NSF and IT Security
George O. Strawn, NSF CIO

Outline
- Confessions of a CIO
- On the other hand, NSF matters
- IT security progress at NSF
- IT security progress in the community
- The future of IT security

Confessions of a CIO
- To a scientist, there are more interesting things in the world than IT security
- Until I became a CIO, I also had little interest in the subject
- I was surprised to find out how much can be done for IT security with today's tools (i.e., we're not using the tools we have)
- I worry about unfunded mandates, too

But …
- It's not interesting doing no science on a facility that has been shut down for scrubbing
- Attending to IT security requires a culture change for most people and organizations
- You have to learn what the elements of an IT security program are
- Full cost accounting would show that lost productivity and remediation can exceed the cost of a security program

NSF Matters
- NSF makes $5B+ of assistance awards annually, many to faculty and students at US colleges and universities
- Assistance awards are outside the FARs; they used to be viewed as gifts to higher education (HE); now they are viewed as highly orchestrated purchases of research capability
- NSF awardees are bound by terms and conditions, which tend to say what is required, but not how to do it

More NSF context
- NSF support can be approximately divided into $3B for research, $1B for education, and $1B for research tools
- Of the $1B support for research tools, 36 projects are designated as MREFC-class facilities (called large facilities below)
- Most of our large facilities look to the CIO like networked computers with strange I/O devices attached
- We are focusing on large facility IT security

IT Security at NSF
- Management committed to IT security as a strategic priority
- The staff created and implemented a comprehensive IT security program
- We have received sustained levels of investment (~10% of the IT budget)
- We have performance goals and measures

Security Management at NSF
- Roles and responsibilities (CIO & SISO)
- Policies and procedures (SWG)
- FISMA, including system inventory and Certification & Accreditation (C&A)
- Plan of action and milestones (POAM)
- Security reviews and assessments (contingency planning, DR, COOP)
- Security awareness and training

Security Technology at NSF
- Connectivity standards (and disconnection)
- External and internal networks
- Laptop scanning
- Firewall architecture
- Vulnerability scans and penetration tests
- Anti-virus protection
- Patch management
- Intrusion detection

Thinking about IT security
- Consider both risk (possible damage) and vulnerability (possible danger)
- Design security into systems
- Keep hackers out: proactive security
- Detect computer incidents
- Report and remediate: reactive security

Keeping them out
- Firewall(s): shut down all possible ports and open necessary ports by special rules
- Passwords: use strong passwords and change them; consider OTP
- Encrypt wireless network traffic
- Run the latest virus scans constantly
- Patch, patch, patch known vulnerabilities
- Attack your own system

Detection/Reaction
- Intrusion detection services
- Intrusion detection techniques
- CIRT (computer incident response team)
- Report to FedCIRC (federal computer incident report center)

Progress in the Community
- FacSec subgroup of the NSF Security Working Group (SWG)
- Large Facility Security Workshop(s)
- Educause Security Task Force/Internet2
- HE moving towards:
  - Separating authentication and authorization
  - Using stronger authentication
  - Sharing/bridging authentication

The future of IT security
- Culture changes slowly: management attention and/or incidents can speed it up
- Investment is required
- Next generation IT security products and services may be better
- Next generation hackers will be worse
- Good luck to us all!