Implementing an Information Technology Security Program

EDUCAUSE 2006

Stefan Wahe, Enterprise Security Consultant, and Gary De Clute, IT Policy Consultant

Copyright © 2006 University of Wisconsin Board of Regents

UNIVERSITY OF WISCONSIN – MADISON • DoIT • DIVISION OF INFORMATION TECHNOLOGY

TRANSCRIPT

Page 1

10/11/2006

Implementing an Information Technology Security Program

EDUCAUSE 2006

Stefan Wahe, Enterprise Security Consultant

& Gary De Clute, IT Policy Consultant

Copyright © 2006 University of Wisconsin Board of Regents

UNIVERSITY OF WISCONSIN – MADISON • DoIT • DIVISION OF INFORMATION TECHNOLOGY

Page 2

A Quick Survey

Who are Information Technology Managers (CIOs, Department Managers, Project Managers)?

• Management responsibilities: ensuring that something is being done about security. The keeper of the Master Schedule.

Who has the phrase “IT Security” in their title?

Who are Security Administrators?

• Help identify best practices

• Follow the Master Schedule

Page 3

Our Working Definition

An Information Technology Security Program (ITSP) is an administrative program for an information system that provides the policy and procedural framework for building and maintaining the information security of the system.

Page 4

Why is there a need for a security program?

Ever increasing risk: Risk = Value × Vulnerabilities × Threats

Ever expanding mandates: Federal and State laws and regulations

Page 5

Risk = Value × Vulnerabilities × Threats: Value

Concern for the well-being of the people in our university community:

• Health and safety

• Identity theft

• Privacy of medical, financial and academic records

Page 6

Risk = Value × Vulnerabilities × Threats: Value (continued)

Concern for the well-being of our institution:

• Reputation

• Morale

• Funding

Page 7

Risk = Value × Vulnerabilities × Threats: Vulnerabilities

Increased complexity results in increased vulnerability:

• More avenues of attack

• Harder to track

• More surprises

Page 8

Risk = Value × Vulnerabilities × Threats: Threats

Threat levels are steadily increasing:

• More attackers (automated or hacking)

• More motivation (financial gain)

• More sophisticated tools

Page 9

Mandates

In response to increasing risk we are experiencing:

Proliferation of Federal and State laws and regulations

Increasing need for campus-wide information security policies

Page 10

Page 11

Why is there a need for an “administrative program”?

• We have many security controls available to us to reduce risk

• But, how good are we at applying those controls cost-effectively and consistently?

• Good planning is the “good” kind of overhead

Page 12

Systematic Approach

Adhocracy is no longer sufficient:

• Not comprehensive in scope

• Not consistent over time

• Murphy’s Law applies: if there is a vulnerability, sooner or later someone or something will exploit it

Page 13

Prerequisites for Effective Security Controls

• Management commitment

• Doable, affordable and maintainable implementation

• Cooperation among organizations, staff and users

Page 14

People Make a System Secure

Examples:

• Strong passwords and safe practices

• Secure workstation, server and network configurations

• Security-conscious business processes

• Good planning and execution of security controls

Page 15

(Diagram: a cycle around the ITSP with four elements: Policies & Roles; Follow Procedures; Awareness & Training; Produce Documents.)

Page 16

Key Success Factors:

Efficiency

Adopt an existing, inexpensive, comprehensive, and expanding body of work:

We adopted the framework from the National Institute of Standards and Technology (NIST)

Works well for a large state university (many similarities to a federal agency)

Page 17

Key Success Factors:

Comprehensive

Comprehensive in order to provide assurance:

NIST framework addresses all major aspects of information security

Encompasses entire system development cycle

Page 18

(Diagram: the NIST framework’s control areas in three columns.)

Management

• Risk Management

• Life Cycle Security

• Authorization to Process

• Security Program

• Review of Controls

Operations

• Human Resources

• Awareness & Training

• Physical Security

• Incident Response

• Information Handling

• Business Continuity

• HW & SW Maintenance

• Data Integrity

• Documentation

Technical

• Access Controls

• Audit Trails

• Authentication and Authorization

Page 19

Key Success Factors:

Continuous

• A one time effort after a “scare” creates a false sense of security

• Security controls need to be designed and implemented for the long-haul

• Protects prior investment in controls

• Avoids repeating implementation

Page 20

Key Success Factors:

Iterative Development

• We are creating a series of templates that can be customized to fit local conditions

• As each is implemented, we take what we learn and build it into the templates, making it easier next time

Page 21

ITSP Document Organization

(Diagram; layers from top to bottom.)

1. ITSP Program Description and Policy

2. Guidelines: Management Security Guidelines; Security Administrator Guidelines; Developer Security Guidelines; User Security Guidelines; Information Handling Guidelines

3. Procedures: Management Procedures; Operational Procedures; Technical Procedures

4. Resulting Plans and Reports

Alongside these: Inherited and System Specific Policy & Guidelines; Inherited and System Specific Procedures and Documents

Page 22

ITSP Outline

I. Program Description
II. Management Security
III. Operational Security
IV. Technical Security
V. Security Roles
VI. Core Documents
VII. Glossary
VIII. References

Page 23

Key Success Factors:

Just-in-time Development

Develop templates as they are needed for a particular implementation. To get started one needs:

“Information Technology Security Program” (provides the framework)

“Master Schedule & Plan” (provides a generic plan for implementation.)

Page 24

Key Success Factors:

Collaborative Development

• Folks can customize the templates in any manner

• We don’t tell folks what to do, we provide resources to help them do what they decide to do

Page 25

Key Success Factors:

Clearly Defined Roles

Four main roles:

• Management

• Security Administrators

• Application Developers

• Users

Page 26

Key Success Factors: Management Commitment

• Information security is management’s responsibility

• Adhocracy is no longer sufficient: increasing risk, increasing consequences

Page 27

Key Success Factors:

Specialized Management Roles

• Sponsors

• Middle Management & Supervisors (Mgt)

• Information System Security Managers (ISSMs)

• Information System Project Managers (ISPMs)

Page 28

Key Success Factors:

Inheritance

• We reduce the amount of work by “inheriting” policy and procedures from superior units

• These are “common controls”

• No need to restate a policy or procedure when one can reference it and note how it is implemented locally

Page 29

ITSP Policy & Procedure Inheritance

(Diagram. Sources of inherited policy, from the top down: Federal Regulations; State Regulations; Campus Policy; DoIT Policy. Inheriting programs shown: UDS ITSP; WPHIN ITSP.)

Page 30

Key Success Factors:

Flexible Order of Implementation

• Gaps can be plugged in any order

• Address the “crisis du jour”

• Each security control becomes a brick in the wall instead of a brick on the pile

Page 31

Key Success Factors:

Tied to System Development Cycle

• Allows for background activity to systematically improve security

• Events in the development cycle trigger security activities

• Incidents should not be the only triggers

Page 32

Key Success Factors:

Initial “Lite” Implementation

• The templates suggest a “lite” implementation as the default

• The cost of implementation depends on the willingness of management to “accept risk”

• Can be tuned by frequency or scope of activity

Page 33

Prioritize

Fill in the Rest Later

Page 34

THE WORLD WILL END

Page 35

YOUR DATA WILL BE

RELEASED

Page 36

IT Security’s Role

• Keep the Discussion Simple
  Don’t ask too many questions too soon
  Avoid exceptions and other minutiae

• Give Examples
  When a laptop walks off …
  News clippings, journals, books

• Have Answers Available
  Audit trails are important because …
  There is a centralized service for …

Page 37

Implementation Step One

Review and Document System Description
  What are we trying to protect?
  Business Need
  Data Types
  Identify Management, Administrators, Developers, and Users
  Describe the Infrastructure

Page 38

Implementation Step Two

Identify Assignment and Responsibility

  Management Security Procedures
    o Risk Management, Life Cycle Management, Security Program

  Operational Security Procedures and Controls
    o Contingency Planning, Integrity, Incident Response

  Technical Security Procedures and Controls
    o Access Controls, Audit Trails

Page 39

Implementation Step Three

Review Findings and Document

  Identify Risks
    o What are you not doing that could cost you?

  Document Responsibility in Policy-Like Statements
    o The System Security Manager will be responsible for implementing and maintaining a Security Program.

  Master Schedule
    o The System Security Manager will implement a Security Program for the System by December 23, 2006.

Page 40

Step One Example - System Description

What: Student Information System

Data: Sensitive Data (SSN, Financial Aid); Internal Data (Grades, FERPA)

Who: (1) Data Custodian, Registrar’s Office

(2) System Management, Central IT

Users: Functional Offices, Instructors, Students (Self-Service)

Page 41

Step Two Example - Let’s Talk Personnel Security

• Job responsibilities should be separated to reduce financial or system loss

• Background screening

• User accountability

• What could happen? The hiring of an employee who has previously committed financial fraud.

Page 42

Step Two Example - Personnel Security

Has Management identified where a segregation of duties is needed to reduce the likelihood that deliberate security breaches will occur?

Does Management conduct background screening of Staff, as warranted (are there legislative or regulatory requirements requiring background checks)?

Are Users responsible for complying with all relevant security policies and following all applicable security procedures as documented?

How does Management assure that all Users are informed of their security responsibilities?

Page 43

Step Three Example - Personnel Security

• Identified Risk (1)
  Access to sensitive data could be granted to a new hire who previously has been found guilty of financial fraud.

• Policy-Like Statements (1)
  Management will identify and implement a process for Human Resources to follow for conducting background screening on new hires. The Security Manager will periodically review the process.
  Human Resources will conduct background screening of Staff.

Page 44

Step Three Example - Personnel Security

• Identified Risk (2)
  Since Staff are not made aware of new security policies, they will not be able to modify their behaviors to comply with the policy that increases the level of security.

• Policy-Like Statement (2)
  The System Security Manager will create an awareness training program and periodically review the program.
  All Staff are required to complete a yearly security awareness training program.

Page 45

Step Three Example - Personnel Security

Master Schedule

System Cluster     | Item                       | Actor(s)                                                                                          | Freq
Personnel Security | Background Check Plan      | Senior Management will identify and implement a plan.                                             | One Time
Personnel Security | Review Plan                | The Security Manager will periodically review the plan and submit recommendations to Management. | Once a Year
Personnel Security | Conduct Background Check   | Human Resources will conduct checks on new hires.                                                 | Ongoing
Security Awareness | Security Awareness Program | System Security Manager will identify and implement a program.                                    | One Time
Security Awareness | Security Awareness Program | System Security Manager will periodically review and update the program.                          | Once a Year
Security Awareness | Complete Training          | All Staff will periodically complete the program.                                                 | Once a Year
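The Master Schedule above is only useful if someone checks it; the "Continuous" success factor earlier in the deck warns that a one-time effort creates a false sense of security. As an added example (not part of the original slides or of the UW–Madison program), the Python below turns the schedule's rows into a checkable list: given each item's frequency and the date it was last completed, it computes the next due date and reports what is overdue. The rows are taken from the slide; the completion dates, the "as of" date, the meaning assigned to each Freq value, and the program start date (the December 23, 2006 target from the Step Three slide) are assumptions made for illustration.

```python
"""Added example: make the Master Schedule checkable by computing due and overdue items.

Assumptions (not from the slides): each item records the date it was last completed;
"Once a Year" means 365 days after the last completion; a "One Time" item is due at
program start until it has been done; an "Ongoing" item is a per-event duty (e.g. each
new hire) and carries no calendar due date.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ScheduleItem:
    cluster: str                # System Cluster column, e.g. "Personnel Security"
    item: str                   # Item column
    actor: str                  # Actor(s) column, shortened to the responsible role
    frequency: str              # Freq column: "One Time", "Once a Year" or "Ongoing"
    last_done: Optional[date]   # constructed completion date; None = never completed


PERIODS = {"Once a Year": timedelta(days=365)}   # assumed meaning of the Freq column


def next_due(item: ScheduleItem, program_start: date) -> Optional[date]:
    """Date by which the item must next be completed; None when it is not date-bound."""
    if item.frequency == "Ongoing":
        return None                     # triggered per event, not by the calendar
    if item.last_done is None:
        return program_start            # never done: it was due when the program started
    if item.frequency == "One Time":
        return None                     # completed once, nothing further is due
    return item.last_done + PERIODS[item.frequency]


def overdue(items: List[ScheduleItem], program_start: date,
            today: date) -> List[Tuple[date, ScheduleItem]]:
    """(due date, item) pairs whose due date has already passed, oldest first."""
    late = []
    for it in items:
        due = next_due(it, program_start)
        if due is not None and due < today:
            late.append((due, it))
    return sorted(late, key=lambda pair: pair[0])


def overdue_report(items: List[ScheduleItem], program_start: date, today: date) -> List[str]:
    """One line per overdue item: due date, cluster, item and responsible actor."""
    return [f"{due.isoformat()}  OVERDUE  {it.cluster}: {it.item} ({it.actor})"
            for due, it in overdue(items, program_start, today)]


# Rows from the slide's Master Schedule; completion dates are constructed for illustration.
PROGRAM_START = date(2006, 12, 23)   # target date given on the Step Three slide
AS_OF = date(2008, 3, 1)             # constructed "today"
SAMPLE_ITEMS = [
    ScheduleItem("Personnel Security", "Background Check Plan", "Senior Management",
                 "One Time", date(2006, 12, 15)),
    ScheduleItem("Personnel Security", "Review Plan", "Security Manager",
                 "Once a Year", date(2007, 1, 10)),          # due again 2008-01-10
    ScheduleItem("Personnel Security", "Conduct Background Check", "Human Resources",
                 "Ongoing", None),
    ScheduleItem("Security Awareness", "Security Awareness Program", "System Security Manager",
                 "One Time", None),                          # never implemented
    ScheduleItem("Security Awareness", "Review Awareness Program", "System Security Manager",
                 "Once a Year", date(2007, 6, 1)),           # slide's second "Program" row, renamed
    ScheduleItem("Security Awareness", "Complete Training", "All Staff",
                 "Once a Year", date(2007, 4, 1)),
]

if __name__ == "__main__":
    for line in overdue_report(SAMPLE_ITEMS, PROGRAM_START, AS_OF):
        print(line)
```

With the constructed dates, two items come back as overdue: the awareness program that was never implemented (due at program start) and the annual review of the background-check plan. The "Ongoing" row is deliberately never flagged by the calendar; a per-event duty like screening each new hire has to be checked against the hiring records instead, which is the kind of evidence the Step Two questions ask management for.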

Page 46

Thank You!

Stefan Wahe, Enterprise Security Consultant
[email protected]

Gary De Clute, DoIT IT Policy Consultant
[email protected]

More information about our Security Program can be found at www.itsp.doit.wisc.edu after November 1, 2006.