Von Welch, Director
Craig Jackson, Senior Policy Analyst
Susan Sons, Senior Systems Analyst
Naval Surface Warfare Center Crane Division
28 August 2015
Outline
1. Overview and History of CACR
2. CACR Expertise: Risk Management, Policy, Compliance
3. CACR Activities: CTSC, SWAMP, XSIM, Education/Internships
4. CACR Events: Seminar Series, Summits
CACR
Founded by then CIO Michael McRobbie in 2003
“...university-wide research center that would bridge our operational strengths and practical experience with our academic units [and] bridge technical specialties in cybersecurity with business, law and the behavior disciplines.”
Cybersecurity @ IU
CACR's IU Partner Organizations
•REN-ISAC
•SOIC (Master’s Degree in Cybersecurity)
•University Information Security Office
•University Information Policy Office
•Maurer School of Law
•Kelley School of Business
•IUPUI School of Science
•Pervasive Technology Institute Research Center
IU’s NSA/DHS Designations
Indiana University designated as a National Center of Academic Excellence in Information Assurance / Cyber Defense through academic year 2021.
CACR is External Facing
Base funding from OVPIT, President’s Office, but primarily grant-funded applied research.
Since its origination in 2003, over $16 million in external funding from: Lilly Endowment, Inc., the National Science Foundation, the Department of Energy, the Department of Homeland Security, the National Institutes of Health, and others.
External partners: CMU/PSC, U. of Illinois/NCSA, U. of Wisconsin,
U. of Wisconsin-Milwaukee, Morgridge Institute for Research.
Applied Research
CACR’s mission is to advance the state of cybersecurity practice, interdisciplinary research, and understanding in order to serve Indiana University, the state of Indiana,
and our national and global communities.
Some guiding principles:
● Stay grounded: CACR takes on operational cybersecurity responsibilities.
● Real-world problem-oriented research in collaboration with funding partners.
● Tackle all aspects of problem: technical, policy, legal, social.
● Draw on Indiana University’s wide range of scholarly expertise in computer science, informatics, accounting and information systems, criminal justice, law, organizational behavior, public policy, and other disciplines.
Cybersecurity Historically
Firewalls, IDS, encryption, logs, passwords, ...
Cybersecurity is an Interdisciplinary Challenge today
http://www.bankinfosecurity.com/
Cybersecurity as a Risk Management Tool
Cybersecurity supports the organization by managing risks to its business mission.
Must understand what is critical to business mission and apply resources appropriately.
Must balance resources between prevention, detection, and response to risks.
CACR Expertise: Risk Management, Policy, Compliance
Risk Management & Resilience
● Familiarity w/ many frameworks: FISMA / NIST RMF, NIST Framework for Improving Critical Infrastructure Cybersecurity, HIPAA, ISO, MITRE’s resilience work
● Assist organizations in navigating and applying these frameworks, conducting risk assessments, balancing prevention, detection, response, fight thru, and recovery; evaluating their information security programs
● Experience applying risk management to novel environments and particular missions where one-size-fits-all doesn’t cut it
● We know the pitfalls: effort / resources; failure of orgs and auditors to understand risk acceptance
Policy & Law
Policy: provide leadership, guidance, and a convening function on national and international levels; often bringing people together who otherwise would never talk
policy: assist organizations in creating, navigating, enforcing, and educating personnel on the detailed policies and laws that both limit and enable our missions
Image credit: Bob Cowles
Compliance
• FISMA and HIPAA
  • Establish NIST-based Risk Management Framework (RMF) at IU
  • Use it to align IU's central systems with HIPAA & FISMA
  • Assist IU biomedical researchers to tackle HIPAA
  • Develop compliance resources for IU
• Education
  • Provide HIPAA and FISMA training locally and nationally
• Outreach
  • Provide cyber compliance assistance to other academic and research institutions
  • Provide national leadership on compliance issues in research and academia
Key CACR Projects
Image credit: NSF/K. Thompson
TrustedCI.org: Center for Trustworthy Scientific Cyberinfrastructure
Providing leadership and addressing cybersecurity challenges for the NSF community.
CTSC’s Accomplishments
● Engaged with >20 NSF science projects to provide cybersecurity leadership.
● Organized 2013-15 NSF Cybersecurity Summits for Large Facilities and CI
● Developed and provided training & best practices.
