Presentation on theme: "UConn NIST Compliance Project"— Presentation transcript:

1 UConn NIST 800-171 Compliance Project
UITS All Staff Meeting Jason Pufahl, CISO October 30, 2017

2 DFARS Clause
The Department of Defense established DFARS, which specifies that any research containing Controlled Unclassified Information (CUI) be protected using NIST 800-171.
DFARS Clause mandates:
• Provide adequate IT security
• Implement all 109 NIST controls
• Comply by
• Report areas of non-compliance to DoD within 30 days after contract award

3 Key Infrastructure Elements
NIST 800-171 control families (14): Access Control; Awareness & Training; Audit & Accountability; Configuration Management; Identification & Authentication; System & Information Integrity; Incident Response; System & Communications Protection; Maintenance; Security Assessment; Risk Assessment; Physical Protection; Personnel Security; Media Protection
Key Infrastructure Elements: Mobility and Supportability; Fully Virtualized; NetApp Storage; Centralized Security Controls; Data Collection and Review; Firewalls; Malware Detection; Consistency; Operating System Management; Documentation Binder

4 Total Number of Controls
Compliance Efforts (columns: Control Family, UITS and CISO, System Admin, System Owner or PI, Shared, Total Number of Controls; figures as captured)
Access Control: 14, 3, 5, 22
System and Communications Protection: 13, 1, 2, 16
Identification and Authentication: 10, 11
Configuration Management: 7, 9
Audit and Accountability
Media Protection: 6
System and Information Integrity
Maintenance
Physical Protection
Risk Assessment
Awareness and Training
Security Assessment
Incident Response
Personnel Security
Grand Total: 64, 21, 109

5 Roles and Responsibilities
• Shared: 21 controls implemented and managed through a combined effort of all groups.
• System Owner/PI: 11 controls implemented and managed by the PI or research group.
• System Admin: 11 controls that require some work or interaction by the SA to use or implement.
• UITS and CISO: 64 controls that are covered based on the current status of UConn’s infrastructure and policies and/or are monitored by the CISO.

6 Configuration Management (9)
NIST Control Number: 3.4.1
Control Type: Basic
Capability Requirements: Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
UConn Defined Control Capabilities: Baseline Windows operating system images are available and managed by UITS.
• Baseline configurations documented and maintained for each information system type, to include software versions, patch level, configuration parameters, network information including topologies, and interfaces with other communication systems.
• PI or IT Designee responsible for system and application life cycle changes.

7 Configuration Management (9)
NIST Control Number: 3.4.8
Control Type: Derived
Capability Requirements: Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software, or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
UConn Defined Control Capabilities: Deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
• Administrative access for users to systems and applications is prohibited per
• PI, IT Designee, or Automated Process only can install software.
• Systems and/or applications will be accessed by authorized users only, as defined in section 3.1.
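One way to implement the deny-all, permit-by-exception option chosen above on the UITS-managed Windows baseline, as an added AppLocker example that is not from the presentation; the scan directories, output path, candidate file and account name are constructed for illustration.

```powershell
# Added example, not part of the UConn presentation. Assumes a Windows baseline
# image managed by UITS; every path and account below is constructed.

# 1. Inventory the executables present on the baseline image (supports the
#    3.4.1 inventory as well as the allow list for 3.4.8).
$baselineFiles = Get-AppLockerFileInformation -Directory 'C:\Windows', 'C:\Program Files' `
    -Recurse -FileType Exe

# 2. Build allow rules only: signed binaries by publisher, unsigned ones by hash.
#    AppLocker denies anything a rule collection does not explicitly allow, which
#    is the deny-all, permit-by-exception (whitelisting) option in 3.4.8.
$policy = New-AppLockerPolicy -FileInformation $baselineFiles `
    -RuleType Publisher, Hash -User Everyone -Optimize

# 3. Evaluate an unapproved download against the policy before enforcing anything.
#    Expected PolicyDecision: DeniedByDefault, because no rule permits the file.
$candidate = 'C:\Users\researcher\Downloads\untrusted-tool.exe'   # constructed path
Get-AppLockerFileInformation -Path $candidate |
    Test-AppLockerPolicy -PolicyObject $policy -User 'CAMPUS\researcher' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Keep the policy XML with the documentation binder, then merge it into the
#    local policy (deploy through a GPO for lab-wide enforcement).
$policy.ToXml() | Out-File -FilePath 'C:\Baseline\AppLocker-whitelist.xml' -Encoding utf8
Set-AppLockerPolicy -PolicyObject $policy -Merge
```

Enforcement also requires the Application Identity service to be running and the rule collection set to Enforce rules rather than Audit only; run in audit mode first and review the AppLocker event log for DeniedByDefault entries so that approved research software is added to the list before enforcement.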

8 DFARS and Beyond
• Export Control
• Human Subject Research
• Protected Health Information
• Industry Partners

9 Key Contributors
George Assard, Chris Tarricone, Mike Lang, Paul Majkut
OVPR: Catherine Rhodes
Thank you!!!
