Systemic Barriers to IT Security Findings within The University of Texas System Clair Goldsmith, Ph.D., Associate Vice Chancellor and CIO Lewis Watkins, CISSP Director of Information Resources

Presentation transcript:

Systemic Barriers to IT Security Findings within The University of Texas System Clair Goldsmith, Ph.D., Associate Vice Chancellor and CIO Lewis Watkins, CISSP Director of Information Resources

The University of Texas System Nine Academic Institutions Six Health Institutions ~ 175,000 Students ~ 16,000 Faculty ~ 72,000 Non-Faculty Staff

The Attention Grabber! ►Security breach resulting in the unauthorized collection of 50,000+ social security numbers raises awareness of risks to our systems. ►Chancellor writes letter to all Presidents asking them to conduct a security inventory.

The Process ► IT System Application Vulnerability Assessment ► Operational Review of IT Security

Information System Application Vulnerability Inventory Phase 1: Mission Critical and Centrally Managed Systems Inventory Action Plan Assurance Report Phase 2: Departmental Systems Inventory Action Plan Assurance Report

Security Vulnerability Findings

Phase 2 Vulnerability Inventory Findings. (Some Specific Measures)

Some Observations & Questions Many departments failed to respond to the inventory or to specific questions. What do we conclude from items not reported? ► Vulnerabilities don’t exist? ► Cover-up? ► Ignorance? ► Survey instrument or procedure weakness? ► All of the above?

Some Observations & Questions Maturity levels in terms of security awareness vary greatly among institutions and sub-units. Addressing all risks is a massive undertaking. To what degree does the culture need to change? How do we change it?

System-wide Operational Review Center for Infrastructure Assurance and Security (CIAS) The CIAS is designed to leverage San Antonio's Infrastructure Assurance and Security (IAS) strengths as part of the solution to the nation's Homeland Defense needs and deficit of IAS talent and resources.

System-wide Operational Review Phase 1: Organization and Development ► Develop comprehensive schedule. ► Develop list of interest items, data points, and metrics. ► Develop survey forms and questionnaires.

Phase 2: Information Gathering ► Questionnaires to points of contact. ► Visits to UT institutions. ► During campus visits, conducted interviews and manual inspections. System-wide Operational Review

Phase 3: Analysis and Reporting ► Identify risks, problems, best practices, and barriers to remediation. ► Verify risk assessments. ► Develop metrics to measure risks and the effectiveness of remediation efforts. ► Deliver report providing recommendations to address risks, barriers, and future security needs. System-wide Operational Review

Findings 205 specific recommendations across the following subject areas: Budget Personnel Network Perimeter Software Patches Physical Security Anti-virus Telecommunications Backups Data Mgt. & Destruction Internal System Security Incident Response Policies and Procedures Lab Environments Wireless

Findings Executive Metrics – Reported to UT System. Operational Metrics – Tracked locally at the institution. Temporary Metrics – Used to track progress towards specific project goals until complete. 26 proposed metrics to measure security program activity and effectiveness.

Top Three Systemic Barriers 1. Resource Allocation: Institutions feel their security programs are underfunded and do not have adequate staff to properly secure their information systems.

Top Three Systemic Barriers 2. Decentralized IT: Independent and open nature of institutions creates pool of systems that are not under centralized control, are managed and maintained at different levels, and introduce significant security risks.

Top Three Systemic Barriers 3. Decentralized Accountability: The academic enterprise is an open and shared environment with little to no accountability for information security. This ingrained culture is counter to efforts to maintain IT security.

Next Steps ► Identify funding mechanism to support System-wide support for Information Security efforts. ► Develop and deploy a certification process to be required of all distributed Server Administrators. ► Deploy a pilot of Secure Watch software for later expansion system-wide.

Questions? Clair Goldsmith, Ph.D., Associate Vice Chancellor and CIO Lewis Watkins, CISSP Director of Information Resources