Why build a strategy? Options: Detection or Prevention (University of Wisconsin–Madison, 7/15/2015)
Presentation transcript:

Slide 2: Why build a strategy?

- Last strategic plan was five years old and never formally adopted by leadership
- Newer technology breeds newer and more sophisticated threats
  - Well-engineered and professional-looking malware
  - Zero-day attacks continue to increase in volume (24 tracked in 2014)*
  - Total days of exposure for malware was over 295 in 2014*
- Threat actors are more clever and the stakes are higher
  - Campaigns such as Dragonfly, Waterbug, and Turla infiltrated industrial systems, embassies, and other sensitive targets*
- Volume and complexity of threat activity increasing
  - Spear-phishing attempts increased by 8% and became more sophisticated*
  - Increased "state sponsored" cyberespionage and greater focus on higher education*
- Optimized risk management requires cybersecurity approaches that center on the data

"Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat." - Sun Tzu (Ancient Chinese Military Strategist)

* = From Symantec's 2015 Internet Security Threat Report

Slide 3: Getting to work…

Know what you want at the end of the run…
- This is more than a gap analysis, and cybersecurity is more than a service function
- Understand the assets and the need for protection
- Be prepared to "dovetail" business risk to the security plans
- Know where you are and where you want to be – it's that simple!!!

The mindset you need to create a useful strategy:
- Executive buy-in
  - Support from the CIO and other C-level leaders plus VPs
  - Discussions that align guidance to business strategy
- Speak in a common language
  - Level-set the definitions of risk, vulnerability and threat
  - Understand how the business works and how managers talk
- Do not be the "Merchant of No!"
  - Learn the fastest way to get to YES!

"Security Teams must demonstrate the ability to view business problems from different or multiple perspectives." – Gus Agnos (VP Strategy & Operations at Synack)

It has to be a team effort involving domain leaders and key performers.

Slide 4: Where is our focus?

Focus areas:
- Cybersecurity incident response cycle
- Vulnerability scanning & analysis inconsistent / infrequent
- Threat intel and reporting
- Security education and training
- Incident response – metrics and trends
- Security engineering and formal approval of systems connecting or operating
- Common services = common delivery
- Reactive vs. proactive
- Third-party assessment
- Scalable security tools
- Staff perform relevant and meaningful cybersecurity tasks
- Periodic (comprehensive) security assessments
- Tangled funding sources
- Data: data location, data classification, data governance, data ownership

Slide 5: Components of UW-Madison Cybersecurity Strategy

- Preparation is key! You cannot do this alone!
- Working groups and committees (UW-MIST, MTAG, ITC, TISC, etc.)
- Cybersecurity Leadership Team
- Executive and department/college/business unit buy-in
- Cost, schedule, performance
- Governance and collaboration

UW-Madison Cybersecurity Strategy

Strategic Elements:
- Data Governance and Information Classification Plan
- Establish the UW-Madison Risk Management Framework
- Build community of experts / improve user competence (SETA)
- Consolidate Security Operations & institute best practices
- Improve cyber threat analysis / dissemination / remediation
- Optimize services, security metrics, compliance & CDM
- Establish collaborative partnerships to assure teaching and research availability (Wisconsin Idea)

Enabling Objectives:
- Retain previous strategy's actions ("find it / delete it / protect it")
- Enable & support a culture that values cybersecurity & reduces risk
- Establish Restricted Data Environments
- Central data collection/aggregation to analyze security events
- Identify and seek sources of repeatable funding
- Identify UW-Madison compliance issues (FERPA, HIPAA, PCI-DSS, Red Flags Rule, etc.)
- Develop and refine sustainable security ops / risk assessments
- Develop & implement a marketing and communications plan