Security Planning: Background and Best Practices

Presentation transcript:

1 Security Planning: Background and Best Practices
5th Cybersecurity Summit
September 14, 2009
Ardoth Hassler
Senior IT Advisor, National Science Foundation
A Work in Progress

Hello. My name is Ardoth Hassler. I am a Senior Information Technology Advisor at the National Science Foundation. In “real life,” I am Associate VP for University Information Services at Georgetown University. At NSF, I’ve been working on the project to remove SSNs from FastLane and on Cybersecurity for NSF Large Facilities. At GU, I worked most recently in “policy, planning and politics,” having the Security Office and Advanced Research Computing among my direct reports. While GU doesn’t have an NSF-funded large facility, it does have the Lombardi Comprehensive Cancer Center—think “large facility” + HIPAA.

2 “Cybersecurity is now a major national security problem for the United States.”
- Securing Cyberspace for the 44th Presidency: A Report of the Center for Strategic and International Studies, Washington, DC, December 2008

3 “…America's economic prosperity in the 21st century will depend on cybersecurity.”
- President Barack Obama, Washington, DC, May 29, 2009

4 Introduction
Community has asked for guidance on cybersecurity
First CyberSecurity Summit* held after a major incident affected multiple large facilities
Opportunity to gather PIs and security professionals with program directors
Reports from the Summits have resulted in:
  Closer workings within the community
  NSF developing language about cybersecurity for the Cooperative Agreements
  Best Practices in Cybersecurity that Might Be Useful to NSF Large Facilities presentation at the Fourth Summit* in 2008 and other forums
This is a work in progress
Your feedback is most welcome
* Funded by NSF

NSF sponsored the first CyberSecurity Summit after a major incident affected multiple large facilities in the time frame. It has afforded an opportunity to gather PIs and security professionals with their program directors to focus on security-related issues. Reports from the Summits have resulted in closer working relationships within the community, and NSF developed language about cybersecurity for the Cooperative Agreements. Via the Summits, the community has asked for guidance on cybersecurity. This work is to be considered a “work in progress”. We want and welcome your feedback.

5 Introduction
Here are some examples of NSF’s sponsored large facilities. If you want me to add your logo, please send it to me.

6 What’s at stake…
Lost productivity
  TeraGrid supports around $300M in research annually*
Expensive incident response and notification
  Laptop stolen from public west-coast research university 2005: $750K out of pocket
  Research server breach at private east-coast research university 2006: $200K out of pocket
  External hard drive stolen containing student and alumni data from a locked office at research university 2008: $1M out of pocket
  Cost of TeraGrid’s Stakkato Incident in : not calculated
Reputational damage
  Institution or agency: can’t estimate
  PII disclosure of patient or alumni data: priceless
Data integrity compromise
  Would you know if a data element was changed?
* Information provided by John Towns, NCSA

Lost productivity: TeraGrid supports around $271M in research annually*. Incident response and notification are expensive: a laptop stolen from a public west-coast research university in 2005 cost $750K out of pocket; a research server breach at a private east-coast research university in 2006 cost $200K out of pocket; the cost of the TeraGrid’s Stakkato Incident in : not calculated. Reputational damage: hard to estimate the institutional or agency damage; PII disclosure of patient or alumni data: priceless. Data integrity compromise: would you know if a data element was changed?

7 First Principles
Information security is a journey not a destination.
  The challenges keep coming.
  Security programs evolve and improve.
Security budgets are limited
  Priorities must be established; tradeoffs must be made.
Good IT practices foster good security
Good IT security reflects good IT practices.
Information security is more than an “IT issue.” It is an issue for everyone.
Information Security starts with policy.

I want to start with some “first principles”. Information security is a journey not a destination. The challenges just keep coming. Our processes evolve and improve. Security budgets are limited. Therefore, we must establish priorities and often make tradeoffs. Good IT practices foster good security. Good IT security reflects good IT practices. This is my new mantra. Information Security starts with policy. That doesn’t mean you wait to lock the barn door until the policy is written, but policy must form the foundation of a security program.

8 Starting with Policies
If the facility is:
  …part of a larger organization, the facility should defer to the policies of its parent organization. This could be a “floor” with the facility needing to augment the policies to address specific regulations, issues or needs. It might also be a “ceiling” with the facility needing to tailor policies to its needs.
  …a Consortium, the Consortium needs to have a policy that all of the members will have policies.
  …not part of a Consortium and doesn’t have a parent organization, it needs to develop its own policies.

This is only the first time you will hear me say to leverage the resources that are available and don’t reinvent any wheels.

9 Policies, Procedures and Practices
Facility Cybersecurity: Do What Makes Sense and Is Appropriate for Identified Risks
Institutional Policies, Procedures and Practices
Appropriate PPPs for the Facility

Where policies about cybersecurity are concerned, and I’ll say more about policies later, leverage what makes sense for your facility. If you are part of a larger institution or a consortium, balance what they have and use against NIST and other Federal or International guidance. Create an environment that is appropriate for your facility.

10 Cybersecurity is a Balance
Open, Collaborative Environment for Research and Discovery
Confidentiality, Integrity, Availability
Security, Privacy

Cybersecurity is a balance. On the one hand, we all want an open, collaborative environment for research and discovery. On the other, we need to ensure confidentiality, integrity and availability of information and resources while maintaining security and privacy. Facilities must weigh the cost of impact vs the cost of remediation.

