Infosec-Program-2013version

The Pennsylvania State University
Information Security Program Plan
I. Organization of the Information Security Program
Penn State has maintained a centralized computer and network security program since
approximately 1992, and an administrative computer security program for far longer. The first
University Computer, Network and Information Security Officer (now the Senior Director of
Security Operations and Services) was appointed in 1993 to coordinate security functions
University-wide. Formal University-wide security policies were first instituted in 1992 and
extensively re-written in 1997. They form the basis for the overall security program. Policies are
reviewed regularly by Security Operations and Services and a major update is anticipated in
2014. In 1996, the overall security program was awarded the prestigious runner-up designation
for Computer Security Program of the year by the Computer Security Institute (CSI). The
program also received an award from Mirage technologies several years ago for early adoption
of Intrusion Detection Systems (IDS) technology. Responsibility for the overall information
security program rests with central Information Technology Services and is administered by the
Senior Director of Security Operations and Services. Many other organizations and individuals,
however, also play a role in providing a comprehensive, distributed security program suitable for
a geographically disparate, multi-campus, multi-subnet environment of more than 150,000 users.
These include the Administrative Information Services (AIS) Data Security Manager, Area
Security Representatives (ASR), and the data backbone network contacts. Designation of “unit
liaisons” who will be formally trained in security and who will be responsible for data
categorization and risk assessment coordination in their areas is planned to begin in high risk
areas in mid 2014.
A. Senior Director, Security Operations and Services
The Senior Director of Security Operations and Services (SOS) within the Information
Technology Services (ITS) organization is the designated contact responsible for information
security within Penn State. The overall responsibilities of this position are defined in University
Administrative Policy AD20, Computer and Network Security. The Senior Director
reports to the Vice Provost for Information Technology to ensure that security concerns receive
high-level attention and can be elevated to the Provost or Presidential level immediately, should
that become necessary. The Senior Director of SOS also serves as the Digital Millennium
Copyright Act (DMCA) agent for the University for purposes of resolving complaints of
unauthorized use of copyrighted materials.
Note: For purposes of reporting possible security issues or violations, the current contact address
for the Senior Director of SOS is:
Kathleen R. Kimball
Senior Director Security Operations and Services
Information Technology Services
The Pennsylvania State University
2013 Sandy Drive, Suite 201
State College, PA 16803
(814) 863-9533; FAX: (814) 865-2585
Incident email: security@psu.edu
The office of Security Operations and Services, which the Senior Director of SOS
administers, is broken into the following functional areas:

Policy Development
The Senior Director of SOS is responsible for the initial development and subsequent
interpretation of University policy in the information security area. Both
development and interpretation are coordinated as appropriate with various offices of
the University (e.g., Office of General Counsel, Internal Audit). Draft policies in the
security area also receive extensive coordination with student and faculty committees.
There are four primary policies related to information security. These are AD20,
Computer and Network Security; AD23, Use of Institutional Data; ADG01, Glossary
of Computerized Data and System Terminology; and ADG02, Computer Facility
Security Guideline. The policies and guidelines apply to all campuses and all units of
the University. Additionally, college and unit-level policies and procedures may exist
augmenting the overall AD20 policy provisions. The University has also
implemented a Data Categorization policy (AD71, Data Categorization and its
accompanying Guideline, ADG07, Data Categorization Examples) to establish a
formal three-tiered information sensitivity level for the University. The three
categories or classifications are Public, Internal/Controlled and Restricted. A data
census or inventory to identify distributed systems at the various levels and to
assess/mitigate risk has begun with two pilot efforts and will be implemented in high
risk areas beginning in mid 2014. A Governance, Risk and Compliance (GRC) tool,
Modulo, is being used to generate surveys, document findings and to identify
compliance gaps.

Training and Awareness
Any unit of the University may request training in security topical areas from
Security Operations and Services. Additionally, seminars are conducted in specific
security areas on a regular basis. These include such topics as desktop security,
incident reporting, and securing Windows platforms. Web-based security tutorials
are available to the entire University community to enable learning in this area at
times and places convenient to the user base. Additionally, week-long, hands-on
training is provided at the level of two to three courses per year to improve the
security administration skills of system administrators. Informational materials and
brochures are also produced for distribution at meetings and other functions. An
annual security conference is held for a nominal fee that is open to all members of the
Penn State community. Advisories on vulnerabilities from major incident response
organizations (e.g., CERT/CC) are circulated to all of the University’s formal
network contacts so that appropriate action to resolve vulnerabilities can commence
at the local level as soon as vulnerability information is published.

