Educause Security 2006 © Baylor University 2006. Security Assessments for Information Technology. Bob Hartland, Director of IT Servers and Network Services.

Presentation transcript:

Security Assessments for Information Technology
Presented by Bob Hartland, Director of IT Servers and Network Services, and Jon Allen, Information Security Officer.

Baylor University
- Chartered in 1845
- Largest Baptist university in the world
- 13,799 students
- 2,000 full-time employees
- 85 buildings networked
- Waco, Texas

Organizational Chart
- Reagan Ramsower, CIO/CFO
- Bob Hartland, Director of IT Servers and Networking Systems (Data Network, Voice Network, Video Network, Servers)
- Jon Allen, Information Security Officer

BU Network 2005 (network diagram slide)

Why an Assessment?
- Several high-profile security compromises in the news
- Potential identity theft issues for clientele
- Legal costs
- Public relations nightmare
- Helps you stay out of the news!
- Defines a risk-level baseline

Choosing a Vendor

Why an outside vendor?
- We struggled with even making the recommendation
- Better equipped to handle a complex environment
- Documentation: a formal report
  - Good: it documents your vulnerabilities and gets your people engaged
  - Bad: it documents your vulnerabilities and you are now on the hook to fix them
- Unbiased look at your systems
- Best-of-breed expertise

Three Types of Vendors: Tier Three
- Simple scans (commercial or open-source packages)
- Predefined scopes
- Inside scans only
- No verification of vulnerabilities
- Canned report with little insight
- Relatively inexpensive

Three Types of Vendors: Tier Two
- Simple scans (commercial or open-source packages)
- Scope is somewhat limited
- Both inside and outside scans
- Some verification of vulnerabilities
- Thorough report
- Medium to high cost

Three Types of Vendors: Tier One
- Scans are customizable
- Scope is customizable
- Both inside and outside scans
- Full verification of vulnerabilities
- Detailed report with recommended course of action
- Higher cost

Planning

Defining the Assessment
- Define scope before picking a vendor
- Execute a non-disclosure agreement to protect both parties
- Redefine scope after meeting with the chosen vendor
- Identify critical systems with associated timelines
- Predefine areas of potential issues
- Identify a point person to handle issues
- Schedule update meetings
- Develop a project plan with an associated timeline

Key Components of Offsite Assessment
- A strong test of the detection technologies on your Internet connection
- Know the source IP address space the assessment will originate from, so that detection alerts can be attributed to it
- Should not be a drag on bandwidth
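One practical use of knowing the assessor's source IP space, as an added example that is not part of the original presentation: separate perimeter IDS alerts that the assessment explains from those it does not, so the unexplained ones still get normal incident handling. The 198.51.100.0/24 and 203.0.113.8/29 ranges, the one-alert-per-line log format and the alert lines themselves are constructed assumptions.

```python
"""Attribute perimeter IDS alerts to the declared assessment source ranges.

Added example, not from the original presentation. Assumes the vendor has
declared the address space its external scan comes from and that the IDS
emits one alert per line as 'timestamp src_ip signature'.
"""
import ipaddress

# Constructed: address space the assessor declared for the external scan.
ASSESSOR_RANGES = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/24", "203.0.113.8/29")]

# Constructed alert lines in the assumed 'timestamp src_ip signature' format.
SAMPLE_ALERTS = """\
2006-03-01T02:10:05 198.51.100.17 SCAN TCP port sweep
2006-03-01T02:11:40 203.0.113.9 SCAN SSH version probe
2006-03-01T02:12:02 192.0.2.77 SCAN TCP port sweep
2006-03-01T02:15:33 203.0.113.20 POLICY suspicious inbound connection
not-a-well-formed-line
"""


def from_assessor(src_ip: str) -> bool:
    """True only if src_ip parses and falls inside a declared range."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparseable source is never treated as explained
    return any(addr in net for net in ASSESSOR_RANGES)


def triage(alert_text: str) -> dict:
    """Split alerts into those explained by the assessment and the rest.

    'assessment' entries are evidence the perimeter detection saw the test;
    'unexplained' entries keep their normal incident-response priority.
    """
    result = {"assessment": [], "unexplained": []}
    for line in alert_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # skip malformed lines rather than mis-attribute them
        ts, src, signature = parts
        bucket = "assessment" if from_assessor(src) else "unexplained"
        result[bucket].append((ts, src, signature))
    return result


if __name__ == "__main__":
    for bucket, alerts in triage(SAMPLE_ALERTS).items():
        print(bucket, len(alerts))
```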

Key Components of Onsite Assessment
- Make sure you know the consultants' requirements and have a site ready for them
- The site should be separate from IT staff to avoid raising suspicion
- The network connection should have open access to the systems being targeted

Baylor's Assessment
- 2-week external scan
- 2-week internal scan
- 1 week of personnel interviews
- 1 week of social engineering
- Scan included the PBX
- Draft report with meeting
- Final report and presentation

Getting Started

Follow the Plan

Assessment Execution
- Remember: keeping the fact that the assessment is happening confidential gives a more realistic snapshot of security
- Make sure that DPS and at least one lead IT administrator are aware
- Clearly define the order of the assessment to limit unexpected outages

Daily Reviews
- Stay aware of how the assessment is progressing
- React if necessary to glaring critical issues as they are discovered
- Timelines may need to be adjusted because of extended scan times

The results are in... which direction are you headed?

Vulnerabilities Identified
- Technical
- Behavioral

Remediation
- All your dirty laundry is now exposed
- Be inclusive when sharing findings: executives, IT departments, school/department IT managers, General Counsel
- Prioritize the vulnerabilities to be resolved by vulnerability severity, resource cost and business impact
- Set schedules and milestones
- Create a response document addressing the assessment discoveries

By-products
- Security team
- Security training
- Security awareness campaign

Was it worth it?

Desired Results Achieved
- Got the attention of the right people
- Documented a baseline
- Remediation of exposed issues
- Long-term strategy

Looking Forward
- A multiyear agreement can reduce cost
- Assessment follow-ups provide trending data that shows the impact of policy and remediation
- Assessments do not replace normal security vigilance

Questions?
Speakers: Bob Hartland, Director for IT Servers and Network Services; Jon Allen, Information Security Officer