SUPPLEMENT TO STUDENT GUIDE
Building a Standards-Based Information Security Program
SEMINAR 03A
Tammy Clark 3 Nov 09
INTRODUCTION
• This supplement to your student guide was developed to assist those of you who are in the process of developing or implementing information security programs and initiatives
• The approach is based on ISO 27000, which advocates building a program with:
  • Top management sponsorship/support/participation
  • Existing resources, which may require an incremental approach depending on your staffing and budget levels
  • Risk management as the cornerstone or foundation
• Please keep in mind: ONE SIZE DOES NOT FIT ALL!
• The approach you select for your institution needs to be robust, proactive, cost effective, efficient and comprehensive
INFORMATION SECURITY PROGRAM DEVELOPMENT ROADMAP
• Define information security requirements
• Develop a campus information security plan
• Develop information security policies
• Define information security organizational requirements
• Develop Six Key Information Security Initiatives:
  • Information security awareness program
  • Risk/vulnerability management program
  • Incident management program
  • Business continuity program
  • Data protection and privacy program
  • Compliance program
• Develop an Information Security Architecture/Standards Roadmap/Plan
• Define and implement methods to assess effectiveness, and institute corrective and preventive improvements, etc.
YOUR INFORMATION SECURITY ROADMAP MIGHT LOOK SOMETHING LIKE THIS EXAMPLE…
ISO/IEC 27000 – A WEALTH OF GUIDANCE/ASSISTANCE IN DEVELOPING YOUR INFORMATION SECURITY PROGRAM
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development & Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
SO LET’S GET STARTED!
• General overview of various Information Security Roadmap components
• Tips and recommendations
• Pointers to EDUCAUSE Higher Ed Information Security Council information/guides/toolkits that can assist you now
• Other helpful references
DEFINING YOUR INSTITUTION’S INFORMATION SECURITY REQUIREMENTS
• Overarching goals: Confidentiality, Integrity, Availability, and Accountability
• Identify and classify critical assets (information, systems, applications, people)
• Conduct prioritized risk and vulnerability assessments
• Study legal requirements
• Examine your institutional requirements and strategic plans from both a ‘business’ and information technology standpoint
• Gap analysis: past, present and future
DEFINING YOUR INSTITUTION’S INFORMATION SECURITY REQUIREMENTS
• This is an ongoing activity: you will continue to reassess and build upon your initial requirements
• Consider this a short-term project up front; get a good initial set of requirements to work with and move on to the next step
• Consider additional objectives, such as ethics, transparency, reputation, service delivery, etc.
DEVELOPING YOUR CAMPUS INFORMATION SECURITY PLAN
• Incorporate the following:
  • Your information security roadmap objectives
  • Information security requirements
  • Results of audits, risk and vulnerability assessments
  • Gap analysis (past, present, future)
  • Executive-level briefing/discussion to engender support of non-technical leaders at your university
  • Any strategic IT, business or academic plans at your university; tie your plan to key objectives
  • Actionable objectives for the current fiscal year based on staffing levels, budget, resources, etc., prioritized by greatest need, risk and impact
DEVELOPING INFORMATION SECURITY POLICIES
• If you decide to build an information security management system (ISMS) based on ISO 27000, you will want to consider developing a policy specific to your ISMS
• You can find an ISMS policy that GSU developed at http://www.gsu.edu/ist/33620.html
• Outline of Model Security Policy Elements: https://wiki.internet2.edu/confluence/display/itsg2/Outline+of+Model+Security+Policy+Elements
• You can also find a wealth of information about information security policies at http://www.educause.edu/Resources/Browse/SecurityPolicies/30437
DEFINING YOUR INFORMATION SECURITY PROGRAM’S ORGANIZATIONAL REQMTS
• This particular aspect of developing an effective information security program also brings home the point that top management participation and support are critical to the success of information security programs
• Without the necessary funding, staffing and resources, a program will more than likely exist in a ‘reactive’ mode, which is highly problematic
• Selling top management on your program’s goals and objectives is a critical success factor!
