UConn NIST Compliance Project


UConn NIST 800-171 Compliance Project
UITS All Staff Meeting
Jason Pufahl, CISO
October 30, 2017

DFARS Clause
The Department of Defense established DFARS 252.204-7012, which specifies that any research containing Controlled Unclassified Information (CUI) be protected using NIST 800-171. DFARS Clause 252.204-7012 mandates:
• Provide adequate IT security
• Implement all 109 NIST 800-171 controls
• Comply by 12-31-2017
• Report areas of non-compliance to DoD within 30 days after contract award

Key Infrastructure Elements
NIST 800-171 control families covered: Access Control; Awareness & Training; Audit & Accountability; Configuration Management; Identification & Authentication; System & Information Integrity; Incident Response; System & Communications Protection; Maintenance; Security Assessment; Risk Assessment; Physical Protection; Personnel Security; Media Protection.
Key infrastructure elements: Mobility and Supportability; Fully Virtualized; NetApp Storage; Centralized Security Controls; Data Collection and Review; Firewalls; Malware Detection; Consistency; Operating System Management; Documentation Binder.

Compliance Efforts: Total Number of Controls

Control Family                       | UITS and CISO | System Admin | System Owner or PI | Shared | Total
Access Control                       | 14            | 3            | 5                  |        | 22
System and Communications Protection | 13            | 1            | 2                  |        | 16
Identification and Authentication    | 10            |              |                    |        | 11
Configuration Management             | 7             |              |                    |        | 9
Audit and Accountability             |               |              |                    |        |
Media Protection                     | 6             |              |                    |        |
System and Information Integrity     |               |              |                    |        |
Maintenance                          |               |              |                    |        |
Physical Protection                  |               |              |                    |        |
Risk Assessment                      |               |              |                    |        |
Awareness and Training               |               |              |                    |        |
Security Assessment                  |               |              |                    |        |
Incident Response                    |               |              |                    |        |
Personnel Security                   |               |              |                    |        |
Grand Total                          | 64            |              |                    | 21     | 109

(Cells not recovered from the slide are left blank.)

Roles and Responsibilities
• Shared: 21 controls implemented and managed through a combined effort of all groups.
• System Owner/PI: 11 controls implemented and managed by the PI or research group.
• System Admin: 11 controls that require some work or interaction by the SA to use or implement.
• UITS and CISO: 64 controls that are covered based on the current status of UConn’s infrastructure and policies and/or are monitored by the CISO.

Configuration Management (9)
NIST 800-171 Control Number: 3.4.1
Control Type: Basic
Capability Requirements: Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
UConn Defined Control Capabilities: Baseline Windows operating system images are available and managed by UITS.
• Baseline configurations are documented and maintained for each information system type, including software versions, patch level, configuration parameters, network information (including topologies), and interfaces with other communication systems.
• The PI or IT Designee is responsible for system and application life cycle changes.

Configuration Management (9)
NIST 800-171 Control Number: 3.4.8
Control Type: Derived
Capability Requirements: Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software, or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
UConn Defined Control Capabilities: Deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
• Administrative access for users to systems and applications is prohibited per 3.1.6.
• Only the PI, IT Designee, or an automated process can install software.
• Systems and/or applications will be accessed by authorized users only, as defined in section 3.1.
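One way to realize the deny-all, permit-by-exception policy for 3.4.8 on the UITS-managed baseline Windows image is a Windows AppLocker allow-list generated from the software already present in that image. This is an added example, not UConn's tooling or code from this presentation; the approved directory list, the policy file path and the two paths used in the dry run are assumptions.

```powershell
# Added example (not UConn's own tooling): derive an AppLocker allow-list from the
# UITS baseline Windows image so only software shipped in the image may execute.
# Assumptions: run elevated on a host built from the baseline image; approved software
# lives under the directories below; the policy file location is ours to choose.
$approvedDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')
$policyFile   = 'C:\UITS\AppLocker\baseline-allowlist.xml'   # assumed location

# 1. Inventory executables, DLLs, installers and scripts on the baseline.
#    This doubles as the software inventory 3.4.1 asks for.
$fileInfo = foreach ($dir in $approvedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, WindowsInstaller, Script
}

# 2. Generate permit rules: signed files get Publisher rules, unsigned files get Hash rules.
#    Once enforcement is on, anything without a matching allow rule is denied
#    (deny-all, permit-by-exception), which is the 3.4.8 posture the slide describes.
$policy = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'UITSBaseline' -Optimize

# 3. Flip every rule collection from NotConfigured to Enabled (enforce, not AuditOnly).
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'Enabled'
}
$policy.ToXml() | Set-Content -Path $policyFile -Encoding UTF8

# 4. Dry run before deployment: a tool from the baseline should be Allowed and a binary
#    dropped by a standard user should be Denied. Both paths are constructed for the test.
$checks = @('C:\Program Files\Git\cmd\git.exe', 'C:\Users\Public\Downloads\unapproved.exe')
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $checks -User 'Everyone' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally (add -Ldap to target a GPO instead). AppLocker only enforces while the
#    Application Identity service (AppIDSvc) is running, so confirm it is set to start.
Set-AppLockerPolicy -XmlPolicy $policyFile
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
```

Because the rules are generated from the baseline itself, a software change approved by the PI or IT Designee means regenerating and redeploying the policy, which keeps the allow-list and the documented baseline configuration in step.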

DFARS and Beyond
• Export Control
• Human Subject Research
• Protected Health Information
• Industry Partners

Key Contributors
George Assard, Chris Tarricone, Mike Lang, Paul Majkut, OVPR, Catherine Rhodes
Thank you!!!