Building a Riskbased Information Security Program132[2]

8/11/2019 Building a Riskbased Information Security Program132[2]

http://slidepdf.com/reader/full/building-a-riskbased-information-security-program1322 1/43

Property of the University of Notre Dame

Building a Risk-Based

Information Security Program

Mike Chapple

University of Notre Dame

May 5, 2008




Obligatory Notice

Copyright Michael J. Chapple, 2008. This work is the

intellectual property of the author. Permission is

granted for this material to be shared for non-

commercial, educational purposes, provided that thiscopyright statement appears on the reproduced

materials and notice is given that the copying is by

permission of the author. To disseminate otherwise

or to republish requires written permission from theauthor.

2




Overview

• Background

• Campus IT Risk Assessment (CITRA)

•

Digesting the Results• Implementing the Security Program

• Preliminary Results

3




Notre Dame

• Private, coeducational Catholic research universitylocated in Northern Indiana

• Population of 10,000 students,

1,200 faculty and 5,300 staff• Defining characteristics

– Long tradition of undergraduate excellence

– Dedicated to residential life (81% undergrads on campus)

– Rapidly expanding research community and graduate

programs ; Over the past decade:

• 35% increase in PhDs awarded

• 225% increase in sponsored research

4




IT at Notre Dame

• OIT is a centralized IT organization – Supports enterprise systems

– Provides end user support for about

1/3 of campus

• Some colleges and business units

have their own IT support groups

– Varying levels of custom infrastructure

– Several have their own networks• Up until 2006, Information Security was a

combination of implementing internal controls and

external consulting

5




One Day Everything Changed…

6




Historical Context

77

Initial PCI DSS

Discussions

Incident CITRAIncident Response

2002 –

Information Security Office Established2003 – Data Oversight Committee Established

Data Center Firewall Implemented

Data Access Policy Approved

2005 – Strong Password Initiative

PCI DSS

Assessment

CCSP

Planning

Credit Card

Network Inventory

Jul-05 Jul-06

Aug-05 Sep-05 Oct-05 Nov-05 Dec-05 Jan-06 Feb-06 Mar-06 Apr-06 May-06 Jun-06

Information Security at Notre Dame2005 2006




Overview

• Background


•



8




CITRA Overview

• At the request of University Leadership, we

commissioned a campus-wide IT risk assessment

• Partnered with “Big Four” consulting firm

• Scope included all uses of sensitive University data,in any form

• Tools used:

–

Network Scanning – Surveys and Interviews

– Site visits

9




Assessment Process

10




Surveys

• 19 pages, 74 questions (mixture of multiple choice

and open-ended)

• Pilot deployment with our own OIT business office,

followed by a select handful of “friends” • Full deployment included business managers from all

academic and administrative units

•

Accompanied by cover letter from Executive VicePresident and Provost

• Achieved 100% response rate (after quite a few

follow-up calls!)

11




Selected Questions

• What type(s) of sensitive data does your department

store/process?

• What groups/roles have access to that data?

• Where do you store that data (physical and/or electronic)?

• Do you use encryption to protect stored information?

• How do you transmit sensitive data? How do you receive it?

• Do you use any web-based applications to collect data?

• How long do you retain sensitive information? How do youdispose of it?

• Do you share sensitive information with third parties?

12




Survey Results

Attribute Percentage

Use Social Security Numbers 88%

Share Passwords 81%

Store Sensitive Data Locally 77%

Transmit Sensitive Data Externally Without Encryption 68%

Not Aware of Security Policies 65%

Retain Sensitive Data Indefinitely 63%

13

Together with the consultants, we surveyed

respondents from 53 campus departments on

data handling practices.




Business Unit Interviews

• 53 departments selected for individual or group

interviews based upon survey responses

• Combination of academic and administrative units

• Intended to serve as a one-hour “deep dive” intosurvey responses

• Conducted by a team consisting of

representatives from InformationSecurity, University Archives

and the consultant

14




Discussion Guide

• Walk through survey responses

• Types of sensitive data within the department

•

Applications used to process data• Electronic and paper-based data flow

walkthrough

•

Physical security of departmental spaces

15




CITRA Findings

• End result was 68 findings covering 10 key areas:

• For example…

16

Information Security Framework Data Classification and Handling

Access Control Encryption Strategy

Configuration Standards Physical Security

Technical Security Architecture Disaster Recovery

Compliance Information Security Awareness




CITRA Findings

17




Overview

• Background


•



18




Planning Workshop

• Cross-functional team

• Analyzed CITRA results

and created project

specifications designed toremediate all

medium/high risk findings

• Produced comprehensive

project plan with resource

estimates and sequencing

19




Resource Planning

• Discussed project objectives with resource

managers

• Simple approach to resource ($$$ and staff)

estimation:

– Determine “best case” and “worst case” time and

cost estimates

– Average those endpoints

– Surprisingly accurate!

