Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property of the author.

Presentation transcript:

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Overview
 Threats to the enterprise
 Security challenges
 Six step process

Threat Statistics
 47% of browser attacks - Microsoft IE
 Average 6110 DoS attacks per day
 28 days average vulnerability exposure
 86% of all attacks are against home users
 54% of DoS attacks world-wide against US
 69% of vulnerabilities against Web applications
(Symantec Internet Security Threat Report, Threats from January 06 - June 06, Vol. X, September 2006)

Threats to the Enterprise
 Viruses, worms, Trojan horses
 Web site hacking
 Hackers and crackers
 Terrorist attacks
 Cyber crime and information warfare
 Effects of emerging standards and technologies

Security Challenges
 ID and prioritize opportunities to improve security effectiveness and efficiency
 Manage security in a dynamic threat environment with a limited budget
 Courts and government policy expectations
 Securing Web services
 Managing identity and access privileges
“Business expects IT to be secure and CIO keep it that way” - Gartner

Six Step Process (cycle): Inventory → Risk Assessment → ID Needs → Support → Execute → Review

Inventory Environment
“The first thing we need to do is to actually draft out all of the assets that run on our computing system and understand what the relationship of each asset is to our business process” - Andre Gold, CISO, Continental Airlines
 Prioritize assets
 Ensure critical systems are protected
 Use Enterprise Architecture

Risk Assessment - Portfolio
 Risks: threats, loss of data
 Costs: prevention, data recovery
 Look at all assets
 Best practices
 Service levels
“CISO has to deal with how to let good guys in as well as keep the bad guys out” - Gartner

ID Needs and Write Plan
 Define, align, and prioritize opportunities
 Vulnerability vs largest risks
 ID and define security goals
 Determine costs and ROI – Key is Impact!
“CISO not only must spend money wisely on correct security enhancements but must also qualify what they are doing with that budget” - Gartner

ID/Define Organizational Goals
 Protect sensitive and critical information
 Prevent unauthorized access to the network
 Avoid embarrassing publicity
 Maintain uninterrupted operations
 Protect privacy
 Set a “zero-incident” culture
 Comply with federal and state regulations

Obtain Support and Approval
 Need executive champion – CIO
 Know top management priorities
 Know what the competition is doing
 Projects in line with market’s thinking
 Use federal mandates and audit findings

Execute Plan
 Use annual tactical plans
 Execute strategic plan in small steps
 Used to define and execute budget
 Manage using cost planning and portfolio management
 Report progress using balanced scorecard

Cost Planning and Portfolio Management
 Zero-based budget
 Track initiatives
 Management review
 ID problems early

Balanced Scorecard Answers …
 How am I doing?
 Am I on time?
 Within budget?
 Are there any problems or issues?
Keeps management informed!

Sample Scorecard (columns: Description, Status)
Goal 2: Provide enhanced and secure IT infrastructure for all campus-wide customers
 2.4 Establish self-monitoring and reporting capability for all network systems
  - Deploy self-policing technology
  - Deploy automated monitoring and reporting tools
  - Deploy and utilize vulnerability scanning technology
Goal 3: Improve customer understanding of INFOSEC responsibilities
 3.1 Develop an Enterprise-wide IT security awareness training program
  - Establish and maintain a security web site for distributing security tips and guidance
  - Establish security workshops

Review Plan Maintenance
 Review annually
 Compare against best practices
 Adjust as necessary

Conclusion
 An IT Security Strategic Plan will provide…
 Better use of limited resources
 Phased deployment and enhancements
 Improved justification of security projects
 Direct tie to university IT strategic plan
 Better planning & execution of security spending
 Implement best security practices and strategies to create an enterprise that is well managed and secure

Questions