1 Effective Cybersecurity Practices for Higher Education Educause Southeast Regional Conference Seminar 1A June 6, 2005 Mary Dunker Virginia Tech Tammy Clark Georgia State University
1 Effective Cybersecurity Practices for Higher Education Educause Southeast Regional Conference Seminar 1A June 6, 2005 Mary Dunker Virginia Tech Tammy Clark Georgia State University

2 Seminar Agenda EDUCAUSE/Internet2 Security Task Force initiatives The Effective Security Practices Guide (ESPG) Questions and Break Securing Unmanaged Computers Questions and Feedback

3 Overview of Effective Security Practices Educause/Internet2 Security Task Force background, working groups, initiatives Tools, including Information Security Governance Assessment (ISG) Effective Security Practices Guide Risk assessment methodology from Virginia Tech

4 Strategic Goals The Security Task Force received a grant from the National Science Foundation to identify and implement a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified: Education and Awareness Standards, Policies, and Procedures Security Architecture and Tools Organization, Information Sharing, and Incident Response

5 Security Task Force Groups Awareness & Training Working Group Effective Practices & Solutions Working Group Policies & Legal Issues Working Group Risk Assessment Working Group High Performance & Advanced Networking Working Group (SALSA) Security Conference Program Committee

6 National Cyber Security Awareness Month The Security Task Force and the Higher Ed IT Alliance have endorsed October as National Cyber Security Awareness Month. The National Cyber Security Alliance is a unique partnership among the Federal government, leading private sector companies, trade associations and educational organizations that aims to educate Americans about the need for computer security and encourage all computer users to protect their home and small business systems. See

7 Annual Security Conference EDUCAUSE/Internet2 Security Professionals Conference April 10-12, 2006 Denver Marriott City Center Hotel Denver, Colorado Typical Program Content/Tracks  Baseline & Advanced Technology Solutions  Security Management and Operations  Policy and Law For more info, see

8 Information Security Governance Assessment Tool The Information Security Governance (ISG) Assessment Tool is intended to help colleges and universities determine the degree to which they have implemented an ISG Framework at the strategic level within their institution. This tool is not intended to provide a complete and detailed list of information security policies or practices one must follow. Rather, it is intended to help institutional leadership identify general areas of concern as they relate to the ISG Framework. Sections within the Tool:  Organizational Reliance on IT  Risk Management  People  Processes  Technology

9 ISG: Reliance on IT

10 ISG: Risk Management

11 ISG: Final Score

12 Configuration Benchmarks As a free service to EDUCAUSE Institutional Members, EDUCAUSE has entered into a cooperative agreement with the Center for Internet Security (CIS) to provide each EDUCAUSE Institutional Member with a license to redistribute CIS Benchmarks and Software Tools on college and university owned systems. The relationship entitles Institutional Members to redistribute CIS Benchmarks and Software Tools to students, faculty and employees for use on computers owned by the students, faculty and employees. The CIS Benchmarks and Software Tools are resources for Institutional Members to assess and measurably improve the security configuration status of their IT systems and networks.

13 Implications of CIS Partnership Encourage the adoption and deployment of widely-accepted, consensus technical control standards (benchmarks) for system security configuration in colleges and universities. Establish technical control baselines that can be presented to software vendors and hardware suppliers as default security configurations for systems that colleges and universities purchase. Expand participation in the CIS consensus development process by security specialists in EDUCAUSE member colleges and universities to ensure that college and university-unique needs are met.

14 CIS Scoring Tool
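Slides 12 to 14 describe benchmark scoring only at the level of "assess and measurably improve the security configuration status". The following is an added illustration of what such a scoring pass does; it is not CIS software and does not reproduce CIS benchmark content. The check identifiers, titles, scored/unscored status and the sample sshd_config are all constructed for the example. It also shows the caveat that makes a scoring tool worth more than a grep: sshd honours the first occurrence of a keyword, so a hardening directive appended at the end of the file can be silently overridden by an earlier line.

```python
"""Benchmark-style configuration scoring, in the spirit of the CIS scoring tool on slide 14.

Added illustration: neither CIS software nor CIS benchmark content.
The checks, their scored/unscored status and the sample sshd_config are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Check:
    id: str
    title: str
    scored: bool                                  # unscored items are reported but never move the score
    passes: Callable[[Dict[str, str]], bool]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Read sshd_config the way sshd does: keywords are case-insensitive, '#'
    starts a comment, and the FIRST occurrence of a keyword is the one that
    takes effect. A check that merely greps for 'PermitRootLogin no' would miss
    an earlier 'PermitRootLogin yes'; this parser does not."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def _is(key: str, expected: str) -> Callable[[Dict[str, str]], bool]:
    return lambda cfg: cfg.get(key, "").lower() == expected


def _max_int(key: str, limit: int) -> Callable[[Dict[str, str]], bool]:
    def check(cfg: Dict[str, str]) -> bool:
        value = cfg.get(key)
        return value is not None and value.isdigit() and int(value) <= limit
    return check


# Constructed check list; the identifiers are placeholders, not CIS item numbers.
CHECKS: List[Check] = [
    Check("1.1", "Only SSH protocol 2 is enabled", True, _is("protocol", "2")),
    Check("1.2", "Root login over SSH is disabled", True, _is("permitrootlogin", "no")),
    Check("1.3", "Password authentication is disabled", True, _is("passwordauthentication", "no")),
    Check("1.4", "MaxAuthTries is 4 or lower", True, _max_int("maxauthtries", 4)),
    Check("1.5", "X11 forwarding is disabled", False, _is("x11forwarding", "no")),
]

# Constructed sample: a host whose "hardening" appended directives to the end
# of the file, which is exactly what sshd's first-occurrence rule defeats.
SAMPLE_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin yes
MaxAuthTries 6
X11Forwarding yes
# --- appended by a hardening script ---
PermitRootLogin no
PasswordAuthentication no
"""


def score(checks: List[Check], cfg: Dict[str, str]) -> dict:
    """Return pass/fail per check and the percentage of scored checks that pass."""
    passed, failed, unscored_failed = [], [], []
    for chk in checks:
        ok = chk.passes(cfg)
        if not chk.scored:
            if not ok:
                unscored_failed.append(chk.id)
            continue
        (passed if ok else failed).append(chk.id)
    scored_total = len(passed) + len(failed)
    pct = round(100.0 * len(passed) / scored_total, 1) if scored_total else 0.0
    return {"passed": passed, "failed": failed, "unscored_failed": unscored_failed, "score": pct}


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    report = score(CHECKS, cfg)
    for chk in CHECKS:
        label = ("PASS" if chk.passes(cfg) else "FAIL") if chk.scored else "n/a "
        print(f"{chk.id} {label} {chk.title}")
    print(f"score: {report['score']}% of scored checks")
```

On the sample file the effective PermitRootLogin value is "yes", so check 1.2 fails despite the appended "no", and the host scores 50% of scored checks. Re-running after the stale lines are removed is the "measurably improve" part of slide 12.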

15 Cyber Security Forum for Higher Education The purpose of the Cyber Security Forum for Higher Education is to create a forum for the discussion of higher education computer and network security issues between the corporate community and the EDUCAUSE/Internet2 Computer and Network Security Task Force with the goal of improving higher education cyber security through mutual efforts.

16 Vendor Engagement Established Corporate Cyber Security Forum to create a dialogue with vendors on practices that have a significant impact on higher education security Educause established the Corporate Cyber Security Forum to develop linkages with the vendor community. Members include - Microsoft, IBM, Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and SCT Task force visited Microsoft in September ‘03 to explain the needs of higher education and engaged Microsoft for support during the SP2 rollout for Windows XP.

17 Effective Security Practices Guide Balancing the need for security with the higher education tradition of open and collaborative networking

18 Why Not Identify Best Practices Higher education is too diverse in mission and size for a single best practice to be universally effective. Even within a small group of like institutions, few would identify what they are doing now as “Best Practices.” Everyone feels there is room for improvement in what they are doing! Threats are rapidly changing and these effective practices may have a limited shelf life. What might work today may be useless next year.

19 ESPG Overview Practical approaches to preventing, detecting, and responding to security problems Community driven and serving  University ISOs and supporting staff  Codify experiences of experts Examples of success  Potential models to follow  Provide for various types of institutions Modular resource  Flexibility in presentation & implementation

20 ESPG Design and Development ESP database Core materials Case study submission process Future contributions Seed case studies Past workshops, discussions & community vetting Categories & keyword searches Structured presentation Suitability, editing, notification & update

21 Core Subject Areas Policy Education, Training and Awareness Risk Analysis and Management Security Architecture Design Network and Host Vulnerability Assessment Network and Host Security Implementation Intrusion and Virus Detection Incident Response Encryption, Authentication & Authorization Addendum: university & vendor resources

22 Effective Practices: Contributors  Bethune-Cookman  Brown  Cornell  CSUSB  GA Tech  GWU  Indiana University  MSCD  Notre Dame  NC A&T  Penn State  U Alabama  Purdue  UC Berkeley  UCONN  U Maryland, BC  U Washington  U Wisc, Madison  Virginia Tech  Yale University

23 ESPG Highlights Evolution of Security Practices

24 Evolution of Security Practices It is not always possible to jump to the most effective practices  Can’t scan for policy violations without policies  Can’t develop policies without mature security standards Some practices require significant human resources  Intrusion detection  Incident response Some practices become more effective over time  Technical support becomes more effective with supporting tools, security policies and architecture

25 Online Demonstration

26 Risk Analysis The most effective security practice given limited resources Types of Risk Strategic Risk Financial Risk Legal Risk Operational Risk Reputation Risk Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

27 Ideal Risk Analysis & Management Knowledge of all relevant regulations Training and awareness of staff Developing plans to audit individual units for compliance Developing and implementing a code of conduct for the organization Establishing control mechanisms to ensure compliance Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

28 Risk Analysis Overview Risk = Threats x Vulnerability x Impact  Need to weigh & prioritize risks to develop strategy Threats  Intruders, insiders, accidents, natural disasters Vulnerabilities  Weaknesses in design, implementation, or operation Impact  Level of harm to the institution

29 Practical Risk Analysis in Higher Education Preliminary Risk Analysis (year 1) ● Gathering allies, data and support Risk Analysis of Critical Processes (year 2) ● Concentrating on high risk areas Institution-wide Risk Analysis (year 3+) ● Broadening view to include the whole institution

30 Virginia Tech STAR Risk Process STAR - Security Targeting and Analysis of Risks Developed in-house several years ago Prioritized assets, risks, and controls  Very detailed voting structure Used color codes for compliance Had a control compliance matrix Templates provided to reduce resistance TODAY – same concept but we have simplified the process

31 Risk Analysis Process at Virginia Tech Information Technology process  IT Security Officer leads effort  Annual process with detailed listings  Lots of involvement with teams  Evolved into individual risk analysis reports for other departments University departments  Every 3 years / update major changes  Annual reviews on progress  All reports submitted to the IT Security Office

32 Keys to Success in the Risk Analysis Process Secure senior management support Select a strong risk analysis team Provide risk analysis templates Provide instruction and assistance Specify a timetable for completion Have a collection point for all reports Take the risk analysis process seriously

33 Senior Management Support Important to secure executive support Executive should issue directive to all department heads Directive should specify a time for final reports Accountability for completing risk analyses Executive will identify IT Security Office as providing leadership for effort

34 Assets Are More Than Machines We are now linking Asset identification to the management org chart Assets can be:  Physical systems  Groups of systems that support a service  Business process that requires a group of systems  Business process that depends on other business processes  Data  People

35 Asset Classification (dependency diagram) Business processes: Business Process A, Business Process B, Business Process C depend on services: Oracle DB, Forms Servers, Auth Servers which run on hosts: Host A, Host B, Host C, Host D, Host E, Host F

39 Asset Ranking

40 IT Common Risks Twelve (12) common risks identified by VT IT: System administration Training Desktop Access Control Operational Policies Key Person Dependency Bad Passwords Data Disclosure Internal Physical Security External Physical Security Cleartext Spoofing/Forgery Natural Disaster Construction Mistakes

41 Sample Risk Ranking

42 Reference Risks to Critical Assets Review list of critical assets Simply determine which risks apply to which critical assets Can get into more detail and map risks to critical assets by voting technique Helps determine what may need to be addressed first

43 Map Risks to Assets
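Slides 28, 34, 35, 39, 40, 42 and 43 together describe one procedure: build the asset dependency picture, rank assets, decide which common risks apply to which critical assets, and score Risk = Threats x Vulnerability x Impact so that the highest scores are addressed first. The block below is an added worked example of that procedure in Python; it is not Virginia Tech's STAR forms or software. Which business process uses which service, every threat, vulnerability and impact rating, and every risk-to-asset applicability entry are constructed for the illustration. The risk names are those on slide 40 (the slide counts twelve, but the list as extracted has fourteen entries, kept here as separate items). The one thing the example adds beyond the slides is making slide 34's point computable: a host with no business value of its own inherits the impact of the most critical process that transitively depends on it.

```python
"""Risk-to-asset mapping in the STAR style outlined on slides 28, 34, 35, 39, 40, 42 and 43.

Added example, not Virginia Tech's STAR tooling. All edges, ratings and
applicability entries below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Asset dependency graph (slide 35): business processes depend on shared
# services, services depend on hosts. Which process uses which service is assumed.
DEPENDS_ON: Dict[str, Tuple[str, ...]] = {
    "Business Process A": ("Oracle DB", "Auth Servers"),
    "Business Process B": ("Oracle DB", "Forms Servers", "Auth Servers"),
    "Business Process C": ("Forms Servers", "Auth Servers"),
    "Oracle DB": ("Host A", "Host B"),
    "Forms Servers": ("Host C", "Host D"),
    "Auth Servers": ("Host E", "Host F"),
}

# Impact (1..5) of losing each business process, as its owning unit would rate it (constructed).
PROCESS_IMPACT = {"Business Process A": 5, "Business Process B": 3, "Business Process C": 2}

# Common risks from slide 40 with constructed (threat, vulnerability) ratings, each 1..5.
COMMON_RISKS: Dict[str, Tuple[int, int]] = {
    "System administration": (3, 3), "Training": (3, 2), "Desktop": (2, 2),
    "Access Control": (4, 3), "Operational Policies": (2, 3), "Key Person Dependency": (2, 4),
    "Bad Passwords": (4, 4), "Data Disclosure": (3, 3), "Internal Physical Security": (2, 2),
    "External Physical Security": (2, 1), "Cleartext": (4, 3), "Spoofing/Forgery": (3, 2),
    "Natural Disaster": (1, 3), "Construction Mistakes": (1, 2),
}

ALL_HOSTS = {"Host A", "Host B", "Host C", "Host D", "Host E", "Host F"}

# Slide 42: "simply determine which risks apply to which critical assets".
# Constructed here; in practice this comes from the department's voting.
RISK_APPLIES_TO: Dict[str, Set[str]] = {
    "Bad Passwords": {"Auth Servers", "Host E", "Host F"},
    "Cleartext": {"Forms Servers", "Host C", "Host D"},
    "Key Person Dependency": {"Oracle DB"},
    "Access Control": {"Oracle DB", "Auth Servers"},
    "Natural Disaster": set(ALL_HOSTS),
    "System administration": set(ALL_HOSTS),
}


def dependents() -> Dict[str, Set[str]]:
    """Reverse the graph: for each asset, the assets that directly depend on it."""
    rev: Dict[str, Set[str]] = defaultdict(set)
    for parent, children in DEPENDS_ON.items():
        for child in children:
            rev[child].add(parent)
    return rev


def inherited_impact(asset: str, rev: Dict[str, Set[str]] = None) -> int:
    """An asset is as critical as the most critical business process that
    transitively depends on it (slide 34). The graph is acyclic by construction."""
    rev = dependents() if rev is None else rev
    if asset in PROCESS_IMPACT:
        return PROCESS_IMPACT[asset]
    return max((inherited_impact(p, rev) for p in rev.get(asset, ())), default=0)


def all_assets() -> Set[str]:
    names = set(DEPENDS_ON)
    for children in DEPENDS_ON.values():
        names.update(children)
    return names


def rank_assets() -> List[str]:
    """Slide 39: assets ordered by inherited impact, highest first, then by name."""
    rev = dependents()
    return sorted(all_assets(), key=lambda a: (-inherited_impact(a, rev), a))


def score_risks() -> List[Tuple[int, str, str]]:
    """Slide 28: Risk = Threats x Vulnerability x Impact for every applicable
    (risk, asset) pair, highest first, so the top rows are what to address first."""
    rev = dependents()
    rows = []
    for risk, assets in RISK_APPLIES_TO.items():
        threat, vuln = COMMON_RISKS[risk]
        for asset in assets:
            rows.append((threat * vuln * inherited_impact(asset, rev), risk, asset))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


if __name__ == "__main__":
    for asset in rank_assets():
        print(f"{inherited_impact(asset):>2}  {asset}")
    print()
    for score, risk, asset in score_risks()[:8]:
        print(f"{score:>3}  {risk:<22} {asset}")
```

With these constructed ratings the Auth Servers and the hosts behind them rank with Business Process A, because every process depends on authentication; Bad Passwords against those assets lands at the top of the risk list, ahead of Key Person Dependency on the Oracle DB even though that risk's vulnerability rating is just as high. That ordering, not the absolute numbers, is what the report on slide 44 needs to argue for.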

44 Recommendations and Solutions May be difficult to do at the time of report Others need to be involved in the details  Management, technical personnel, etc. More detailed report may be needed  Description of solution  Impact statement  A cost/benefit analysis  Proposed dates

45 Recommendations The risk(s) for an asset will be addressed within a specific timeframe and a brief explanation should be included Controls to address a risk (or risks) will not be implemented because of information obtained during analysis (new software, new location, etc.) Controls will not be implemented based on factors (time, budget, etc.) in the dept. or operating unit There may not be a known solution at this time, or you don’t feel the risk is a real danger

46 Using STAR Visit the Effective Security Practices Guide Select the link to “Risk Analysis of Critical Areas and Processes” The STAR link will take you to All forms used by Virginia Tech are online

47 Additional Security Resources EDUCAUSE/Internet2 Computer & Network Security Task Force Security Discussion Group Effective Security Practices Guide Internet2 Security Initiatives Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)