Information Security Management throughout the Service Lifecycle
Sarah Irwin & Craig Haynal
2015 Penn State Security Conference, October 14, 2015

Session Roadmap
• Security Landscape
• Current Challenges
• Service Management at Penn State
• Designing for Security
• Call to Action

When I say “Sensitive Data”….
You probably think of:
Photo credit: frankleleon
Photo credit: NEC Corporation of America
Photo credit: Alan Levine
Photo credit: GotCredit

You probably also think of: http://www.databreachtoday.com/experian-faces-congressional-scrutiny-over-breach-a-8580 / http://www.databreachtoday.com/etrade-dow-jones-issue-breach-alerts-a-8586

www.target.com

www.homedepot.com

http://www.engr.psu.edu/

http://www.la.psu.edu/

Traditionally…
• Sensitive data includes things like:
• Personally identifiable information (PII)
• Payment Card Industry (PCI) data
• Health Insurance Portability and Accountability Act (HIPAA)
• Family Educational Rights and Privacy Act (FERPA)

But it’s more than just PII
• Research
• Human subjects
• Deductive disclosure risk
• Contract data
• Geographic ID’s
• Student information
• Transgender community
• Confidentiality holds
• Mental health counseling
• Administrative
• HR records
• Budget information
• Salary and review information
• Laws and Regulations
• Federal and state laws and regs
• University policies
• Third party contracts

70
60
50
40
30
20
10
0
100
90
80
It’s also becoming more prevalent
Sensitive data contracts processed by the Office of Sponsored Programs per fiscal year
3
FY2010
20
38
39
FY2011 FY2012 FY2013 FY2014
90

Our Data Security Environment
Inconsistent standards and policies
Highly decentralized, disparate IT environments and support
Lack of awareness and understanding

Pain Points
• Lack of communication or notice between IT and users
• IT is an afterthought, typically brought in after project starts
• Historic lack of trust that IT can provide what users need
• Currently, few central IT services for restricted data
• Local IT staff assist in some colleges/departments
• Many users left to sort out IT needs on their own

Secure Technology + Safe People + Sound Process =
Security

Reactive IT

Retrofitting

IT Services
People
Process Technology

Services
• A means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks.
• Service ≠ Product
• Unlike products, services often have no intrinsic value.

Service Management at Penn State
• IT Transformation Program (ITX)
• The program tasked with developing and implementing the Penn State
Service Management Program.
• Penn State Service Management Program (PSSMP)
• An accepted standard for University service models, processes, and tools that improves the consistency and efficiency of Penn State services.
• By using a common language and set of procedures, Penn State units will unite in providing efficient, high-level customer service, while reducing service redundancy and cost across the University.

ITIL Framework
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement

ITX/PSSMP Processes
Current:
• Incident Management
• Change Management
• Service Catalog Management
• Request Fulfillment
Future:
• Service Portfolio Management
• Project Portfolio Management
• Resource Portfolio Management
• Knowledge Management
• Problem Management
• Project Management
• Service Asset and Configuration
Management

ITX/PSSMP Processes – Greatest Security Impact
Current:
• Incident Management
• Change Management
• Service Catalog Management
• Request Fulfillment
Future:
• Service Portfolio Management
• Project Portfolio Management
• Resource Portfolio Management
• Knowledge Management
• Problem Management
• Project Management
• Service Asset and Configuration
Management

Designing Services

Warranty
Quality
Service

Value
Utility Value Warranty

Design Coordination
Overall service design process:
Define & maintain policies and methods
Plan design resources and capabilities
Coordinate design activities
Per design process:
Plan individual design
Coordinate individual design
Manage design risks & issues
Monitor individual design
Improve service design
Review design and ensure handover of service design package

Service Design Package
Major components
• Requirements
• Service design
• Organizational readiness assessment
• Service lifecycle plan
Security checkpoints
• Gather security requirements
• Plan for security
• Ensure adequate security training
• Incorporate security checkpoints into the plan

Information Security Management System
Plan
Maintain
Control
Implement
Evaluate

Information Security Management
Produce/maintain information security policy
Assess/categorize risks and vulnerabilities
Monitor/manage security incidents
Enforce security policy
Report security risks and threats
Implement/review security controls and risk mitigation
Review/report/reduce security incidents
Design focus
Operation focus

Security management information system (SMIS)
Information security policy
Security reports and information
Security controls
Security risks and responses

RESILIA™ Cyber Resilience Best Practice
• A practical framework for building and managing cyber resilience, reflecting the changing need not only to detect and protect against cyber-attacks but also to respond and recover from them.
• Provides security guidance aligned with the service lifecycle from the
ITIL books:
• Service strategy
• Service design
• Service transition
• Service operation
• Continual service improvement

Start Small: Learn
• Learn about Penn State’s policies that pertain to security, especially data categorization: http://guru.psu.edu/policies/AD71.html
(and the related guideline: http://guru.psu.edu/policies/ADG07.html
)
• Understand the minimum security baseline and be ready to incorporate it into your services: http://sos.its.psu.edu/minimumsecurity-baseline.html

Focus on People
• Have conversations about the types of data that will be handled by IT services up front
• You may have to educate your customers and users on data categorization in order to discover their information security needs
• Negotiate the right level of security before you plan, purchase, or build anything
• Always plan for user education, especially when it comes to securely using services

Design Better Services
• Plan your services; don’t just rush to solutions without fully understanding the problems, particularly when it comes to security
• Remember that good IT services focus on helping customers achieve outcomes and consider people and process in addition to technology
• Make sure your services not only have the needed features (utility) but also live up to their commitments (warranty)
• Taking the time to design services for security will be much less expensive than retrofitting or replacing them later