DEFINING YOUR INFORMATION SECURITY PROGRAM’S ORGANIZATIONAL REQMTS
• Rule of thumb: the more information security is handled by a ‘silo’ information security group or department, the more staffing resources you will need; in fact, you may never have enough
• Alternatively, the more that information security accountability is ‘spread’ throughout the IT organization, and operational, tactical and training aspects are handled by departments that specialize in these areas, the fewer information security staffing resources you will require
DEFINING YOUR INFORMATION SECURITY PROGRAM’S ORGANIZATIONAL REQMTS
• EDUCAUSE resources:
  • Information Security Governance Assessment Tool: http://www.educause.edu/Resources/InformationSecurityGovernanceA/160639
  • Other EDUCAUSE resources: http://www.educause.edu/search?quick_query=information+security+staffing&Image1.x=40&Image1.y=19
• Additional resources:
  • http://csrc.nist.gov/publications/nistir/ir7359/NISTIR-7359.pdf
  • http://searchcio.techtarget.com/generic/0,295582,sid182_gci1259541,00.html
DEVELOPING SIX KEY INFORMATION SECURITY PROGRAM INITIATIVES
• The EDUCAUSE Higher Education Information Security Council has working groups that have developed resources for most, if not all, of these key security initiatives
• The primary advantage to integrating them into your program is that they were developed by information security practitioners in higher education
• There is also an information security guide and a number of effective practices and case studies
DEVELOPING AN INFORMATION SECURITY AWARENESS PROGRAM
• Organizing Your Campus IT Security Website: https://wiki.internet2.edu/confluence/display/itsg2/Organizing+Your+Campus+IT+Security+Website
• Cybersecurity Awareness Resource Library: https://wiki.internet2.edu/confluence/display/itsg2/Cybersecurity+Awareness+Resource+Library
• National Cybersecurity Awareness Month Resource Kit: https://wiki.internet2.edu/confluence/display/itsg2/NCSAM+Resource+Kit
• National Cybersecurity Awareness Month Sample Kit: https://wiki.internet2.edu/confluence/display/itsg2/NCSAM+Sample+Kit
• Other EDUCAUSE Information Security Awareness Resources: http://www.educause.edu/Resources/Browse/SecurityAwareness/30439
DEVELOPING RISK AND VULNERABILITY MANAGEMENT PROGRAMS
• There is an ISO standard, ISO 27005, that assists organizations in developing a measurable, consistent, systematic and auditable approach to risk management
• Additionally, many turn to the NIST standards, which are also helpful to integrate into a program, although they do not take a comprehensive approach to the information security management and governance aspects
DEVELOPING RISK AND VULNERABILITY MANAGEMENT PROGRAMS
• Risk Management Framework: https://wiki.internet2.edu/confluence/display/itsg2/Risk+Management+Framework
• Risk Assessment Consultants List: https://wiki.internet2.edu/confluence/display/itsg2/IS+Risk+Assessment+Consultants+List
• Risk Assessment Sample RFPs: https://wiki.internet2.edu/confluence/display/itsg2/IS+Risk+Assessment+Sample+RFPs
• Risk Assessment Tools List: https://wiki.internet2.edu/confluence/display/itsg2/Risk+Assessment+Tools
DEVELOPING AN INCIDENT MANAGEMENT PROGRAM
• Data Incident Notification Toolkit: https://wiki.internet2.edu/confluence/display/itsg2/Data+Incident+Notification+Toolkit
• Guidelines for Responding to Compulsory Legal Requests for Information: https://wiki.internet2.edu/confluence/display/itsg2/Protocol+for+Law+Enforcement+Requests
• Electronic Records Management Toolkit: https://wiki.internet2.edu/confluence/display/itsg2/Protocol+for+Law+Enforcement+Requests
DEVELOPING A BUSINESS CONTINUITY PROGRAM
• There is a new standard for business continuity that I encourage you to check out, BS 25999. It will become an ISO 27000 standard, and the approach taken is similar to that of ISO 27001 and 27002: building a system based on risk management and continuous improvement
• An organization can also get its BCMS (business continuity management system) certified by a registrar, as with ISO 27001
DEVELOPING A BUSINESS CONTINUITY PROGRAM
• Business Continuity Planning Toolkit: https://wiki.internet2.edu/confluence/display/itsg2/Business+Continuity+Planning+Toolkit
• Other EDUCAUSE Resources: http://www.educause.edu/Resources/Browse/BusinessContinuityPlanning/25543
DEVELOPING A DATA PROTECTION AND PRIVACY PROGRAM
• Confidential Data Handling Toolkit: https://wiki.internet2.edu/confluence/display/itsg2/Confidential+Data+Handling+Blueprint
