Designing Services for Security: Information Security Management throughout the Service Lifecycle...

Preview:

Citation preview

Designing Services for Security:

Information Security Management throughout the Service Lifecycle

Sarah Irwin & Craig Haynal2015 Penn State Security Conference, October 14, 2015

Session Roadmap

• Security Landscape• Current Challenges• Service Management at Penn State • Designing for Security• Call to Action

Security Landscape

When I say “Sensitive Data”….

You probably think of:

Photo credit: frankleleon

Photo credit: NEC Corporation of America

Photo credit: Alan Levine

Photo credit: GotCredit

http://www.databreachtoday.com/experian-faces-congressional-scrutiny-over-breach-a-8580 / http://www.databreachtoday.com/etrade-dow-jones-issue-breach-alerts-a-8586

You probably also think of:

www.target.com

www.homedepot.com

http://www.engr.psu.edu/

http://www.la.psu.edu/

Traditionally…

• Sensitive data includes things like:• Personally identifiable information (PII)• Payment Card Industry (PCI) data• Health Insurance Portability and Accountability Act (HIPAA)• Family Educational Rights and Privacy Act (FERPA)

But it’s more than just PII• Research• Human subjects• Deductive disclosure risk• Contract data• Geographic ID’s

• Student information• Transgender community• Confidentiality holds• Mental health counseling

• Administrative• HR records• Budget information• Salary and review information

• Laws and Regulations• Federal and state laws and regs• University policies• Third party contracts

It’s also becoming more prevalent

FY2010 FY2011 FY2012 FY2013 FY20140

10

20

30

40

50

60

70

80

90

100

3

20

38 39

90

Sensitive data contracts processed by the Office of Sponsored Programs per fiscal year

Current Challenges

Our Data Security Environment

Highly decentralized,

disparate IT environments and

support

Inconsistent standards

and policies

Lack of awareness and understanding

Pain Points

IT

• Lack of communication or notice between IT and users• IT is an afterthought, typically brought in after project starts• Historic lack of trust that IT can provide what users need

Users

• Currently, few central IT services for restricted data• Local IT staff assist in some colleges/departments • Many users left to sort out IT needs on their own

Secure Technology + Safe People + Sound Process = Security

Reactive IT

Retrofitting

Service Managementat Penn State

IT Services

People

TechnologyProcess

Services

• A means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks.

• Service ≠ Product

• Unlike products, services often have no intrinsic value.

Service Management at Penn State

• IT Transformation Program (ITX)• The program tasked with developing and implementing the Penn State

Service Management Program.

• Penn State Service Management Program (PSSMP)• An accepted standard for University service models, processes, and tools that

improves the consistency and efficiency of Penn State services.• By using a common language and set of procedures, Penn State units will

unite in providing efficient, high-level customer service, while reducing service redundancy and cost across the University.

ITIL Framework

• Service Strategy• Service Design• Service Transition• Service Operation• Continual Service Improvement

ITX/PSSMP Processes

Current:• Incident Management• Change Management• Service Catalog Management• Request Fulfillment

Future:• Service Portfolio Management• Project Portfolio Management• Resource Portfolio Management• Knowledge Management• Problem Management• Project Management• Service Asset and Configuration

Management

ITX/PSSMP Processes – Greatest Security ImpactCurrent:• Incident Management• Change Management• Service Catalog Management• Request Fulfillment

Future:• Service Portfolio Management• Project Portfolio Management• Resource Portfolio Management• Knowledge Management• Problem Management• Project Management• Service Asset and Configuration

Management

People

TechnologyProcess

Designing for Security

Designing Services

Warranty

Availa

bility Capacity

Continuity Security

QualityService

Value

Utility WarrantyValue

Design Coordination

Define & maintain

policies and methods

Plan design resources and

capabilities

Coordinate design activities

Manage design risks & issues

Improve service design

Plan individual design

Coordinate individual design

Monitor individual design

Review design and ensure handover of

service design package

Overall service design process:

Per design process:

Service Design Package

Major components• Requirements• Service design• Organizational readiness

assessment• Service lifecycle plan

Security checkpoints• Gather security requirements• Plan for security• Ensure adequate security

training• Incorporate security checkpoints

into the plan

Information Security Management System

Control

Plan

Implement

Evaluate

Maintain

Information Security ManagementProduce/maintain

information security policy

Assess/categorize risks and vulnerabilities

Report security risks and threats

Implement/review security controls and risk

mitigation

Monitor/manage security incidents

Enforce security policy

Review/report/reducesecurity incidents

Design focusOperation focus

Security management information system (SMIS)

Information security policy

Security reports and information

Security controls

Security risks and

responses

RESILIA™ Cyber Resilience Best Practice • A practical framework for building and managing cyber resilience,

reflecting the changing need not only to detect and protect against cyber-attacks but also to respond and recover from them.• Provides security guidance aligned with the service lifecycle from the

ITIL books:• Service strategy• Service design• Service transition• Service operation• Continual service improvement

Call to Action

Start Small: Learn

• Learn about Penn State’s policies that pertain to security, especially data categorization: http://guru.psu.edu/policies/AD71.html (and the related guideline: http://guru.psu.edu/policies/ADG07.html)• Understand the minimum security baseline and be ready to

incorporate it into your services: http://sos.its.psu.edu/minimum-security-baseline.html

Focus on People

• Have conversations about the types of data that will be handled by IT services up front• You may have to educate your customers and users on data

categorization in order to discover their information security needs• Negotiate the right level of security before you plan, purchase, or

build anything• Always plan for user education, especially when it comes to securely

using services

Design Better Services

• Plan your services; don’t just rush to solutions without fully understanding the problems, particularly when it comes to security• Remember that good IT services focus on helping customers achieve

outcomes and consider people and process in addition to technology• Make sure your services not only have the needed features (utility)

but also live up to their commitments (warranty)• Taking the time to design services for security will be much less

expensive than retrofitting or replacing them later

Any Questions?

Recommended