Published by Ashlynn Stafford. Modified over 6 years ago.
1
Complying with NIST SP 800-171
EDUCAUSE Security Professionals Conference 2018
Jason Pufahl, CISO
April 12, 2018
2
DFARS Clause
The Department of Defense established DFARS, which specifies that any research containing Controlled Unclassified Information (CUI) be protected using NIST security controls. The DFARS Clause mandates that we:
• Provide adequate IT security
• Implement all 109 NIST controls
• Comply by
• Report areas of non-compliance to DoD within 30 days after contract award
3
NIST – What is it?
Controlled Unclassified Information (CUI) is data that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies, but is not classified.
NIST security controls apply to CUI shared by or through the federal government with a nonfederal entity. As a higher education institution, UConn is a nonfederal entity.
If there is no specific law that addresses how the CUI data shared by the federal government must be protected, UConn must adhere to the NIST security controls.
Compliance is required because of the DFARS clause in the research contract.
4
NIST Controls
Control Family                          Number of Controls
Access Control                          22
System and Communications Protection    16
Identification and Authentication       11
Configuration Management                 9
Audit and Accountability                 9
Media Protection                         9
System and Information Integrity         7
Maintenance                              6
Physical Protection                      6
Risk Assessment                          3
Awareness and Training                   3
Security Assessment                      3
Incident Response                        3
Personnel Security                       2
Grand Total                            109
NIST has 14 families of security requirements comprising 109 controls.
Basic: the ultimate goal. Derived: ways to accomplish the goal.
5
Key Infrastructure Elements
(Diagram: the 14 NIST control families surrounding the key infrastructure elements.)
NIST control families: Access Control; Awareness & Training; Audit & Accountability; Configuration Management; Identification & Authentication; System & Information Integrity; Incident Response; System & Communications Protection; Maintenance; Security Assessment; Risk Assessment; Physical Protection; Personnel Security; Media Protection.
Key infrastructure elements:
• Mobility and Supportability
• Fully Virtualized
• NetApp Storage
• Centralized Security Controls
• Data Collection and Review
• Firewalls
• Malware Detection
• Consistency
• Operating System Management
• Documentation Binder
6
Where to start? Key Stakeholders
• Security Office
• Office of VP for Research
• School of Engineering
• InCHIP
• Compliance and Risk Management Administrator
• Faculty
• Project Manager
7
Debate
Hosting options: GovCloud; Microsoft Azure; Local Data Center.
Considerations: NIST 800-171 certification; logging; Vectra; firewalls; familiarity.
9
Controls Workbook: map each control to a technology or process (x 109!)
NIST Control Number and Type: Configuration Management 3.4.1 – Basic
Capability Requirements: Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
UConn Defined Control Capabilities: Baseline Windows operating system images are available and managed by ITS.
• Baseline configurations documented and maintained for each information system type, to include software versions, patch level, configuration parameters, network information including topologies, and interfaces with other communication systems.
• PI or IT Designee responsible for system and application life cycle changes.
Technology or Process: Managed Workstation; Op Sys Deployment
10
Controls Workbook
NIST 800-171 Control Number and Type: Configuration Management 3.4.8 – Derived
Capability Requirements: Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software, or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
UConn Defined Control Capabilities: Deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
• Administrative access for users to systems and applications is prohibited per
• Only the PI, IT Designee, or an Automated Process can install software.
• Systems and/or applications will be accessed by authorized users only, as defined in section 3.1.
Technology or Process: System Configuration; Op Sys Deployment
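The difference between the two policy shapes named in 3.4.8 is easiest to see in code. The following is an added example, not UConn's tooling or anything from the presentation: it models a deny-by-exception (blacklist) policy and a deny-all, permit-by-exception (whitelist) policy as hash-based decisions, runs the same unreviewed binary through both, and restricts additions to the allowlist to the installer roles the slide names (PI, IT Designee, Automated Process). The sample "binaries" are constructed byte strings, the role names and the audit-line format are assumptions, and the decision functions are illustrative rather than a real enforcement point such as an OS policy engine.

```python
"""Deny-by-exception vs. deny-all/permit-by-exception software execution
policy (added example modelling NIST SP 800-171 control 3.4.8)."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for executable file contents (not real binaries).
APPROVED_APP = b"approved-analysis-tool v1.0"
KNOWN_BAD_APP = b"known-unwanted-tool"
UNKNOWN_APP = b"unreviewed-tool-downloaded-by-a-user"


def sha256_hex(contents: bytes) -> str:
    """Identify software by content hash rather than by path or file name."""
    return hashlib.sha256(contents).hexdigest()


@dataclass
class ExecRequest:
    path: str
    contents: bytes
    requester: str  # assumed role label: "user", "pi", "it_designee", "automated_process"


@dataclass
class DenylistPolicy:
    """Deny-by-exception (blacklist): everything runs unless it is known bad."""
    blocked_sha256: set
    audit: list = field(default_factory=list)

    def decide(self, req: ExecRequest) -> bool:
        permitted = sha256_hex(req.contents) not in self.blocked_sha256
        self.audit.append(f"denylist {'ALLOW' if permitted else 'DENY'} {req.path} by {req.requester}")
        return permitted


@dataclass
class AllowlistPolicy:
    """Deny-all, permit-by-exception (whitelist): only approved software runs."""
    allowed_sha256: set
    # Roles permitted to add software, per the slide: PI, IT Designee, Automated Process.
    installers: frozenset = frozenset({"pi", "it_designee", "automated_process"})
    audit: list = field(default_factory=list)

    def decide(self, req: ExecRequest) -> bool:
        permitted = sha256_hex(req.contents) in self.allowed_sha256
        self.audit.append(f"allowlist {'ALLOW' if permitted else 'DENY'} {req.path} by {req.requester}")
        return permitted

    def authorize_install(self, req: ExecRequest) -> bool:
        """Extend the allowlist only when an authorized installer role asks."""
        if req.requester not in self.installers:
            self.audit.append(f"allowlist REFUSE-INSTALL {req.path} by {req.requester}")
            return False
        self.allowed_sha256.add(sha256_hex(req.contents))
        self.audit.append(f"allowlist INSTALL {req.path} by {req.requester}")
        return True


def compare_policies():
    """Run one unreviewed binary through both policies.

    Returns (denylist_decision, allowlist_decision). The denylist permits it
    because it is not on the known-bad list; the allowlist denies it because
    nobody approved it. That gap is why the slide chooses whitelisting.
    """
    deny = DenylistPolicy(blocked_sha256={sha256_hex(KNOWN_BAD_APP)})
    allow = AllowlistPolicy(allowed_sha256={sha256_hex(APPROVED_APP)})
    unknown = ExecRequest("C:/Users/researcher/Downloads/tool.exe", UNKNOWN_APP, "user")
    return deny.decide(unknown), allow.decide(unknown)


if __name__ == "__main__":
    print("denylist, allowlist decisions for an unreviewed tool:", compare_policies())
    policy = AllowlistPolicy(allowed_sha256={sha256_hex(APPROVED_APP)})
    req = ExecRequest("C:/Research/tool.exe", UNKNOWN_APP, "user")
    policy.authorize_install(req)                      # refused: "user" is not an installer role
    policy.authorize_install(ExecRequest(req.path, req.contents, "it_designee"))  # accepted
    print("\n".join(policy.audit))
```

Hashing the file contents, rather than trusting a path or name, is what makes the allowlist meaningful: a renamed or relocated copy of unapproved software still has an unknown hash and is still denied. The audit list is there to show that each decision and each allowlist change is recorded, which is what the Audit and Accountability family expects of this control.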
11
Roles and Responsibilities
109 Technical & Operational Controls, allocated as follows:
• ITS and CISO: 64 controls (59%) that are covered based on the current status of UConn's infrastructure and policies and/or are monitored by the CISO.
• Shared: 21 controls (19%) implemented and managed through a combined effort of all groups.
• System Owner/PI: 13 controls (12%) implemented and managed by the PI or research group.
• System Admin: 11 controls (10%) that require some work or interaction by the SA to use or implement.
12
Export Control Workflow
13
NIST Binder
Two types of binders:
1) Common Control Provider
2) Program Specific
14
Training
Online NIST training developed by ITS and hosted in collaboration with UConn Human Resources. Required for all ITS infrastructure support staff, PIs and their support staff.
• Reminders
• Reports
• Audit trail
15
Principal Investigator (PI): New Project?
1) Complete Intake Form
2) CRM Administrator interviews PI to discuss specific project needs
3) Create secured research infrastructure (SRI) for the project
4) CRM Administrator meets with PI to review: Secured Research Infrastructure (SRI) PI Checklist Summary and UConn NIST SP Security Control Requirements
5) 3 Month Review
6) One-Year Review
16
Unfinished Business
• File Transfer Process
• Application Whitelisting
• Binder Revisions
17
Resources
Website:
• PI Intake Form
• SRI PI Checklist Summary
• UConn NIST Security Control Requirements
18
Thank You! Contact: Jason Pufahl, UCONN CISO