Vulnerability Assessment
Penn State has maintained an active security scanning program since 1995. At that
time, it was becoming apparent that large-scale “scans” of Internet address spaces
were being conducted by hostile sources and that such probes were becoming more
sophisticated, employing both techniques to disguise the probes and converting
probing methods to more automated forms requiring little human intervention. Such
probes or scans seek to detect known vulnerabilities in operating systems or
applications that can be subsequently exploited to gain control of a machine or
machines. SOS routinely runs similar scans, not for purposes of exploitation of
vulnerabilities, but to report such vulnerabilities to the cognizant system or network
administrators so that the issue(s) can be fixed. The tool used is a commercial
product, Tenable’s Nessus, which was procured by site license. The scans are
normally voluntary, conducted at the request of the cognizant system or network
administrator for a given network, though the University reserves the right to scan
any address in its Internet Protocol (IP) space at any time in order to help ensure
security. Such scans are frequently conducted in association with routine audits of a
given network. They are mandatory for networks handling credit card data and
subject to the PCI standards. SOS has also implemented the Security Center
functionality of Nessus that allows authorized network contacts to run their own scans
of their designated address space in addition to scans that SOS may conduct.
SOS also runs web application scans using a commercial tool, AppScan. Similar to
baseline OS vulnerability scans, any unit contact can request a web application scan.
A self service web application scanning capability using a different tool, Cenzic, is
also planned.
In addition to vulnerability and web application scans, Penn State also has a very
large scale effort to scan for Personally Identifiable Information (PII), for example
Social Security Numbers, Credit Card Numbers and Drivers License Numbers, on
systems where such data should not reside. At present there are more than 20,000
clients reporting results to a central console. Employing Identity Finder commercial
software, users of the clients are presented with suspected PII instances and choices
for how to remediate or remove the PII. The program helps to significantly reduce the
possibility of data loss.

Risk Assessment
Risk assessments are done both by internal staff and by external auditors or
consultants for certain critical systems. A comprehensive early study resulted in
implementation of a very robust Intrusion Detection architecture. The Intrusion
Detection Architecture, monitored centrally, includes Snort Sensors at local area
networks in 50 locations, border capture which analyzes header data for traffic
patterns related to hostile activity, and Bro which allows deeper analytic capabilities
to identify sophisticated attacks and to evaluate their scope.
SOS also conducts on-site risk assessments with requesting units that include
recommendations for mitigating identified risks. Primary threats to Penn State
systems include: external Internet-based attacks leveraging comparatively open
University academic systems to try to gain further advantage, internal threat from
inquisitive or malicious students, internal employee threat, disruption or data loss by
physical human action (theft, vandalism, terrorism), accidental disruption of service
or data loss by human error, and accidental disruption of service or data loss by
natural disaster (fire, flood, tornado). In the financial area, the most severe threats are
generally insider threats (data modification by motivated students or employees),
though external Internet-based probes/attacks are frequently encountered.

Incident Response and Forensics
Penn State has had a formal incident response team since 1993. Penn State is a
member of the REN-ISAC and frequently receives early warning of Internet-based
attacks via that mechanism. Members of the response team assist units in incident
resolution, to include hands-on support and systems analysis as required. The team
also handles minor abuse reports such as spam and chain letters. By policy, any user
who suspects a computer or network security incident is required to report that to the
central incident response team. The response function is staffed during working
hours but maintains a telephone number where a team member can be reached 24/7,
365 days per year. The team frequently works with law enforcement agencies and
maintains two analysts trained in the preservation of evidence and forensic evaluation
of computer systems. The particular forensic tool most frequently used for hard drive
disk image copy and analysis is EnCase.
B. Administrative Information Systems (AIS) Data Security Manager
In coordination with the Senior Director of Security Operations and Services and
other cognizant University offices (e.g., Internal Audit), the Administrative Information
Systems (AIS) Data Security Manager (within the AIS unit of Information Technology
Services) is responsible for the development and implementation of security policies,
safeguards and methods related to the handling of institutional data (including financial
information). In this regard, s/he is responsible both for overseeing security of the
administrative mainframe and in helping to set applicable security requirements for
distributed administrative systems (those that process sensitive institutional data and for
which stricter security requirements are imposed).
