Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Disintegrating Perimeter: Planning for the Shift to Asset-based Security Adam Goldstein CCNP CISSP IT Security Officer Villanova University.

Published byBeryl Clementine York Modified over 9 years ago

Similar presentations

Presentation on theme: "The Disintegrating Perimeter: Planning for the Shift to Asset-based Security Adam Goldstein CCNP CISSP IT Security Officer Villanova University."— Presentation transcript:

1 The Disintegrating Perimeter: Planning for the Shift to Asset-based Security Adam Goldstein CCNP CISSP IT Security Officer Villanova University

2 Villanova University 2005 2 Introduction Overview of Villanova and IT Overview of Villanova and IT Academic Strategic Plan Academic Strategic Plan Evaluation of our environment Evaluation of our environment Need for shift in our approach Need for shift in our approach

3 Villanova University 2005 3 Discussion Outline Define Asset-based approach Define Asset-based approach The Disintegrating Perimeter and other challenges The Disintegrating Perimeter and other challenges The Plan The Plan IT Security ModelIT Security Model Strategic PlanStrategic Plan IT ScorecardIT Scorecard

4 Villanova University 2005 4 Asset-based Security: Focuses security efforts based on the value of the information system and data

5 Villanova University 2005 5 Why Asset-based Security Higher education institutions face different challenges in providing information assurance Higher education institutions face different challenges in providing information assurance Internal security incidents on the rise Internal security incidents on the rise Cannot secure every system Cannot secure every system

6 Villanova University 2005 6 The Disintegrating Perimeter Technological Changes Technological Changes Elevated Risks Elevated Risks Obstacles for Higher Education Institutions Obstacles for Higher Education Institutions

7 Villanova University 2005 7 Disintegrating Perimeter- Technological Changes Mobile Computing/Wireless Networks Mobile Computing/Wireless Networks Increased Remote Access Needs Increased Remote Access Needs Third-Party integration Third-Party integration Business partnersBusiness partners Research projectsResearch projects Other institutionsOther institutions

8 Villanova University 2005 8 Disintegrating Perimeter- Elevated Risks Improper Handling of University Data - Intent to commit fraud - Intent to commit espionage - Intent to harm an institution’s reputation Disruption of Critical Services - Unintentional disruption - Malicious disruption Unauthorized Access to University IT Resources

9 Villanova University 2005 9 The Disintegrating Perimeter- Higher Ed Obstacles Public Access Requirements Public Access Requirements Diversity of Systems Diversity of Systems Diversity of User Population Diversity of User Population Limited staff and resources for information security Limited staff and resources for information security

10 Villanova University 2005 10 Shifting Focus- Asset-based Security In this environment, Information Assurance cannot be an all or nothing proposition In this environment, Information Assurance cannot be an all or nothing proposition The most important information “assets” must be protected first The most important information “assets” must be protected first

11 Villanova University 2005 11 Strategic Approach- The Plan Set goals by adopting a security model Set goals by adopting a security model Measure existing compliance with model Measure existing compliance with model Create initiatives to improve compliance Create initiatives to improve compliance Prioritize initiatives Prioritize initiatives Track progress Track progress

12 Villanova University 2005 12 Purpose of the Security Model The Model intends to: Detail Villanova University’s overall vision of information technology security Detail Villanova University’s overall vision of information technology security Set security standards for University IT systems and processes Set security standards for University IT systems and processes

13 Villanova University 2005 13 Format of Security Model The model uses a hierarchical architecture The model uses a hierarchical architecture All University systems and processes are placed in a clearly defined security layer All University systems and processes are placed in a clearly defined security layer Each layer sets standards for security controls, administrative procedures, user interaction, and acceptable risk. Each layer sets standards for security controls, administrative procedures, user interaction, and acceptable risk. The boundaries between the layers serve to prevent unauthorized access from lower security layers to higher security layers The boundaries between the layers serve to prevent unauthorized access from lower security layers to higher security layers

14 Villanova University 2005 14 Security Model Layers There are three layers to the Security Model: University Systems – Systems not directly administered by UNIT University Systems – Systems not directly administered by UNIT Core UNIT Systems – Academic, Administrative and IT systems administered by UNIT Core UNIT Systems – Academic, Administrative and IT systems administered by UNIT Security Domains – Systems that contain sensitive data, perform critical University functions, and/or require high security environments Security Domains – Systems that contain sensitive data, perform critical University functions, and/or require high security environments

