Moving From Security to Governance, Risk, and Compliance? · 07/04/2014

Date post: 22-Sep-2020
Transcript
Page 1: Moving From Security to Governance, Risk, and Compliance? · 07/04/2014 · Campus Perspectives Panel, Joe St Sauver

Peter Murray

Co-Chair, Higher Ed Information Security Council (HEISC)

Moving From Security to Governance, Risk, and Compliance? Campus Perspectives Panel

Page 2: Today's Panelists

© 2014 Internet2

• Peter Murray – University of Maryland
• Rob Adams – University of Florida
• Michele Norin – University of Arizona
• Joe St. Sauver – University of Oregon

Page 3: Moving From Security to Governance, Risk, and Compliance? Campus Perspectives Panel

Joe St Sauver, Ph.D. ([email protected])

Internet2 Global Summit, Denver, Colorado, Tuesday, April 8th, 2014, 8:45-10:00 AM

Governor's Square 11

http://pages.uoregon.edu/joe/security-to-grc/

Disclaimer: all opinions expressed are strictly my own.

Page 4: A Lot Has Been Changing in Security, Particularly in the Higher Ed Community

• Higher ed organizations that have been involved with security have been evolving (including the Higher Education Information Security Council (HEISC)).
• Personnel and their roles have also been changing, and some higher ed security activities have (for whatever reason) seemingly gone dormant.
• Security threats haven't disappeared, however. We're still seeing as many or MORE technical security threats as in the past.
• Our topic today, however, relates to the (potential) evolution of higher ed "operational/technical security" to "governance, risk and compliance" (hereafter "GRC").

Page 5: Paul Proctor (Gartner) on "What Is GRC?"

• "GRC is the most worthless term in the vendor lexicon. Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have. For seven years I have battled this monolithic term and I fear I'm losing the battle. The alternative is to try to bring some clarity to its usage by defining some boundaries.
• "Here is our published GRC definition, which I [e.g., Paul Proctor] like[s]: "GRC is neither a project nor a technology, but a corporate objective for improving governance through more-effective compliance and a better understanding of the impact of risk on business performance. Governance, risk management and compliance have many valid definitions. The following definitions illustrate the relationship of the three terms and serve for Gartner's GRC research:
  – Governance — The process by which policy is set and decision making is executed.
  – Risk Management — The process for preventing an unacceptable level of uncertainty in business objectives with a balance of avoidance through reconsideration of objectives, mitigation through the application of controls, transfer through insurance and acceptance through governance mechanisms. It is also the process to ensure that important business processes and behaviors remain within the tolerances associated with policies and decisions set through the governance process.
  – Compliance — The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements."
• http://blogs.gartner.com/paul-proctor/2013/05/13/why-i-hate-the-term-grc/

Page 6: Operational/Tech Security vs GRC

• Operational/Tech Security:
  – Technical focus
  – Audiences: users, "techies"
  – Practitioner background: often computer science
  – Tools: improved coding, encryption, active scanning, passive monitoring, firewalls, anti-virus, forensics, etc.
  – Success? System usable and not hacked/cracked; no breach of PII, etc.
  – Some challenges: personnel (huge demand for technical talent, limited pipeline); resources (huge population to help but few resources); security vs. user convenience
• GRC:
  – NON-technical focus
  – Audience: board, sr. execs, auditors, policy folks
  – Practitioner background: often law, public policy, management, etc.
  – Tools: statutes/regulations/policies, plans, audits/other reports, cost analyses, resource allocation choices
  – Success? Followed plan and on budget; complied with all laws/specs; no bad publicity.
  – Some challenges: still seeing breaches even when "fully compliant"; all that "techie" security stuff...

Page 7: CIOs/CISOs And How We're Getting To GRC...

• Assume you're a Chief Information Officer (CIO) [or maybe a Chief Information Security Officer (CISO)].
• Cyber security is increasingly "in the news."
• Executive leadership wants to know "what's going on" in cyber security and "what steps are being taken to keep our institution safe?"
• Given the "importance of the issue" you've been given a "long" presentation slot (e.g., ten minutes) at the next executive leadership meeting to explain "in detail" what's being done [including five minutes for Q&A].
• Members of the executive leadership team are smart men and women, but they're juggling a million other major issues, too, and they're not really highly technical people.
• So what do you cover during that session?

