Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.

Enterprise Security

Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC

Presenter’s Background
Mark Bruhn
- Supervised IU security operations in various forms from 1988 to 2006
- Executive Director of REN-ISAC
- Held leadership positions in the security task force since 2002 on the Awareness and Policy/Legal groups
Jack Suess
- Co-Chair of the task force since
- Coordinated the effective practice workgroup

Format for this Session
This session on enterprise security is intended to be interactive. The format we will use is to ask questions of you and collectively reflect on the answers we get. Our goal is to build on the collective expertise in the room and have you leave here with some tangible steps to take to improve security when you return to campus.

Question 1. Priority
The 2006 EDUCAUSE survey of top-10 issues listed Security and Identity Management as the #1 issue.
- How many in this room listed this #1? Why?
- How many in this room consider this their number one responsibility? How are you evaluated on this?
- Does your IT strategic plan have a section on security?

Question 2. Technology
What technologies are deployed on your campus?
- Firewall(s)
- VPN
- Intrusion Detection System
- Intrusion Prevention System
- Security updates for computers
How does IdM (identity management) relate to security?

Question 3. Effectiveness With all we have spent on security technology do we feel more secure today than 4 years ago? Why or why not?

Question 4. Policy
What is the process for identifying and developing policies and procedures related to security?
How is compliance monitored and enforced?
- HIPAA, GLBA, FERPA
What is the role of IT in this?

Question 5. Data Policy
Do you have a data classification policy that is actively enforced?
- What classifications are used?
- Is training provided for end-users?
- Is the training mandatory?

Question 6. Organization
How is your organization organized for security?
- Who has a CISO, and to whom do they report?
- How many security staff do you have? Is that a useful metric?
- What is the role of the CIO?
- How is funding for security handled?
- How does this relate to physical security?

Question 7. IT Staff
How is security integrated into the jobs of all central IT staff?
- What is the role of certification?
- Where do you send staff for training?
How is security integrated into the jobs of IT in the departments?
- What level of centralization is occurring?

Question 8. People
What responsibility do students, faculty, and staff have for securing both their campus and personal machines? What are the repercussions if they don’t secure their machines? How are users educated about social engineering exploits such as phishing?

Question 9. Risk Management What group on campus has responsibility for risk management? What role does auditing play? How many have done a risk assessment of at least some departments on campus? How many have a formal process for risk assessment that you use across campus? How many have done an institution-wide risk assessment? How frequent? What are the barriers?

Question 10. Identity Protection
Is there an identity management system on campus? How does it relate to your campus ID card and Library? Have you defined non-public information (NPI) in your data access policy? How are authentication and authorization to/on systems handled?

Question 11. Data Breach
Do you have a plan for what to do if you have a data breach? Does it involve groups outside of IT? Who will take the lead?
Do you have plans or contracts in place with partners for the following:
- Digital forensics;
- Crisis management;
- Call center operations;
- Identity theft counseling?
From whose pocket will the funds come?

What to Take Away
- Technology devices can help but can’t guarantee you won’t have an incident. There are no silver bullets.
- Don’t stovepipe security under the CISO. Security must be everyone’s job #1, including yours!
- Engage your leadership team around this issue.
- Develop a comprehensive risk management program across the institution and insist on leadership buy-in.
- Invest in training campus staff across the board.
- Management oversight is key. Development of policies and procedures is essential.
- Begin to look at and work towards ISO

Security Resources
- Have someone join the security discussion list.
- Send staff to the Security Professionals conference in April.
- EDUCAUSE/Internet2 Security Task Force
- Effective Security Practices Guide
- Internet2 Security Initiatives
- Research and Education Networking ISAC