15 Villanova University 2005 15 Security Layer Definition Each layer is defined by the following criteria: Included Systems: The systems and resources that fall under the specific layer Included Systems: The systems and resources that fall under the specific layer Security Controls: Specify the baseline security standards required at the given level. Controls include: Security Controls: Specify the baseline security standards required at the given level. Controls include: Technical Controls: Hardware and software security requirementsTechnical Controls: Hardware and software security requirements Administrative Controls: Required security measures for system administrationAdministrative Controls: Required security measures for system administration User Interaction: Security requirements for system usersUser Interaction: Security requirements for system users Exposures: Assumed risk at the given layer Exposures: Assumed risk at the given layer

16 Villanova University 2005 16 Strategic Plan- Initiatives Assessment of our current state against the Security Model highlighted deficiencies Assessment of our current state against the Security Model highlighted deficiencies Determined initiatives to protect assets Determined initiatives to protect assets Prioritized initiatives and developed multi-year plan Prioritized initiatives and developed multi-year plan

17 Villanova University 2005 17 Strategic Plan – Technical Initiatives Firewalls/network segmentation Firewalls/network segmentation Network traffic scanning Network traffic scanning Integrity checking Integrity checking Enhanced monitoring tools Enhanced monitoring tools Secure remote access Secure remote access

18 Villanova University 2005 18 Strategic Plan- Administrative Initiatives Change management procedure Change management procedure Incident Response Policy Incident Response Policy Security Standards Security Standards Internal information system audit process Internal information system audit process Security Monitoring Procedure Security Monitoring Procedure Data Handling Procedure Data Handling Procedure “Focused” User Awareness Campaign “Focused” User Awareness Campaign

19 Villanova University 2005 19 Strategic Plan- IT Security Scorecard Developed a scorecard that rated compliance with the security model Developed a scorecard that rated compliance with the security model Updated quarterly to monitor improvements Updated quarterly to monitor improvements Highlights weaknesses and aids in setting priorities Highlights weaknesses and aids in setting priorities

20 Villanova University 2005 20 Benefits of Asset-based Approach Critical systems better protected from internal threats Critical systems better protected from internal threats Critical data is more secure Critical data is more secure Heightened awareness among end users Heightened awareness among end users System owners more involved with security practices System owners more involved with security practices Increased compliance with security standardsIncreased compliance with security standards Lowered incident response timeLowered incident response time

21 Villanova University 2005 21 Challenges to Asset-based Approach Overcoming “higher ed” obstacles Overcoming “higher ed” obstacles Legacy systems Legacy systems Asset inventory Asset inventory

22 Villanova University 2005 22 Thanks!adam.goldstein@villanova.edu

Download ppt "The Disintegrating Perimeter: Planning for the Shift to Asset-based Security Adam Goldstein CCNP CISSP IT Security Officer Villanova University."

Similar presentations

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Developing Information Security Policy. Why is Developing Good Security Policy Difficult? Effective Security/IA Policy is more than locking doors and.

Developing Information Security Policy. Why is Developing Good Security Policy Difficult? Effective Security/IA Policy is more than locking doors and.
Security Controls – What Works

Security Controls – What Works
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Chapter 5 IT Processes Presented by Dr. Mohamed Sammouda.

Chapter 5 IT Processes Presented by Dr. Mohamed Sammouda.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Managing the Information Technology Resource Jerry N. Luftman

Managing the Information Technology Resource Jerry N. Luftman
Chapter 12 Strategies for Managing the Technology Infrastructure.

Chapter 12 Strategies for Managing the Technology Infrastructure.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
IACT 901 Module 10 1 Plan Delivery. IACT 901 Module 10 2 Elements of IS & IT Plans Delivered Comprise Overall IS/IT vision Applications development plan.

IACT 901 Module 10 1 Plan Delivery. IACT 901 Module 10 2 Elements of IS & IT Plans Delivered Comprise Overall IS/IT vision Applications development plan.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Risk Assessment Frameworks

Risk Assessment Frameworks
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Fraud Prevention and Risk Management

Fraud Prevention and Risk Management

Similar presentations

Ads by Google