Information Security: Is it warranted on your campus?
William C. Moore II, CISSP
Chief Information Security Officer, Valdosta State University

Requirement in many new mandates
• FERPA
• HIPAA
• Sarbanes-Oxley
• Gramm-Leach-Bliley
• VISA requirements

Many of these mandates have accountability requirements
• HIPAA – Information Security is responsible for data security and shall audit the access to enterprise-wide systems and data. This includes, but is not limited to, access to Network, Email, Internet, PRISM, Medipac, Human Resources, Accounts Payable, Payroll, General Ledger and TESS.
• GLBA – (i) ensure the security and confidentiality of covered records, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.
• VISA CISP – Digital Dozen
  1. Firewalls
  2. Security patches
  3. Stored data
  4. Encryption
  5. Anti-virus
  6. Restrict access
  7. Unique IDs
  8. Change default security settings
  9. Track access
  10. Test security regularly
  11. Implement and maintain a security policy
  12. Restrict physical access
• These are mandates that make Information Security a responsibility of operating the business of education.

So, what do we, as USG, do?
• Acquire administrative support
• Appoint an accountable individual (or individuals)
• Evaluate the current state
• Develop policies
• Develop procedures
• Provide training and awareness
• Enforce policies and procedures
• Report
• Repeat

Administrative Support
• Is it needed? – ABSOLUTELY
• What level is needed? – The higher, the better; a minimum of CIO/VP
• When should you seek support? – NOW!
• How did VSU meet the demand?

Milestones for VSU
• Obtain CIO and executive approval/buy-in before proceeding further.
  – Obtained CIO and VP of Business and Finance support to meet University goals and mandates.

VSU Internal Project
• Began internal project directions with existing personnel.
  – Designated a group of individuals, the "Taskforce", from various departments (Student Information Systems, Business Finance/PeopleSoft, Main I.T. Systems Support, Network Services, Library, Auxiliary Services, Faculty Senate) to carry out the following tasks.

Assess Current Status
• Gather a current inventory of existing technologies on campus.
  – Through departmental surveys.
• ISO 17799 assessment for all areas on campus.
  – Additional departmental surveys and observations.

Assess Current Status
• ISO 17799 assessment
  – Essential for measuring the current status of organizational security.
  – Demonstrates a formal assessment of the organization's strengths and weaknesses.
  – Presents meaningful insight, thereby giving focus and direction for security actions.
  – Develop a plan of action to address deficiencies found in the assessment.

Report Current Status
• Report the ISO 17799 results to the "Taskforce" and the authorizing executive(s).
• Report findings of strengths and weaknesses.
• Report plans for rectifying vulnerabilities (action steps for securing the campus).

Data Classification
• Develop and implement a method of data classification for the campus (this will require buy-in and assistance from all areas of campus).

Method of Prioritizing
• Use data classification to steer mandatory campus policies/procedures for business continuity and disaster recovery. (The classification should be used to set the priority of what data is critical, vital, important and less important for the continuation of business at the campus, college, and then department level.)

Determine Effectiveness
• Once data classification is implemented and running, re-assess using ISO 17799.
  – Allows for measuring the effectiveness of the classification scheme.
  – Re-emphasizes the priorities of the various systems/data.
  – An important method of budget justification.

Develop Policies
• The Security Taskforce should develop campus information security policy recommendations.
  – Request comments (not necessarily approval) from faculty, staff and students.
• All policy recommendations should be submitted through Legal Affairs for approval.
• Submit recommendations to B.O.R. Information Security for comments/review.
• Policies must receive Cabinet and/or President approval.
• Make all users aware of policies after approval.

1st Vulnerability Test
• Begin the vulnerability test for critical areas after written approval from the CIO (the test should be scheduled and well known to those being tested, so that problems can be addressed if they arise). Do not use invasive techniques at this time (scan and enumerate only; no exploitation or denial-of-service testing).
  – Review findings with the CIO and affected System Administrators.
  – Make recommendations to the CIO and affected Administrators.
    • Each risk must be reduced, accepted, transferred or rejected, with the reason recorded.
    • If necessary, point to the policies.

1st Vulnerability Test
• Based on the 1st vulnerability test findings:
  – Work with System Administrators on developing procedures to address the findings.
• Provides the initial "raw" score, the baseline that the retest is measured against.
• Procedures provide the steps to meet policies.
• Procedures should be as specific and standard as possible.

Procedures Are in Place
• Rerun the vulnerability test for critical areas (again, after written approval from the CIO).
• Report both sets of findings to the CIO and supporting executive(s).
• If necessary, use these findings as support for obtaining methods of mitigating risks (i.e. campus AV, firewalls, IDS, training, etc.).
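As an added worked example (not part of the original presentation or of VSU's process), the following Python script ties together the Method of Prioritizing slide and the two vulnerability-test slides above: each finding is weighted by the data classification of the host it sits on, the first round yields the "raw" score, and after the retest every finding that is still open must carry one of the four risk treatments (reduced, accepted, transferred, rejected) together with a reason, or it is flagged in the report to the CIO. The host names, finding identifiers, severity points and classification weights are constructed for illustration and are assumptions, not values from the deck.

```python
"""Risk register for a before/after vulnerability test cycle.

Constructed example: hosts, findings, severity points and classification
weights are hypothetical illustrations, not VSU data.
"""
from dataclasses import dataclass
from typing import Optional

# Data classification tiers named in the deck (critical, vital, important,
# less important). The numeric weights are an assumption for illustration.
CLASS_WEIGHT = {"critical": 4, "vital": 3, "important": 2, "less important": 1}
# Severity points per finding (assumed scale).
SEVERITY = {"high": 10, "medium": 5, "low": 1}
# The four permitted risk treatments from the deck.
TREATMENTS = {"reduced", "accepted", "transferred", "rejected"}


@dataclass
class Finding:
    fid: str                      # finding identifier (constructed)
    host: str                     # affected system (constructed)
    classification: str           # data classification of the host
    severity: str                 # high / medium / low
    treatment: Optional[str] = None
    reason: str = ""


def weight(f: Finding) -> int:
    """Weighted risk of one finding: severity points times classification weight."""
    return SEVERITY[f.severity] * CLASS_WEIGHT[f.classification]


def score(findings) -> int:
    """Raw score for a test round: sum of weighted risks."""
    return sum(weight(f) for f in findings)


def prioritize(findings):
    """Remediation order: highest weighted risk first, ties broken by id."""
    return sorted(findings, key=lambda f: (-weight(f), f.fid))


def untreated(open_findings):
    """Open findings lacking a valid treatment or a recorded reason."""
    return [f for f in open_findings
            if f.treatment not in TREATMENTS or not f.reason.strip()]


def compare(first, second) -> dict:
    """Report for the CIO: score before and after, fixed, new and untreated items."""
    first_ids = {f.fid for f in first}
    second_ids = {f.fid for f in second}
    return {
        "raw_score": score(first),
        "retest_score": score(second),
        "fixed": sorted(first_ids - second_ids),
        "new": sorted(second_ids - first_ids),
        "untreated": sorted(f.fid for f in untreated(second)),
    }


# Constructed sample data for the two rounds.
FIRST_ROUND = [
    Finding("F1", "sis-db01", "critical", "high"),
    Finding("F2", "sis-db01", "critical", "medium"),
    Finding("F3", "lib-web01", "less important", "high"),
    Finding("F4", "hr-app01", "vital", "low"),
]
SECOND_ROUND = [
    Finding("F2", "sis-db01", "critical", "medium", "accepted",
            "vendor patch due next quarter; compensating firewall rule in place"),
    Finding("F3", "lib-web01", "less important", "high"),   # no treatment recorded
    Finding("F5", "hr-app01", "vital", "low", "transferred",
            "hosted module; covered by vendor SLA"),
]

if __name__ == "__main__":
    for f in prioritize(FIRST_ROUND):
        print(f"{f.fid} {f.host} ({f.classification}, {f.severity}) weight={weight(f)}")
    print(compare(FIRST_ROUND, SECOND_ROUND))
```

Run stand-alone, it prints the remediation order for the first round and then the comparison; in the constructed data, F3 is reported as untreated because it survived the retest with no treatment and no reason, which is exactly the case the "reduced, accepted, transferred or rejected with reason" rule is meant to catch.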
Use Procedures to Provide:
• Awareness and Training
  – Required by some federal mandates.
  – Employee participation can be the strongest or the weakest segment of your security initiatives.
  – Raising levels of awareness can help gain support.
    • Make security personal by demonstrating how it can help champion other goals.
    • Demonstrate how security can increase value by increasing "uptime" and reliability, or save money by standardizing areas of support.

Use Procedures to Provide:
• Awareness and Training (cont.)
  – Start small (cheap): websites, posters, email notices, etc.
  – Coming soon through Vista: general Security Awareness for Admins and End Users.
  – Use specific procedures to develop new-employee training.

Use Procedures to Provide:
• Awareness and Training (cont.)
  – Mentor potential cross-trainers.
    • If other I.T. personnel show an interest in Information Security, offer additional training leading to certifications.
    • Consider "Train the Trainers" for other departments.
  – Offer to include nearby USG campuses.

So what do you do now?
• Gain support
• Designate or appoint an accountable person
• Evaluate
• Develop policies and procedures
• Report
• Awareness/Training
• Enforce policies and procedures
• Maybe next year: Incident Response

Questions / Comments?