Information Technology Standards at the University of Illinois

1 Information Technology Standards at the University of Illinois
Common Challenges and Solutions Shea Nangle, Security Standards and Compliance Officer Michael Corn, CPO/CSO

2 Presentation Outline A little context and history
Three Elements of a standards program Drill down during each Feel free to interrupt during any portion Encourage alternate solutions or overlooked challenges during discussion

3 Background and Context

4 Background Policy vs. Standards vs. Guidelines vs. Procedures
No campus understanding No tradition of central IT Governance Usual issues of distributed IT Well established role for the security office

5 Context Diverse environment Forced to be collaborative

6 Slow Progress Timeline PCI DSS

7 Three Legs of a Standards Program
Elements: Controls, Standards, Risks
Governance: Policy, Oversight, Vetting/Socialization
Compliance: Accountability, Technology, Risk Acceptance
Each leg has its own challenges.

8 Elements: Controls | Standards | Risks

9 Elements of a Standards Program
Control: 13. All University-owned laptops must be configured and operate with Full Disk Encryption (FDE) software or hardware.
Standard: Laptop Standard
Risk: [GEN-001] Risk of data breach, release, or loss through the theft or loss of a laptop.

10 Controls: ISO 27002, NIST

11 Standards
Not organizing/writing in ISO 27k domains
Very low bar due to University culture; acceptability will increase over time

12 Risks
Changing perspective (forest vs. trees)
Developing a Risk Knowledgebase

13 Element Challenges I
Palatability of controls
Everyone's an expert
Standards are platform-agnostic
Exception process
Risk first? Standards first? Controls first?

14 Element Challenges II
Quantification vs. qualification of risk
Discussion of the choice to do lightweight, qualitative risk analysis initially (examples)
Move towards quantitative risk analysis as much as possible

15 Current Risk Analysis

16 Governance: Policy | Oversight | Vetting

17 Governance - Policy
“The responsibility for Information Security includes the authority to assume leadership and responsibility to develop, implement, and monitor for compliance the policies, standards, and procedures necessary to achieve the objectives detailed within this policy.”

18 Governance - Oversight
Standards Advisory Board:
2-3 faculty
Service/admin representative
1 college CIO; 1 IT line staff
Auditor + Security Office

19 Governance - Vetting
Standards Focus Group: range of constituents, visiting SMEs
Monthly meetings
Draft discussion
Revision discussion
Endorsement (as interim standards)

20 Governance Challenges
Policy != Standard
Faculty and non-IT engagement

21 Compliance: Accountability | Technology | Risk Acceptance

22 Accountability
Control → Accountability

23 Compliance Technology
Ad hoc GPOs
CIS benchmarks
Scanners
Centralized tools

24 Risk Acceptance
Only a percentage of your environment can be measured
Extrapolate
Map your "compliance topology"
Compare with high risk zones
Focus efforts where the ROI is higher
"Accept" what you can't measure

25 Compliance Challenges
Defining accountability outside of the central unit
How do we measure compliance?
Evaluate each control, average across the standard
Leverage any existing tools, even if weak
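The measurement approach on slides 24 and 25 (evaluate each control, average across the standard, extrapolate from the measured portion, and map the "compliance topology" against high-risk zones) can be made concrete. The following Python script is an added example written for this page; it is not code from the presentation or from the University of Illinois. The control IDs, hostnames, zones and scan results are constructed sample data. The key design point is that an unmeasured host is recorded as None, not as a failure, so that the compliance rate and the measurement coverage stay separate numbers, and the risk-accepted gap between them is visible instead of hidden in an average.

```python
from statistics import mean

# Constructed sample data (not from the presentation): scan results for a
# "Laptop Standard". Each host maps control ID -> True (compliant), False
# (non-compliant) or None (not measurable: no agent, offline, unmanaged).
LAPTOP_STANDARD = ["LAP-13-FDE", "LAP-07-PATCH", "LAP-09-SCREENLOCK"]

HOSTS = {
    "lt-fin-01": {"LAP-13-FDE": True,  "LAP-07-PATCH": True,  "LAP-09-SCREENLOCK": True},
    "lt-fin-02": {"LAP-13-FDE": True,  "LAP-07-PATCH": False, "LAP-09-SCREENLOCK": True},
    "lt-fin-03": {"LAP-13-FDE": None,  "LAP-07-PATCH": None,  "LAP-09-SCREENLOCK": None},
    "lt-lib-01": {"LAP-13-FDE": False, "LAP-07-PATCH": True,  "LAP-09-SCREENLOCK": None},
    "lt-lib-02": {"LAP-13-FDE": True,  "LAP-07-PATCH": True,  "LAP-09-SCREENLOCK": False},
    "lt-res-01": {"LAP-13-FDE": None,  "LAP-07-PATCH": None,  "LAP-09-SCREENLOCK": None},
    "lt-res-02": {"LAP-13-FDE": None,  "LAP-07-PATCH": True,  "LAP-09-SCREENLOCK": None},
}

# Constructed zone map: which unit owns each laptop, and which zones handle
# high-risk data (hypothetical: finance laptops touch PCI cardholder data).
HOST_ZONE = {"lt-fin-01": "finance", "lt-fin-02": "finance", "lt-fin-03": "finance",
             "lt-lib-01": "library", "lt-lib-02": "library",
             "lt-res-01": "research", "lt-res-02": "research"}
HIGH_RISK_ZONES = {"finance"}


def control_score(hosts, control):
    """Return (compliance_rate, coverage) for one control.
    compliance_rate = compliant / measured; coverage = measured / total.
    Unmeasured hosts are excluded from the rate rather than counted as failures,
    so a low rate and a low coverage are two different problems."""
    measured = [r[control] for r in hosts.values() if r.get(control) is not None]
    if not measured:
        return None, 0.0
    return sum(measured) / len(measured), len(measured) / len(hosts)


def standard_score(hosts, controls):
    """Evaluate each control, then average the rates across the standard."""
    rates = [control_score(hosts, c)[0] for c in controls]
    rates = [r for r in rates if r is not None]
    return mean(rates) if rates else None


def extrapolated_bounds(hosts, control):
    """Bracket the true population-wide compliance rate for a control.
    optimistic: unmeasured hosts behave like the measured ones (extrapolate);
    pessimistic: every unmeasured host is non-compliant, which is the exposure
    you implicitly accept when you stop at the measured number."""
    rate, coverage = control_score(hosts, control)
    if rate is None:
        return 0.0, 0.0
    return rate * coverage, rate  # (pessimistic, optimistic)


def compliance_topology(hosts, host_zone, control):
    """Per-zone coverage and rate for one control: where can we measure at all,
    where are the gaps, and do the gaps sit in high-risk zones?"""
    topology = {}
    for zone in set(host_zone.values()):
        subset = {h: r for h, r in hosts.items() if host_zone[h] == zone}
        rate, coverage = control_score(subset, control)
        topology[zone] = {"hosts": len(subset), "coverage": coverage,
                          "rate": rate, "high_risk": zone in HIGH_RISK_ZONES}
    return topology


def measurement_priorities(topology):
    """Zones ordered by where the next scanner/agent deployment pays off most:
    high-risk zones first, then lowest measurement coverage."""
    return sorted(topology, key=lambda z: (not topology[z]["high_risk"],
                                           topology[z]["coverage"]))


if __name__ == "__main__":
    print("standard score:", round(standard_score(HOSTS, LAPTOP_STANDARD), 3))
    for c in LAPTOP_STANDARD:
        rate, cov = control_score(HOSTS, c)
        low, high = extrapolated_bounds(HOSTS, c)
        print(f"{c}: rate={rate:.2f} coverage={cov:.2f} "
              f"population bounds=[{low:.2f}, {high:.2f}]")
    topo = compliance_topology(HOSTS, HOST_ZONE, "LAP-13-FDE")
    print("FDE topology:", topo)
    print("measure next:", measurement_priorities(topo))
```

In the constructed data the FDE control scores 0.75 among measured laptops, but only 4 of 7 laptops were measurable, so the population-wide rate is anywhere between 0.43 and 0.75; the research zone has zero coverage and the finance zone, which is high-risk, has one unmeasured laptop. That is the gap a risk-acceptance decision should name explicitly rather than letting a single averaged percentage imply it does not exist.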

26 Compliance Challenges
How do we increase compliance?
Sales & Marketing
Audit
Cyber-insurance requirements
Incident follow-up
Identify centralized management as strategic (e.g., endpoint management)
Provide simple tools: GPOs, CIS benchmarks, scanners, hardening scripts

27 Fear | Uncertainty | Doubt
Challenge Summary

28 Contact Shea Nangle nangle@illinois.edu Mike Corn mcorn@illinois.edu