
Office of Campus Information Security

Date post: 12-Jan-2016
Page 1: Office of Campus Information Security

Office of Campus Information Security

Driving a Security Architecture by Assessing Risk

Stefan Wahe ([email protected])

Sr. Information Security Analyst

Page 2

Realizing our Principles

• Answering the question, “Why?”

• To have a common understanding of building a secure architecture.

• Developed based on NIST 800-27, ISO 27001, CIC schools, and other publications.

Page 3

OCIS IT Security Principles

1. Security is Everyone’s Responsibility

2. Security is Part of the Development Life Cycle – Information Privacy and Assurance; Usability; and Defense in Depth.

3. Security is Asset Management – Classify Information; Least Privilege; and Separation of Duties.

4. Security is a Common Understanding – Due Diligence; Manage Threats, Risks, and Costs; and Incident Management.

Page 4

Risk Assessment Process

Step 1: Letter of Engagement

Step 2: Conduct the Assessment

Step 3: Draft Report on Findings

Step 4: Communicate Findings

Step 5: Re-Assess

Page 5

Building a Common Understanding: Managing Risk

[Figure: diagram relating Risk and Impact to Mitigation Controls and their cost. Labels recovered from the slide: Risk, Impact, Mitigation Controls, $ Care $]

Page 6

Example Question

• Does the system maintain a Configuration Management methodology that includes:

  1. A documented process for reviewing, approving and implementing changes

  2. Version control for software system components

  3. Timely identification and installation of all applicable patches for any software used in the provisioning of the CS.

Page 7

Common Gaps

• Common Security Gaps (examples)

  – The system infrastructure needs to be segmented with robust firewall controls.

  – Encryption controls and key management procedures should be implemented for data at rest.

  – Restricted data needs to be sanitized in non-production environments.

  – Intrusion detection, prevention and log management devices should be installed and maintained with appropriate alerting processes.

Page 8

Integrating a Security Culture

• Awareness and Training

  – SANS Secure Web Development

• Policy Development and Best Practices

  – Restricted Information Management Practices

  – Desktop Encryption Policy

• Centralized Resources

  – Security Event Management

  – Network Management

  – Desktop Tools

  – PKI

Page 9

Questions

• How can we help you?