20




Ranking System

• Each project ranked on costs (financial and

staff), importance and urgency

21




Outcome

• Projects sequenced to prioritize high-risk

findings and balance resource consumption

• Overall costs: $4.6M one-time, $630K

recurring

• Presented to University leadership and funded

in full

22




Overview

• Background


•



23




Program Mission

24

Identify confidentiality, integrity and

availability risks to sensitive Universityinformation, and mitigate those risks to

acceptable levels.




Program Objectives

25

The objectives of the program are to:

• Evaluate risks to the confidentiality, integrity andavailability of sensitive information

• Establish and implement controls to fill critical gaps,as determined by institutional risk tolerance

• Create awareness of information security and properdata handling practices

• Establish and communicate security-related policies,procedures and standards




Program Plan

26




Policy

• It all begins with policy…really!

27

Security Policies(1.1)

ConfigurationStandards (1.3)

SDLC (1.5)

Policy

Security Policies and Standards (FY 2007)

Establish University-wide Information Security policies and handling

standards based on ISO 17799

Configuration Standards (FY 2007)

Develop configuration standards for applications and mobile systems

Software Development Lifecycle (FY 2010)

Select and implement a SDLC model for use with OIT systems




Awareness, Training and

Education

28

Awareness, Training and Educat ion ClassificationWorkshops (2.2)

Sensitive Data Handler

Training (2.4)

Technical Security

Training (2.5)Student Awareness

& Training (2.3)

Employee

Awareness &Training (2.1)

Employee Awareness (FY 2007-2008)

Provide security awareness, communication and training for faculty & staff

Student Awareness (FY 2008)

Provide security awareness, communication and training for students

Classification Workshops (FY 2008)

Conduct workshops to aid Data Stewards in classifying their data

Sensitive Data Handler Training (FY 2008)

Provide specialized training for those who work with sensitive University Data

Technical Security Training (FY 2009)

Provide specialized technical security training for IT Professionals




Workstation Security

29

File Security (6.3)Malware

Management (6.2)

Workstat ion Secur i ty

Initial DesktopRemediation (6.1)

MessagingSecurity (6.4)

Initial Desktop Remediation (FY 2007) Apply a basic set of security controls to University workstations

Malware Management (FY 2008)

Provide a solution for management and monitoring of antivirus and anti-

spyware software on University systems

File Security (FY 2009)

Conduct a vulnerability assessment and apply security controls to NetFile

Messaging Security (FY 2009-2010)

Apply security controls to electronic mail and instant messaging




Server Security

30

Database Security

(7.3)

Data Center

Remediation (7.1)

Server Integrity

Monitoring (7.2)

Server Security

Dept Server

Consulting (7.4)

OIT Server

Management (7.5)

Data Center Architecture Enhancements (FY 2008)Enhance security controls on the OIT Data Center front end

Server Integrity Monitoring (FY 2008)

Formalize OIT server integrity monitoring infrastructure and processes

Database Security (FY 2008)Conduct a vulnerability assessment of University databases and implement

appropriate controls

Departmental Server Consulting (FY 2008-2009)

Conduct a security assessment of each departmental server and provide

recommendations on alternative technologies and/or appropriate controls.

OIT Server Management (FY 2008-2009)

Implement security management practices for OIT servers with

separation of duties and data segregation, where appropriate




Network Security

31

Intrusion

Prevention (5.4)

Network Secur i ty

Border Security

(5.1)

Network AdmissionControl (5.5)

Zoned Network &

Wireless Sec. (5.3)

Network Device

Management (5.2)

Border Security (FY 2007)Implement campus network border firewall to block unsolicited inbound connections

Network Device Management (FY 2007-2008)

Implement security standards on campus network devices

Zoned Network and Wireless Security (FY 2008-2009)Design and implement a zoned network architecture with appropriate security

controls on the wired and wireless networks

Intrusion Prevention (FY 2009)

Replace the University’s existing intrusion detection system with a comprehensive

intrusion prevention system

Network Admission Control (FY 2010)

