Government Technology Conference – Southwest, June 13, 2011
Implementing an Information Security Program
William Tompkins, Information Security Officer
Chris Cutler, Director, Network Infrastructure & Support Section
Teacher Retirement System of Texas
William Tompkins
William Tompkins is the Information Security Officer at Teacher Retirement System of Texas. He has more than 27 years of technical, managerial and consulting experience in information technology and more than 17 years in information security. Over the past 25 years he has developed and implemented information security programs in multiple state agencies and within the Univ. of Texas HSC at San Antonio. He is internationally recognized as a leader in information technology security.
William was elected to the ISSA Hall of Fame in 2006 by the ISSA International Board of Directors (Information Systems Security Association). He is a Certified Information Systems Security Professional and a Certified Business Continuity Professional.
Mr. Tompkins holds two Bachelor of Science degrees, Psychology and Computer Information Science, from Troy State University in Alabama and Certification in Risk Management from University of Texas at Austin Division of Continuing Education.
Chris Cutler
Chris has over 22 years of experience in State Government, including 19 years in Information Technology Management. He has worked for the Teacher Retirement System of Texas (TRS) since January 1994 and currently holds the position of Director of Network Infrastructure & Support. In this position, he manages teams that are responsible for all phases of network and systems management including LAN/WAN systems, server/desktop computing, enterprise client/server applications, IT service desk, site support and telecommunications.
Chris holds an M.B.A. in Management Information Systems from St. Edward's University and a B.B.A. in Computer Information Systems and Business Management from McMurry University. Technical certifications include Novell Master CNE, Microsoft MCSE and ITIL v3 Foundations.
Agenda
• Governance
– Risk Program
– Data Classification
– Controls
– Education
– Availability
– Physical
– Incident Response
• Architecture & Infrastructure
– Network Security Architecture
– Remote Access
– IT Systems Management (ITIL)
– Change management
– Logging, monitoring, metrics
– Penetration testing
• Emerging Trends
– Virtualization
– Web Application IDS
– Personal / Remote Devices
– Social Media
Excerpt from Federal Sentencing Guidelines
“An effective compliance program means a program that has been reasonably designed, implemented and enforced so that it generally will be effective in preventing and detecting criminal conduct. Failure to prevent or detect the instant offense, by itself, does not mean that the program was not effective. The hallmark of an effective program is that the organization exercises due diligence in seeking to prevent and detect criminal conduct by its employees and other agents.”
Governance
Mission
Goals
Policy
Guidelines
Standards
Procedures
Governance: Core Team
• Composition
– Organization-wide representation (as much as possible)
• Tasks
– Data classification [ Owners ! ]
– Documentation (Security Policy/Manual)
– Education
Risk Management Program
• Establish Information Risk Management Policy
– Document roles & responsibilities
• Identify and measure risks
– Project sizing (scope, constraints)
– Threat analysis
– Asset identification and valuation
– Vulnerability analysis (identification of all vulnerabilities that could increase frequency or impact of threat)
– Risk evaluation
Risk Program (continued)
• Establish Risk Acceptance criteria.
• Mitigate risk.
– Safeguard selection and mitigation analysis:
• Evaluate safeguards and the degree to which they mitigate the risk
– Cost benefit analysis
• Monitor information risk management performance.
Data Classification
What Does Classification Enable?
• Organization’s processes to:
– Secure information as needed
• Confidential, PII, PHI
– Retain and manage needed data
– Dispose of data with authority and without risk
– Identify and preserve data in crises
– Access for operations and produce data for legal and auditing
Classification Criteria
• Value - Classify information that is valuable to an organization or its competitors.
• Age - Classification is lowered if information’s value decreases on a specific date. Ex: press release.
• Useful Life - Classification is lowered if information becomes obsolete due to new information or changes that evolve over time, usually years. Ex: product specs.
• Personal Association - Information may be associated with specific individuals or addressed by privacy law.
Controls
Controls
• Technical
– O/S and application controls
– Firewall, router, mail filters
– Audit logs
• Administrative
– Document unit processes
– Walkthroughs
– Enforcement
Malware
• is malicious software that is installed without the user’s knowledge. It includes:
– viruses
– worms
– trojans
• disrupts operation
• steals information
• self-propagates
• in some cases it destroys data
Countermeasures to Malware
• Keep your PC updated.
– Visit Microsoft Update --or-- turn on Automatic Updates.
• Use an Internet firewall (IPS & IDS)
• Subscribe to industry standard antivirus software and keep it current.
• User education !
– Never open an e-mail attachment from someone you don't know.
– Avoid opening an e-mail attachment from someone you know, unless you know exactly what the attachment is. The sender may be unaware that it contains a virus.
