7/29/2019 Information Security from the Ground Up (166362637)
http://slidepdf.com/reader/full/information-security-from-the-ground-up-166362637 1/34
Confidential Property of the University of Notre Dame
Security From The Ground Up
David Seidl, Information Security Program Manager
University of Notre Dame
Copyright
• Copyright David Seidl, 2009. Portions of this
presentation copyright Michael J. Chapple, 2008. This
work is the intellectual property of the author.
Permission is granted for this material to be shared for non-commercial, educational purposes, provided
that this copyright statement appears on the
reproduced materials and notice is given that the
copying is by permission of the author. To disseminate otherwise or to republish requires
written permission from the author.
Background
• The Office of Information Technology (OIT) is
the central IT organization for Notre Dame.
• Departmental IT organizations exist
independently in some departments.
• The Information Security department is part
of the OIT, but bears central responsibility for
campus information security.
Background: 2006
• The Information Security department was
founded in 2002 and grew to a total of five
staff members by 2006.
• Up until 2006, Information Security was a
combination of implementing internal
controls and external consulting.
• This was judged insufficient in light of
regulatory requirements and risk-based assessments.
Background: 2006
• Initial credit card compliance discussions were
being held due to PCI requirements and a
credit card network inventory was completed.
• 70 merchant accounts and 15 distinct
applications were found.
• Credit card compliance efforts were begun
and then…
Game Changers
Result: The CCSP and CITRA
• Credit Card Security Program (CCSP) – PCI compliance
– Additional detail is available in slides on
the EDUCAUSE site as “The Data Center Within A
Datacenter” and “Navigating The Regulatory
Maze”
• University Leadership requested a campus-wide
IT risk assessment, which came to be called CITRA, or the Campus IT Risk
Assessment
Parallel Efforts
[Timeline figure: Information Security at Notre Dame, July 2005 – July 2006. Parallel tracks shown: Initial PCI DSS Discussions, Credit Card Network Inventory, Incident, Incident Response, Consultant Assessment, CITRA, CCSP Planning.]
Assessment Process
CITRA Findings
• End result was 68 findings covering 10 key areas:
– Information Security Framework
– Access Control
– Configuration Standards
– Technical Security Architecture
– Compliance
– Data Classification and Handling
– Encryption Strategy
– Physical Security
– Disaster Recovery
– Information Security Awareness
• For example…
Planning Workshop
• Analyzed CITRA results
and created project
specifications for all
medium/high risk findings
• Produced comprehensive
project plan with resource
estimates and sequencing
• Each project ranked on
costs (financial and staff),
importance and urgency
Resource Planning
• Discussed project objectives with resource
managers
• Simple approach to resource estimation for
both staffing and cost:
– Determine “best case” and “worst case” time and
cost estimates
– Average those endpoints
– Surprisingly accurate!
Outcome
• Projects sequenced to prioritize high-risk
findings and balance resource consumption
• Overall costs: $4.6M one-time, $630K
recurring. Since then, we have returned $1M
to central control.
Presented to University leadership and funded
IN FULL!
Security Program Mission
Identify confidentiality, integrity
and availability risks to sensitive University information, and
mitigate those risks to acceptable
levels.
Objectives
The objectives of the program are to:
• Evaluate risks to the confidentiality, integrity and availability of sensitive information
• Establish and implement controls to fill critical gaps, as determined by institutional risk tolerance
• Create awareness of information security and proper data handling practices
• Establish and communicate security-related policies, procedures and standards
Program Elements
• Policy
• Awareness, Training and Education
• Credit Card Support Program
• Security Infrastructure
• Network Security
• Workstation Security
• Server Security
• Incident Handling
• Sustaining Activities
Putting it all together
Policy
• Policy was required as a foundation for other
projects.