Implement controls to ensure that network-

connected systems meet security standards




Security Infrastructure

32

ApplicationLogging (4.4)

Log Security

Analysis (4.5)

Network Activity

Logging (4.7)

Vulnerability

Scanning (4.1)

Firewall

Mgt. (4.6)


Rogue Wireless AP

Detection (4.8)Sensitive Data

Scanning (4.3)Security Review

Process (4.2)

Vulnerability Scanning (FY 2007)Create a scanning facility to proactively detect technical vulnerabilities in

University systems

Security Review Process (FY 2007)

Create a process for consistently conducting information security reviews

Sensitive Data Scanning (FY 2008)

Create a scanning facility to proactively detect CC/SSNs stored in institutional

file systems




Security Infrastructure (cont’d)

33

ApplicationLogging (4.4)

Log Security

Analysis (4.5)

Network Activity

Logging (4.7)

Vulnerability

Scanning (4.1)

Firewall

Mgt. (4.6)


Rogue Wireless AP

Detection (4.8)Sensitive Data

Scanning (4.3)Security Review

Process (4.2)

Application Logging (FY 2009)Capture enterprise application events in the OIT central log repository

Network Logging (FY 2009)

Capture records of off-campus connections involving University systems

Security Log Analysis (FY 2009)Create a security log analysis capability for use with the central log repository

Firewall Management (FY 2009)

Audit existing firewall rulebase and implement standard management practices

Rogue Wireless AP Detection (FY 2010)Provide the ability to identify unauthorized wireless access points on the

University network




Credit Card Security

34

Infrastructure

(3.1)Monitoring (3.3)

CCSP

Physical

Security (3.4)

Application

Migration (3.2)

CCSP Infrastructure (FY 2007)Create the infrastructure required to migrate card processing applications to

the OIT data center

CCSP Application Migration (FY 2007-2008)

Move card processing servers to the payment card environment located in the

OIT data center

CCSP Monitoring (FY 2008)

Implement ongoing technical monitoring of the payment card environment

CCSP Physical Security (FY 2008-2009)

Upgrade data center physical security to meet PCI DSS requirements




Incident Handling

35

Forensics (8.2)

Incident Tracking

System (8.3)

Incident Response

Procedures (8.1)

Incident Handling

Incident Response Procedures (FY 2010)

Create technical procedures for responding to information security incidents

to supplement the existing Incident Response Plan

Forensics (FY 2010)

Identify forensic resources for use in information security incident response.

Incident Tracking System (FY 2010)

Provide an information security incident tracking system




Sustaining Activities

36

Program

Monitoring (9.3)

Susta in ing Ac t iv i t ies

Security Ops

Center (9.1)

Recurring Risk

Assessments (9.2)

Security Operations Center (FY 2008-2009)

Create an operations center to monitor and provide initial response to

security events

Recurring Risk Assessments (FY 2010)

Establish a process for recurring, periodic risk assessments to measure riskto University data assets

Program Monitoring (FY 2010)

Assess the ongoing effectiveness of the information security program




Overview

• Background


• Digesting the Results

• Implementing the Security Program


37




Current Status

38




Program Highlights

• For the most part, on-time completion under

budget

• Some “in-flight” changes to the plan to:

– Reprioritize project sequencing

– Address new risks (e.g. Web application security)

– Balance resource utilization with other initiatives

39




Policy and Standards

• Policy complete and

awaiting Officer approval

• Operating systemstandards in place

•

Application standardscomplete and published

40

Policy Usage

(Spring 2007 – Fall 2007)

2%10% 7% 13%

44%

59%55%

66%

35%

21% 28%12%

20%10% 10% 9%

0%

10%

20%

30%

40%

50%60%

70%

80%

90%

100%

Spring 2007 Fall 2007 Spring 2007 Fall 2007

Faculty Staff

Use it regularly Have read it

Aware it exists Not aware it exists




Vulnerability Scanning

41




Awareness

42

• Goal: Engage 85% of the faculty and staff atleast twice annually

42

43%

94%

56%

97%

32%

6%

23%

1%

25%

3%

21%

2%

0%

10%20%

30%

40%

50%

60%

70%

80%

90%

100%

Faculty

Spring 2007

Faculty

Fall 2007

Staff

Spring 2007

Staff

Fall 2007

No contact

One-TouchTwo-Touch



Questions

Documents

Building a Riskbased Information Security Program132[2]