Adapting Enterprise Security to a University Environment

Slides:



Advertisements
Similar presentations
CHECK 2012 Bridging the Gap for Mobile Devices: Eager Adoption v. Practical Support Emporia State University The Faculty & Staff Support Perspective Cory.
Advertisements

Data, Policy, Stakeholders, and Governance Amy Brooks, University of Michigan – Ann Arbor Bret Ingerman, Vassar College Copyright Bret Ingerman This.
Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
© Copyright Computer Lab Solutions All rights reserved. Do you need usage information about your computer labs? Copyright Computer Lab Solutions.
Cut Costs and Increase Productivity in your IT Organization with Effective Computer and Network Monitoring. Copyright © T3 Software Builders, Inc 2004.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Making the Case for Security: An Application of the NIST Security Assessment Framework to GW January 17, 2003 David Swartz Chief Information Officer Guy.
Southwest Educause 2003 © Baylor University 2003 Adapting Enterprise Security to a University Environment Bob Hartland Director of IT Servers and Network.
Educause Security 2007ISC Information Security Copyright Joshua Beeman, This work is the intellectual property of the author. Permission is granted.
Information Security Policies and Standards
Security+ Guide to Network Security Fundamentals
Principles of Information Security Kris Rosenberg, Chief Technology Officer Oregon State University College of Business Kris Rosenberg, Chief Technology.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Payment Card Industry (PCI) Data Security Standard
Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.
© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.
Copyright Anthony K. Holden, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Wireless LANs A Case Study of Baylor University’s Wireless Network Copyright Bob Hartland 2002 This work is the intellectual property of the author. Permission.
INDIANAUNIVERSITYINDIANAUNIVERSITY Automated Network Isolation at Indiana University David A. Greenberg Information Technology Security and Policy Office.
Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.
1 Institutions as Allies in the Security Challenge Wayne Donald, Virginia Tech Cathy Hubbs, George Mason University Darlene Quackenbush, James Madison.
Information Security Governance in Higher Education Policy2004 The EDUCAUSE Policy Conference Gordon Wishon EDUCAUSE/Internet 2 Security Task Force This.
Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.
1 Fighting Back With An Alliance For Secure Computing And Networking Wayne Donald, Virginia Tech Cathy Hubbs, George Mason University Darlene Quackenbush,
EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
A First Course in Information Security
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Office of Information Technology Balancing Technology and Privacy – the Directory Conundrum January 2007 Copyright Barbara Hope and Lori Kasamatsu 2007.
Discussion Panelists: Justin C. Klein Keane Sr. Information Security Specialist University of Pennsylvania Jonathan Hanny Application Security Specialist.
Chapter 6 of the Executive Guide manual Technology.
Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,
Information Systems Security
Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.
Note1 (Admi1) Overview of administering security.
Knowing What You Missed Forensic Techniques for Investigating Network Traffic.
Center for Planning and Information Technology T HE C ATHOLIC U NIVERSITY of A MERICA Bringing IT All Back Home Centralized Systems in a Decentralized.
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.
Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.
Educause Security 2006 © Baylor University Security Assessments for Information Technology Bob Hartland Director of IT Servers and Network Services.
Chapter 3 Pre-Incident Preparation Spring Incident Response & Computer Forensics.
Quickly Establishing A Workable IT Security Program EDUCAUSE Mid-Atlantic Regional Conference January 10-12, 2006 Copyright Robert E. Neale This.
“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.
© 2009 Pittsburgh Supercomputing Center Server Virtualization and Security Kevin Sullivan Copyright Kevin Sullivan, Pittsburgh Supercomputing.
Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Incident Response Strategy and Implementation Anthony J. Scaturro University IT Security Officer September 22, 2004.
University of Southern California Identity and Access Management (IAM)
Law Firm Data Security: What In-house Counsel Need to Know
Jill Forrester and David Kelly| October 20, 2011
Julian Hooker Assistant Managing Director Educause Southwest
Educause/Internet 2 Computer and Network Security Task Force
EDUCAUSE 2011 Three Paths, One Goal: Three Institutions’ Journey with Providing and Supporting Mobile Technology Emporia State University The Faculty &
Decentralization in a Centralized IT Environment
INFORMATION SECURITY The protection of information from accidental or intentional misuse of a persons inside or outside an organization Comp 212 – Computer.
BUILDING A PRIVACY AND SECURITY PROGRAM FOR YOUR NON-PROFIT
Cybersecurity Special Public Meeting/Commission Workshop for Natural Gas Utilities September 27, 2018.
University of Southern California Identity and Access Management (IAM)
Project for OnLine Instructional Support (POLIS)
myIS.neu.edu – presentation screen shots accompany:
How to Mitigate the Consequences What are the Countermeasures?
Drew Hunt Network Security Analyst Valley Medical Center
Intrusion Detection system
PLANNING A SECURE BASELINE INSTALLATION
Designing IIS Security (IIS – Internet Information Service)
Presentation transcript:

Adapting Enterprise Security to a University Environment Bob Hartland Director of IT Servers and Network Services Jon Allen Coordinator of IT Security Tommy Roberson Manager of Servers And IT Security Southwest Educause 2003 © Baylor University 2003