● Developed Cybersecurity Program Guide for NSF CI
● Authoring cybersecurity chapter for NSF Large Facilities Manual
Software Assurance Marketplace (SWAMP)
We rely increasingly on our software stacks – both the ones we write and others.
Open nature leads to large attack surfaces.
Software integrity is critical.
Funded by DHS:
Morgridge Institute for Research (lead)
University of Illinois Urbana Champaign
University of Wisconsin – Madison
Indiana University
Explosion of Software
Plus cars, medical devices, Internet of Things….
And where are all those programmers?
A Framework for Software Assurance
Figure: the SWAMP assessment framework. Packages (current: 396, plus bring your own) are assessed by Tools against Platforms (current counts of 8 and 9) on a compute pool of 700+ cores; assessment results are parsed and then viewed in Result Viewers (current: 2).
eXtreme Scale Identity Management for Science (XSIM)
Traditional computing with users all managed by data center.
Modern science has large multi-site collaborations.
Funded by DOE/ASCR
Image credit: Ian Bird/CERN
Science collaboratory identity management
• Based on interviews with 18 sites and projects.
• Simple model for describing collaboratory IdM.
• Identified factors that inhibit and encourage delegation from computing center to collaboration.
Security Matters
A trusted voice for the general public.
Real world practice cybersecurity guidance videos.
http://www.securitymatters.iu.edu/
Internships
● Working with students from multiple disciplines: law/policy, computer science, engineering
● Students work alongside CACR Senior Analysts on policy issues, selecting and implementing security controls, providing training, and assessing the security needs of novel technologies and implementations.
● Big attractions: exposure to unusual technologies and environments, and opportunities for professional development rather than being penned in on rote tasks.
CACR 2015-16 Seminar Series
Every other Thursday at noon in Law 335.
Free and open to the public. Lunch provided.
9/3/15 Stacy Prowell, ORNL
10/1/15 Sadia Afroz, U. Berkeley
10/15/15 Bart Miller, U. Wisconsin
11/5/15 Abhi Shelat, U. Virginia
12/10/15 Kathryn Seigfried-Spellar, Purdue U.
1/21/16 Lujo Bauer, CMU
2/4/16 Serge Egelman, U. Berkeley
2/18/16 Matt Bishop, U. Cal-Davis
3/24/16 LeAnn Miller, Sandia
4/7/16 Yang Wang, Syracuse U.
4/21/16 Adam Slagell, U. Illinois/NCSA
CACR Cybersecurity Summit
2014 Summit
● Featured two senior Homeland Security officials responsible for cyber operations and R&D.
2015 Summit Coming Soon!
● September 15, 2015
● Hine Hall, IUPUI, Indianapolis
● Featuring Ron Ross, NIST
2015 CACR Summit Agenda
• Morning Keynote Address:
  • Ron Ross, NIST
• Morning Panel: Enterprise Risk Management
  • Merri Beth Lavagnino, Indiana University
  • Ron Ross, NIST
  • Hans Vargas, Indiana Office of Technology and IN-ISAC
• Lunch Keynote Address:
  • Harvey Rishikof, Crowell & Moring
• Afternoon Panel: Privacy, Promises and Shortcomings of Technology
2015 CACR Summit Agenda
Cybercrime and Fraud Track
• Speaker/Topic: Stephen Reynolds & Nick Merker, Ice Miller
  • "Preventing, Insuring and Surviving Fund Transfer Fraud"
• Speaker/Topic: Mark Villinski, Kaspersky Lab North America
  • "The Explosion of Cybercrime - The 5 Ways IT May be an Accomplice"
Privacy Track
• Speaker/Topic: Nate Anderson, Sears Holding Company
  • "Privacy Lessons from the Field"
Governance, Risk Management & Compliance Track
• Speaker/Topic: Jeff Foresman, Rook Security
  • "Compliance vs. Security - How to Build a Secure Compliance Program"
• Speaker/Topic: Scot Ganow, Esq., CIPP/US, Faruki, Ireland & Cox P.L.L.
  • "Getting in Shape for Breach Season"
2015 CACR Summit
• Registration: https://uits.iu.edu/cybersecurity-summit
• Additional Information: Contact CACR at [email protected]
Thank you.
Von Welch [email protected]
Craig Jackson [email protected]
Susan Sons [email protected]
cacr.iu.edu