Building a Risk-Based Information Security Program
Mike Chapple, University of Notre Dame
May 5, 2008

Property of the University of Notre Dame



Obligatory Notice

Copyright Michael J. Chapple, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Overview

• Background

• Campus IT Risk Assessment (CITRA)

• Digesting the Results

• Implementing the Security Program

• Preliminary Results


Notre Dame

• Private, coeducational Catholic research university located in Northern Indiana

• Population of 10,000 students, 1,200 faculty and 5,300 staff

• Defining characteristics

 – Long tradition of undergraduate excellence

 – Dedicated to residential life (81% of undergrads on campus)

 – Rapidly expanding research community and graduate programs; over the past decade:

   • 35% increase in PhDs awarded

   • 225% increase in sponsored research


IT at Notre Dame

• OIT is a centralized IT organization

 – Supports enterprise systems

 – Provides end user support for about 1/3 of campus

• Some colleges and business units have their own IT support groups

 – Varying levels of custom infrastructure

 – Several have their own networks

• Up until 2006, Information Security was a combination of implementing internal controls and external consulting


One Day Everything Changed… 


Historical Context

[Timeline figure: Information Security at Notre Dame, 2005 – 2006. Only the labels survived extraction; positions on the timeline are not recoverable.]

Earlier milestones:

 – 2002: Information Security Office established

 – 2003: Data Oversight Committee established

 – Data Center Firewall implemented

 – Data Access Policy approved

 – 2005: Strong Password Initiative

Events plotted on the Jul-05 to Jul-06 axis: Incident, Incident Response, Initial PCI DSS Discussions, PCI DSS Assessment, Credit Card Network Inventory, CCSP Planning, CITRA.


CITRA Overview

• At the request of University Leadership, we commissioned a campus-wide IT risk assessment

• Partnered with a “Big Four” consulting firm

• Scope included all uses of sensitive University data, in any form

• Tools used:

 – Network scanning

 – Surveys and interviews

 – Site visits


Assessment Process


Surveys

• 19 pages, 74 questions (mixture of multiple choice and open-ended)

• Pilot deployment with our own OIT business office, followed by a select handful of “friends”

• Full deployment included business managers from all academic and administrative units

 – Accompanied by cover letter from the Executive Vice President and Provost

• Achieved 100% response rate (after quite a few follow-up calls!)


Selected Questions

• What type(s) of sensitive data does your department

store/process?

• What groups/roles have access to that data?

• Where do you store that data (physical and/or electronic)?

• Do you use encryption to protect stored information?

• How do you transmit sensitive data? How do you receive it?

• Do you use any web-based applications to collect data?

• How long do you retain sensitive information? How do you dispose of it?

• Do you share sensitive information with third parties?


Survey Results

Together with the consultants, we surveyed respondents from 53 campus departments on data handling practices.

Attribute                                              Percentage
Use Social Security Numbers                            88%
Share Passwords                                        81%
Store Sensitive Data Locally                           77%
Transmit Sensitive Data Externally Without Encryption  68%
Not Aware of Security Policies                         65%
Retain Sensitive Data Indefinitely                     63%


Business Unit Interviews

• 53 departments selected for individual or group interviews based upon survey responses

• Combination of academic and administrative units

• Intended to serve as a one-hour “deep dive” into survey responses

• Conducted by a team consisting of representatives from Information Security, University Archives and the consultant


Discussion Guide

• Walk through survey responses

• Types of sensitive data within the department

• Applications used to process data

• Electronic and paper-based data flow walkthrough

• Physical security of departmental spaces


CITRA Findings

• End result was 68 findings covering 10 key areas:

 – Information Security Framework

 – Data Classification and Handling

 – Access Control

 – Encryption Strategy

 – Configuration Standards

 – Physical Security

 – Technical Security Architecture

 – Disaster Recovery

 – Compliance

 – Information Security Awareness

• For example…


CITRA Findings


Planning Workshop

• Cross-functional team

• Analyzed CITRA results and created project specifications designed to remediate all medium/high risk findings

• Produced comprehensive project plan with resource estimates and sequencing


Resource Planning

• Discussed project objectives with resource managers

• Simple approach to resource ($$$ and staff) estimation:

 – Determine “best case” and “worst case” time and cost estimates

 – Average those endpoints

 – Surprisingly accurate!


Ranking System

• Each project ranked on costs (financial and staff), importance and urgency


Outcome

• Projects sequenced to prioritize high-risk findings and balance resource consumption

• Overall costs: $4.6M one-time, $630K recurring

• Presented to University leadership and funded in full


Program Mission

Identify confidentiality, integrity and availability risks to sensitive University information, and mitigate those risks to acceptable levels.


Program Objectives

The objectives of the program are to:

• Evaluate risks to the confidentiality, integrity and availability of sensitive information

• Establish and implement controls to fill critical gaps, as determined by institutional risk tolerance

• Create awareness of information security and proper data handling practices

• Establish and communicate security-related policies, procedures and standards


Program Plan


Policy

• It all begins with policy…really!

Policy projects (numbering as in the program plan diagram):

1.1 Security Policies and Standards (FY 2007)
Establish University-wide Information Security policies and handling standards based on ISO 17799 (renumbered ISO/IEC 27002 in 2007)

1.3 Configuration Standards (FY 2007)
Develop configuration standards for applications and mobile systems

1.5 Software Development Lifecycle (FY 2010)
Select and implement a SDLC model for use with OIT systems


Awareness, Training and Education

Awareness, training and education projects (numbering as in the program plan diagram):

2.1 Employee Awareness & Training (FY 2007-2008)
Provide security awareness, communication and training for faculty & staff

2.3 Student Awareness & Training (FY 2008)
Provide security awareness, communication and training for students

2.2 Classification Workshops (FY 2008)
Conduct workshops to aid Data Stewards in classifying their data

2.4 Sensitive Data Handler Training (FY 2008)
Provide specialized training for those who work with sensitive University Data

2.5 Technical Security Training (FY 2009)
Provide specialized technical security training for IT Professionals


Workstation Security

Workstation security projects (numbering as in the program plan diagram):

6.1 Initial Desktop Remediation (FY 2007)
Apply a basic set of security controls to University workstations

6.2 Malware Management (FY 2008)
Provide a solution for management and monitoring of antivirus and anti-spyware software on University systems

6.3 File Security (FY 2009)
Conduct a vulnerability assessment and apply security controls to NetFile

6.4 Messaging Security (FY 2009-2010)
Apply security controls to electronic mail and instant messaging


Server Security

Server security projects (numbering as in the program plan diagram):

7.1 Data Center Architecture Enhancements (FY 2008; labelled “Data Center Remediation” in the diagram)
Enhance security controls on the OIT Data Center front end

7.2 Server Integrity Monitoring (FY 2008)
Formalize OIT server integrity monitoring infrastructure and processes

7.3 Database Security (FY 2008)
Conduct a vulnerability assessment of University databases and implement appropriate controls

7.4 Departmental Server Consulting (FY 2008-2009)
Conduct a security assessment of each departmental server and provide recommendations on alternative technologies and/or appropriate controls

7.5 OIT Server Management (FY 2008-2009)
Implement security management practices for OIT servers with separation of duties and data segregation, where appropriate


Network Security

Network security projects (numbering as in the program plan diagram):

5.1 Border Security (FY 2007)
Implement campus network border firewall to block unsolicited inbound connections

5.2 Network Device Management (FY 2007-2008)
Implement security standards on campus network devices

5.3 Zoned Network and Wireless Security (FY 2008-2009)
Design and implement a zoned network architecture with appropriate security controls on the wired and wireless networks

5.4 Intrusion Prevention (FY 2009)
Replace the University’s existing intrusion detection system with a comprehensive intrusion prevention system

5.5 Network Admission Control (FY 2010)
Implement controls to ensure that network-connected systems meet security standards


Security Infrastructure

Security infrastructure projects (numbering as in the program plan diagram): Vulnerability Scanning (4.1), Security Review Process (4.2), Sensitive Data Scanning (4.3), Application Logging (4.4), Log Security Analysis (4.5), Firewall Management (4.6), Network Activity Logging (4.7), Rogue Wireless AP Detection (4.8).

4.1 Vulnerability Scanning (FY 2007)
Create a scanning facility to proactively detect technical vulnerabilities in University systems

4.2 Security Review Process (FY 2007)
Create a process for consistently conducting information security reviews

4.3 Sensitive Data Scanning (FY 2008)
Create a scanning facility to proactively detect CC/SSNs stored in institutional file systems
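Project 4.3 describes a facility that finds card numbers and SSNs at rest in file shares. The following is an added example of the core detection logic, not Notre Dame's scanner and not code from the deck: regular expressions produce candidates, a Luhn mod-10 check filters card numbers and the SSA structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) filter SSNs, and findings are reported masked with their location. The sample document, the file-size limit and the path names are constructed for the illustration.

```python
"""Sensitive-data scanner in the spirit of project 4.3 (CC/SSN detection in file shares).

Added illustration, not Notre Dame's tool. The document text, paths and
thresholds below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List

# Candidate SSN: 3-2-4 digits with optional dash/space separators, on word boundaries.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Candidate card number (PAN): 13 to 19 digits, optionally grouped by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str      # "SSN" or "PAN"
    masked: str    # the scanner's own report never holds the full value


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural filter: SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one document's text and return masked findings with line numbers."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append(Finding(path, line_no, "SSN", mask("".join(m.groups()))))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(path, line_no, "PAN", mask(digits)))
    return findings


def scan_tree(root: str, max_bytes: int = 5_000_000) -> Iterator[Finding]:
    """Walk a file share and scan every readable text file below root (size limit is an assumption)."""
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.stat().st_size > max_bytes:
            continue
        try:
            text = p.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue   # binary or unreadable: a production scanner hands these to format-aware extractors
        yield from scan_text(str(p), text)


# Constructed sample document; none of these values are real.
SAMPLE_DOC = """\
Advising office notes (constructed sample)
Applicant SSN 123-45-6789 recorded on intake form
Emergency contact: 574-631-5000
Payment on file: 4111 1111 1111 1111 exp 09/08
Old reference number 4111-1111-1111-1112 (fails Luhn, so not a card)
Placeholder form value 000-12-3456 (invalid SSN area)
"""

if __name__ == "__main__":
    for f in scan_text("sample.txt", SAMPLE_DOC):
        print(f"{f.path}:{f.line_no} {f.kind} {f.masked}")
```

Two design points carry over to any real deployment of this idea. The Luhn and SSA filters only cut false positives; a bare nine-digit run still matches the SSN pattern, so production scanners add context keywords, exclusion lists and extractors for Office and PDF containers. And the report stores only the masked value and its location: a scan report holding full card numbers would itself be a new sensitive-data store to protect.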


Security Infrastructure (cont’d) 

4.4 Application Logging (FY 2009)
Capture enterprise application events in the OIT central log repository

4.7 Network Logging (FY 2009)
Capture records of off-campus connections involving University systems

4.5 Security Log Analysis (FY 2009)
Create a security log analysis capability for use with the central log repository

4.6 Firewall Management (FY 2009)
Audit existing firewall rulebase and implement standard management practices

4.8 Rogue Wireless AP Detection (FY 2010)
Provide the ability to identify unauthorized wireless access points on the University network
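Projects 4.5 and 4.7 call for a security log analysis capability over the central repository and for records of off-campus connections. As an added example, not Notre Dame's implementation and not from the deck, the following analyzes constructed sshd authentication lines of the kind a central syslog repository holds: it flags a source with five or more failed logins inside a five-minute window, flags any later successful login from such a source, and tags each alert as on- or off-campus against an assumed campus range. The log lines, the year pinned for the year-less syslog timestamps, the thresholds and the campus range (10.0.0.0/8, a placeholder) are all assumptions of the example.

```python
"""Security log analysis over a central syslog repository, in the spirit of projects 4.5 and 4.7.

Added illustration, not Notre Dame's tooling. The sshd lines, the campus address
range, the thresholds and the pinned year are constructed for the example.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, FrozenSet, Iterable, List, Tuple

# Hypothetical campus address space; a real deployment loads the registered ranges.
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Syslog-style sshd lines: "Jul  5 10:12:01 host sshd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
OK_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port")


@dataclass(frozen=True)
class Alert:
    ip: str
    kind: str            # "brute_force" or "success_after_failures"
    failures: int        # failures from this source inside the window
    off_campus: bool
    users: FrozenSet[str]


def is_off_campus(ip: str, campus_nets=CAMPUS_NETS) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in campus_nets)


def parse_events(lines: Iterable[str], year: int) -> List[Tuple[datetime, str, str, bool]]:
    """Return (time, source ip, user, success) for each authentication event, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text = " ".join(m["ts"].split())          # collapse the padded day field
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")  # syslog has no year
        for pattern, ok in ((FAIL_RE, False), (OK_RE, True)):
            a = pattern.search(m["msg"])
            if a:
                events.append((ts, a["ip"], a["user"], ok))
                break
    events.sort(key=lambda e: e[0])
    return events


def analyze(lines: Iterable[str], campus_nets=CAMPUS_NETS, threshold: int = 5,
            window_s: int = 300, year: int = 2007) -> List[Alert]:
    """Sliding-window rule: >= threshold failures per source within window_s seconds,
    plus any success from a source that is currently over the threshold."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged = set()
    alerts: List[Alert] = []
    for ts, ip, user, ok in parse_events(lines, year):
        q = recent[ip]
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                                 # drop failures that left the window
        if ok:
            if len(q) >= threshold:
                alerts.append(Alert(ip, "success_after_failures", len(q),
                                    is_off_campus(ip, campus_nets),
                                    frozenset(u for _, u in q) | {user}))
            continue
        q.append((ts, user))
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append(Alert(ip, "brute_force", len(q), is_off_campus(ip, campus_nets),
                                frozenset(u for _, u in q)))
    return alerts


# Constructed sample; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
Jul  5 10:12:01 webapp01 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Jul  5 10:12:03 webapp01 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Jul  5 10:12:05 webapp01 sshd[4021]: Failed password for root from 198.51.100.23 port 51024 ssh2
Jul  5 10:12:07 webapp01 sshd[4021]: Failed password for root from 198.51.100.23 port 51025 ssh2
Jul  5 10:12:09 webapp01 sshd[4021]: Failed password for jdoe from 198.51.100.23 port 51026 ssh2
Jul  5 10:12:11 webapp01 sshd[4021]: Accepted password for jdoe from 198.51.100.23 port 51027 ssh2
Jul  5 10:15:42 webapp01 sshd[4100]: Failed password for jdoe from 10.20.30.40 port 40001 ssh2
Jul  5 10:15:50 webapp01 sshd[4101]: Accepted publickey for jdoe from 10.20.30.40 port 40002 ssh2
Jul  5 11:00:00 webapp01 sshd[4200]: Failed password for root from 203.0.113.9 port 3333 ssh2
Jul  5 11:30:00 webapp01 sshd[4201]: Failed password for root from 203.0.113.9 port 3334 ssh2
Jul  5 12:00:00 webapp01 sshd[4202]: Failed password for root from 203.0.113.9 port 3335 ssh2
Jul  5 12:30:00 webapp01 sshd[4203]: Failed password for root from 203.0.113.9 port 3336 ssh2
Jul  5 13:00:00 webapp01 sshd[4204]: Failed password for root from 203.0.113.9 port 3337 ssh2
Jul  5 13:05:00 webapp01 sshd[4205]: pam_unix(sshd:session): session opened for user svc by (uid=0)
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(a)
```

On the sample the off-campus source 198.51.100.23 produces two alerts: the burst of five failures, then the accepted password two seconds later, which is the event an analyst most wants to see. The on-campus user with one typo and a key-based success produces nothing. The third source, 203.0.113.9, also fails five times but thirty minutes apart, so a 5-in-300-seconds rule never fires: that is the low-and-slow gap such threshold rules leave, and why they are paired with longer-horizon aggregation and the connection records project 4.7 collects.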


Credit Card Security

Credit Card Security Program (CCSP) projects (numbering as in the program plan diagram):

3.1 CCSP Infrastructure (FY 2007)
Create the infrastructure required to migrate card processing applications to the OIT data center

3.2 CCSP Application Migration (FY 2007-2008)
Move card processing servers to the payment card environment located in the OIT data center

3.3 CCSP Monitoring (FY 2008)
Implement ongoing technical monitoring of the payment card environment

3.4 CCSP Physical Security (FY 2008-2009)
Upgrade data center physical security to meet PCI DSS requirements


Incident Handling

Incident handling projects (numbering as in the program plan diagram):

8.1 Incident Response Procedures (FY 2010)
Create technical procedures for responding to information security incidents to supplement the existing Incident Response Plan

8.2 Forensics (FY 2010)
Identify forensic resources for use in information security incident response

8.3 Incident Tracking System (FY 2010)
Provide an information security incident tracking system


Sustaining Activities

Sustaining activities (numbering as in the program plan diagram):

9.1 Security Operations Center (FY 2008-2009)
Create an operations center to monitor and provide initial response to security events

9.2 Recurring Risk Assessments (FY 2010)
Establish a process for recurring, periodic risk assessments to measure risk to University data assets

9.3 Program Monitoring (FY 2010)
Assess the ongoing effectiveness of the information security program


Current Status


Program Highlights

• For the most part, on-time completion under budget

• Some “in-flight” changes to the plan to:

 – Reprioritize project sequencing

 – Address new risks (e.g. Web application security)

 – Balance resource utilization with other initiatives


Policy and Standards

• Policy complete and awaiting Officer approval

• Operating system standards in place

• Application standards complete and published

Policy Usage (Spring 2007 – Fall 2007). Values recovered from the chart's bar labels; the series are assigned in legend order, and each column sums to 100% within rounding.

                      Faculty                Staff
                      Spring 2007  Fall 2007  Spring 2007  Fall 2007
Use it regularly        2%          10%         7%          13%
Have read it           44%          59%        55%          66%
Aware it exists        35%          21%        28%          12%
Not aware it exists    20%          10%        10%           9%


Vulnerability Scanning


Awareness

• Goal: Engage 85% of the faculty and staff at least twice annually

[Chart: faculty and staff by awareness contact level (No contact, One-Touch, Two-Touch), Spring 2007 vs Fall 2007; the bar values cannot be recovered from the extracted text.]


Questions