Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.

1 Enterprise Security

2 Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC

3 Presenter's Background
Mark Bruhn
 - Supervised IU security operations in various forms from 1988 to 2006
 - Executive Director of REN-ISAC
 - Held leadership positions in the security task force since 2002 on Awareness and Policy/Legal groups
Jack Suess
 - Co-Chair of task force since 2003
 - Coordinated effective practice workgroup

4 Format for this Session This session on enterprise security is intended to be interactive. The format we will use is to ask questions of you and collectively reflect on the answers we get. Our goal is to build on the collective expertise in the room and have you leave here with some tangible steps to take to improve security when you return to campus.

5 Question 1. Priority The 2006 EDUCAUSE survey of top-10 issues listed Security and Identity Management as the #1 issue.
 - How many in this room listed this #1? Why?
 - How many in this room consider this their number one responsibility? How are you evaluated on this?
 - Does your IT strategic plan have a section on security?

6 Question 2. Technology What technologies are deployed on your campus?
 - Firewall(s)
 - VPN
 - Intrusion Detection System
 - Intrusion Prevention System
 - Security updates for computers
How does IdM relate to security?

7 Question 3. Effectiveness With all we have spent on security technology do we feel more secure today than 4 years ago? Why or why not?

8 Question 4. Policy What is the process for identifying and developing policies and procedures related to security? How is compliance monitored and enforced?
 - HIPAA, GLBA, FERPA
What is the role of IT in this?

9 Question 5. Data Policy Do you have a data classification policy that is actively enforced?
 - What classifications are used?
 - Is training provided for end-users?
 - Is the training mandatory?

10 Question 6. Organization How is your organization organized for security?
 - Who has a CISO and to whom do they report?
 - How many security staff do you have? Is that a useful metric?
 - What is the role of the CIO?
 - How is funding for security handled?
 - How does this relate to physical security?

11 Question 7. IT Staff How is security integrated into the jobs of all central IT staff?
 - What is the role of certification?
 - Where do you send staff for training?
How is security integrated into the jobs of IT in the departments?
 - What level of centralization is occurring?

12 Question 8. People What responsibility do students, faculty, and staff have for securing both their campus and personal machines? What are the repercussions if they don’t secure their machines? How are users educated on social engineering exploits such as phishing?

13 Question 9. Risk Management
 - What group on campus has responsibility for risk management? What role does auditing play?
 - How many have done a risk assessment of at least some departments on campus?
 - How many have a formal process for risk assessment that you use across campus?
 - How many have done an institution-wide risk assessment? How frequent? What are the barriers?

14 Question 10. Identity Protection
 - Is there an identity management system on campus? How does it relate to your campus ID card and Library?
 - Have you defined non-public information (NPI) in your data access policy?
 - How are authentication and authorization to/on systems handled?

15 Question 11. Data Breach Do you have a plan for what to do if you have a data breach? Does it involve groups outside of IT? Who will take the lead? Do you have plans or contracts in place with partners for the following:
 - Digital forensics
 - Crisis management
 - Call center operations
 - Identity theft counseling
From whose pocket will the funds come?

16 What to Take Away
 - Technology devices can help but can't guarantee you won't have an incident. There are no silver bullets.
 - Don't stovepipe security under the CISO. Security must be everyone's job #1, including yours!
 - Engage your leadership team around this issue.
 - Develop a comprehensive risk management program across the institution and insist on leadership buy-in.
 - Invest in training campus staff across the board.
 - Management oversight is key.
 - Development of policies and procedures is essential.
 - Begin to look at and work towards ISO 17799.

17 Security Resources
 - Have someone join the security discussion email list.
 - Send staff to the Security Professionals conference in April 2007.
 - EDUCAUSE/Internet2 Security Task Force: http://www.educause.edu/security
 - Effective Security Practices Guide: http://www.educause.edu/security/guide
 - Internet2 Security Initiatives: http://security.internet2.edu
 - Research and Education Networking ISAC: http://www.ren-isac.net