Page 8: Maybe Operational Security Issues?

• The implications of MS Windows XP going end-of-life and no longer getting security patches from Microsoft, including your strategy for handling those EOL systems?
• Recent attempts to phish members of the campus community, and the role of multifactor authentication?
• Cryptolocker and other major recent malware threats?
• New results from scanning the campus for hitherto-unknown caches of personally identifiable information?
• The security benefits of the latest cloud-based security application the university would like to adopt, if funded?
• All terrific and important operational security topics, but NONE can be part of your presentation to the board: it would take too long to cover even just one such topic.
• Mr. Fail Boat says, "Ah ooh gah... now departing, pier #1..."

Page 9: OR... Do You Talk About "GRC"?

• Governance: someone's in charge of cybersecurity. There's a firm hand on the security tiller, and oversight. An "adult" is paying attention to what's going on in that area.
• Risk: We're "business savvy." We "get it" that fixing stuff costs money. We're not going to try to fix "everything," or buy solutions just because they're technically "cool"; we're only going to fix the security stuff that's really a problem, and only when it makes financial sense. There's a responsible hand on the institutional checkbook.
• Compliance: If the law says we have to do something (particularly if there are consequences if we don't), we know what we're supposed to do and we're going to do it; we're not ignoring specific legal requirements. Audits aren't going to come back full of embarrassing findings.
• GRC == a well-tailored approach for *that* audience.

Page 10: GRC Uptake Is Also Driven By "The Cloud"

• If you're outsourcing facilities and applications to third parties, your ability to even attempt to do technical security may be disappearing (you may simply not have the access you need to do technical security any more – e.g., you may not be allowed to check data center physical security, sniff traffic or actively scan the systems that are hosting your cloud-based applications). So what's left?
• Governance decisions about what applications will move to the cloud and who the organization will use and trust.
• Risk management via SLAs and contractually enforced protective mechanisms.
• Audit reports attesting to compliance with all applicable standards and requirements...
• If you're going to the cloud, you ARE going toward GRC.

Page 11: Contrasting Approaches: Awareness & Training

• Operational security approach: many of the vulnerabilities we see are associated with badly written web applications. Let's bring in some experts in the OWASP Top 10 web security issues, and ensure our developers know how to avoid accidentally allowing those bugs into the applications that they write. [In-depth technical training, selectively targeted, driven by observed local vulnerabilities]
• The GRC approach: The security framework we've adopted requires us to do annual security awareness training for our community, and if we don't do that training, we won't be in compliance – and some users may end up getting phished. Let's buy SANS "Securing the Human" training for end users. It not only ensures we're compliant, "it offers training that changes behaviors and reduces risk."
• Non-rhetorical question: which approach is "better?"

Page 12: Competition for Resources

• In an ideal world, we'd want BOTH operational/technical security AND GRC-based approaches.
• Unfortunately, in the real world, you've got finite budget and personnel slots. If you buy more OpSec people, you have less money left for GRC people, and vice-versa.
• Note that GRC has an "unfair" advantage in this competition: GRC-oriented people have direct access to senior leadership, and "they talk the language of those that hold the purse strings:" we've got a plan, there's an adult in charge, we're business savvy, and if you do what we tell you, you won't end up embarrassed.
• But "beating" OpSec people and successfully pushing GRC-based approaches may be a Pyrrhic victory (a victory with such a terrible cost that it is tantamount to defeat).

Page 13: 100% Compliant, But Also 100% P0n3d?

• You've made some hard choices, and allocated your limited resources. You're 100% compliant with all applicable requirements. You've assessed the risks your school faces, and your governance committee has signed off on a plan that follows a well-known security framework. Unfortunately, doing so has meant that you didn't have much money (or many staff slots) left for operational/technical cyber security.
• Late one Friday night you're contacted by a reporter from CNN... the "unthinkable" has happened and a major breach has occurred, exploiting a technical vulnerability that you knew about, but which was deemed "low risk...."

[Pinkie Pie graphic from http://mlp.wikia.com/wiki/Pinkie_Pie, CC-BY-SA]

Page 14: What Will You Say/Do?

• We can talk about the hypothetical case from the preceding slide, or about decisions in real life (someday, the two may even be exactly the same, unfortunately).
• You can fully meet all expectations of a GRC-oriented approach, and STILL end up experiencing a breach.
• If you'd spent more of your resources on technical/operational security, you might not have experienced a breach -- but then again, investing in technical/operational security also might make no difference.
• What will YOU say/do?

