7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 1/14
Crea%nganITSecurityBaselineUW-Madison
OfficeofCampusInforma%onSecurity
CoryChrisinger,EricGiefer,JimLowe,and
AllenMonee
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 2/14
ITSecurityBaseline
http://
www.cio.wisc.edu/
security-baseline.aspx
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 3/14
ITSecurityPoll(roomresponses)
Control Doyourequire
(Most,Some,Few)
CentrallyReport
Results(Y/N)
NetworkFirewallsforendpoints Some Some
An5virusrequiredforendpoints Most Some
Patchwithin30days Few FewKnowloca5onsofRestricteddata
(SSN,DL,CC,financialacct#,etc)
Few Few
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 4/14
UW-MadisonCampusInforma%on
• Madison,WI
• 936acres
• ~43kstudents
• ~18kemployees
• $2.8Bbudget,~$1Bresearch
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 5/14
ITatUW-Madison
• ~150ITDepartmentsacrosscampus
– ~1200peopleintheseITdepartments
• ~600peopleincentralIT(DoIT)
• ~53,000devicesoncampuswiredstaffnet
• 60,000+devicesonresidencehalls,wireless,
andothernetworks
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 6/14
Whatdowegetfromthe
baseline?
• Buildacentralrepor%nginfrastructure
– Dashboardwithcurrentstateof
• NetworkFirewalls
• A/V
• Patchingwithin30days(vulnerabili%es)
• Restricteddataloca%ons
• Hopingtoachieve80complianceacrosscampus
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 7/14
RiskCon%nuum
(Lowest–Highest)
CopyrightViola5on/HEOA
• Risks:IfstudentsIllegallydownloadmaterials(music,documents,etc.)thereisariskofprosecu5on,andlossofaccesstoUWnetwork.ThereisalsoariskofUWlosingfinancialaid
funding
UnauthorizedNetworkAccess
• Risks:Ifhackersaccessthenetworkthroughservers,printers,computers,webapplica5ons,etc.,thereisariskisthelossofintellectualproperty,andmalfeasance.
UnauthorizedAccesstoRestrictedData
• Risks:Ifhackersaccessrestricteddata(SSN,CreditCards,etc.),therearerisksoflegalfees,reputa5on,andfinancialcostsofremedia5on
FailuretoComplywithPCIstandards
• Risks:Notproperlysecuringcreditcarddataandprocesses,mayresultinfines($2kperday)andadiminishedreputa5on
FailuretoAdheretoFISMA/HIPAAStandards
• Risks:NotadheringtoFISMA/HIPAArequirementsmayresultinlossofgrantaward,grantcon5nua5on,andresearchreputa5on
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 8/14
CurrentState
• Incidents
– 2-3hackedperday
– 1website/week
• Polices/Standards
– Patching,AV,F/W
– IncidentRepor%ng
• Pilots
• Tools
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 9/14
Toolsweoffer
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 10/14
Improvementwehaveseen
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 11/14
Whydidittakesolongtoget
going?
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 12/14
Whatdowegetfromthe
baseline?
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 13/14
NextStepsaerthebaseline
7/30/2019 Creating an IT Security Baseline (166244112)
http://slidepdf.com/reader/full/creating-an-it-security-baseline-166244112 14/14
ThankYou
JimLowe,CISO,OfficeofCampusInforma5onSecurity
CoryChrisinger,RiskAnalyst,Officeof
CampusInforma5onSecurityAllenMonee,EndpointSecurity
Specialist,OfficeofCampusInforma5on
SecurityEricGiefer,DirectorofLawSchool
Technology,UW-MadisonSchoolofLaw