Building An Information Security Practice

Building an Information Security Practice: Northeastern’s Experience

Copyright Glenn C. Hill, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Glenn C. Hill, CISSP
Manager of IT Security
Northeastern University
Boston, MA
The beginning is the most important part of the work.
Plato

Compelling Issues
Vast amounts of information.
Open environment.
Decentralized functions.
Customer expectations.
Institutional responsibility.
Financial, operational & reputational risks.
Increasing threat profile.

Imperatives for Understanding
Technology service model.
  • Increasing deployment of electronic self-service experiences.
Technology landscape.
  • New technologies, exploits and vulnerabilities.
Threats and vulnerabilities.
  • Increasing each day.

Imperatives for Understanding
Customer and community expectations.
  • Safe and secure computing experiences.
  • Protection of privacy.
  • Open access.
  • Freedom from interference with learning and business processes.
Regulatory compliance requirements.

If Columbus had an advisory committee, he would probably still be at the dock.
Justice Arthur Goldberg (1908-1990)
Options for Action
Hire a consultant…they’ll tell us what to do.
  • Expensive.
  • Not all security concepts are portable from one industry to another… “We’re not a bank.”
  • All engagements end someday.
  • Security requires continuous investment.

Options for Action
Outsource
  • We don’t know what we don’t know.
  • Insufficient decision support data.
  • Traditional pitfalls…
      • Truly understand the “edu” environment?
      • Understand and actualize the culture?
      • Real cost of outsourcing
      • Contractual issues

Options for Action
Create a security practice.
  • Flexibility.
  • Control of costs.
  • Enables building to meet needs.
  • Integrates security function into environment from the inside out.
  • Ongoing engagement…the gift that keeps on giving.

Education is learning what you didn’t even know you didn’t know.
Daniel J. Boorstin, Librarian of Congress Emeritus
Getting started: What we didn’t know
What should an Information Security program look like?
What resources are required?
What will it cost?
What are the key relationships?
What type of person is best suited for the role?

Getting started: What we didn’t know
What experience should we look for?
What should we expect from the role?

The “Project”: Build an IT security practice.
Create a position: IT Security Manager.
CIO and Executive Director of IS articulated the initial charge:
  • Identify and establish key relationships.
  • Recommend security goals and architecture.
  • Figure out what needs to be done.
  • Prioritize.
  • Seek low-hanging opportunities.
  • Demonstrate value-add.

Candidate Selection: Key attributes
Appropriate background experiences
  • Business
  • Technology
  • Policy, legal and regulatory awareness
  • Cross-functional awareness
  • Influence skills
  • Investigation skills

Candidate Selection: Key attributes
Familiarity with information assets of the “edu” environment.
  • Student, faculty and staff personal information
  • Institutional data (financial, strategic)
  • Student record information (FERPA protected)
  • Intellectual property

Candidate Selection: Key attributes
Appreciation of constituencies and what’s important to each:
  • Students (access, privacy)
  • Faculty (access, academic freedom)
  • Staff (access, privacy, security)
Self-directed, quick start.

Candidate Selection: Key attributes
Diplomatic skills
  • Ability to engage others in difficult discussions without provoking undue alarm, fear or ineffective behaviors.
Brokerage skills
  • Ability to bring people together in discussion.

Candidate Selection: Key attributes
Influence and change agency skills.
  • Sensitivity to legacy interests.
  • Recognition of change opportunities in people and process.
  • Recognition of values and currencies across interests.
Catalyst.
  • Facilitate and speed interaction and cooperation between individuals & groups.
Expectations of the Position
Understand the imperatives.
Identify key relationships.
Create shared values and trust.
Develop security framework.
Figure out what needs to be done.
Articulate essential processes and procedures.

Expectations of the Position
Exploit low-hanging opportunities.
Take baby steps.
Prove value.
Be effective.
Avoid getting in the way.

Key Challenges in the Position
No reporting relationships.
No “instruction book” for implementing security in the academic environment.
Prescription may be good for security, but doesn’t always translate well into the EDU environment.
Pull works better than push.
No staff adds during first year.

The Core Skill: Seek to balance controls and access
[Diagram: a balance with Controls on one side and Access on the other]
Customers can access what is required, and no more.
Appropriate controls are in place.
Risk is effectively managed.

Expanded Core Skill: Seek to balance all interests
[Diagram: the balance extended to all interests: Controls, Risk, Need for open access, Privacy & security, Student interests, Faculty interests, Staff interests, Regulatory]
Analysis and Problem-Solving

Analysis and Problem-Solving: What we looked at
People
Business
Security model
Costing, measuring, evaluating

People
Identify key relationships.
Establish rapport with students, faculty and staff.
Become visible and available.
Develop security awareness program.
Be the person who is there to help.

Business
Understand…
  • businesses and customer expectations.
  • relationships between businesses and customers.
  • key information assets, owners and custodians.
Perform data classification
  • (identify the information, its value, and cost of compromise)

Security Model
Application of security model to problems
  • Where does the model make sense?
  • What needs to be done? Priorities?
Costing, Measuring and Evaluating
  • What does security cost?
  • What do we measure and how?
  • How to evaluate effectiveness/efficiency?

Security Model
Analysis and understanding of traditional security model in business
  • “We’re not a bank.”
  • What parts of the model make sense for us?
Apply appropriate parts of the model.
  • Can’t lock down everything.
  • Selective/judicious application of controls.

Applying Security Practices to Problems
Risk analysis
  • (cost of consequence v. cost of protection)
Recommend and cost appropriate administrative, physical and logical controls to protect information.
Help business unit leaders and IT managers weigh costs v. benefits.

Costing, Measuring and Evaluating
Quantify cost of security.
What we measure.
  • Types of activities (AUP, Security, and Risk)
  • Hours invested, costs avoided.
How we measure it.
  • Incident tracking system.

Costing, Measuring and Evaluating
Look at risks mitigated, costs avoided.
Create and share metrics across key relationships and constituencies.
Outcomes/Achievements

Outcomes/Achievements
Formed key administrative relationships:
  • Office of University Counsel
  • Internal Audit
  • Human Resources
  • External Affairs
  • Public Safety, Student Affairs
  • Office of the President, Office of Provost

Outcomes/Achievements
Formed key business relationships:
  • Office of the Registrar (FERPA)
  • Enrollment Management
  • Customer Service Center (for students)
  • Office of the Controller (GLB)
  • Faculty representation (faculty senate)
  • Division of Research (ethics)
  • Residential Life (ResNet network)
  • HIPAA covered entities

Outcomes/Achievements
Formed key community relationships:
  • Students
  • Student representation (RSA)
  • Student media leadership
  • Student advisory groups

Outcomes/Achievements
Formed individual relationships:
  • Faculty
  • Students with specific questions/needs
  • External media

Outcomes/Achievements
Updated Appropriate Use Policy (AUP).
  • The foundation for policy enforcement and assertion of everyone’s rights and interests.
Instituted annual review/update cycle.

Outcomes/Achievements
Created Appropriate Use incident management process.
  • Case intake and documentation
  • Investigation
  • Developmental discussion
  • Identification of sanctioning bodies
  • Development of sanction recommendations
  • Case escalation and referral procedure

Outcomes/Achievements
Made change in Appropriate Use incident management process:
  • OLD: direct referral to disciplinary process
  • NEW: developmental discussion first, then referral to disciplinary process if necessary

Outcomes/Achievements
Developed Security Awareness Training Program for students, faculty and staff
  • Information Security and YOU…Partners in Protection
  • One hour presentation
  • “My security self-assessment” instrument
  • Introduction to assets, value and cost of consequence
  • Self-help recommendations

Outcomes/Achievements
Developed targeted Security Awareness Training Program for students
  • Delivered in ResNet “town meeting” forums.
  • Topics: Appropriate Use, Computer security, Copyright compliance, Spam

Outcomes/Achievements
Using AUP incident response process as a model, created incident response outline for Security and Risk Management activities.

Outcomes/Achievements
Security incidents:
  • Loss of confidentiality
  • Physical loss of information assets
  • System intrusion attempts
Risk incidents:
  • Electronic threats to persons and property
  • System vulnerabilities
  • Business and operational risks

Outcomes/Achievements
Identified additional opportunities for security contribution:
  • University Crisis Team
  • Business Continuity and Disaster Recovery
  • Academic Honesty and Integrity Team
  • HIPAA Compliance Team
  • GLBA Compliance Team
  • Guest lecture services for faculty

Outcomes/Achievements
Integrated security reviews into new product development efforts.
Began collecting & sharing monthly metrics.
  • How many incidents of each type (AUP, Security, Risk)
  • Time investment per incident
  • Outcomes and trending
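As an added illustration of the monthly metrics described above (example code written for this page, not Northeastern’s incident tracking system), the following Python aggregates a constructed incident log in the deck’s three activity types (AUP, Security, Risk) into incident counts per month, hours invested per incident, costs avoided and the developmental-versus-sanction outcome mix. The export layout, the sample records and the cost-avoided figures are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample export from a hypothetical incident tracking system:
# opened date, activity type (AUP, Security, Risk), incident kind,
# hours invested, estimated cost avoided (assumed figures), closing outcome.
SAMPLE_LOG = """\
2003-09-03,AUP,copyright complaint,1.5,0,developmental
2003-09-10,AUP,spam relay,2.0,500,developmental
2003-09-12,Security,system intrusion attempt,6.0,12000,resolved
2003-09-20,Risk,system vulnerability,3.0,4000,resolved
2003-10-02,AUP,copyright complaint,1.0,0,developmental
2003-10-05,AUP,harassment,4.0,0,sanction
2003-10-11,Security,loss of confidentiality,8.0,25000,resolved
2003-10-15,Security,physical loss of asset,2.5,3000,resolved
2003-10-22,Risk,business risk,5.0,0,resolved
2003-10-28,AUP,spam relay,1.5,500,developmental
"""

CATEGORIES = ("AUP", "Security", "Risk")


@dataclass(frozen=True)
class Incident:
    opened: date
    category: str
    kind: str
    hours: float
    cost_avoided: float
    outcome: str


def parse_log(text):
    """Parse CSV export lines into Incident records; reject malformed rows early."""
    incidents = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        opened, category, kind, hours, cost, outcome = fields
        if category not in CATEGORIES:
            raise ValueError(f"line {lineno}: unknown category {category!r}")
        incidents.append(Incident(date.fromisoformat(opened), category, kind,
                                  float(hours), float(cost), outcome))
    return incidents


def monthly_metrics(incidents):
    """Per (YYYY-MM, category): count, total and average hours, cost avoided, outcome mix."""
    table = {}
    for inc in incidents:
        key = (inc.opened.strftime("%Y-%m"), inc.category)
        row = table.setdefault(key, {"count": 0, "hours": 0.0,
                                     "cost_avoided": 0.0, "outcomes": defaultdict(int)})
        row["count"] += 1
        row["hours"] += inc.hours
        row["cost_avoided"] += inc.cost_avoided
        row["outcomes"][inc.outcome] += 1
    for row in table.values():
        row["avg_hours"] = round(row["hours"] / row["count"], 2)
        row["outcomes"] = dict(row["outcomes"])
    return table


def trend(table, category):
    """Month-ordered incident counts for one category, zero-filled for quiet months."""
    months = sorted({month for month, _ in table})
    return [(m, table.get((m, category), {"count": 0})["count"]) for m in months]


def developmental_resolution_rate(incidents):
    """Share of AUP cases that closed at the developmental discussion phase."""
    aup = [i for i in incidents if i.category == "AUP"]
    if not aup:
        return 0.0
    return round(sum(i.outcome == "developmental" for i in aup) / len(aup), 3)


def report(table, incidents):
    """Render the table the way it would be shared with constituencies."""
    lines = [f"{'month':8} {'category':9} {'n':>3} {'hours':>6} {'avg':>5} {'avoided':>8}"]
    for (month, cat), r in sorted(table.items()):
        lines.append(f"{month:8} {cat:9} {r['count']:3d} {r['hours']:6.1f} "
                     f"{r['avg_hours']:5.2f} {r['cost_avoided']:8.0f}")
    rate = developmental_resolution_rate(incidents)
    lines.append(f"AUP cases resolved at developmental discussion: {rate:.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    incs = parse_log(SAMPLE_LOG)
    print(report(monthly_metrics(incs), incs))
```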
Before and After

Security Questions & Problems
Before:
  • Customers didn’t know where to go for help with security questions and problems.
Effects:
  • Delayed answers/resolutions.
  • Unnecessary risks.
After:
  • There is a person to speak to, and a procedure for each problem.

Appropriate Use Policy
Before:
  • Appropriate Use Policy was weak and hard-to-find.
Effects:
  • Difficult for readers to understand how to comply.
  • Hard to enforce the AUP.
After:
  • AUP more clear, concise and easy-to-find.
  • Forms an improved foundation for protecting the rights of all individuals.

Security Awareness Training
Before:
  • No Security Awareness Training Program in place.
Effects:
  • Out of sight = out of mind.
  • Customers had no foundation to understand security in the context of their work.
After:
  • Foundation for understanding established.
  • Customers better able to apply concepts to their work.

Perceived value of security
Before:
  • Security seen as an inconvenient obstacle.
Effects:
  • No rationale for individual investment.
After:
  • People now ask about security.
  • Risks are being proactively addressed and reduced.

Stewardship in projects
Before:
  • Security didn’t have stewardship in University projects.
Effects:
  • Unnecessary risk exposure.
  • Re-work to shore up security.
After:
  • Security now an integral part of many projects.
  • Much of security work gets done up front.

Developmental process
Before:
  • AUP violators didn’t have an opportunity for developmental discussions.
Effects:
  • No basis for understanding real risks of ineffective/risky behaviors.
After:
  • 99% of all cases resolve at the developmental discussion phase, as opposed to sanction phase.

Successes

Successes
Created the key relationships.
Created security awareness.
Illustrated relevance of security to all roles.

Successes
Turned the tide from security being an inconvenience, to becoming an enabler.
Achieved risk reductions across multiple exposures.

Failures

Failures
We didn’t catch all the risks.
Didn’t create awareness deep into faculty constituency.
Some discussions/interactions were strained. Relationships required repair.
Ineffective at gaining full implementation of recommended technical controls.

Lessons Learned (Top Ten)
Lessons Learned: 1
The security leadership position is not a technical role.
Rather, it is a program manager role.
The role must be comfortable as a program manager, and must be able to know when to put on the technical hat.

Lessons Learned: 2
Security awareness is not a natural thought process for everyone.
Sometimes you don’t know what you don’t know.
The role must plant/grow the seeds of awareness, and illustrate the relevance of security to all roles.

Lessons Learned: 3
A commitment to security implies investment primarily in a security leadership position itself.
The investment needn’t involve spending money on technology.
Invest in the human resource first.

Lessons Learned: 4
While security and privacy are important to most people, we tend to be uncomfortable talking about security weaknesses.
The role must de-mystify security and steward creation of appropriate settings and processes to discuss security issues.

Lessons Learned: 5
Security is on everyone’s mind, but not everyone understands how to apply security in the context of their work.
Ability to articulate and quantify risk and cost of consequence is an essential element of gaining a motivated audience.

Lessons Learned: 6
The “starter” key relationships are:
  • Office of University Counsel
  • Internal Audit
  • Human Resources
  • External Affairs
  • Public Safety, Student Affairs
  • Office of the President, Office of Provost

Lessons Learned: 7
Over-prescription creates little gain in security at the expense of willingness and cooperation from customers.
Security is a “living thing”, not a one-time project.
Find ways to attract and retain customers in security discussions and activities.

Lessons Learned: 8
Few security answers are binary.
The vast majority of answers are analog.
The ability to discriminate which situations require a binary answer, and which require a more introspective analog answer, is essential.

Lessons Learned: 9
Measurement is essential to illustrate value and costs, and to underwrite future success.
  • Keep track of what you do.
  • Tabulate.
  • Quantify.
  • Report.
  • Share (with discretion)

Lessons Learned: 10
The beginning is the most important part of the work.

Contact Information
Glenn C. Hill, CISSP
Manager of IT Security
Northeastern University
403 Richards Hall
Boston, MA 02115
617.373.7718
[email protected]

Building an Information Security Practice: Northeastern’s Experience
Questions and Answers