Information Security Update CTC 18 March 2015 Julianne Tolson
2 What is Information Security? Wikipedia: "Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)."
3 CSU Information Security Policy (ICSUAM)
It is the collective responsibility of all users to ensure:
- Confidentiality of information which the CSU must protect from unauthorized access
- Integrity and availability of information stored on or processed by CSU information systems
- Compliance with applicable laws, regulations, and CSU/campus policies governing information security and privacy protection
4 Information Security Standards
- ISO 27000 (vocabulary), ISO 27001 (ISMS requirements, certifiable), ISO 27002 (control catalogue)
- NIST Cybersecurity Framework (NIST CSF)
5 How is Information Security Achieved? A strategic partnership between stakeholders that includes: risk management, controls, and access control.
6 Risk Management / Assessment
- Establish context
- Risk assessment: physical and logical threats; vulnerabilities
- Risk mitigation: reduce, retain, avoid, or transfer the risk
- Monitor and control
7 Risk Management examples
- Business continuity planning
- Offsite back-ups
- Patching and updates
- Qualys: vulnerability scans, web application scans, BrowserCheck (Business Edition)
8 Qualys BrowserCheck Business Edition demo
1. Sign up
2. Configure
3. Distribute link
4. Monitor
Users will be prompted to take action when vulnerabilities are detected.
9 Controls
- Administrative: policies and procedures, background checks, separation of duties, regulatory requirements (FERPA, PCI DSS, HIPAA)
- Logical (technical): intrusion detection, firewalls, encryption, principle of least privilege
- Physical: environment
10 Controls examples
- Responsible use policy
- Identity Finder (sensitive data discovery)
- Intrusion detection: Palo Alto Networks (PAN) and FireEye
- Information Security Awareness
Discussion topic: How to get the word out?
11 Access control
- Identification
- Authentication (including multi-factor authentication)
- Authorization: mandatory access control (MAC), discretionary access control (DAC)
- Assurance
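The difference between mandatory and discretionary access control is easiest to see in code. The following is an added example, not part of the deck or of any CSU system: a resource owner hands out discretionary rights through an ACL, while a mandatory label policy (Bell-LaPadula's no-read-up / no-write-down rules over an assumed three-level lattice) is enforced by the system and cannot be overridden by an owner's grant. Subject and resource names, the labels and the scenario are all constructed for illustration.

```python
"""Discretionary vs. mandatory access control, side by side.

DAC: the owner of a resource decides who else may use it (an ACL the owner edits).
MAC: the system enforces a label policy that no owner can override; here the
Bell-LaPadula rules (no read up, no write down) over three assumed labels.
"""
from dataclasses import dataclass, field

# Assumed classification lattice, lowest to highest (not from the original deck).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Subject:
    name: str
    clearance: str          # one of LEVELS


@dataclass
class Resource:
    name: str
    owner: str              # subject name; the owner holds all DAC rights
    classification: str     # one of LEVELS
    acl: dict = field(default_factory=dict)   # DAC: subject name -> set of rights


def dac_grant(granter: Subject, res: Resource, grantee: str, rights: set) -> None:
    """Discretionary: only the owner may extend the ACL."""
    if granter.name != res.owner:
        raise PermissionError(f"{granter.name} does not own {res.name}")
    res.acl.setdefault(grantee, set()).update(rights)


def dac_allows(subj: Subject, res: Resource, right: str) -> bool:
    return subj.name == res.owner or right in res.acl.get(subj.name, set())


def mac_allows(subj: Subject, res: Resource, right: str) -> bool:
    """Mandatory: simple security property (no read up), *-property (no write down)."""
    s, o = LEVELS[subj.clearance], LEVELS[res.classification]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


def access_allowed(subj: Subject, res: Resource, right: str) -> bool:
    """Both layers must agree: an owner's grant cannot defeat the label policy."""
    return mac_allows(subj, res, right) and dac_allows(subj, res, right)


def demo() -> dict:
    """Constructed scenario; returns every decision so it can be checked."""
    alice = Subject("alice", "confidential")
    bob = Subject("bob", "internal")
    carol = Subject("carol", "confidential")
    grades = Resource("grades.csv", owner="alice", classification="confidential")
    notice = Resource("notice.txt", owner="alice", classification="public")

    dac_grant(alice, grades, "bob", {"read"})
    dac_grant(alice, grades, "carol", {"read"})

    try:
        dac_grant(bob, grades, "carol", {"write"})   # bob is not the owner
        bob_regrant = "allowed"
    except PermissionError:
        bob_regrant = "denied"

    return {
        # bob holds a discretionary grant, but MAC blocks reading up
        "bob_read_grades": access_allowed(bob, grades, "read"),
        "carol_read_grades": access_allowed(carol, grades, "read"),
        # alice owns notice.txt yet may not write confidential data down to public
        "alice_write_notice": access_allowed(alice, notice, "write"),
        "alice_read_notice": access_allowed(alice, notice, "read"),
        "bob_regrant": bob_regrant,
    }


if __name__ == "__main__":
    for decision, result in demo().items():
        print(f"{decision}: {result}")
```

The point for the action item on the next slide: a discretionary grant is only as trustworthy as the owner who made it, which is why grants need periodic review, whereas the mandatory layer holds regardless of what any owner has handed out.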
12 Access control example: multi-factor authentication, Duo Security pilot
Action item: Review any discretionary access control you have granted
13 Security Incident Response
- Assessing current process
- Incident categorization, and response by incident category: server, account, endpoint
- Forensic tools
- Event logs and analysis
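As an added illustration of "event logs and analysis" feeding "incident categorization" (this is example code, not the campus's own tooling or process), the block below parses a handful of constructed sshd-style authentication log lines and triages them into two of the categories named on the slide: a Server incident when one source produces a burst of failed logins against a host, and an Account incident when a login succeeds right after repeated failures for that user. Hostnames, usernames, thresholds and the window are assumptions; the addresses come from the documentation ranges. Endpoint incidents are not derivable from server auth logs and are left to endpoint tooling.

```python
"""Event-log analysis for incident categorization.

Added example (not the campus's own tooling). Constructed sshd-style auth log
lines are parsed and triaged into two of the deck's incident categories:
  Server  - one source hammering a host with failed logins (brute force)
  Account - a login that succeeds right after repeated failures for that user
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample; hosts, users and addresses (documentation ranges) are made up.
SAMPLE_LOG = """
Mar 18 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 18 09:12:03 web01 sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
Mar 18 09:12:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 18 09:12:08 web01 sshd[2217]: Failed password for jdoe from 203.0.113.7 port 51025 ssh2
Mar 18 09:12:10 web01 sshd[2219]: Failed password for jdoe from 203.0.113.7 port 51026 ssh2
Mar 18 09:12:13 web01 sshd[2221]: Failed password for jdoe from 203.0.113.7 port 51027 ssh2
Mar 18 09:12:30 web01 sshd[2223]: Accepted password for jdoe from 203.0.113.7 port 51028 ssh2
Mar 18 09:15:44 web01 sshd[2301]: Accepted password for asmith from 198.51.100.20 port 40112 ssh2
Mar 18 09:20:02 db01 sshd[1187]: Failed password for mlee from 192.0.2.5 port 33001 ssh2
""".strip().splitlines()


def parse(lines, year=2015):
    """Turn raw lines into event dicts; lines that are not sshd auth events are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["time"])


def triage(events, source_threshold=5, user_threshold=3, window=timedelta(minutes=10)):
    """Sliding-window failure counts per (host, source) and per (host, user)."""
    incidents = []
    fails_by_source = defaultdict(list)
    fails_by_user = defaultdict(list)
    reported_sources = set()          # report each brute-forcing source once
    for ev in events:
        cutoff = ev["time"] - window
        src_key, user_key = (ev["host"], ev["ip"]), (ev["host"], ev["user"])
        if ev["result"] == "Failed":
            recent_src = [t for t in fails_by_source[src_key] if t >= cutoff] + [ev["time"]]
            fails_by_source[src_key] = recent_src
            fails_by_user[user_key].append(ev["time"])
            if len(recent_src) >= source_threshold and src_key not in reported_sources:
                reported_sources.add(src_key)
                incidents.append({"category": "Server", "host": ev["host"], "source": ev["ip"],
                                  "time": ev["time"],
                                  "detail": f"{len(recent_src)} failed logins within {window}"})
        else:
            recent_user = [t for t in fails_by_user[user_key] if t >= cutoff]
            if len(recent_user) >= user_threshold:
                incidents.append({"category": "Account", "host": ev["host"], "user": ev["user"],
                                  "source": ev["ip"], "time": ev["time"],
                                  "detail": f"successful login after {len(recent_user)} recent failures"})
            fails_by_user[user_key] = []   # a success closes the failure streak
    return incidents


def run():
    return triage(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for inc in run():
        print(inc["time"], inc["category"], inc["host"], inc["detail"])
```

Run stand-alone it reports one Server incident (203.0.113.7 against web01) followed by one Account incident (jdoe's success after three failures); asmith's clean login and the single failure on db01 produce nothing. The category decides the response path on the slide, and the event dicts carry the host, user, source and time that the responder needs first.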
14 Questions?