Presentation is loading. Please wait.

Presentation is loading. Please wait.

when you have not been breached.

Published byMae Washington Modified over 6 years ago

Similar presentations

Presentation on theme: "when you have not been breached."— Presentation transcript:

1 when you have not been breached.
IT Governance… M. Peter Adler when you have not been breached. Patrick J. Feehan

2 It Should Be an Easy Proposition

3 IT Departments in Higher Education are Smart and Virtuous.

4 Why Can’t We All Have a Simple Board Resolution Like Indiana?

5 1 Resolution of the Trustees of Indiana University Regarding the Leadership, Responsibility, and Security of IU's Information Technology Infrastructure 5

6 1 WHEREAS, the advent of the Internet has significantly transformed the manner in which information is stored on interconnected servers throughout the world; and 6

7 1 WHEREAS, the Internet is an information technology environment in which it is possible to have inadvertent or intentional unauthorized access to Internet sites and related servers; and 7

8 1 WHEREAS, successful intrusions into Internet sites and servers can lead to the disclosure of sensitive personal and institutional information; and 8

9 1 WHEREAS, it is critical that Indiana University protect its institutional information and information technology infrastructure so as to reduce the possibility of unauthorized access to servers holding sensitive information or running mission-critical applications. 9

10 1 NOW THEREFORE BE IT RESOLVED that the Trustees direct the Office of the Vice President for Information Technology and CIO to develop and implement policies necessary to minimize the possibility of unauthorized access to Indiana University's information technology infrastructure regardless of the Indiana University office involved; and 10

11 1 BE IT FURTHER RESOLVED that the Trustees direct the Office of the Vice President for Information Technology and CIO, which may draw upon the experience and expertise and resources of other University offices (including the Office of Internal Audit), to assume leadership, responsibility, and control of responses to unauthorized access to Indiana University's information technology infrastructure, unauthorized disclosure of electronic information and computer security breaches regardless of the Indiana University office involved. 11

12 We All Like to Think…It Takes a Village, and We Are the Smartest People In This Village When It Comes To Information Security 12

13 Or…. 13

14 Does It Take A Breach? 14

15 2 A simple but fascinating conversation was held on the Educause Security Listserv in November of Kathy Bergsma of the University of Florida asked: 15

16 She inquired about several methods:
I'm interested in hearing about your success stories engaging senior management support for security initiatives. What methods worked at your institution? She inquired about several methods: 16

17 Fear, uncertainty and doubt

18 Metaphors and analogies

19 Working behind the scenes
Relationship building with key players

20 Comparison with peer institutions

21 Financial benefits such as ROI (return on investment)

22 Metrics

23 Ask forgiveness rather than permission

24 Leverage an incident

25 So what do you suppose was the first response she got back?
25

26 “Kathy: while I don't recommend it, A BREACH certainly helped get upper managements attention! After the clean up and notification, we were able to garner some additional resources.” (Emphasis Added) 3 26

27 Others talked about approaches outside a breach
27

28 4 “In advance, evaluation and testing of new security tools and bringing very colorful graphs to senior management, before ask for anything. (altogether: Working behind the scene and Metrics)”

29 “Development, adoption, deployment, and compliance monitoring of an IT Security Governance Industry Standard such as ISO 27002:2005.” 5

30 6 “1. Policy in place to address HIPAA or other security requirements;
2. Understanding business requirements, being flexible and selling it in a manner that makes sense for whichever audience we're presenting to; 3. Comparisons with peer institutions and industry standards” 6

31 “On occasion, an audit issue or an incident will also help drive something forward. In my experience though you have to capitalize on those pretty quickly otherwise priorities will shift and they'll be forgotten about.” 7

32 8 “Create a Business Rationale for Cyber Security”

33 “Working behind the scenes, lots of 1-1 engagement in the community (even if not defined as 'key' players), incremental steps and not trying to make the issue so big, encompassing, or scary that it loses credibility, or asking for disproportionate funding or level of authority - it helps to work within the culture.” 9

34 “Performing a risk assessment helps us out
“Performing a risk assessment helps us out. If you can get them to commit a few hours of staff time to an RA then you can provide some assurance that whatever steps you recommend are well reasoned and show a risk-based strategy for identifying solving security problems. This helps me to avoid the impression that an initiative is just the security people being paranoid.” 10

35 We are required to have guidelines that are compatible with State IT security policies and, as a result, our security officers developed a comprehensive set of guidelines that address risk management, security policy, access controls, network security, nonpublic information, encryption, and other areas.  11

36 12 “We are engaged in most of the activities listed below with some being more successful than others.  Hands down the activity that has shown the most success and has proven the most beneficial to our security cause is our incident response strategy when an incident involved confidential data.” 

