Property of the University of Notre Dame
Building a Risk-Based Information Security Program
Mike Chapple, University of Notre Dame
May 5, 2008
Obligatory Notice
Copyright Michael J. Chapple, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Overview
• Background
• Campus IT Risk Assessment (CITRA)
• Digesting the Results
• Implementing the Security Program
• Preliminary Results
Notre Dame
• Private, coeducational Catholic research university located in Northern Indiana
• Population of 10,000 students, 1,200 faculty and 5,300 staff
• Defining characteristics
  – Long tradition of undergraduate excellence
  – Dedicated to residential life (81% undergrads on campus)
  – Rapidly expanding research community and graduate programs; over the past decade:
    • 35% increase in PhDs awarded
    • 225% increase in sponsored research
IT at Notre Dame
• OIT is a centralized IT organization
  – Supports enterprise systems
  – Provides end user support for about 1/3 of campus
• Some colleges and business units have their own IT support groups
  – Varying levels of custom infrastructure
  – Several have their own networks
• Up until 2006, Information Security was a combination of implementing internal controls and external consulting
One Day Everything Changed…
Historical Context
Information Security at Notre Dame, 2005–2006 (timeline slide)
• 2002 – Information Security Office Established
• 2003 – Data Oversight Committee Established; Data Center Firewall Implemented; Data Access Policy Approved
• 2005 – Strong Password Initiative
• Jul-05 through Jul-06 milestones shown on the timeline: Incident; Incident Response; Initial PCI DSS Discussions; PCI DSS Assessment; Credit Card Network Inventory; CCSP Planning; CITRA
Campus IT Risk Assessment (CITRA)
CITRA Overview
• At the request of University Leadership, we commissioned a campus-wide IT risk assessment
• Partnered with “Big Four” consulting firm
• Scope included all uses of sensitive University data, in any form
• Tools used:
  – Network Scanning
  – Surveys and Interviews
  – Site visits
Assessment Process
Surveys
• 19 pages, 74 questions (mixture of multiple choice and open-ended)
• Pilot deployment with our own OIT business office, followed by a select handful of “friends”
• Full deployment included business managers from all academic and administrative units
• Accompanied by cover letter from Executive Vice President and Provost
• Achieved 100% response rate (after quite a few follow-up calls!)
Selected Questions
• What type(s) of sensitive data does your department store/process?
• What groups/roles have access to that data?
• Where do you store that data (physical and/or electronic)?
• Do you use encryption to protect stored information?
• How do you transmit sensitive data? How do you receive it?
• Do you use any web-based applications to collect data?
• How long do you retain sensitive information? How do you dispose of it?
• Do you share sensitive information with third parties?
Survey Results
Attribute – Percentage
Use Social Security Numbers – 88%
Share Passwords – 81%
Store Sensitive Data Locally – 77%
Transmit Sensitive Data Externally Without Encryption – 68%
Not Aware of Security Policies – 65%
Retain Sensitive Data Indefinitely – 63%
Together with the consultants, we surveyed respondents from 53 campus departments on data handling practices.
Business Unit Interviews
• 53 departments selected for individual or group interviews based upon survey responses
• Combination of academic and administrative units
• Intended to serve as a one-hour “deep dive” into survey responses
• Conducted by a team consisting of representatives from Information Security, University Archives and the consultant
Discussion Guide
• Walk through survey responses
• Types of sensitive data within the department
• Applications used to process data
• Electronic and paper-based data flow walkthrough
• Physical security of departmental spaces
CITRA Findings
• End result was 68 findings covering 10 key areas:
  – Information Security Framework
  – Data Classification and Handling
  – Access Control
  – Encryption Strategy
  – Configuration Standards
  – Physical Security
  – Technical Security Architecture
  – Disaster Recovery
  – Compliance
  – Information Security Awareness
• For example…
Digesting the Results
Planning Workshop
• Cross-functional team
• Analyzed CITRA results and created project specifications designed to remediate all medium/high risk findings
• Produced comprehensive project plan with resource estimates and sequencing
Resource Planning
• Discussed project objectives with resource managers
• Simple approach to resource ($$$ and staff) estimation:
  – Determine “best case” and “worst case” time and cost estimates
  – Average those endpoints
  – Surprisingly accurate!
Ranking System
• Each project ranked on costs (financial and staff), importance and urgency
Outcome
• Projects sequenced to prioritize high-risk findings and balance resource consumption
• Overall costs: $4.6M one-time, $630K recurring
• Presented to University leadership and funded in full
Implementing the Security Program
Program Mission
Identify confidentiality, integrity and availability risks to sensitive University information, and mitigate those risks to acceptable levels.
Program Objectives
The objectives of the program are to:
• Evaluate risks to the confidentiality, integrity and availability of sensitive information
• Establish and implement controls to fill critical gaps, as determined by institutional risk tolerance
• Create awareness of information security and proper data handling practices
• Establish and communicate security-related policies, procedures and standards
Program Plan
Policy
• It all begins with policy…really!
• Security Policies and Standards (FY 2007): Establish University-wide Information Security policies and handling standards based on ISO 17799
• Configuration Standards (FY 2007): Develop configuration standards for applications and mobile systems
• Software Development Lifecycle (FY 2010): Select and implement a SDLC model for use with OIT systems
Awareness, Training and Education
• 2.1 Employee Awareness (FY 2007-2008): Provide security awareness, communication and training for faculty & staff
• 2.3 Student Awareness (FY 2008): Provide security awareness, communication and training for students
• 2.2 Classification Workshops (FY 2008): Conduct workshops to aid Data Stewards in classifying their data
• 2.4 Sensitive Data Handler Training (FY 2008): Provide specialized training for those who work with sensitive University Data
• 2.5 Technical Security Training (FY 2009): Provide specialized technical security training for IT Professionals
Workstation Security
• 6.1 Initial Desktop Remediation (FY 2007): Apply a basic set of security controls to University workstations
• 6.2 Malware Management (FY 2008): Provide a solution for management and monitoring of antivirus and anti-spyware software on University systems
• 6.3 File Security (FY 2009): Conduct a vulnerability assessment and apply security controls to NetFile
• 6.4 Messaging Security (FY 2009-2010): Apply security controls to electronic mail and instant messaging
Server Security
• 7.1 Data Center Architecture Enhancements (FY 2008): Enhance security controls on the OIT Data Center front end
• 7.2 Server Integrity Monitoring (FY 2008): Formalize OIT server integrity monitoring infrastructure and processes
• 7.3 Database Security (FY 2008): Conduct a vulnerability assessment of University databases and implement appropriate controls
• 7.4 Departmental Server Consulting (FY 2008-2009): Conduct a security assessment of each departmental server and provide recommendations on alternative technologies and/or appropriate controls
• 7.5 OIT Server Management (FY 2008-2009): Implement security management practices for OIT servers with separation of duties and data segregation, where appropriate
Network Security
• 5.1 Border Security (FY 2007): Implement campus network border firewall to block unsolicited inbound connections
• 5.2 Network Device Management (FY 2007-2008): Implement security standards on campus network devices
• 5.3 Zoned Network and Wireless Security (FY 2008-2009): Design and implement a zoned network architecture with appropriate security controls on the wired and wireless networks
• 5.4 Intrusion Prevention (FY 2009): Replace the University’s existing intrusion detection system with a comprehensive intrusion prevention system
• 5.5 Network Admission Control (FY 2010): Implement controls to ensure that network-connected systems meet security standards
Security Infrastructure
• 4.1 Vulnerability Scanning (FY 2007): Create a scanning facility to proactively detect technical vulnerabilities in University systems
• 4.2 Security Review Process (FY 2007): Create a process for consistently conducting information security reviews
• 4.3 Sensitive Data Scanning (FY 2008): Create a scanning facility to proactively detect CC/SSNs stored in institutional file systems
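The Sensitive Data Scanning project above describes a facility that finds credit card and Social Security numbers at rest in file systems. The following is an added example of the core of such a scanner, written for this page; it is not code from the presentation or from Notre Dame's program. It pairs a card-number pattern with a Luhn checksum so that phone numbers and internal IDs are not reported as cards, applies a structural SSN pattern, and reports only masked values so the scan report itself does not become a new copy of the sensitive data. The sample documents and paths are constructed for the example.

```python
import os
import re
from typing import Dict, List, Tuple

# Patterns for the two data types the project description names: payment card
# numbers (CC) and US Social Security Numbers (SSN).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional space/dash separators
# SSN area/group/serial rules: area is not 000, 666 or 9xx; group is not 00; serial is not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes it, so failing it rules out
    most phone numbers, employee IDs and other digit runs that merely look card-like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return candidate card numbers (separators removed) that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> List[str]:
    return SSN_RE.findall(text)


def mask(value: str) -> str:
    """Keep only the last four characters in the report; never log the full value."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_documents(docs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """docs maps a path to its text content. Returns sorted (path, type, masked value) findings."""
    findings = []
    for path, text in docs.items():
        for card in find_card_numbers(text):
            findings.append((path, "card", mask(card)))
        for ssn in find_ssns(text):
            findings.append((path, "ssn", mask(ssn)))
    return sorted(findings)


def scan_directory(root: str) -> List[Tuple[str, str, str]]:
    """Walk a real file tree; files are read as text with undecodable bytes ignored."""
    docs = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                docs[path] = fh.read()
    return scan_documents(docs)


# Constructed sample "files" for the example. 4111 1111 1111 1111 is a well-known
# Luhn-valid test number; the other digit runs are chosen to fail the checks.
SAMPLE_DOCS = {
    "hr/payroll_2007.txt": "Employee ID 4471\nSSN: 123-45-6789\nPhone 574-631-5000\n",
    "dev/orders.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234567890123\n",
    "misc/notes.txt": "Nothing here: 000-12-3456 and 9999 8888 7777 6666\n",
}

if __name__ == "__main__":
    for path, kind, masked in scan_documents(SAMPLE_DOCS):
        print(f"{path}: {kind} {masked}")
```

The 13-digit run in orders.csv and the 16-digit run in notes.txt both match the card pattern but fail Luhn, and 000-12-3456 fails the SSN area rule, so only the two real findings are reported. In practice a scanner of this kind also needs file-type handling (office documents, archives), allow-lists for known test numbers, and a review step, since both patterns still produce occasional false positives on real data.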
Security Infrastructure (cont’d)
• 4.4 Application Logging (FY 2009): Capture enterprise application events in the OIT central log repository
• 4.7 Network Logging (FY 2009): Capture records of off-campus connections involving University systems
• 4.5 Security Log Analysis (FY 2009): Create a security log analysis capability for use with the central log repository
• 4.6 Firewall Management (FY 2009): Audit existing firewall rulebase and implement standard management practices
• 4.8 Rogue Wireless AP Detection (FY 2010): Provide the ability to identify unauthorized wireless access points on the University network
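The Firewall Management project calls for auditing the existing rulebase. As an added example, not taken from the presentation or from Notre Dame's program, the code below runs two checks that a rulebase audit typically starts with: rules that permit any source to any destination on any service, and rules that are unreachable because an earlier rule already matches everything they would match (shadowing). The rule format and the sample rulebase are constructed for the example; a real audit would first export the vendor's rulebase into a form like this.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One entry of a first-match firewall rulebase (constructed format for this example)."""
    name: str
    action: str   # "allow" or "deny"
    src: str      # IPv4 CIDR, or "any"
    dst: str      # IPv4 CIDR, or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port, or "any"


ANY_NET = ipaddress.ip_network("0.0.0.0/0")  # IPv4 only in this example


def to_net(cidr: str) -> ipaddress.IPv4Network:
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet matched by `narrow` is also matched by `broad`."""
    return (to_net(narrow.src).subnet_of(to_net(broad.src))
            and to_net(narrow.dst).subnet_of(to_net(broad.dst))
            and broad.proto in ("any", narrow.proto)
            and broad.port in ("any", narrow.port))


def is_permit_any(rule: Rule) -> bool:
    return (rule.action == "allow" and rule.src == "any"
            and rule.dst == "any" and rule.port == "any")


def audit_rulebase(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs in rulebase order.

    Shadowing is reported regardless of the earlier rule's action: an allow
    shadowed by a deny is dead, and an allow shadowed by a broader allow is
    redundant; both deserve review before the rulebase is cleaned up."""
    findings = []
    for i, rule in enumerate(rules):
        if is_permit_any(rule):
            findings.append((rule.name, "permit-any"))
        for earlier in rules[:i]:          # first-match semantics: only earlier rules can shadow
            if covers(earlier, rule):
                findings.append((rule.name, f"shadowed by {earlier.name}"))
                break
    return findings


# Constructed sample rulebase (addresses are private/documentation ranges, not real hosts).
SAMPLE_RULES = [
    Rule("r1", "allow", "any", "10.1.0.0/16", "tcp", "443"),
    Rule("r2", "allow", "10.2.0.0/24", "10.1.5.0/24", "tcp", "443"),   # redundant: r1 already allows it
    Rule("r3", "deny", "any", "10.1.9.9/32", "tcp", "22"),
    Rule("r4", "allow", "192.168.0.0/16", "10.1.9.9/32", "tcp", "22"),  # dead: r3 denies it first
    Rule("r5", "allow", "any", "any", "any", "any"),                    # catch-all permit
]

if __name__ == "__main__":
    for name, finding in audit_rulebase(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The shadowing test is deliberately strict (each field of the later rule must sit entirely inside the earlier rule's field); a rule that is only partially covered, or covered by the union of several earlier rules, is not flagged, which keeps the output free of false positives at the cost of missing some redundancy.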
Credit Card Security (CCSP)
• 3.1 CCSP Infrastructure (FY 2007): Create the infrastructure required to migrate card processing applications to the OIT data center
• 3.2 CCSP Application Migration (FY 2007-2008): Move card processing servers to the payment card environment located in the OIT data center
• 3.3 CCSP Monitoring (FY 2008): Implement ongoing technical monitoring of the payment card environment
• 3.4 CCSP Physical Security (FY 2008-2009): Upgrade data center physical security to meet PCI DSS requirements
Incident Handling
• 8.1 Incident Response Procedures (FY 2010): Create technical procedures for responding to information security incidents to supplement the existing Incident Response Plan
• 8.2 Forensics (FY 2010): Identify forensic resources for use in information security incident response
• 8.3 Incident Tracking System (FY 2010): Provide an information security incident tracking system
Sustaining Activities
• 9.1 Security Operations Center (FY 2008-2009): Create an operations center to monitor and provide initial response to security events
• 9.2 Recurring Risk Assessments (FY 2010): Establish a process for recurring, periodic risk assessments to measure risk to University data assets
• 9.3 Program Monitoring (FY 2010): Assess the ongoing effectiveness of the information security program
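The Network Logging, Security Log Analysis and Security Operations Center projects together describe collecting records of off-campus connections in a central repository and analyzing them for events worth a response. The following added example, written for this page and not part of the presentation or Notre Dame's program, shows the smallest useful version of that pipeline: parse authentication log lines, classify each peer as on- or off-campus against the institution's address ranges, and flag off-campus sources that fail repeatedly and then succeed. The campus ranges, log format and sample lines are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed campus address space for the example (not the University's real ranges).
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed OpenSSH-style line: "<timestamp> <host> sshd[<pid>]: Accepted|Failed password for [invalid user] <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def is_off_campus(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CAMPUS_NETS)


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only authentication events; other daemons' lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def off_campus_connections(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The records the Network Logging project would retain: connections with an off-campus peer."""
    return [e for e in events if is_off_campus(e["ip"])]


def repeated_failure_sources(events: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Off-campus sources with at least `threshold` failed logins."""
    fails = Counter(e["ip"] for e in events
                    if e["result"] == "Failed" and is_off_campus(e["ip"]))
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def success_after_failures(events: List[Dict[str, str]], threshold: int = 3) -> List[Tuple[str, str]]:
    """(ip, user) pairs where a flagged source later logged in successfully: the
    case an operations center would want to review first."""
    flagged = set(repeated_failure_sources(events, threshold))
    return sorted({(e["ip"], e["user"]) for e in events
                   if e["result"] == "Accepted" and e["ip"] in flagged})


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2008-05-05T08:01:02 srv1 sshd[2201]: Accepted password for alice from 10.12.4.7 port 51022 ssh2",
    "2008-05-05T08:02:10 srv1 sshd[2205]: Failed password for invalid user admin from 203.0.113.9 port 40011 ssh2",
    "2008-05-05T08:02:11 srv1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.9 port 40012 ssh2",
    "2008-05-05T08:02:13 srv1 sshd[2207]: Failed password for root from 203.0.113.9 port 40013 ssh2",
    "2008-05-05T08:02:20 srv1 sshd[2209]: Accepted password for bob from 203.0.113.9 port 40020 ssh2",
    "2008-05-05T08:03:00 srv2 sshd[3100]: Failed password for carol from 10.44.1.2 port 50001 ssh2",
    "2008-05-05T08:04:00 srv2 sshd[3102]: Accepted password for dave from 198.51.100.4 port 50002 ssh2",
    "2008-05-05T08:04:05 srv2 ntpd[100]: time reset +0.2s",
]

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(f"{len(off_campus_connections(events))} off-campus connection records")
    for ip, user in success_after_failures(events):
        print(f"review: {user} accepted from {ip} after repeated failures")
```

The on-campus failure from 10.44.1.2 is kept in the record but not flagged, which is the kind of policy decision (what counts as an event, what the threshold is) that the Security Log Analysis project would formalize once the central repository exists.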
Preliminary Results
Current Status
Program Highlights
• For the most part, on-time completion under budget
• Some “in-flight” changes to the plan to:
  – Reprioritize project sequencing
  – Address new risks (e.g. Web application security)
  – Balance resource utilization with other initiatives
Policy and Standards
• Policy complete and awaiting Officer approval
• Operating system standards in place
• Application standards complete and published
Chart: Policy Usage (Spring 2007 – Fall 2007)
Vulnerability Scanning
Awareness
• Goal: Engage 85% of the faculty and staff at least twice annually
Questions