8/11/2019 Building a Riskbased Information Security Program132[2]
http://slidepdf.com/reader/full/building-a-riskbased-information-security-program1322 1/43
Property of the University of Notre Dame
Building a Risk-Based
Information Security Program
Mike Chapple
University of Notre Dame
May 5, 2008
Obligatory Notice
Copyright Michael J. Chapple, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Overview
• Background
• Campus IT Risk Assessment (CITRA)
• Digesting the Results
• Implementing the Security Program
• Preliminary Results
Notre Dame
• Private, coeducational Catholic research university located in Northern Indiana
• Population of 10,000 students, 1,200 faculty and 5,300 staff
• Defining characteristics
– Long tradition of undergraduate excellence
– Dedicated to residential life (81% of undergraduates live on campus)
– Rapidly expanding research community and graduate programs; over the past decade:
• 35% increase in PhDs awarded
• 225% increase in sponsored research
IT at Notre Dame
• OIT is a centralized IT organization
– Supports enterprise systems
– Provides end user support for about 1/3 of campus
• Some colleges and business units have their own IT support groups
– Varying levels of custom infrastructure
– Several have their own networks
• Up until 2006, Information Security was a combination of implementing internal controls and external consulting
One Day Everything Changed…
Historical Context
Information Security at Notre Dame, 2002-2006 (timeline chart in the original):
– 2002: Information Security Office established
– 2003: Data Oversight Committee established
– Data Center Firewall implemented
– Data Access Policy approved
– 2005: Strong Password Initiative
– Jul 2005 to Jul 2006 (plotted month by month on the chart): Initial PCI DSS Discussions, Incident, Incident Response, PCI DSS Assessment, Credit Card Network Inventory, CCSP Planning, CITRA
Campus IT Risk Assessment (CITRA)
CITRA Overview
• At the request of University Leadership, we commissioned a campus-wide IT risk assessment
• Partnered with “Big Four” consulting firm
• Scope included all uses of sensitive University data, in any form
• Tools used:
– Network scanning
– Surveys and interviews
– Site visits
Assessment Process
Surveys
• 19 pages, 74 questions (mixture of multiple choice and open-ended)
• Pilot deployment with our own OIT business office, followed by a select handful of “friends”
• Full deployment included business managers from all academic and administrative units
• Accompanied by cover letter from Executive Vice President and Provost
• Achieved 100% response rate (after quite a few follow-up calls!)
Selected Questions
• What type(s) of sensitive data does your department
store/process?
• What groups/roles have access to that data?
• Where do you store that data (physical and/or electronic)?
• Do you use encryption to protect stored information?
• How do you transmit sensitive data? How do you receive it?
• Do you use any web-based applications to collect data?
• How long do you retain sensitive information? How do you dispose of it?
• Do you share sensitive information with third parties?
Survey Results
Together with the consultants, we surveyed respondents from 53 campus departments on data handling practices.
Attribute | Percentage of respondents
Use Social Security Numbers | 88%
Share Passwords | 81%
Store Sensitive Data Locally | 77%
Transmit Sensitive Data Externally Without Encryption | 68%
Not Aware of Security Policies | 65%
Retain Sensitive Data Indefinitely | 63%
Business Unit Interviews
• 53 departments selected for individual or group interviews based upon survey responses
• Combination of academic and administrative units
• Intended to serve as a one-hour “deep dive” into survey responses
• Conducted by a team consisting of representatives from Information Security, University Archives and the consultant
Discussion Guide
• Walk through survey responses
• Types of sensitive data within the department
• Applications used to process data
• Electronic and paper-based data flow walkthrough
• Physical security of departmental spaces
CITRA Findings
• End result was 68 findings covering 10 key areas:
– Information Security Framework
– Data Classification and Handling
– Access Control
– Encryption Strategy
– Configuration Standards
– Physical Security
– Technical Security Architecture
– Disaster Recovery
– Compliance
– Information Security Awareness
• For example…
CITRA Findings
Digesting the Results
Planning Workshop
• Cross-functional team
• Analyzed CITRA results and created project specifications designed to remediate all medium/high risk findings
• Produced comprehensive project plan with resource estimates and sequencing
Resource Planning
• Discussed project objectives with resource
managers
• Simple approach to resource ($$$ and staff)
estimation:
– Determine “best case” and “worst case” time and
cost estimates
– Average those endpoints
– Surprisingly accurate!
Ranking System
• Each project ranked on costs (financial and
staff), importance and urgency
Outcome
• Projects sequenced to prioritize high-risk
findings and balance resource consumption
• Overall costs: $4.6M one-time, $630K
recurring
• Presented to University leadership and funded
in full
Implementing the Security Program
Program Mission
Identify confidentiality, integrity and availability risks to sensitive University information, and mitigate those risks to acceptable levels.
Program Objectives
The objectives of the program are to:
• Evaluate risks to the confidentiality, integrity and availability of sensitive information
• Establish and implement controls to fill critical gaps, as determined by institutional risk tolerance
• Create awareness of information security and proper data handling practices
• Establish and communicate security-related policies, procedures and standards
Program Plan
Policy
• It all begins with policy…really!
Policy projects (numbered as in the program plan):
– 1.1 Security Policies and Standards (FY 2007): Establish University-wide Information Security policies and handling standards based on ISO 17799
– 1.3 Configuration Standards (FY 2007): Develop configuration standards for applications and mobile systems
– 1.5 Software Development Lifecycle (FY 2010): Select and implement a SDLC model for use with OIT systems
Awareness, Training and Education
– 2.1 Employee Awareness & Training (FY 2007-2008): Provide security awareness, communication and training for faculty & staff
– 2.2 Classification Workshops (FY 2008): Conduct workshops to aid Data Stewards in classifying their data
– 2.3 Student Awareness & Training (FY 2008): Provide security awareness, communication and training for students
– 2.4 Sensitive Data Handler Training (FY 2008): Provide specialized training for those who work with sensitive University data
– 2.5 Technical Security Training (FY 2009): Provide specialized technical security training for IT professionals
Workstation Security
– 6.1 Initial Desktop Remediation (FY 2007): Apply a basic set of security controls to University workstations
– 6.2 Malware Management (FY 2008): Provide a solution for management and monitoring of antivirus and anti-spyware software on University systems
– 6.3 File Security (FY 2009): Conduct a vulnerability assessment and apply security controls to NetFile
– 6.4 Messaging Security (FY 2009-2010): Apply security controls to electronic mail and instant messaging
Server Security
– 7.1 Data Center Architecture Enhancements (FY 2008): Enhance security controls on the OIT Data Center front end
– 7.2 Server Integrity Monitoring (FY 2008): Formalize OIT server integrity monitoring infrastructure and processes
– 7.3 Database Security (FY 2008): Conduct a vulnerability assessment of University databases and implement appropriate controls
– 7.4 Departmental Server Consulting (FY 2008-2009): Conduct a security assessment of each departmental server and provide recommendations on alternative technologies and/or appropriate controls
– 7.5 OIT Server Management (FY 2008-2009): Implement security management practices for OIT servers with separation of duties and data segregation, where appropriate
Network Security
– 5.1 Border Security (FY 2007): Implement campus network border firewall to block unsolicited inbound connections
– 5.2 Network Device Management (FY 2007-2008): Implement security standards on campus network devices
– 5.3 Zoned Network and Wireless Security (FY 2008-2009): Design and implement a zoned network architecture with appropriate security controls on the wired and wireless networks
– 5.4 Intrusion Prevention (FY 2009): Replace the University’s existing intrusion detection system with a comprehensive intrusion prevention system
– 5.5 Network Admission Control (FY 2010): Implement controls to ensure that network-connected systems meet security standards
Security Infrastructure
– 4.1 Vulnerability Scanning (FY 2007): Create a scanning facility to proactively detect technical vulnerabilities in University systems
– 4.2 Security Review Process (FY 2007): Create a process for consistently conducting information security reviews
– 4.3 Sensitive Data Scanning (FY 2008): Create a scanning facility to proactively detect CC/SSNs stored in institutional file systems
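Project 4.3 calls for a facility that finds card numbers and SSNs at rest. The following is an added example written for this page; it is not code from the original deck or from Notre Dame's tooling. It shows the two checks that keep such a scanner usable: a structural test for SSNs (the SSA never issues area 000, 666 or 900-999, group 00 or serial 0000) and a Luhn mod-10 check for card numbers, so that phone numbers, order numbers and dates are not reported. It assumes SSNs appear in dashed AAA-GG-SSSS form, that card numbers appear as 13-19 digits optionally separated by single spaces or dashes, and that a NUL byte in the first kilobyte marks a binary file to skip; the sample text is constructed, not real data.

```python
"""Scan text files for apparent SSNs and payment-card numbers (added example)."""
import os
import re
from dataclasses import dataclass
from typing import Iterator, List

# Formatted SSN: AAA-GG-SSSS. Assumption: the institution's files write SSNs
# with dashes; an unformatted 9-digit run is too noisy to flag on its own.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes,
# e.g. "4111 1111 1111 1111" or "4111-1111-1111-1111".
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str      # "ssn" or "card"
    masked: str    # all but the last four digits replaced, so the report
                   # does not itself become a sensitive-data store


def _mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents and return validated hits."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding(path, line_no, "ssn", _mask("".join(m.groups()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(path, line_no, "card", _mask(digits)))
    return findings


def _looks_binary(path: str) -> bool:
    # Assumption: a NUL byte in the first kilobyte means "not a text file".
    with open(path, "rb") as fh:
        return b"\x00" in fh.read(1024)


def scan_tree(root: str) -> Iterator[Finding]:
    """Walk a directory tree and yield findings from every text file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if _looks_binary(path):
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                yield from scan_text(path, fh.read())


# Constructed sample content (not real data): one plausible SSN, one card
# number that passes Luhn, and look-alikes that must not be reported.
SAMPLE = """\
Alumni record: Jane Doe, SSN 123-45-6789, phone 574-631-5000
Gift processed on card 4111 1111 1111 1111, auth 2008-05-05
Invalid SSN 000-12-3456 and reserved area 987-65-4320
Order number 1234567890123456 (fails Luhn, not a card)
"""


def demo() -> List[Finding]:
    """Run the scanner over the constructed sample; returns two findings."""
    return scan_text("sample.txt", SAMPLE)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line_no}: {f.kind} {f.masked}")
```

Two practitioner caveats apply to a facility like this. First, the Luhn and SSA structure checks cut false positives but do not remove them, so hits still need human triage, and unformatted nine-digit SSNs are missed by design. Second, the findings list is itself a map of where the sensitive data lives, which is why the report carries only the last four digits and why the account used to run the scan over departmental file systems should be narrowly scoped and its activity logged.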
Security Infrastructure (cont’d)
– 4.4 Application Logging (FY 2009): Capture enterprise application events in the OIT central log repository
– 4.5 Security Log Analysis (FY 2009): Create a security log analysis capability for use with the central log repository
– 4.6 Firewall Management (FY 2009): Audit existing firewall rulebase and implement standard management practices
– 4.7 Network Activity Logging (FY 2009): Capture records of off-campus connections involving University systems
– 4.8 Rogue Wireless AP Detection (FY 2010): Provide the ability to identify unauthorized wireless access points on the University network
Credit Card Security
– 3.1 CCSP Infrastructure (FY 2007): Create the infrastructure required to migrate card processing applications to the OIT data center
– 3.2 CCSP Application Migration (FY 2007-2008): Move card processing servers to the payment card environment located in the OIT data center
– 3.3 CCSP Monitoring (FY 2008): Implement ongoing technical monitoring of the payment card environment
– 3.4 CCSP Physical Security (FY 2008-2009): Upgrade data center physical security to meet PCI DSS requirements
Incident Handling
– 8.1 Incident Response Procedures (FY 2010): Create technical procedures for responding to information security incidents to supplement the existing Incident Response Plan
– 8.2 Forensics (FY 2010): Identify forensic resources for use in information security incident response
– 8.3 Incident Tracking System (FY 2010): Provide an information security incident tracking system
Sustaining Activities
– 9.1 Security Operations Center (FY 2008-2009): Create an operations center to monitor and provide initial response to security events
– 9.2 Recurring Risk Assessments (FY 2010): Establish a process for recurring, periodic risk assessments to measure risk to University data assets
– 9.3 Program Monitoring (FY 2010): Assess the ongoing effectiveness of the information security program
Preliminary Results
Current Status
Program Highlights
• For the most part, on-time completion under
budget
• Some “in-flight” changes to the plan to:
– Reprioritize project sequencing
– Address new risks (e.g. Web application security)
– Balance resource utilization with other initiatives
Policy and Standards
• Policy complete and awaiting Officer approval
• Operating system standards in place
• Application standards complete and published
Policy Usage (Spring 2007 – Fall 2007), percentage of respondents:
Response | Faculty, Spring 2007 | Faculty, Fall 2007 | Staff, Spring 2007 | Staff, Fall 2007
Use it regularly | 2% | 10% | 7% | 13%
Have read it | 44% | 59% | 55% | 66%
Aware it exists | 35% | 21% | 28% | 12%
Not aware it exists | 20% | 10% | 10% | 9%
Vulnerability Scanning
Awareness
• Goal: Engage 85% of the faculty and staff at least twice annually
[Chart: share of faculty and staff reached by awareness activities, Spring 2007 vs. Fall 2007, broken down into No contact, One-Touch and Two-Touch.]