Source: http://www.microsoft.com/athome/security/viruses/default.mspx
Email, Internet & Social Media
• Email for official correspondence
– Standardized “Subject:” line ?
– Standardized content?
– Delivery confirmation?
– Read confirmation?
• Email for personal correspondence
• Prohibited use ?
Email, Internet & Social Media
• Internet for official business
– Access to other businesses (insurance, investments)
– Access to other state (government) agencies
• Prohibited use ?
Education
Documentation / Education
• Policy
• Security Manual
• Procedures
Security Manual
• Reflects organization’s applicable laws and regulations
• Guidelines
• Standards
• Few procedures
• Define responsibilities
Recurring education
Security related education:
New employees
Current employees
Transfers and Temps (e.g., help during “busy season”)
Recurring education: New Employees
Human Resources
Manager/Team Leader
Information Security Officer
BC / DR Coordinator
Availability
Goals (Availability)
• Business Continuity Planning - minimize loss resulting from inadequate or failed internal processes, people, and systems
• Disaster Recovery Planning - minimize effects of a disaster on organization technical operations and to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner
Phases (Availability)
• Scope and Plan Initiation
• Business Impact Assessment
– The purpose of the Business Impact Analysis project is to provide the Senior Management Team with the information to make a sound business decision in the development of pragmatic disaster recovery strategies
• Plan Development
• Plan Approval and Implementation
Physical Security
Physical Security
• Is often the ‘face’ of your organization to visitors
• A foundation for any information protection program
• Access controls should match those of the information security program
– Identification
– Authentication
– Access Control
Physical Security
• Offices
• Laptops
• Blackberrys
• USB (‘flash’ drives, thumb drives)
Incident Response / Management
• Forming team
• Documenting
– Procedures
– Responsibilities
• Call List . . .
Architecture & Infrastructure
Network Security Architecture
Seven Layers of Defense
Layer 1: Outside Router
Layer 2: Firewall & Web IDS
Layer 3: SPAM & Content Filtering
Layer 4: Email Malware Scanning
Layer 5: Server Malware Protection
Layer 6: PC Malware Protection
Layer 7: Security Awareness
Virtual Private Networks (VPN)
• Provide a secure path to a system not attached to your network.
• Need to extend appropriate controls to those systems.
• Requires good authentication system.
• Use approved (FIPS140) devices and software to encrypt your data.
• Can provide secure road-warrior or remote site connectivity.
Remote Access
Secure File Transfers
• Inventory all file transfers inside and outside the organization
• Ensure end-to-end encryption of sensitive / confidential information
• Standardize and centralize processes
ITIL – IT Systems Management
Change Management
Formal Authorization of any Changes
• Evaluate business drivers of proposed change
• Verification of technical correctness
• Validate changes and test impact
• Documents all changes
• Prevents self-sabotage of security infrastructure
• Links to COOP and business continuity plans to keep them up to date
• Enables an organization to survive a compromised system or security administrator
Logging, Monitoring, Metrics
• [logging] Consistently gathered, preferably in an automated way
• [monitoring] Consistently measured, without subjective criteria
Metrics
• Expressed as a cardinal number or percentage, not with qualitative labels like “high”, “medium” or “low”
• Expressed using at least one unit of measure, such as “defects”, “hours” or “dollars”
• Ideally: Contextually specific, relevant enough to decision-makers so that they can take action
Security Penetration Testing
• Test every 1-2 years
• Change security vendors often
• Put special focus areas in each test
• Don’t forget about testing internally
• Test web applications
Trends: Personal \ Remote Devices
Trends: Virtualization
Trends: Virtualization
• Apply all your standard security policies to your virtual server environment
• Compensate for immature virtual configuration and monitoring tools
• Track and destroy your VMs like you do your server images
• Keep hypervisor patched and updated
- Forrester
Trends: Web Application Security
• Consider adding a Web Application Firewall (WAF)
• Vulnerable Web Applications are the No.1 attack vector today (Forrester)
• Compliance mandates (i.e. PCI DSS)
• Protects all web applications without additional coding
• Can help with Web performance and optimization
Trends: Social Media
Use of Social Networking sites
• Do not click on banner ads.
• Be vigilant for other attacks, such as bogus update notices.
• Strong and regularly changed passwords are a must.
• Social media passwords should be different from those used to access internal organization’s networks and services.
Productivity & Internet Abuse
• 64% of employees say they use the Internet for personal interest during working hours
• 37% of workers say they surf the Web constantly at work
Data sources include: U.S. DEPARTMENT OF COMMERCE // Economics and Statistics Administration, National Telecommunications and Information Administration // Greenfield and Rivet. Employee computer abuse statistics
william.tompkins@trs.state.tx.us
chris.cutler@trs.state.tx.us