Page 15: Governance, Risk, & Compliance

Page 16: Governance – Engaging the Campus

• Security landscape is changing
• Level of resources can't compete
• Openness vs. lock-down strained
• Assets at risk are shifting
• Rethinking tolerance for risk
• Need more vertical and horizontal involvement in security planning

Page 17: Commonly targeted types of data*

Sensitive Enterprise Data
• Employee data
• Student records
• Financial data
• Recruitment and marketing data

Research with Potential Economic Value
• Energy technology
• Biotechnology, medical, and pharmaceuticals
• Engineering
• New materials, such as semi-conductors
• Information technology

Politically or Commercially Sensitive Information
• Climate modeling
• Economic data and projections
• Live animal research
• Product development data
• Information used for expert testimony

* Adapted from: Universities UK. "Cyber security and universities: managing the risk." November 2013.

Page 18: Potential impact of cyber attacks

Reputation
• May harm the University's reputation in the eyes of alumni, students, partners, businesses, and government agencies

Legal
• May leave the University in violation of laws or contract requirements
• Risk of prosecution, financial penalties, or withdrawal of existing and future funding

Economic
• May undermine the University's ability to capitalize on potential intellectual property or knowledge transfer

Operational
• May disrupt normal operations and result in significant remedial cost

Page 19: Governance, Risk, & Compliance

Page 20: Moving From Security to Governance, Risk and Compliance – Information Security

• Information Security and the Information Security Council (HEISC)
• Established by EDUCAUSE and Internet2 in July 2000
  ➢ Successfully providing a wealth of helpful resources to the higher education community
• The Higher Education Information Security Council (HEISC) mission has been to improve information security, data protection, and privacy programs across the higher education sector.
• It has actively developed and promoted leadership; awareness and understanding; effective practices and policies; and solutions for the protection of critical data, IT assets, and infrastructures for the higher education community.

Page 21: Moving From Security to Governance, Risk and Compliance – Three Areas of Focus for HEISC in 2014

Strengthen Foundations
• The council will strengthen communications and marketing of existing resources, especially to CIOs.
• HEISC will strengthen collaboration and coordinate conversations and activities with partner organizations such as Educause, Internet2, InCommon, and the REN-ISAC.

Continue to Build the Information Security Profession
• Annual Security Professionals Conference
• Expand and enhance a mentoring pilot program, while creating career development tools and resources that balance the technical and business needs of the profession.
• Promote the use of its key publication, the Information Security Guide, to security practitioners and other campus business groups.

Advance Information Security Strategies in Higher Education
• Begin building an Information Security Peer Review Program to be used by institutions for benchmarking and maturity assessment.
• Assist with building the EDUCAUSE Governance, Risk, and Compliance (GRC) program.

Page 22: Moving From Security to Governance, Risk and Compliance – Governance, Risk and Compliance (GRC)

• Moving from a specific focus on information security activities to:
  – An alignment with an institution's broader strategic goals;
  – A process for identifying, assessing and mitigating risks;
  – Policies and procedures for complying with audit requirements, laws and regulations.

Page 23: Moving From Security to Governance, Risk and Compliance – Let's Talk About the "R": IT Risk Management

• IT risk management refers to the process of identifying risk, assessing risk, and prioritizing the major IT risks associated with the organization's key objectives.
• Once the risks have been prioritized, the organization proceeds with taking steps to reduce risk to acceptable levels, or in some cases, to assume the identified risk.
• This typically means developing policies, procedures and action items (projects) to make changes to existing systems, and integrating risk mitigation strategies into the life cycle for new systems.
• The process includes monitoring risk mitigation activities to ensure that the risk has been reduced.

Page 24: Moving From Security to Governance, Risk and Compliance – Let's Talk About the "R": Enterprise IT Risk Management

• Enterprise IT risk management programs move beyond information systems and security risks associated with the IT organization.
• Institutional focus, not unit-specific.
• Aligns and prioritizes activities to address the identified IT risks that impact university-wide academic and business operations.
• These are IT risks that have a substantial financial impact, lead to lost productivity, distract from institutional goals, cause negative publicity, affect institutional reputation, etc.
• Enterprise IT risk management strategies help protect the institution so that it can achieve its strategic goals.
• Enterprise IT risk management requires collaboration between IT and the other academic and business areas of the university... it will not be effective if it is just an IT organization activity.
• One question to ask in identifying these enterprise IT risks is:
  ➢ What are the IT risks that would cause the university to fail to achieve its institutional goals and operational excellence?

