Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lessons Learned in Managing IT Risk

Published byWesley Bradford Modified over 6 years ago

Similar presentations

Presentation on theme: "Lessons Learned in Managing IT Risk"— Presentation transcript:

1 Lessons Learned in Managing IT Risk
EDUCAUSE Security Professionals Conference 2013 Jane Drews, CISO The University of Iowa Lessons Learned in Managing IT Risk

2 Topics Understanding IT Risk Key Areas and Lessons Learned
Information Risk Endpoint Risk System/Server Risk Educause SPC 2013

3 Understanding IT Risk Educause SPC 2013

4 An “Economic” aspect Educause SPC 2013

5 A “Safety” aspect Educause SPC 2013

6 A “Probability” perspective
Educause SPC 2013

7 An “Impact” perspective
Educause SPC 2013

8 IT Risk Sources Information (CIA) Physical failures Software errors
Non-Compliance Human elements Environmental Educause SPC 2013

9 An IT Risk Management Model
Impact Transfer Avoid Probability Accept Reduce Educause SPC 2013

10 Information Risk Educause SPC 2013

11 Preservation Educause SPC 2013

12 Litigation Educause SPC 2013

13 Lessons about Information Risk
Preserve important information Resources, methods/formats, and instructions Discard what you don’t need Controls cost, information sprawl Automate records management if possible Controls errors and omissions Be prepared for litigation Educause SPC 2013

14 Endpoint Risk Educause SPC 2013

15 User as the Endpoint Educause SPC 2013

16 Client Devices Websense reports only 5 percent of actively used browser installations have the most up-to-date version of the Java plug-in… Organizations face malware-related events that bypass traditional defense technologies on their networks every three minutes, according to a new report released Wednesday by security vendor FireEye. Educause SPC 2013

17 Lessons about Endpoints
Threats are constantly evolving A-V model is no longer very effective Standardize and automate client security Professionally manage all devices Lockdown as much as possible User Training and Awareness Learn safe computing practices and policies Recognize and avoid risks Stronger authentication should be considered Educause SPC 2013

18 System (Server) Risk Educause SPC 2013

19 System Compromises Credentials, Keys, SSO Patching
Configuration and trusts System Monitoring Educause SPC 2013

20 Defense in Depth Educause SPC 2013

21 Lessons about systems We are an interconnected IT ecosystem
Common good, general protections for all Small system changes can reap large benefits Strong authentication for all accounts Don’t be the weak link! Enforcement is tricky Educate on guidelines and policy Utilize assessment methods and tools to check Educause SPC 2013

22 Specific Lessons Recap:
Implement a records management program Address normal preservation and litigation, as they are equally important Automate management of all clients Expand user security awareness training Employ stronger authentication Isolate systems or services from Internet Improve system-level monitoring Provide more training for IT staffs Perform more system checks/assessments Educause SPC 2013

23 For more information: Educause SPC 2013

Download ppt "Lessons Learned in Managing IT Risk"

Similar presentations

Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
Network security policy: best practices

Network security policy: best practices
Automating Endpoint Security Policy Enforcement Computing and Networking Services University of Toronto.

Automating Endpoint Security Policy Enforcement Computing and Networking Services University of Toronto.
Incident Response Updated 03/20/2015

Incident Response Updated 03/20/2015
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Information Security Update CTC 18 March 2015 Julianne Tolson.

Information Security Update CTC 18 March 2015 Julianne Tolson.
Evolving IT Framework Standards (Compliance and IT)

Evolving IT Framework Standards (Compliance and IT)
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.

Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.

Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
Security Introduction. Security is a system It is important to realize that security is a system of individual measures, each of which is not fully effective.

Security Introduction. Security is a system It is important to realize that security is a system of individual measures, each of which is not fully effective.
RINGS (ResNet Integrated Next Generation Solution) Educause Security Professionals Conference 2006.

RINGS (ResNet Integrated Next Generation Solution) Educause Security Professionals Conference 2006.

Similar presentations

Ads by Google