In conjunction with the Security Operations and Services Senior Director, the
Administrative Information Services Security Officer helps to establish compliance
requirements and security levels for authorized connection to AIS systems. Either the
AIS Data Security Manager or the SOS Senior Director may request the immediate
removal of account privileges on administrative networks for system users or information
associates who have violated University computer and network security policies.
C. Access and Security Representative(s) (ASR)
An ASR enforces all University policies and guidelines pertinent to the use of University
computerized data assets. S/He acts as an interface between a specific work unit and the AIS
Security Office and AIS Data Security Manager. Whenever problems, questions, or issues must
be brought to the attention of the AIS Security Office, the unit’s ASR becomes involved. ASRs
also request access to administrative systems and applications and verify the need for unit
personnel to have access to specific administrative information (including financial information).
D. Data Backbone Contacts
A prerequisite for a subnet to join the Penn State integrated data backbone is the
designation of an Administrative, Technical and Security contact for network addresses within
the subnet range. This greatly facilitates security response in that the individual or individuals
responsible for a given IP can be quickly located. The responsibilities of data backbone contacts
include:
- Administrative Contact - responsible for administrative and policy concerns for
  machines using the assigned subnet, and is also the secondary contact with the
  Telecommunications and Networking Services (TNS) unit of Information Technology
  Services for changes in the domain name system.
- Technical Contact - responsible for technical matters for the assigned subnet such as
  assigning the host part of the Internet address, and is also the primary contact with
  TNS for changes in the domain name system.
- Security Contact - responsible for security matters for the assigned subnet such as
  representing the organization at computer and network security meetings and
  ensuring that University computer and network security policies are followed within
  the subnet.
All three contacts are notified if a security incident occurs involving an IP address in their
subnet range and are responsible for working with SOS with regard to incident
resolution.
II. Risk Assessment
Risks that are considered in evaluating central or distributed systems include the
following:
A. Data and Systems (Risks)
1. External – i.e. originating from a machine, device, or user outside the University.
a. Destruction, modification, or disclosure (intentional) – includes unauthorized
insertion of data (e.g., creation of an illegal warez site for the trading of
copyrighted materials)
b. Destruction, modification, or disclosure (unintentional) – e.g., caused by a
system configuration error on a machine or device external to the University
but which may interface with internal systems
c. Denial of service (intentional)
d. Denial of service (unintentional) – e.g., an error in system configuration
external to the University produces a network flood
2. Internal – i.e., originating from a machine, device, or user inside the University.
a. Destruction, modification, or disclosure (intentional)
b. Destruction, modification, or disclosure (unintentional) – e.g., caused by a
system configuration error on a Penn State system
c. Denial of service (intentional)
d. Denial of service (unintentional) – e.g., an error in system configuration
external to the University produces a network flood
B. Network (Risks)
1. External or Internal
a. Destruction or modification of critical network infrastructure (intentional)
b. Destruction or modification of critical network infrastructure (unintentional)
c. Denial of service (intentional)
d. Denial of service (unintentional)
C. Physical (Risks)
1. Unauthorized access resulting in physical destruction or modification of data
2. Unauthorized access resulting in theft of material assets
3. Unauthorized access resulting in theft of data
4. Intentional or accidental damage or destruction to computing or network
resources (e.g., manmade or natural disaster)
D. Policy and Procedural (Risks)
1. Destruction, modification, or disclosure of system or data assets due to lack of
policy, inadequate policy, or lack of understanding of the applicable policy by the
affected constituency
2. Destruction, modification or disclosure of system or data assets due to lack of
procedures, inadequate procedures, or lack of understanding of the applicable
procedures by the affected constituency
As noted, the University uses a Governance, Risk and Compliance (GRC) tool, Modulo, with
templates for the major compliance requirements that can be applied to the various central and
distributed systems. The templates also address networks with specialized requirements (e.g.,
HIPAA, PCI). A major data inventory and risk assessment activity is being undertaken in 2014
using the tool and associated surveys. Two pilots were completed in late 2013, early 2014.
III. Risk Mitigation
In addition to the scanning programs and the Data Categorization efforts to assess overall
information security risk, a number of specific risk mitigation steps have been in place for some
time. These follow below. Additionally, the GRC tool noted above provides the ability to assign
a system or area for “treatment” to track the status of specific remediation efforts.
