Information Security Guide

HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Host: Larry Conrad, CIO, UNC-Chapel Hill, and HEISC Co-Chair
Today's Agenda

- Information security changes in the past 10 years
- Ongoing challenges for security practitioners
- HEISC strategic plan (2012-2013)
  - Vision
  - Mission
  - Goals & objectives
- HEISC working group updates
- What can you do?
Information Security Changes in the Past 10 Years

- Threats: More serious, e.g., nation states, organized crime
- Vulnerabilities: New technologies (e.g., social media, cloud, mobility) introduce new vulnerabilities
- Impact: Confidentiality, Integrity, Availability (CIA) recognized as mission critical

On the Plus Side

- Increased awareness
- Greater investments, including security staff
- Staff professional development and training
- Improved organization across higher ed
- Better tools
- More policies and standards
- More strategic, proactive outlook
- More "effective practices" are available
Ongoing Challenges for Security Practitioners

- Executive awareness and support
- Technology changes: Mobility, outsourcing, cloud, IPv6
- Benchmarks and metrics
- Organizational dynamics: Centralized, distributed, and affiliated centers
- Funding for IT security
- Staff resources and training
Ongoing Challenges (Cont'd)

- Data standards, governance, and risk management
- Data protection tools
- Student and employee awareness
- Academic continuity and disaster recovery
- Legislation and compliance
- Research data and process
- International collaboration
- Vendor relationships
HEISC Vision

- Guide academic institutions in their quest to safeguard data, information systems, and networks
- Protect the privacy of the higher education community
- Ensure that information security is an integral part of campus activities and business processes
HEISC Mission

- Improve information security, data protection, and privacy programs across the higher education sector
- Develop and promote leadership; awareness and understanding; effective practices and policies; and solutions for the protection of critical data, IT assets, and infrastructures
- Accomplish activities through working groups of volunteers and staff
- Coordinate and collaborate with government, industry, and other academic organizations
HEISC Goals

1. Establish the Information Security Guide as the premier resource for security professionals.
2. Improve security-related interorganizational collaboration with higher education stakeholders.
3. Inform and educate campus leaders on information security issues by leveraging enterprise risk management (ERM) processes.
4. Help institutions leverage their investments with regard to all IT products and services.
5. Increase the effectiveness of communication efforts.
Objectives for Goal #1: Establish the Information Security Guide as the premier resource for security professionals

- Toolkits, primers, and templates
- Information security maturity model
- Security requirements
- Security practices in research environments
- CISO duties and reporting line
- Identity management (IdM) practices
Objectives for Goal #2: Improve security-related collaboration with higher education stakeholders

- EDUCAUSE, Internet2, and the REN-ISAC
- Core Data Service and EDUCAUSE Data, Research, and Analytics staff
- Other higher education associations, industry groups, and government
- Higher education information security professionals
Objectives for Goal #3: Inform & educate campus leaders on information security issues by leveraging ERM processes

- ERM summit
- Messaging, talking points, and presentation template
- Other higher ed association meetings and conferences (e.g., URMIA, NACUBO, AAU)
Objectives for Goal #4: Help institutions leverage their investments with regard to all IT products and services

- Vendor community outreach
- Resources for IT products and services
- Information sharing
Objectives for Goal #5: Increase the effectiveness of communication efforts

- Higher ed security professionals, CIOs, IT leaders
- Wealth of resources in the Information Security Guide
- Issues and successes in the .edu domain
- HEISC volunteer opportunities
Q&A: HEISC Goals and Objectives
HEISC Working Groups

- Awareness & Training (A&T)
- Governance, Risk, & Compliance (GRC)
- Technologies, Operations, & Practices (TOP)
- Information Security Guide Editorial Board
- Security Professionals Conference Program Committee
- Research and Education Networking Information Sharing and Analysis Center (REN-ISAC)
Awareness & Training (A&T)
Co-Chairs: Nicole Kegler & Ben Woelk

- Student Poster & Video Contest
- National Cyber Security Awareness Month in October
- Executive Awareness Communications
- Partnering with the IT Communications Group (New!)
- Data Privacy Month in January (New!)
- Security Awareness Metrics
- Outreach and Marketing
Governance, Risk, & Compliance (GRC)
Co-Chairs: Doug Markiewicz & David Escalante

- Recent publications: Two-Factor Authentication, Data Incident Notification Toolkit
- Shared Assessments Project Team
- Sensitive Data Exposure Incident Checklist (New!)
- GRC Systems FAQ (New!)
- Information Security Maturity Model (New!)
- Essential Security Metrics (New!)
- Top Info Security Concerns for Researchers (New!)
Technologies, Operations, & Practices (TOP)
Co-Chairs: Jim Taylor & Marcos Vieyra

- Recent publications: Mobile Internet Device Security Guidelines, Dropbox Security & Privacy Considerations, Full Disk Encryption Guide
- Identify emerging technologies and their security implications (New!)
- With the REN-ISAC, develop partnerships with vendors to improve information sharing
- Facilitate state or local ISO gatherings (New!)
Information Security Guide Editorial Board
Co-Chairs: Ced Bennett & Mary Dunker

- Fresh look and feel (New!)
- Emphasizing practical application of the Security Guide via conference presentations (New!)
- Growing the content (nearly doubled in 2011)
- Extending the Guide's exposure and reach, even beyond EDU (New!)
Security Professionals Conference 2012
Program Chair: Jodi Ito & Vice Chair: Paul Howell

- May 15-17, 2012 in Indianapolis, IN
- 10th annual conference
- Focused on information security in higher ed
- Premier forum for networking with security professionals
- Theme: Security Everywhere: Exploring the Expanding World of Security
- www.educause.edu/SEC12
REN-ISAC
Technical Director: Doug Pearson

- Membership growth
- Growth in relationships
- Involvement in strategic industry groups
- Implementation of Security Event System
- Community Security
- Partnership with SANS
- Engagement in international standards work
- Handling of 0-day vulnerability communications
- Increase in number of notifications
- Additional staff
- Contact: dodpears@ren-isac.net
Q&A: HEISC Working Groups
What Can You Do?

- Join the Security Discussion Group: www.educause.edu/groups/security
- Volunteer: security-council@educause.edu
- Find resources: www.educause.edu/security
- Attend Security 2012: www.educause.edu/sec12
- Follow us: @HEISCouncil
- Contacts:
  - Valerie Vogel (vvogel@educause.edu)
  - Rodney Petersen (rpetersen@educause.edu)
Look for These Hot Topics in 2012

- Metrics & Benchmarking
- Cloud Computing & Services
- Consumerization & Mobility
- Enterprise Risk Management
- IPv6
- Privacy
- Federated IdM
- Addressing the decentralized university from a security perspective
Thank you for participating!

If you'd like to get in touch with our speakers, please send an e-mail to security-council@educause.edu