Published by Marcus Holland. Modified over 8 years ago.
Slide 1: Information Security Standards 2016 Update
IIPS Security Standards Committee
Roderick Brower, Chair
Slide 2: IT Standards Committee Officers
- Roderick B. Brower, Chair (Ch. 1 - Classifying Data & Legal Requirements)
- Deborah Joyner (Ch. 2 - Securing the End User)
- Jeff Drake (Ch. 3 - Securing the Network)
- Chuck Hauser (Ch. 4 - Securing Systems)
- Karen Sasser (Ch. 5 - Physical Security)
- Bambi Edwards (Ch. 6 - Cyber Security Incident Response)
- Jodi Dyson (Ch. 7 - Business Continuity & Risk Management)
Slide 3: How Did We Get Here (Again)?
- New State Information Security Manual (SISM) released by the Enterprise Security & Risk Management Office (ESRMO) in December 2015
- Extensive review by the IT Standards Team started immediately
- Submitted a first pass at cleaning up the IIPS Standards and got feedback from Michael McCray in January 2016
- Will submit to ESRMO (post IIPS Conference) for approval
- Yearly review of the IIPS Standards by the IIPS Committee, based on releases from the ESRMO
Slide 4: CIOs
- The local College CIO plays an important role (060202)
- Manages and implements the standards at the local level
- First point of contact on issues of concern (conduit to ESRMO)
- Works closely with the Business & Finance area on PCI compliance
Slide 5: Passwords
020106 Managing Passwords
- All typical user passwords (e.g., UNIX, Windows, personal computing, RACF, applications, etc.) shall be changed at least every ninety (90) days. This includes College employee and contractor passwords (e.g., email, Web and calendar) used to access systems and applications.
- Passwords shall not be reused until six additional passwords have been created.
Slide 6: Multi-factor Authentication
020108 Controlling Remote User Access
- All users wishing to establish a remote connection via the Internet to the college's internal network must first authenticate themselves at a firewall or security device.
- It is recommended that all other remote access to systems, specifically those with confidential data, be achieved using multi-factor authentication (MFA) technologies.
Slide 7: Offsite Hosting/Vendors
020109 Contracting with External Suppliers/Other Service Providers
- Properly executed contracts and confidentiality agreements. These contracts must specify the conditions of use and security requirements, and the access, roles and responsibilities of the third party, before access is granted.
- Colleges are required to ensure that vendors providing offsite hosting or cloud services provide the College with an annual risk assessment report validating compliance with College security requirements.
Slide 8: 020303 User: Information Security Training
- Mandatory information security awareness training for new staff as part of job orientation.
- Formal information security training appropriate to work responsibilities, on an annual basis.
- Insider threat training covering how to prevent, detect, and respond to an insider threat.
- Training in information security threats and safeguards, with technical details reflecting the staff member's individual responsibility for configuring and maintaining information security.
**Needs to be a Continuous Cycle**
Slide 9: 030501 Using Encryption Techniques
- Industry standards should always be used if at all possible (PCI DSS, NIST, ISO 27001).
- Confidential data shall not be transmitted across wireless or public networks, including transmissions such as FTP and electronic mail.
- Secure transmission of confidential data shall use the most current encryption protocol version and must be FIPS 140-2 compliant.
- If a College is not using the most current encryption protocol version, it must have a mitigation plan in place. (Meeting the higher standard is always best.)
Slide 10: System Configuration Manual
040407 Systems Documentation
Colleges should develop and maintain additional documentation that details hardware and software placement and configuration, provides flowcharts, etc. Documentation should include:
- Vendor name, address, and contact information
- License number and version
- Update information
- Configuration reports and listings for operating system and server software
- BIOS revision information
- Port listing
Slide 11: 041004 Using Mobile Communication Devices
- A minimum 4-digit numeric, user-defined personal identification number (PIN) that is changed every 90 days.
- An inactivity time-out of 10 minutes or less.
- If technically possible, the ability to remotely erase the contents of the device at the user's request, at management's request via a help desk service request, or by the user's own action.
- Colleges shall make end users aware that they are accepting the risk of personal data being lost.
- Users shall report lost or stolen mobile communication devices to a College's service desk or to college management within 24 hours of confirmation.
Slide 12: Passwords
Managing User Access (020102)
- User credentials that are inactive for a maximum of ninety (90) days must be disabled, except as specifically exempted by the security administrator.
Passwords Defined (020106)
- At least eight characters in length
- Strong passwords for High Security Systems
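The two password slides (020102 and 020106) state concrete thresholds: 90 days of inactivity, 90-day password age, six-password history, eight-character minimum. As an added example that is not from the presentation or from IIPS, the following Python audit encodes those thresholds and runs them over a constructed sample account; the Account fields, the sha256 stand-in for the directory's password hash, and the sample data are all assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Thresholds as stated in IIPS 020102 / 020106 on the slides.
MAX_INACTIVE_DAYS = 90      # inactive credentials must be disabled
MAX_PASSWORD_AGE_DAYS = 90  # passwords changed at least every 90 days
PASSWORD_HISTORY = 6        # no reuse until six newer passwords exist
MIN_PASSWORD_LENGTH = 8


@dataclass
class Account:              # hypothetical record shape, not an IIPS schema
    name: str
    last_login: date
    password_set: date
    history: list           # digests of previous passwords, newest first
    enabled: bool = True


def _digest(password: str) -> str:
    # Stand-in for the directory's password hash so the history check runs
    # offline; a real system verifies the candidate against each stored
    # salted hash rather than comparing unsalted digests.
    return hashlib.sha256(password.encode()).hexdigest()


def audit_account(acct: Account, today: date) -> list:
    """Findings against 020102/020106 for one account (empty = compliant)."""
    findings = []
    if acct.enabled and (today - acct.last_login).days > MAX_INACTIVE_DAYS:
        findings.append("disable: inactive for more than 90 days (020102)")
    if (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("expire: password older than 90 days (020106)")
    return findings


def check_new_password(acct: Account, candidate: str) -> list:
    """Reasons a proposed password violates 020106 (empty = accepted)."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than 8 characters")
    if _digest(candidate) in acct.history[:PASSWORD_HISTORY]:
        problems.append("reused within the last 6 passwords")
    return problems


# Constructed sample account, not taken from the slides.
TODAY = date(2016, 3, 1)
STALE = Account("jdoe", date(2015, 11, 1), date(2015, 10, 15),
                [_digest(f"Autumn2015!{i}") for i in range(6)])
```

Running audit_account(STALE, TODAY) yields both a disable and an expire finding, and check_new_password rejects a reuse of any of the six stored passwords while accepting a new one of sufficient length.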
Slide 13: Chapter 7 – Business Continuity and Risk Management (070103)
Planning cycle: Initiation, Development, Implementation, Assessment
- Who is responsible at your school?
- Constantly revisit the plan; constant improvement.
Slide 14: 070202 Conducting Security/Risk Assessments
- Due diligence
- Revisit this subject yearly, or more often if needed
- This should be used in budget planning
- All critical systems should be included in the planning
Slide 15: Local Implementation
- You do NOT have to re-write these standards at your local institution.
- This manual should be referenced in your local Administrative Procedures Manual.
- The statement should reflect that all standards included in the NCCC Information Security Manual are followed locally.
- Any deviation from the manual needs to be documented locally, and the college needs to be prepared to justify the deviation.
Slide 16: Looking Forward (Items of Interest)
- Administrative rights to PCs on your local campuses (labs vs. office PCs) *only mentioned in the guidance area
- FIPS 140-2 compliance requirements (030501)
- Other questions? (via email)
Slide 17: Q&A
Once approved by ESRMO, the official document will be placed on the IIPS website: http://www.nciips.org/ (About IIPS tab)