Cybersecurity Strategy Brief to ITC

Cybersecurity Strategy
… a first look
Brief to Information Technology Committee
Bob Turner
UW-Madison CISO
April 17, 2015
What the Cybersecurity Strategic Plan provides…
• A road map to improved cybersecurity within RMF
• Enables complete understanding of the UW-Madison and UW System IT infrastructure that:
  • enables clear view of all routers, switches and hosts;
  • promotes cyber hygiene in connected or virtual environments;
  • facilitates helpful behaviors and drives staff to engineer appropriate defense measures, informed incident response; and
  • consolidates Incident Response capability for campus networks and systems and for UW Common Systems
Aligns to University Strategic Priorities and Initiatives
• Educational Experience: Improve access and affordability; Scale Wisconsin Experience; Improve learning outcomes; Ensure graduate student mentoring; Build innovative professional degrees and other lifelong learning experiences.
• Research and Scholarship: Nurture excellence in research, scholarship, and creative activity; Optimize the research and scholarship infrastructure; Strengthen our influence in national decision-making around research policy and funding; Engage our interdisciplinary strength; Support the continued high level integration of research and education.
• The Wisconsin Idea: Partner to bring value to Wisconsin citizens; Promote economic development through technology-transfer ecosystem; Extend our educational mission to Wisconsin and the world; Leverage our distinctive interdisciplinary strength to address complex problems
http://chancellor.wisc.edu/strategicplan2/images/Strategic%20Framework_15-19.pdf
Aligns to University Strategic Priorities and Initiatives (Cont’d)
• People: Ensure a highly talented, engaged, and diverse workforce; Enhance the strength of our campus through diversity and inclusion; Ensure our ability to attract and retain talent; Nurture growth of our people through professional development; Create the best possible environment for our people
• Resource Stewardship: Promote resource stewardship, improve service delivery and efficiency; Create a stable and sustainable financial structure; Identify and pursue new revenue sources aligned with mission and goals; Promote environmental sustainability; Transform library structures and technologies to best support research and learning; Sponsor a comprehensive campaign to invest in the future of the university and shape the future of Wisconsin and the world
http://chancellor.wisc.edu/strategicplan2/images/Strategic%20Framework_15-19.pdf
Links to Campus/UW System IT Strategy
A. Educational Experience
   1. Provide career-oriented experiences for our students
   2. Design, create, and support learning-centered ecosystem
   3. Unify the student experience with access to data and information
   4. Provide tech services and resources to enhance student success and digital literacy
B. Research and Scholarship
   1. Provide and support robust and secure IT research and scholarship infrastructure
   2. Collaboratively partner with researchers to explore, access and use technology
   3. Encourage, recognize and support staff scholarship
C. Wisconsin Experience
   1. Foster state-wide public and private IT relationships
   2. Proactively share our IT expertise to solve complex problems
   3. Extend the educational mission with next generation IT infrastructure
D. Our People
   1. Provide career-pathing and prepare staff and managers for the future
   2. Diversify the IT workforce
   3. Recruit and retain talented and engaged staff
E. Stewards of Our Resources
   1. Practice and promote IT effectiveness and efficiency
   2. Ensure sustainable funding
   3. Practice transparent financial management and reporting
   4. Provide leadership for IT risk compliance and management
   5. Support and enhance innovative business and administrative systems
   6. Facilitate effective and secure sharing and use of data
“Look beyond the send button and shift your focus to the receiving end.”
- Anonymous
CISO’s Vision (Functional Capabilities)
Governance
• Policy Development, Security working group leadership
• Data Governance and Security
• Security education, training, and awareness
• Risk Management Framework implementation
• Compliance
• Security Engineering Assessment and Approval (RMF)
• PCI-DSS, PHI, HIPAA, FERPA, and other auditing activities
• Security Metrics
Risk Management
• Cybersecurity Defense
• Cyber Threat Intelligence and Reporting
• Security Assessments
• Forensics
• Security Operations (ERP+)
Communications and Networking
• Faculty, Staff and Student Education
• Executive Security Awareness
• Shared Governance, Boards and Committees
Leadership and Business Considerations
• Challenging budget priorities
• Competition for resources
• Staff maintaining work-life balance
• Adapt to changing technology or revisions to best practices
• Shared Governance
• Visibility within DoIT
• External influences
“Security Teams must demonstrate the ability to view business problems from different or multiple perspectives.”
– Gus Agnos (VP Strategy & Operations at Synack)
Elements of the Cybersecurity Strategy
• Strategic Element 1: Complete Data Governance and Information Classification Plan
• Strategic Element 2: Establish the UW System Risk Management Framework to materially reduce cybersecurity risk
• Strategic Element 3: Build a community of experts and improve institutional user competence through Security Education, Training, and Awareness
• Strategic Element 4: Consolidate Security Operations and institute best practices for UW-Madison Campus Networks and UW System Common Services
“Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat.”
- Sun Tzu (Ancient Chinese Military Strategist)
Elements of the Cybersecurity Strategy (Cont’d)
• Strategic Element 5: Improve Cyber Threat Intelligence Analysis, Dissemination and Remediation
• Strategic Element 6: Optimize Services, Establish Security Metrics, Promote Compliance, Achieve Continuous Diagnostics and Mitigation
• Strategic Element 7: Establish Collaborative Partnerships to assure teaching and research computing resources and results are available to fulfill the Wisconsin Idea and return value to the state and its citizens
Enabling Objectives
• Objective 1: Consider retention of previous strategy’s actionable items (“find it”, “delete it”, and “protect it”).
• Objective 2: Create the “Culture of Compliance” for oversight of all campus data, networks and systems.
• Objective 3: Establish Restricted Data Environments based on the needs of Faculty, Researchers or IT project requirement documents.
• Objective 4: Centralize data collection and aggregation for analysis of security related events to promote unified measurement of cybersecurity attributes.
• Objective 5: Identify and stabilize sources of repeatable funding to enable accomplishment of technical or staffing related strategic goals.
“Real commitment means doing everything in your power to get things done.”
- Jeroen De Flander
Enabling Objectives (Cont’d)
• Objective 6: Understand and map requirements imposed upon us (e.g., FERPA, HIPAA, PCI DSS, NIST, etc.) by other agencies (i.e., Department of Education, Office for Civil Rights, credit card companies, research grant authorities).
• Objective 7: Develop and refine procedures to ensure security operations and risk assessments are conducted in a sustainable and repeatable manner that ensures standards for timeliness and measurable response are achieved and maintained.
• Objective 8: Develop and implement marketing and communications plans.
The road ahead…
• Complete Draft for CIO Staff Review: Done
• CIO Staff Review: April 15 - 21
• DoIT Director Review: April 15 – 21 (Walk Around Tour)
• Campus Colleges and Departments CIO Review: Week of April 20
• Forward Draft for UW-MIST Review: April 22
• UW-MIST Review: April 23 – 29. Comments adjudicated by May 5 with discussion and concurrence during May MIST meeting (May 7)
• Final Draft for ITC: Brief at May 15th ITC
• Final Version for CIO: No later than 29 May
• Socialize with MTAG: Targeting June 16th meeting
• Socialize with TISC: Announce during Lockdown (July 15) and TISC Summer Meeting (July 16) with review based on responses
Questions?