• Data Classification Toolkit: https://wiki.internet2.edu/confluence/display/itsg2/Data+Classification+Toolkit
• Data Protection Contractual Language: https://wiki.internet2.edu/confluence/display/itsg2/Data+Protection+Contractual+Language
• Guidelines for Information Media Sanitization: https://wiki.internet2.edu/confluence/display/itsg2/Guidelines+for+Information+Media+Sanitization
DEVELOPING A COMPLIANCE PROGRAM
• Study (and determine) the legal requirements applicable to your institution
• Develop a matrix that maps the key requirements you need to meet, drawn from all the legal requirements your institution may be subject to as well as from your own policies and standards
• At that point, you will want to integrate all of them under one umbrella, which the ISO standards facilitate very easily and well, rather than trying to accommodate each standard separately
DEVELOPING A COMPLIANCE PROGRAM
• Major compliance categories to integrate into your program:
  • Asset identification and classification
  • Risk and vulnerability management
  • Controls integration into IT and business processes
  • Addressing third-party security through contracts or service provider agreements
  • Security awareness training
  • Monitoring and measuring
  • Continuous improvement
DEVELOPING A COMPLIANCE PROGRAM
• PCI DSS resources on EDUCAUSE: http://www.educause.edu/Resources/Browse/PCIDSS/33405
• Compliance resources on EDUCAUSE: http://www.educause.edu/search?quick_query=Compliance
• Additional resources: http://www.google.com/search?hl=en&rlz=1R2GGIT_en&q=information+security+compliance+universities&aq=f&oq=&aqi=
DEVELOPING AN INFORMATION SECURITY ARCHITECTURE/STANDARDS PLAN
• Develop both short- and long-range plans
• Take into account the roles that technology, processes, and people play in protecting critical IT resources and data
• Use the standards that are available (ISO, NIST, COBIT, etc.) to assist in creating a ‘holistic’ strategy and approach
• An incremental and measured approach is critical
• Demonstrating ROI in terms of increased efficiencies/effectiveness is also important
DEVELOPING AN INFORMATION SECURITY ARCHITECTURE/STANDARDS PLAN
• Technology
  • An effective long-term strategy will take into account the past, present and future IT infrastructure, critical systems and information, and academic/business objectives in relation to the use of technology
  • Use the results of risk and vulnerability assessments, security reviews, as well as audits and incidents, to assist in prioritization and selection of countermeasures and technology solutions
DEVELOPING AN INFORMATION SECURITY ARCHITECTURE/STANDARDS PLAN
• Process
  • Standardized processes, together with increasing the understanding and ability of ‘people’ to both use technology responsibly and protect information from becoming exposed, stolen, or available to unauthorized persons, are also important
  • In addition to technical measures, seek to develop processes that are proactive in preventing unintended exposures of critical/confidential data, and policy violations that could also result in a data breach or a failure of confidentiality, integrity, or availability
DEVELOPING AN INFORMATION SECURITY ARCHITECTURE/STANDARDS PLAN
• People
  • Increasing the understanding and ability of ‘people’ to both use technology responsibly and protect information from becoming exposed, stolen, or available to unauthorized persons is critical
  • Consider strategies and solutions that will increase accountability across the IT organization and campus
DEVELOPING AN INFORMATION SECURITY ARCHITECTURE/STANDARDS PLAN
• EDUCAUSE references: http://www.educause.edu/Resources/Browse/SecurityArchitecture/30441
• Other references:
  • http://en.wikipedia.org/wiki/Enterprise_information_security_architecture
  • http://www.oracle.com/industries/education/pdfs/oracle-higher-ed-how-secure-article.pdf
DEFINE AND IMPLEMENT METHODS TO ASSESS EFFECTIVENESS
• Take into account the results of security audits, incidents, effectiveness measurements, and suggestions and feedback from interested parties
• Measure the effectiveness of the control objectives that you’ve implemented (business continuity, compliance, etc.)
• There are many perspectives on metrics available on the EDUCAUSE site at http://www.educause.edu/search?quick_query=information+security+metrics
QUESTIONS?
Feel free to contact me!
Tammy Clark, 404 413 4509, [email protected]
Copyright Tammy L. Clark, Nov 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.