McAfee Focus Conf Oct 09
April 9, 2023
The Impact of Breaches on Higher Ed
Tammy Clark, CISSP, CISA, CISM, PMP, ISO 27001 Lead Auditor
Chief Information Security Officer, Georgia State University
Is It Really As Bad As They Say it Is?!
Well, that depends on who you talk to. Educational Security Incidents (ESI), which catalogs higher education security incidents and data breaches, reports that in 2008:
• 173 separate incidents were reported
• 24.5% increase over 2007
• Primary reasons:
– Unauthorized Disclosure – 75
– Theft – 40
– Unauthorized Access/Penetration – 35
• Privacy Rights Clearinghouse reports that so far in 2009, 38 colleges have reported incidents out of 196 total incidents reported…
– Of these, 17 were due to theft, 11 to unauthorized access/penetration, and 10 were the result of unauthorized disclosure
So What Are Our Major Issues?
• Standardization/Plans, Policies and Standards
• Data Classification and Risk Management
• Misconfigured devices, apps and web sites
• Inadequate perimeter protection
• Lack of advanced intrusion detection & analysis skills
• Inadequate endpoint protection
• Lack of encryption
• Open-ended culture
• Security ‘un-aware’ users: no ‘skin in the game’, or circumventing controls
What ‘Drives Change’ in Higher Ed?
• Compliance: PCI, FERPA, HIPAA, GLBA, Red Flags, DMCA
• Research Grants that require minimum levels of security or compliance with FISMA or ISO 27001/2
• Data Breaches (either our own or a neighboring institution)
• Budget Cuts
• Audits
• Emergency Management
• Risk Management
• University President’s/Provost’s Priorities
What Are We Doing to Prevent Breaches?
Technology
– Renewed emphasis on endpoint security
– Encryption
– Vulnerability Assessments
– NIPS
– Host IPS
– Anti Malware
– NAC
– DLP
– IDM
– Integrated Solutions Suites that provide better, deeper visibility
What Are We Doing to Prevent Breaches?
Process
– Myriad of Compliance Initiatives
– Standards (ISO, FISMA, COBIT, ITIL) and Standardization (Yes! In Higher Ed)
– Get Rid of Confidential Data We Don’t Need or Require!
– Data Classification and Risk Management
– Audits/Corrective & Preventive Controls
– Physical & Logical Controls
– Policies and guidelines for 3rd parties processing or storing our data
– Contract with customers on campus to manage their critical systems and data with central IT/Sec organizations
What Are We Doing to Prevent Breaches?
People
– Authority=Accountability (The Golden Rule)
– Responsible for Compliance – in Some Cases, Personal Liability
– Security Awareness Training
– Data Cleanup Parties
– Security Reviews and mandated controls for systems processing confidential data (require encryption, not running P2P apps, etc.)
Now What?
We’re Really Cleaning up our Act
– Getting better and better at protecting the perimeter
– Focusing Now on Testing and Securing Apps, Databases, Web Servers
– Using compliance as a driver to mandate and standardize our complex IT environments
– Endpoint Security: building arsenals of tools such as anti-malware, NAC, and tools that enforce standardization, in addition to traditional AV/HIPS
– Turning to standards, especially ISO and NIST, for guidance and best practices based on risk management
– Emphasizing data classification and clean-up
– Selecting integrated solutions
– Making a lot of effort to educate our large user populations
Presentations will be available on the FOCUS website
www.mcafee.com/focus09
Password: protect2009