• Policy projects:
– Security Policies and Standards (1.1, FY 2007): Establish University-wide Information Security policies and handling standards based on ISO 17799
– Configuration Standards (1.3, FY 2007): Develop configuration standards for applications and mobile systems
– Software Development Lifecycle (1.5, FY 2010): Select and implement an SDLC model for use with OIT systems
Awareness, Training and Education
• Employee Awareness & Training (2.1, FY 2007-2008): Provide security awareness, communication and training for faculty & staff
• Student Awareness & Training (2.3, FY 2008): Provide security awareness, communication and training for students
• Classification Workshops (2.2, FY 2008): Conduct workshops to aid Data Stewards in classifying their data
• Sensitive Data Handler Training (2.4, FY 2008): Provide specialized training for those who work with sensitive University Data
• Technical Security Training (2.5, FY 2009): Provide specialized technical security training for IT Professionals
Workstation Security
• Initial Desktop Remediation (6.1, FY 2007): Apply a basic set of security controls to University workstations
• Malware Management (6.2, FY 2008): Provide a solution for management and monitoring of antivirus and anti-spyware software on University systems
• File Security (6.3, FY 2009): Conduct a vulnerability assessment and apply security controls to NetFile
• Messaging Security (6.4, FY 2009-2010): Apply security controls to electronic mail and instant messaging
Server Security
• Data Center Architecture Enhancements (7.1, FY 2008): Enhance security controls on the OIT Data Center front end
• Server Integrity Monitoring (7.2, FY 2008): Formalize OIT server integrity monitoring infrastructure and processes
• Database Security (7.3, FY 2008): Conduct a vulnerability assessment of University databases and implement appropriate controls
• Departmental Server Consulting (7.4, FY 2008-2009): Conduct a security assessment of each departmental server and provide recommendations on alternative technologies and/or appropriate controls
• OIT Server Management (7.5, FY 2008-2009): Implement security management practices for OIT servers with separation of duties and data segregation, where appropriate
Network Security
• Border Security (5.1, FY 2007): Implement campus network border firewall to block unsolicited inbound connections
• Network Device Management (5.2, FY 2007-2008): Implement security standards on campus network devices
• Zoned Network and Wireless Security (5.3, FY 2008-2009): Design and implement a zoned network architecture with appropriate security controls on the wired and wireless networks
• Intrusion Prevention (5.4, FY 2009): Replace the University’s existing intrusion detection system with a comprehensive intrusion prevention system
• Network Admission Control (5.5, FY 2010): Implement controls to ensure that network-connected systems meet security standards
Security Infrastructure
• Vulnerability Scanning (4.1, FY 2007): Create a scanning facility to proactively detect technical vulnerabilities in University systems
• Security Review Process (4.2, FY 2007): Create a process for consistently conducting information security reviews
• Sensitive Data Scanning (4.3, FY 2008): Create a scanning facility to proactively detect CC/SSNs stored in institutional file systems
Security Infrastructure (cont’d)
• Application Logging (4.4), Log Security Analysis (4.5) and Network Activity Logging (4.7) projects (FY 2009): Intended to capture enterprise application events as well as records of off-campus connections involving University systems in the OIT central log repository, and to create security analysis capabilities for the data that is available via these logging processes. These were all rolled into the SOC project.
• Firewall Management (4.6, FY 2009): Audit existing firewall rulebase and implement standard management practices
• Rogue Wireless AP Detection (4.8, FY 2010): Provide the ability to identify unauthorized wireless access points on the University network
Credit Card Security (CCSP)
• CCSP Infrastructure (3.1, FY 2007): Create the infrastructure required to migrate card processing applications to the OIT data center
• CCSP Application Migration (3.2, FY 2007-2008): Move card processing servers to the payment card environment located in the OIT data center
• CCSP Monitoring (3.3, FY 2008): Implement ongoing technical monitoring of the payment card environment
• CCSP Physical Security (3.4, FY 2008-2009): Upgrade data center physical security to meet PCI DSS requirements
Incident Handling
• Incident Response Procedures (8.1, FY 2010): Create technical procedures for responding to information security incidents to supplement the existing Incident Response Plan
• Forensics (8.2, FY 2010): Identify forensic resources for use in information security incident response
• Incident Tracking System (8.3, FY 2010): Provide an information security incident tracking system
Sustaining Activities
• Security Operations Center (9.1, FY 2008-2009): Create an operations center to monitor and provide initial response to security events
• Recurring Risk Assessments (9.2, FY 2010): Establish a process for recurring, periodic risk assessments to measure risk to University data assets
• Program Monitoring (9.3, FY 2010): Assess the ongoing effectiveness of the information security program
Where are we now?
[Figure: current efforts grouped as Security Operations, Technology and Procedures, Awareness, and Policy and Regulatory Requirements, with an Ongoing track.]
Program Highlights
• For the most part, on-time completion under budget
• Some “in-flight” changes to the plan to:
– Combine projects (SOC)
– Reprioritize project sequencing
– Deal with staffing and priority changes
– Address new risks (e.g. Web application security)
– Balance resource utilization with other initiatives
Successes
• CCSP fully implemented and online
• More than 50% of the program’s projects are
successfully completed.
• High success rate for awareness program:
>85% two-touch response rate.
• Vulnerability scanning resulted in very
significant decrease in reported
vulnerabilities.
Lessons Learned
• Maintenance-of-business activities were not
originally planned to increase as projects
came online.
– This led to delayed maintenance and issues with
sustaining activities
– Meeting ongoing operational security needs
proved difficult.
• Added a process to review maintenance
activities after project go-live.
More Lessons Learned
• Staffing changes
– Program Manager left for another campus
organization.
– Backfilling InfoSec position took 6 months.
– Worked to solve this by spreading work over
longer time periods and by using more project
management time to conserve technical resources.
More Lessons Learned
• Priorities
– Priorities driven by non-program projects require
additional staff time from InfoSec
– This time was not allocated in the program design, and leads to delays in program projects
– Still working to deal with this:
• Increase maintenance-of-business time
• Create a pool of available hours
• Project planning phase involvement for new projects
and strong partnership with project management
Questions?