Page 25: Moving From Security to Governance, Risk and Compliance – Let's Talk About the "R": Enterprise Risk Management

• Enterprise risk management (ERM) is continuing to mature and be implemented in higher education institutions.
• In 2003, Felix Kloman, founder and editor of Risk Management Reports, said that in the future institutions will look at risks affecting the whole of an organization and they will be enterprise-wide, integrated and holistic. [1]
• In 2013, Janice M. Abraham, President and CEO of United Educators, said the future is here for enterprise risk management. [1]
• Colleges and universities are assessing risks associated with physical assets, people assets, and cyber assets.

[1] "Good Risk Management Is Good Governance," an article excerpted from Risk Management: An Accountability Guide for University and College Boards (AGB Press, 2013), by Janice M. Abraham.

Page 26: Moving From Security to Governance, Risk and Compliance – Let's Talk About the "R": Enterprise Risk Management

• Sponsored and led by the President;
• It is a process effected by an organization's leadership;
• Developed and managed at the 'enterprise' level with all key academic and business areas included;
• Designed to identify and mitigate risks that would impact strategic objectives;
• Provides a framework for determining risk tolerance, developing mitigating strategies, and allocating resources.

Page 27: Moving From Security to Governance, Risk and Compliance – Let's Talk About the "R": Enterprise Risk Management

ERM Structure at the University of Maryland, Baltimore
• President
• Executive Committee
• ERM Steering Committee
• Subject Area Workgroups:
  ➢ IT Systems and Security
  ➢ Academic Affairs
  ➢ Campus security and public safety
  ➢ Clinical practice
  ➢ External and internal relations
  ➢ Facilities
  ➢ Environmental Health and Safety
  ➢ Finance and internal controls
  ➢ Global activities
  ➢ Government regulatory/compliance
  ➢ Human resources
  ➢ Research
  ➢ Risk management and insurance
• Collaboration across the enterprise
• Added visibility and value to IT Systems and Security

Page 28: Moving From Security to Governance, Risk and Compliance – Let's Talk About the "R": Enterprise Risk Management

• The ERM process is just as important as the product... it's a process, not a project;
• Creates a risk-aware culture throughout the enterprise;
• And influences an important positive change as the institution moves from security to an enterprise program of governance, risk and compliance.

Page 29: Governance, Risk, & Compliance

Page 30: Compliance: Not Alphabet Soup...

[Word cloud of compliance acronyms: ECPA, CFAA, DPPA, ITADA, CPNI, GLBA, PCI DSS]

Page 31: What is Compliance?

▪ "The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements."
  – Compliance focuses on validation, security focuses on protection
  – Compliance standards tend to be static in nature and are slow to be updated, where security is dynamic and ever changing

http://blogs.gartner.com/paul-proctor/2013/05/13/why-i-hate-the-term-grc/

Page 32: How is Compliance Achieved?

▪ It is achieved through management processes which
  – Identify the applicable requirements (e.g. laws, regulations, contracts)
  – Assess the current state of compliance
  – Assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance
  – Prioritize and initiate any corrective actions deemed necessary

Page 33: Does Compliance Equal Security?

Two different measurements which are not interchangeable:
You may be secure, yet not compliant.
You may be compliant, yet not secure.

Page 34: The Evolving Landscape

▪ Attacks continue to grow beyond most prevention & detection technologies and techniques
▪ Barriers to entry for bad actors are low
▪ Ability to apply invasive controls will be limited as IT will not directly own a user's device or the services provisioned to the device

Page 35: Importance of Governance, Risk Management and Compliance

Risk Decisions
• Transfer
• Accept
• Reduce
• Share

University Mission
• Patient care
• Service
• Research
• Education

▪ The goal is to reduce adverse impacts to an acceptable level of risk
  – Balance risk with the missions of education, research, service and patient care.
▪ Information security is not only a technical issue
  – It is a business and governance challenge that involves adequate risk management, reporting and accountability.
  – Effective security requires the active involvement of management to assess emerging threats and the response to them.