Presentation is loading. Please wait.

Presentation is loading. Please wait.

MBUG 2018 Session Title: NIST in Higher Education

Published byBeverley Thomas Modified over 5 years ago

Similar presentations

Presentation on theme: "MBUG 2018 Session Title: NIST in Higher Education"— Presentation transcript:

1 MBUG 2018 Session Title: NIST 800-171 in Higher Education
Presented By: Thomas Ritter – Security & Compliance Officer Institution: Mississippi State University September 3rd, 2018

2 Session Rules of Etiquette
Please turn off your cell phone If you must leave the session early, please do so discreetly Please avoid side conversation during the session

3

4 Economic Impact of Cybercrime
Latest Center for Strategic and International Studies (CSIS) report says $600 Billion – Feb Title is: Economic Impact of Cybercrime – No Slowing Down Helped by black markets, digital currencies and new technology

5 Higher Education Particularly Attractive
Hackers want faculty, staff, student and institutional DATA!!! Passwords Financial Aid Information Health Information Intellectual Property of all kinds Library journals and periodicals Research Data

6 National Institute of Standards and Technology
NIST recommends security controls for federal information systems. 800 Series documents describe the US federal government computer security policies, procedures and guidelines NIST is a part of the Dept. of Commerce NIST is the standard used by Federal Information Security Management Act (FISMA)

7 NIST Protection standards for Controlled Unclassified Information (CUI) in non-federal information systems CUI is essentially anything that must be protected that is not “classified” Higher Education: research data, export controlled research data, personally identifiable information (PII) and student financial aid information 14 families of security requirements

8 Why do Higher Education care?
Defense Contracts Defense Federal Acquisition Regulation Supplement (DFARS) Federal Acquisition Regulation (FAR) – expected December requirements-in-federal-contracts-arent-far- away “Since all higher education institutions must sign a PPA in order to participate in federal student aid programs, as well as have an SAIG agreement in place to exchange data with FSA systems, integration of CUI Rule requirements based on into those agreements would have far-reaching implications for EDUCAUSE members.”

9 Dear Colleague Letter – July 2016
Reminded institutions that student financial aid information is subject to the security requirements of Gramm-Leach-Bliley Act (GLBA) “Strongly encourages” institutions to review and understand NIST Audits will begin to incorporate GLBA requirements into its annual audit guide

10 GAO – Report Dec 2017 Title Says it all…
“Until Education ensures that information security requirements are considered in program reviews of schools, FSA will lack assurance that schools have effective information security programs.”

11 Are you already required?
-introduction-to-nist-special-publication for-higher-education-institutions “A higher education institution must review its contracts with federal agencies carefully. There must be a document (contract) referencing both (1) the data the federal agency is sharing that it has specifically identified as CUI, and (2) that the institution must follow the terms of NIST ”

12 NIST 800-171 Control Families
Family Access Control Media Protection Awareness and Training Personnel Security Audit and Accountability Physical Protection Configuration Management Risk Assessment Identification and Authentication Security Assessment Incident Response System & Communications Protection Maintenance System and Information Integrity

13 Security Requirement Structure
Basic Security Requirements: (Configuration) Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Establish and enforce security configuration settings for information technology products employed in organizational information systems.

14 Security Requirement Structure
Derived Security Requirements: Track, review, approve/disapprove, and audit changes to information systems Analyze the security impact of changes prior to implementation.

15 NIST 800-171 Compliance Template
/9/nist-sp compliance-template

16 NIST Dell SecureWorks – NIST Security Controls Assessment – July 2018 Units Financial Aid/Registrar and a research unit *major cultural change *significant long-term effort *scoping critical

17 Two – Factor Authentication

18 Two – Factor Authentication

19 DUO is REQUIRED@MSSTATE
To access university information staff are required to use two factor authentication (2FA) per the Information Security Program infosecurity.msstate.edu Student requirement has been approved and will be implemented in Spring 2019 To folks that complain, students have lost financial aid funds and staff have lost paychecks…

20 Keystroke Logger

21 Conclusions Don’t have exact timelines but it is clear that NIST is coming and will be required. Institution Security Programs need to be reviewed and it should start now. Questions?

Download ppt "MBUG 2018 Session Title: NIST in Higher Education"

Similar presentations

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication 800-171 Protecting Controlled.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication Protecting Controlled.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
1 Executive Office of Public Safety. 2 National Incident Management System.

1 Executive Office of Public Safety. 2 National Incident Management System.
Security Controls – What Works

Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Information Systems Security Officer

Information Systems Security Officer
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Information Security Framework & Standards

Information Security Framework & Standards
Business Justification California Department of Social Services

Business Justification California Department of Social Services
Presented by Raaj Kurapati and Charlene Hart. Introduction  The Single Audit Act Amendments of 1996 was enacted to streamline and improve the effectiveness.

Presented by Raaj Kurapati and Charlene Hart. Introduction  The Single Audit Act Amendments of 1996 was enacted to streamline and improve the effectiveness.
1 The Auditor’s Perspective Division of Sponsored Research Research Administration Training Series Presented by: Joe Cannella Audit Manager,

1 The Auditor’s Perspective Division of Sponsored Research Research Administration Training Series Presented by: Joe Cannella Audit Manager,
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.

Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.
Systems and Software Consortium | 2214 Rock Hill Road, Herndon, VA 20170-4227 Phone: (703)742-8877 | FAX: (703)742-7200 www.systemsandsoftware.org Best.

Systems and Software Consortium | 2214 Rock Hill Road, Herndon, VA Phone: (703) | FAX: (703) Best.
Roadmap to Maturity FISMA and ISO 2700x. Technical Controls Data IntegritySDLC & Change Management Operations Management Authentication, Authorization.

Roadmap to Maturity FISMA and ISO 2700x. Technical Controls Data IntegritySDLC & Change Management Operations Management Authentication, Authorization.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.

Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.

Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.

1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.

Similar presentations

Ads by Google