Date posted: 17-Dec-2015
Information Security at Waterloo: Past, Present, and Future
Jason A. Testart, BMath, CISSP
Director, Information Security Services
Information Systems & Technology
Hacked by an iron.
#watitis2013
Five Eyes
Security Portfolio: 1998
• A single FTE
• UWDir (identity management)
• Best Practices for OS and Application Security
• Awareness
• Certificate Authority
Security Portfolio: 2008
• A single FTE
• Best Practices for OS and Application Security
• Awareness
• Certificate Authority
• Compliance (PCI DSS, FIPPA)
• Network Security
Tools: 2008
• Netflow for IDS
• Nessus scanner
• Focus on baselines
• Email for incident response
• Email for certificate management
Status 2011
• Added 4 FTEs (5 total)
• Renamed “Information Security Services”
• Security reports to senior IT leader
• Security Operations Centre
• Policy 8 approved and in force
• More formal incident response (RTIR)
2011 continued
• VPN
• Self-serve certificates (Globalsign)
• Proactive vulnerability management
  – AppScan
  – QualysGuard
• Encryption support
• Investigations support
2012/2013
• NetID
• SIEM (log correlation)
• Metasploit
• Threat Intelligence
2014 and Beyond
• Evolve current capabilities in IDS, IR, and vulnerability management
• More standards (all layers of stack)
• PSIA
• WatIAM:TNG IAMNG
• More compliance
  – Anti-spam law
  – New copyright legislation
ISS Previous Structure
Director
Systems Integration Specialist
Systems Integration Specialist
Systems Integration Specialist
Systems Integration Specialist
ISS Current Structure
Director
Manager, Information Security Operations
Security Operations Analyst
Security Operations Analyst (co-op student)
Information Security Specialist
Information Security Specialist
Information Security Specialist
IAM Specialist
IAM Specialist
Key Partnerships
• Secretariat
  – Privacy
  – Records Management
  – Law
• IST Portfolio Group
  – Policy, Standards, Compliance, Risk Management
• Finance
  – PCI DSS Compliance
• Office of Research
  – Compliance
• UW Police
  – Investigations
PSIA
• What is it?
  – Mechanism for the identification, assessment, and mitigation of privacy and security risks for information-centric university initiatives
  – Assessors: Privacy Officer, Information Security Officer
Proposed PSIA Process
Stage of Initiative | Privacy Action(s) | Security Action(s) | Sign-off?
Proposal/Business Case | Review/Assess | Review | Sponsor + Privacy
Solution Design (or “RFP Response”) | Review/Assess | Review/Assess | Sponsor/Project Team + Privacy + Security
Development/Pre-production | – | Review/Assess | Project Team + Security
Implementation/Production | Review | Review | Sponsor + Project Team + Privacy + Security
Jason’s Principles of Identity Management
1. A person can assume more than one role at one time (badges, not hats).
2. There is no “primary role”.
3. Every role has a sponsor (i.e. someone needs to attest to you being here).
4. “Expired” means you are status VSA.
Identity Management
1. Enumerate Roles
2. Determine lifecycles of each role
3. Business process analysis
4. Requirements Definition
5. Architecture
6. RFP
Access Management
• CAS may not be the ultimate solution.
• Centralize/automate where possible.
• Require multi-factor authentication for certain types of access/transactions.
• Approach problem with EA-like abstractions.
Enterprise Architecture (Zachman) (from zachman.com)
Networking Models
Testart’s EA-Lite | EA-Lite for Access Control | Simplified Example
Business View | Role Definition/Requirements | Academic Advisor
Logical View | ACL in generic language | Bio+Marks: RO Access; Program/Plan: RW Access
Physical View | Implementation | PeopleSoft Security Controls; Online Advising Tool (OAT) ACLs; Active Directory Security Group
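The three EA-Lite layers and the identity-management principles above, worked through as an added example (not code from the presentation or from Waterloo ISS): a sponsored, time-limited role assignment is the business view, a product-neutral RO/RW ACL per role is the logical view, and the mapping to the enforcing system and directory group is the physical view. The "Records Clerk" role, the sponsor names and the resource-to-system mapping are constructed assumptions; only "Academic Advisor" and its two permissions come from the slide.

```python
from dataclasses import dataclass

# Business view: a role assignment carries its sponsor (principle 3) and an
# expiry (principle 4). A person may hold several at once (principle 1).
@dataclass
class RoleAssignment:
    role: str
    sponsor: str
    expires: str  # ISO 8601 date, so plain string comparison orders correctly

# Logical view: generic ACL per role, stated independently of any product.
# "Academic Advisor" is the slide's example; "Records Clerk" is constructed.
GENERIC_ACL = {
    "Academic Advisor": {"Bio+Marks": "RO", "Program/Plan": "RW"},
    "Records Clerk": {"Bio+Marks": "RW"},
}

# Physical view: the system that enforces each generic resource, and the
# directory group that carries each role. This mapping is an assumption.
ENFORCED_BY = {
    "Bio+Marks": "PeopleSoft security controls",
    "Program/Plan": "Online Advising Tool (OAT) ACLs",
}
ROLE_GROUP = {role: f"AD security group: {role}" for role in GENERIC_ACL}

def active_roles(assignments, today):
    """Only sponsored, unexpired roles count; an expired role grants nothing."""
    return [a.role for a in assignments if a.sponsor and a.expires >= today]

def effective_acl(assignments, today):
    """Union over active roles (badges, not hats): RW outranks RO, no 'primary' role."""
    acl = {}
    for role in active_roles(assignments, today):
        for resource, perm in GENERIC_ACL.get(role, {}).items():
            if acl.get(resource) != "RW":
                acl[resource] = perm
    return acl

def authorize(assignments, today, resource, action):
    """action is 'read' or 'write'; returns (allowed, enforcing system)."""
    perm = effective_acl(assignments, today).get(resource)
    allowed = perm == "RW" or (perm == "RO" and action == "read")
    return allowed, ENFORCED_BY.get(resource, "unmapped")

def provisioning_plan(assignments, today):
    """Physical-view output: the groups an identity should be in right now."""
    return sorted(ROLE_GROUP[r] for r in active_roles(assignments, today))
```

Because the decision is made against the generic ACL, adding a second enforcing system or retiring one changes only `ENFORCED_BY` and `ROLE_GROUP`, not the role definitions.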
For your consideration…
• ISS is not just about IT infrastructure.
• Let us know about current challenges you see with WatIAM.
• Stay tuned for the potential IT impact of new legislation.
• You MUST report breaches. We have legal obligations to uphold.