Information Security Is it warranted on your campus? William C. Moore II, CISSP Chief Information Security Officer Valdosta State University.

Requirement in many new mandates
- FERPA
- HIPAA
- Sarbanes-Oxley
- Gramm-Leach-Bliley
- VISA requirements

Many of these mandates have accountability requirements
- HIPAA: Information Security is responsible for data security and shall audit the access to enterprise-wide systems and data. This includes, but is not limited to, access to Network, , Internet, PRISM, Medipac, Human Resources, Accounts Payable, Payroll, General Ledger and TESS.
- GLBA: (i) ensure the security and confidentiality of covered records, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.
- VISA CISP Digital Dozen:
  1. Firewalls
  2. Security Patches
  3. Stored Data
  4. Encryption
  5. Anti-Virus
  6. Restrict Access
  7. Unique IDs
  8. Change Default Security Settings
  9. Track Access
  10. Test Security Regularly
  11. Implement and Maintain Security Policy
  12. Restrict Physical Access
These are mandates that require addressing Information Security as a responsibility for operating the business of education.

So, what do we, as USG, do?
- Acquire administrative support
- Appoint an accountable individual (or individuals)
- Evaluate current state
- Develop policies
- Develop procedures
- Provide training and awareness
- Enforce policies and procedures
- Report
- Repeat

Administrative Support
- Is it needed? ABSOLUTELY
- What level is needed? The higher, the better. Minimum of CIO/VP
- When should you seek support? NOW!
- How did VSU meet the demand?

Milestones for VSU
- Obtain CIO and executive approval/buy-in before proceeding further.
  - Obtained CIO and VP of Business and Finance support to meet University goals and mandates

VSU Internal Project
- Began internal project directions with existing personnel
  - Designate a group of individuals (“Taskforce”) from various departments (Student Information Systems, Business Finances/PeopleSoft, Main I.T. Systems Support, Network Services, Library, Auxiliary Services, Faculty Senate) to carry out the following tasks:

Assess Current Status
- Gather current inventory of existing technologies on campus
  - Through departmental survey assessment for all areas on campus
  - Additional departmental surveys and observations

Assess Current Status
- Assessment
  - Essential for measuring the current status of organizational security
  - Demonstrates a formal assessment of the organization's strengths and weaknesses
  - Presents meaningful insight, thereby providing focus and direction for security actions
  - Develop a plan of action to address deficiencies found in the assessment

Report Current Status
- Report to “Taskforce” and authorizing Executive(s)
- Report findings of strengths and weaknesses
- Report plans for rectifying vulnerabilities (action steps for securing the campus)

Data Classification
- Develop and implement a method of data classification for campus (will require buy-in and assistance from all areas of campus).

Method of Prioritizing
- Use data classification to steer mandatory campus policies/procedures for business continuity and disaster recovery. (Classification should be used to set the priority of what data is critical, vital, important, and less important for the continuation of business at the campus, college, and then department level.)

Determine Effectiveness
- Once data classification is implemented and running, re-assess using ISO
  - Allows for measuring effectiveness of the classification scheme
  - Re-emphasizes priorities of various systems/data
  - Important method of budget justification

Develop Policies
- Security Taskforce should develop campus information security policy recommendations
  - Request comments (not necessarily approval) from faculty, staff and students
- All policy recommendations should be submitted through Legal Affairs for approval.
- Submit recommendations to B.O.R. Information Security for comments/review
- Policies must receive Cabinet and/or President approval
- Make all users aware of policies after approval

1st Vulnerability Test
- Begin vulnerability test for critical areas after written approval from the CIO (should be scheduled and well known to those tested, to allow for addressing problems if they should arise). Do not use invasive techniques at this time.
  - Review findings with the CIO and affected System Administrators.
  - Make recommendations to the CIO and affected Administrators
- Risks must be reduced, accepted, transferred or rejected, with reason
- If necessary, point to policies

1st Vulnerability Test
- Based on the 1st vulnerability test findings
  - Work with Systems Administrators on developing procedures to address findings
- Provides initial “raw” score
- Procedures provide steps to meet policies
- Procedures should be as specific and standard as possible

Procedures Are in Place
- Re-initiate vulnerability test for critical areas (again, after written approval from the CIO)
- Report both findings to the CIO and supporting executive(s)
- If necessary, use these findings as support for obtaining means of mitigating risks (i.e. campus AV, firewalls, IDS, training, etc.)

Use procedures to provide: Awareness and Training
- Required by some federal mandates
- Employee participation can be the strongest or weakest segment of your security initiatives
- Raising levels of awareness could help gain support
- Make security personal by demonstrating how it can help champion other goals
- Demonstrate how security can increase value by increasing “uptime” and reliability, or save money by standardizing areas of support

Use procedures to provide: Awareness and Training (cont.)
- Start small (cheap): websites, posters, notices, etc.
- Coming soon through Vista: general Security Awareness for Admins and End Users
- Use specific procedures to develop new employee training

Use procedures to provide: Awareness and Training (cont.)
- Mentor potential cross-trainers
  - If other I.T. personnel show an interest in Information Security, offer additional training leading to certifications
  - Consider “Train the Trainers” for other departments
- Offer to include nearby USG campuses

So what do you do now?
- Gain support
- Designate or appoint an accountable person
- Evaluate
- Develop policies and procedures
- Report
- Awareness/Training
- Enforce policies and procedures
- Maybe next year: Incident Response

Questions / Comments?