A. Administrative/Financial
1. The mainframe is protected using well-known security access and authorization
control software (ACF2)
2. Updates and most read access to mainframe administrative/financial data requires
two factor authentication (Vasco tokens)
3. Access by users to personal information maintained by the institution requires
strong authentication (Kerberos)
4. Administrative networks are generally segregated from academic networks and from
untrusted users, limiting the opportunity for data interception
5. A well-established procedure exists for granting and removing administrative
access
6. Distributed applications require strong authentication and, where possible, two
factor authentication and encryption
7. Financial transactions have a designated approval path involving more than one
user
8. Regular external and internal audits are conducted
9. Scans are conducted at the request of the cognizant administrator to determine
residual vulnerabilities.
10. Off-site backup is maintained for administrative/financial data essential to
continuity of business operations
11. Any system authorized to store Social Security Numbers must comply with a
minimum set of security standards suitable for highly restricted data
12. A cyber-insurance program exists with deductible rates adjusted to the level of
security the unit can demonstrate
13. A very active program exists to help merchant areas ensure compliance with PCI DSS. The QSA is 403 Labs.
In addition to the mitigating steps at the enterprise level, a number of distributed
initiatives have been pursued as a result of various strategic plans and consultant engagements.
These include:
- A program to provide enhanced system administrator training
- A program to provide enhanced user training and awareness
- A University-wide site license for anti-viral software
- Implementation of distributed firewalls and Intrusion Detection Systems
Additionally, when system and network administrators request security scans and/or undergo
mandatory audits for their respective systems, specific mitigating recommendations are made at
that time.
B. Contractor Relations
In the event that processing of Restricted data must be outsourced, adequate and
appropriate contractual checks and balances exist to help ensure overall security and integrity of
the data. A Security Design Review (SDR) document exists to help ensure that external vendors
have adequately considered security in products Penn State seeks to procure. Security Operations
and Services maintains active relationships with Purchasing, Risk and the Office of General
Counsel to help ensure that cloud or other third party vendor software has included viable
safeguards.
IV. Incident Response
As noted previously, the University has a long-standing incident response capability
under the direction of Security Operations and Services. Employees within SOS are cross-trained to handle incidents and a contact list is maintained such that incidents can be handled
twenty-four hours a day. Instructions on reporting incidents have been formulated and
disseminated within the community. There are two primary reporting email addresses:
- security@psu.edu
- abuse@psu.edu
The SOS security team monitors and responds to both addresses.
By policy, all computer and network security incidents, regardless of where they occur within the
University, are to be reported to the central response organization. The range of response
services is broad, ranging from minor spam and chain mail reports to major investigations
involving multiple systems internal and external to the University. The response function
maintains active relations with law enforcement and external incident response organizations
such as CERT/CC. The incident categories handled by the response team include:
- Denial of Service
- Unauthorized Access Attempts
- System, Account, or Data Compromise
- Copyright Infringement
- Electronic Harassment
- Commercial Use
- Phish, Relays, and Chain Letters
- Forgeries/Misrepresentation
- Other
Incidents are tallied annually. The incident handler on duty the day reports are received
prioritizes the incident reports. An incident involving a financial asset would generally receive
immediate attention; the only category of incident higher in priority would be a threat to human
life. As noted before, the response team also has a full forensic analysis capability available and
can preserve/analyze computer evidence in a manner suitable for use in court should the need
arise.
V. Summary
The Information Security Program is organized in a mix of central and distributed roles,
suited to its geographic and unit differences. Central responsibility for security functions has
been established and vested in the position of the Senior Director for Security Operations and
Services within Information Technology Services. The program maintains the controls needed
for sensitive financial and administrative applications and has a firm policy and procedural
underpinning. A permanent funding stream has been identified which will allow continuation of
and growth for the Program.
Policy References
AD20, Computer and Network Security (http://guru.psu.edu/policies/AD20.html)
AD23, Use of Institutional Data (http://guru.psu.edu/policies/AD23.html)
AD35, University Archives and Records Management (http://guru.psu.edu/policies/AD35.html)
AD71, Data Categorization (http://guru.psu.edu/policies/AD71.html)
ADG01, Glossary of Computerized Data and System Terminology
(http://guru.psu.edu/policies/ADG01.html)
ADG02, Computer Facility Security Guideline (http://guru.psu.edu/policies/ADG02.html)
ADG07, Data Categorization Examples (http://guru.psu.edu/policies/ADG07.html)