic (e.g., endpoint management)
- Provide simple tools: GPOs, CIS benchmarks, scanners, hardening scripts

Challenge Summary: Fear | Uncertainty | Doubt

Contact
- Shea Nangle, nangle@illinois.edu
- Mike Corn, mcorn@illinois.edu
- http://go.illinois.edu/itstandards