
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.


1 Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced Materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Overview
- Threats to the enterprise
- Security challenges
- Six step process

3 Threat Statistics
- 47% of browser attacks - Microsoft IE
- Average 6110 DoS attacks per day
- 28 days average vulnerability exposure
- 86% of all attacks are against home users
- 54% of DoS attacks world-wide against US
- 69% of vulnerabilities against Web applications
(Symantec Internet Security Threat Report, Threats from January 06 - June 06, Vol X, September 2006)

4 Threats to the Enterprise
- Viruses, worms, Trojan horses
- Web site hacking
- Hackers and crackers
- Terrorist attacks
- Cyber crime and information warfare
- Effects of emerging standards and technologies

5 Security Challenges
- ID and prioritize opportunities to improve security effectiveness and efficiency
- Manage security in a dynamic threat environment with a limited budget
- Courts and government policy expectations
- Securing Web services
- Managing identity and access privileges
“Business expects IT to be secure and CIO keep it that way” - Gartner

6 Six Step Process
- Inventory
- Risk Assessment
- ID Needs
- Review
- Execute
- Support

7 Inventory Environment
“The first thing we need to do is to actually draft out all of the assets that run on our computing system and understand what the relationship of each asset is to our business process” - Andre Gold, CISO Continental Airlines
- Prioritize assets
- Ensure critical systems are protected
- Use Enterprise Architecture

8 Risk Assessment - Portfolio
- Risks
- Threats
- Loss of Data
- Costs
- Prevention
- Data Recovery
- Look at all assets
- Best Practices
- Service Levels
“CISO has to deal with how to let good guys in as well as keep the bad guys out” - Gartner

9 ID Needs and Write Plan
- Define, align, and prioritize opportunities
- Vulnerability vs largest risks
- ID and define security goals
- Determine costs and ROI – Key is Impact!
“CISO not only must spend money wisely on correct security enhancements but must also qualify what they are doing with that budget” - Gartner

10 ID/Define Organizational Goals
- Protect sensitive and critical information
- Prevent unauthorized access to the network
- Avoid embarrassing publicity
- Maintain uninterrupted operations
- Protect privacy
- Set a “zero-incident” culture
- Comply with federal and state regulations

11 Obtain Support and Approval
- Need executive champion – CIO
- Know top management priorities
- Know what the competition is doing
- Projects in line with market’s thinking
- Use federal mandates and audit findings

12 Execute Plan
- Use annual tactical plans
- Execute strategic plan in small steps
- Used to define and execute budget
- Manage using cost planning and portfolio management
- Report progress using balanced scorecard

13 Cost Planning and Portfolio Management
- Zero-based Budget
- Track Initiatives
- Management Review
- ID Problems Early

14 Balanced Scorecard Answers…
- How am I doing?
- Am I on time?
- Within budget?
- Are there any problems or issues?
Keeps management informed!

15 Sample Scorecard (columns: Description, Status)
Goal 2: Provide enhanced and secure IT infrastructure for all campus-wide customers
- 2.4 Establish self-monitoring and reporting capability for all network systems
  - 2.4.1 Deploy self-policing technology
  - 2.4.2 Deploy automated monitoring and reporting tools
  - 2.4.3 Deploy and utilize vulnerability scanning technology
Goal 3: Improve customer understanding of INFOSEC responsibilities
- 3.1 Develop an Enterprise-wide IT security awareness training program
  - 3.1.1 Establish and maintain a security web site for distributing security tips and guidance
  - 3.1.2 Establish security workshops

16 Review Plan Maintenance
- Review annually
- Compare against best practices
- Adjust as necessary

17 Conclusion
An IT Security Strategic Plan will provide…
- Better use of limited resources
- Phased deployment and enhancements
- Improved justification of security projects
- Direct tie to university IT strategic plan
- Better planning & execution of security spending
- Implementation of best security practices and strategies to create an enterprise that is well managed and secure

18 Questions