37 “Compliance with laws can be a major driver - state data breach law was a motivator here. 
13

38 Our Informal Poll Amongst Colleagues

39 All sorts of ways….. To make your case.

40 I prefer charts and graphs – I like making my case

41 41

42 ISO 27002: 2005 hands down!

43 No, you have to perform a risk assessment!
scare them!

44 Just barge ahead and ask for forgiveness later

45 Think like a brand manager!!

46 How does a brand manager think?
They “leverage” the brand. They use an existing and well known brand name to enter a new product. Examples?

47

48

49 What “Brands” can we leverage. How about Red Flags. PCI. GLBA. HEAA
What “Brands” can we leverage? How about Red Flags? PCI? GLBA? HEAA? HIPAA? All of these compliance items are well known to our schools and require information security. Can we leverage that?

50 Summing up, without a breach we have…

51 ∆ Comparison with peer institutions
∆ Metaphors and analogies ∆ Fear, uncertainty and doubt ∆ Working behind the scenes; Relationship Building with key Players ∆ Financial benefits such as ROI (return on investment); Metrics ∆ State breach Laws or State InfoSec Laws ∆ Ask forgiveness rather than permission ∆ Leverage the information security brand

52 Or, we can always wait for the breach. 

53 IT Governance Yes We Can!

54 Questions? Fill Out Your Evaluations!!

Download ppt "when you have not been breached."

Similar presentations

Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program Brian Davis IT Security & Policy Office of Information.

Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program Brian Davis IT Security & Policy Office of Information.
© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United.

© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United.
Audit Issues regarding Passwords on Elevated Privilege Accounts Gene Scheckel Global Internal Audit.

Audit Issues regarding Passwords on Elevated Privilege Accounts Gene Scheckel Global Internal Audit.
Advancing Security Programs through Partnerships Cathy HubbsShirley Payne IT Security Coordinator Director for Security Coordination & Policy George Mason.

Advancing Security Programs through Partnerships Cathy HubbsShirley Payne IT Security Coordinator Director for Security Coordination & Policy George Mason.
Security Controls – What Works

Security Controls – What Works
Higher Education Cybersecurity Strategy, Programs, and Initiatives Rodney Petersen Policy Analyst & Security Task Force Coordinator EDUCAUSE.

Higher Education Cybersecurity Strategy, Programs, and Initiatives Rodney Petersen Policy Analyst & Security Task Force Coordinator EDUCAUSE.
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Company Name Motto Confidential and Proprietary By viewing this document, you are bound by the ethics of your own professionalism and sound judgment Presentation.

Company Name Motto Confidential and Proprietary By viewing this document, you are bound by the ethics of your own professionalism and sound judgment Presentation.
Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.

Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.
Information Security Governance 25 th June 2007 Gordon Micallef Vice President – ISACA MALTA CHAPTER.

Information Security Governance 25 th June 2007 Gordon Micallef Vice President – ISACA MALTA CHAPTER.
VIRGINIA PUBLIC-PRIVATE EDUCATION FACILITIES AND INFRASTRUCURE ACT OF 2002 (PPEA) Augusta County Board of Supervisors Wednesday, January 6, 2009.

VIRGINIA PUBLIC-PRIVATE EDUCATION FACILITIES AND INFRASTRUCURE ACT OF 2002 (PPEA) Augusta County Board of Supervisors Wednesday, January 6, 2009.
C R A W April 2005 The Job Search Process & Later Job-Related Decision Making Joann Ordille Avaya Labs Research The Industry Perspective.

C R A W April 2005 The Job Search Process & Later Job-Related Decision Making Joann Ordille Avaya Labs Research The Industry Perspective.
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.

What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
Contact Center Security Strategies Karl Walder Director - Solutions Noble Systems.

Contact Center Security Strategies Karl Walder Director - Solutions Noble Systems.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:

ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.

Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.
ANALYTICS IN HIGHER EDUCATION: PROGRESS AND PROMISE July 2012 Susan Grajek, PhD Vice President, EDUCAUSE.

ANALYTICS IN HIGHER EDUCATION: PROGRESS AND PROMISE July 2012 Susan Grajek, PhD Vice President, EDUCAUSE.
No More Fat Here Mike Dennis Garland Elmore Greg Topp Lori Temple.

No More Fat Here Mike Dennis Garland Elmore Greg Topp Lori Temple.
Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.

Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.
Forward: Analytics Red Queen Moving Eden Dahlstrom, Director of Research Maturing the November 5, 2015 Practices.

Forward: Analytics Red Queen Moving Eden Dahlstrom, Director of Research Maturing the November 5, 2015 Practices.

Similar presentations

Ads by Google