11 Information Security is a Continuous Process
Security is a continuous process of evaluation and monitoring
Assess: Security Assessments; Risk – Threats; Privacy; Security Test & Evaluation; Compliance
Plan: Top-down Security Management; Risk-based Strategy; Business Continuity; Solution Planning; Resource Allocation
Design: Policy Standards; Enterprise Architecture; Configuration Standards
Implement: Product Selection; Product Implementation
Execute: Managed Security Services; Intrusion Detection; Firewall Management; Incident Reporting; Vulnerability Management; Penetration Testing

Information Security is a continuous process. I’m not going to speak to this slide in detail, but want to note how many of the elements I’m about to talk about interrelate. It’s important in a security program to: Assess, Plan, Design, Implement, Execute, and then ensure you have a feedback loop for continuous improvement. Several who previewed these slides drew the analog to safety management systems. With this background, I will now segue into some Best Practices you may find useful.

12 NSF Cooperative Agreements Information Security Requirement
Incorporated in NSF’s Supplemental Financial and Administrative Terms and Conditions:
  CA-FATC – Large Facilities: Article 51
  CA-FATC – FFRDCs: Article 54
Purpose is to help ensure that NSF large facilities and FFRDCs have policies, procedures and practices to protect research and education activities in support of the award.
Influenced by recommendations from awardees at previous NSF-sponsored Cyber-security summits.

NSF’s Cooperative Agreements for about the last year have incorporated an information security requirement in the Supplemental Financial and Administrative Terms and Conditions. The purpose is to help ensure that NSF large facilities and FFRDCs have policies, procedures and practices to protect research and education activities in support of the award. The language in the CA was influenced by recommendations from awardees at previous NSF-sponsored Cyber-security summits. In summary, it says….

13 Information Security Responsibilities
Security for all IT systems is the Awardee’s responsibility.
  Includes equipment, data and information
Awardee is required to provide a summary of its IT Security program, including:
  Roles and responsibilities, risk assessment, technical safeguards, administrative safeguards; physical safeguards; policies and procedures; awareness and training; notification procedures.
  Evaluation criteria employed to assess the success of the program
All subawardees, subcontractors, researchers and others with access to the awardee’s systems and facilities shall have appropriate security measures in place.
Awardee will participate in ongoing dialog with NSF and others to promote awareness and sharing of best practices.

Security for all IT systems under the award, including equipment and information, is the Awardee’s responsibility. The Awardee is required to provide a summary of its IT Security program: include roles and responsibilities, risk assessment, technical safeguards, administrative safeguards; physical safeguards; policies and procedures; awareness and training; notification procedures. Include evaluation criteria employed to assess the success of the program. All subawardees, subcontractors, researchers and others with access to the awardee’s systems and facilities shall have appropriate security measures in place. The Awardee will participate in ongoing dialog with NSF and others to promote awareness and sharing of best practices.

14 Awardee Responsibilities under the Cooperative Agreement
Summary of IT Security Program:
  roles and responsibilities
  risk assessment
  technical safeguards
  administrative safeguards
  physical safeguards
  policies and procedures
  awareness and training
  notification procedures
[Figure: wagon wheel with these eight components as spokes]

The Cooperative Agreement asks facility managers to summarize elements of their security programs to include: roles and responsibilities, risk assessment, technical safeguards, administrative safeguards, physical safeguards, policies and procedures, awareness and training, notification procedures. I’ve represented these components in a wagon wheel (seems appropriate for “the West”).

15 Elements of an IT Security Program …becomes a Security Plan
[Figure: the wagon wheel of the eight program components (Risk Assessment, Roles and Responsibilities, Technical Safeguards, Administrative, Physical, Policies and Procedures, Awareness Training, Notification) surrounded by Planning, Operations, Assessment and Oversight]
Good planning
Sound operations
Continuous assessment
Good Management or Oversight

Now, we’ve covered all the parts of what the cooperative agreement requires. If you consider your IT planning, with your operations and build in some type of assessment or continuous improvement process, with good management oversight… you have the elements of a good IT security program. …becomes a Security Plan.

16 In summary…
Information Security is the awardee’s responsibility
Facility Security programs should be:
  Sufficient to meet the needs of the facility
  Appropriate to identified risks
Facilities should:
  Be encouraged to have good IT management practices
  Recognize Information Security is one part of good IT operations
Facilities need to recognize the roles of executives, management, technical staff, users
Remember: your Program Director is not a cybersecurity expert

17 Don’t reinvent wheels…
Facilities have many resources available for their use:
  Expertise and existing policies and procedures from their parent organization or institution (if they have one)
  Example security programs of some other Large Facilities
  Community best practices: EDUCAUSE, Internet2, universities
  Published standards from NIST, SANS and other organizations

18 Remember…
It’s about risk mitigation
Information security programs and plans will improve over time
Information security is a journey not a destination

19 Good IT practices foster good security.
Good IT security reflects good IT practices.

20 Questions?
Ardoth Hassler
Senior IT Advisor, NSF
ahassler@nsf.gov
In real life: Associate Vice President, University Information Services, Georgetown University

