Cybersecurity Strategy … a first look
Brief to Information Technology Committee
Bob Turner, UW-Madison CISO
April 17, 2015

What the Cybersecurity Strategic Plan provides…
• A road map to improved cybersecurity within the Risk Management Framework (RMF)
• Enables complete understanding of the UW-Madison and UW System IT infrastructure that:
  - enables a clear view of all routers, switches and hosts;
  - promotes cyber hygiene in connected or virtual environments;
  - facilitates helpful behaviors and drives staff to engineer appropriate defense measures and informed incident response; and
  - consolidates Incident Response capability for campus networks and systems and for UW Common Systems

Aligns to University Strategic Priorities and Initiatives
• Educational Experience: Improve access and affordability; Scale Wisconsin Experience; Improve learning outcomes; Ensure graduate student mentoring; Build innovative professional degrees and other lifelong learning experiences.
• Research and Scholarship: Nurture excellence in research, scholarship, and creative activity; Optimize the research and scholarship infrastructure; Strengthen our influence in national decision-making around research policy and funding; Engage our interdisciplinary strength; Support the continued high-level integration of research and education.
• The Wisconsin Idea: Partner to bring value to Wisconsin citizens; Promote economic development through the technology-transfer ecosystem; Extend our educational mission to Wisconsin and the world; Leverage our distinctive interdisciplinary strength to address complex problems.
http://chancellor.wisc.edu/strategicplan2/images/Strategic%20Framework_15-19.pdf

Aligns to University Strategic Priorities and Initiatives (Cont’d)
• People: Ensure a highly talented, engaged, and diverse workforce; Enhance the strength of our campus through diversity and inclusion; Ensure our ability to attract and retain talent; Nurture growth of our people through professional development; Create the best possible environment for our people.
• Resource Stewardship: Promote resource stewardship, improve service delivery and efficiency; Create a stable and sustainable financial structure; Identify and pursue new revenue sources aligned with mission and goals; Promote environmental sustainability; Transform library structures and technologies to best support research and learning; Sponsor a comprehensive campaign to invest in the future of the university and shape the future of Wisconsin and the world.
http://chancellor.wisc.edu/strategicplan2/images/Strategic%20Framework_15-19.pdf

Links to Campus/UW System IT Strategy
A. Educational Experience
  1. Provide career-oriented experiences for our students
  2. Design, create, and support a learning-centered ecosystem
  3. Unify the student experience with access to data and information
  4. Provide tech services and resources to enhance student success and digital literacy
B. Research and Scholarship
  1. Provide and support robust and secure IT research and scholarship infrastructure
  2. Collaboratively partner with researchers to explore, access and use technology
  3. Encourage, recognize and support staff scholarship
C. Wisconsin Experience
  1. Foster state-wide public and private IT relationships
  2. Proactively share our IT expertise to solve complex problems
  3. Extend the educational mission with next-generation IT infrastructure
D. Our People
  1. Provide career-pathing and prepare staff and managers for the future
  2. Diversify the IT workforce
  3. Recruit and retain talented and engaged staff
E. Stewards of Our Resources
  1. Practice and promote IT effectiveness and efficiency
  2. Ensure sustainable funding
  3. Practice transparent financial management and reporting
  4. Provide leadership for IT risk compliance and management
  5. Support and enhance innovative business and administrative systems
  6. Facilitate effective and secure sharing and use of data
“Look beyond the send button and shift your focus to the receiving end.” - Anonymous

CISO’s Vision (Functional Capabilities)
• Governance
• Policy Development, Security working group leadership
• Data Governance and Security
• Security education, training, and awareness
• Risk Management Framework implementation
• Compliance
• Security Engineering Assessment and Approval (RMF)
• PCI-DSS, PHI, HIPAA, FERPA, and other auditing activities
• Security Metrics
• Risk Management
• Cybersecurity Defense
• Cyber Threat Intelligence and Reporting
• Security Assessments
• Forensics
• Security Operations (ERP+)
• Communications and Networking
• Faculty, Staff and Student Education
• Executive Security Awareness
• Shared Governance, Boards and Committees

Leadership and Business Considerations
• Challenging budget priorities
• Competition for resources
• Staff maintaining work-life balance
• Adapting to changing technology or revisions to best practices
• Shared Governance
• Visibility within DoIT
• External influences
“Security Teams must demonstrate the ability to view business problems from different or multiple perspectives.” – Gus Agnos (VP Strategy & Operations at Synack)

Elements of the Cybersecurity Strategy
• Strategic Element 1: Complete the Data Governance and Information Classification Plan
• Strategic Element 2: Establish the UW System Risk Management Framework to materially reduce cybersecurity risk
• Strategic Element 3: Build a community of experts and improve institutional user competence through Security Education, Training, and Awareness
• Strategic Element 4: Consolidate Security Operations and institute best practices for UW-Madison Campus Networks and UW System Common Services
“Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat.” - Sun Tzu (Ancient Chinese Military Strategist)

Elements of the Cybersecurity Strategy (Cont’d)
• Strategic Element 5: Improve Cyber Threat Intelligence Analysis, Dissemination and Remediation
• Strategic Element 6: Optimize Services, Establish Security Metrics, Promote Compliance, Achieve Continuous Diagnostics and Mitigation
• Strategic Element 7: Establish Collaborative Partnerships to assure teaching and research computing resources and results are available to fulfill the Wisconsin Idea and return value to the state and its citizens

Enabling Objectives
• Objective 1: Consider retention of the previous strategy’s actionable items (“find it”, “delete it”, and “protect it”).
• Objective 2: Create the “Culture of Compliance” for oversight of all campus data, networks and systems.
• Objective 3: Establish Restricted Data Environments based on the needs of Faculty, Researchers or IT project requirement documents.
• Objective 4: Centralize data collection and aggregation for analysis of security-related events to promote unified measurement of cybersecurity attributes.
• Objective 5: Identify and stabilize sources of repeatable funding to enable accomplishment of technical or staffing-related strategic goals.
“Real commitment means doing everything in your power to get things done.” - Jeroen De Flander

Enabling Objectives (Cont’d)
• Objective 6: Understand and map requirements imposed upon us (e.g., FERPA, HIPAA, PCI DSS, NIST, etc.) by other agencies (e.g., Department of Education, Office for Civil Rights, credit card companies, research grant authorities).
• Objective 7: Develop and refine procedures to ensure security operations and risk assessments are conducted in a sustainable and repeatable manner that ensures standards for timeliness and measurable response are achieved and maintained.
• Objective 8: Develop and implement marketing and communications plans.

The road ahead…
• Complete Draft for CIO Staff Review: Done
• CIO Staff Review: April 15 – 21
• DoIT Director Review: April 15 – 21 (Walk Around Tour)
• Campus Colleges and Departments CIO Review: Week of April 20
• Forward Draft for UW-MIST Review: April 22
• UW-MIST Review: April 23 – 29. Comments adjudicated by May 5, with discussion and concurrence during the May MIST meeting (May 7)
• Final Draft for ITC: Brief at May 15 ITC
• Final Version for CIO: No later than May 29
• Socialize with MTAG: Targeting June 16 meeting
• Socialize with TISC: Announce during Lockdown (July 15) and TISC Summer Meeting (July 16), with review based on responses

Questions?