Overview of Presentation Baylor University IT Security Security through technology/hardware Security through People Putting it all together Southwest Educause 2003 © Baylor University 2003

Baylor University 14,221 Students 1,750 Full Time Employees Waco, Texas 14,221 Students 1,750 Full Time Employees Southwest Educause 2003 © Baylor University 2003

Information Technology Organizational Chart Southwest Educause 2003 © Baylor University 2003

What is IT Security? “…the concepts, techniques, technical measures and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use…” [McDaniel - IBM Dictionary of Computing 1994] It is more beneficial to focus on good planning then it is to rely solely on fancy technology. Southwest Educause 2003 © Baylor University 2003

Risks of Poor Security Loss of university productivity Public Relations problems Private Information (SSN, CC numbers, grades, etc.) Degradation or loss of client services Southwest Educause 2003 © Baylor University 2003

Security– As Viewed by Industry Security is a priority (proactive) The ROI for security has become highly visible in the past 2-3 years. Compromise or downtime results in lost profits Southwest Educause 2003 © Baylor University 2003

Security – As Viewed in an University Environment Threat to Academic Freedom A hindrance to research and education productivity Contention for funding Southwest Educause 2003 © Baylor University 2003

Baylor’s Approach to IT Security Our security strategy can be divided into two parts Technology People Southwest Educause 2003 © Baylor University 2003

Security through Technology Firewalls Intrusion Detection Systems VPN (encryption technologies) Logs Server Configuration Vulnerability Scanning Southwest Educause 2003 © Baylor University 2003

Firewalls First line of network protection from outside world Must be strategically placed to be effective in universities One size does not fit all for firewall policies Southwest Educause 2003 © Baylor University 2003

Firewall Recommendations Multiple firewalls are necessary in a university environment Firewall policies should be written with port level filtering. Southwest Educause 2003 © Baylor University 2003

Intrusion Detection Systems Deployment must be highly targeted Networks and servers must be understood to limit false positives Not a substitute for good security practices Southwest Educause 2003 © Baylor University 2003

Virtual Private Networks Ideal for limiting access and securing data transmission Great for extending the university network to students and remote campuses Southwest Educause 2003 © Baylor University 2003

Logs Vital to identifying and resolving server and network problems Subtle or well planned attacks may only be seen through log evaluation Raises questions of academic freedom and big brother Southwest Educause 2003 © Baylor University 2003

Server Configuration Servers should only run daemons/services that are necessary Use mailing lists and OS update services to maintain server patches Limit the services on servers that contain critical data Southwest Educause 2003 © Baylor University 2003

Vulnerability Scanning Prioritize scans to focus on critical systems first. Be aware that false positives are common with scanning tools Scanning results can be used to point to weak points in networks and servers before they are abused Southwest Educause 2003 © Baylor University 2003

Security through People Policies Procedures Education Southwest Educause 2003 © Baylor University 2003

Policies-Creation Important to bring in other departments Anticipate problems Try to make policies broad enough to cover many issues Southwest Educause 2003 © Baylor University 2003

Policies-Modification Be flexible Policies are an ongoing work There will always be exceptions to policy Southwest Educause 2003 © Baylor University 2003

Policies-Enforcement Must have administrative backing for policies Helpful to explain this to various departments Must establish consistent method for dealing with student violations Document ALL enforcement actions taken Southwest Educause 2003 © Baylor University 2003

Procedures When done appropriately-procedures can be used to prevent many problems These are very time consuming… …but can eventually save time and headaches by preventing obvious security lapses. Southwest Educause 2003 © Baylor University 2003

Education End-User education Server admin education Support Staff education Southwest Educause 2003 © Baylor University 2003

End-User Education Most important thing is educating end-user on sound password practices. Users are more likely to follow policies and rules if they understand reasons for them Teach users to notice things that don’t seem right Southwest Educause 2003 © Baylor University 2003

Server Admin Education Teach importance of keeping systems up to date Encourage sound local account practices Try to bring other admins in other schools into the security community Southwest Educause 2003 © Baylor University 2003

IT Staff Education Support Staff are many times ignorant of sound security practices Many IT users in general never consider security when doing their jobs. We must also try to bring them into the security community Southwest Educause 2003 © Baylor University 2003

Security is everyone’s job! Southwest Educause 2003 © Baylor University 2003

On the Horizon Proactive and correlative IDS Stricter laws forcing security in universities Probable increase in security incidents Southwest Educause 2003 © Baylor University 2003

Summary Complete security solutions must address both technology and people Technology solutions are only as good as the policies they are enforcing Security strategies must depend upon and encourage cooperation from people in the organization Southwest Educause 2003 © Baylor University 2003

Contributors: Speakers: Bob Hartland Tommy Roberson Director for IT Servers and Network Services Bob_Hartland@Baylor.edu Tommy Roberson Manager of Servers and IT Security Tommy_Roberson@Baylor.edu Jon Allen Coordinator of IT Security Jon_Allen@Baylor.edu Southwest Educause 2003 © Baylor University 2003

Copyright Bob Hartland, Tommy Roberson, and Jon Allen 2003 Copyright Bob Hartland, Tommy Roberson, and Jon Allen 2003.This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. Southwest Educause 2003 © Baylor University 2003

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.