10/11/2006 1
Implementing an Information Technology
Security Program
EDUCAUSE 2006
Stefan Wahe, Enterprise Security Consultant
& Gary De Clute, IT Policy Consultant
Copyright © 2006 University of Wisconsin Board of Regents
UNIVERSITY OF WISCONSIN – MADISON • DoIT • DIVISION OF INFORMATION TECHNOLOGY

A Quick Survey
Who are Information Technology Managers (CIOs, Department Managers, Project Managers)?
• Management Responsibilities
Who has the phrase “IT Security” in their title?
• Ensuring that something is being done about security. The keeper of the Master Schedule.
Who are Security Administrators?
• Help Identify Best Practices
• Follow Master Schedule
Our Working Definition
An Information Technology Security Program (ITSP) is an administrative program for an information system that provides the policy and procedural framework for building and maintaining the information security of the system.

Why is there a need for a security program?
• Ever increasing risk: Risk = Value X Vulnerabilities X Threats
• Ever expanding mandates: Federal and State laws and regulations

Risk = Value X Vulnerabilities X Threats: Value
Concern for the well-being of the people in our university community:
• Health and safety
• Identity theft
• Privacy of medical, financial and academic records

Risk = Value X Vulnerabilities X Threats: Value (continued)
Concern for the well-being of our institution:
• Reputation
• Morale
• Funding

Risk = Value X Vulnerabilities X Threats: Vulnerabilities
Increased complexity results in increased vulnerability:
• More avenues of attack
• Harder to track
• More surprises

Risk = Value X Vulnerabilities X Threats: Threats
Threat levels are steadily increasing:
• More attackers (automated or hacking)
• More motivation (financial gain)
• More sophisticated tools
Mandates
In response to increasing risk we are experiencing:
Proliferation of Federal and State laws and regulations
Increasing need for campus-wide information security policies

Why is there a need for an “administrative program”?
• We have many security controls available to us to reduce risk
• But, how good are we at applying those controls cost-effectively and consistently?
• Good planning is the “good” kind of overhead

Systematic Approach
Adhocracy is no longer sufficient:
• Not comprehensive in scope
• Not consistent over time
• Murphy’s Law applies: If there is a vulnerability, sooner or later someone or something will exploit it
Prerequisites for Effective Security Controls
• Management commitment
• Doable, affordable and maintainable implementation
• Cooperation among organizations, staff and users

People Make a System Secure
Examples:
• Strong passwords and safe practices
• Secure workstation, server and network configurations
• Security-conscious business processes
• Good planning and execution of security controls

[Diagram: the ITSP cycle: Policies & Roles; Follow Procedures; Awareness & Training; Produce Documents]

Key Success Factors:
Efficiency
Adopt an existing, inexpensive, comprehensive, and expanding body of work:
• We adopted the framework from the National Institute of Standards and Technology (NIST)
• Works well for a large state university (many similarities to a federal agency)
Key Success Factors:
Comprehensive
Comprehensive in order to provide assurance:
NIST framework addresses all major aspects of information security
Encompasses entire system development cycle

[Diagram: NIST framework control areas grouped into three classes.
Management: Risk Management; Life Cycle Security; Authorization to Process; Security Program; Review of Controls.
Operations: Human Resources; Awareness & Training; Physical Security; Incident Response; Information Handling; Business Continuity; HW & SW Maintenance; Data Integrity; Documentation.
Technical: Access Controls; Audit Trails; Authentication and Authorization.]
Key Success Factors:
Continuous
• A one time effort after a “scare” creates a false sense of security
• Security controls need to be designed and implemented for the long-haul
• Protects prior investment in controls
• Avoids repeating implementation
Key Success Factors:
Iterative Development
• We are creating a series of templates that can be customized to fit local conditions
• As each is implemented, we take what we learn and build it into the templates, making it easier next time

[Diagram: ITSP Document Organization. Top level: ITSP Program Description and Policy. Guidelines: Management Security Guidelines; Security Administrator Guidelines; Developer Security Guidelines; User Security Guidelines; Information Handling Guidelines. Procedures: Management Procedures; Operational Procedures; Technical Procedures; Resulting Plans and Reports. Inherited material: Inherited and System Specific Policy & Guidelines; Inherited and System Specific Procedures and Documents.]

ITSP Outline
I. Program Description
II. Management Security
III. Operational Security
IV. Technical Security
V. Security Roles
VI. Core Documents
VII. Glossary
VIII. References

Key Success Factors:
Just-in-time Development
Develop templates as they are needed for a particular implementation. To get started one needs:
• “Information Technology Security Program” (provides the framework)
• “Master Schedule & Plan” (provides a generic plan for implementation)
Key Success Factors:
Collaborative Development
• Folks can customize the templates in any manner
• We don’t tell folks what to do, we provide resources to help them do what they decide to do

Key Success Factors:
Clearly Defined Roles
Four main roles:
• Management
• Security Administrators
• Application Developers
• Users

Key Success Factors: Management Commitment
• Information security is management’s responsibility
• Adhocracy is no longer sufficient: increasing risk, increasing consequences

Key Success Factors:
Specialized Management Roles
• Sponsors
• Middle Management & Supervisors (Mgt)
• Information System Security Managers (ISSMs)
• Information System Project Managers (ISPMs)

Key Success Factors:
Inheritance
• We reduce the amount of work by “inheriting” policy and procedures from superior units
• These are “common controls”
• No need to restate a policy or procedure when one can reference it and note how it is implemented locally

[Diagram: ITSP Policy & Procedure Inheritance, showing Federal Regulations, State Regulations, Campus Policy, DoIT Policy, and the system-level UDS ITSP and WPHIN ITSP]

Key Success Factors:
Flexible Order of Implementation
• Gaps can be plugged in any order
• Address the “crisis du jour”
• Each security control becomes a brick in the wall instead of a brick on the pile

Key Success Factors:
Tied to System Development Cycle
• Allows for background activity to systematically improve security
• Events in the development cycle trigger security activities
• Incidents should not be the only triggers
Key Success Factors:
Initial “Lite” Implementation
• The templates suggest a “lite” implementation as the default
• The cost of implementation depends on the willingness of management to “accept risk”
• Can be tuned by frequency or scope of activity
Prioritize
Fill in the Rest Later

THE WORLD WILL END

YOUR DATA WILL BE RELEASED

IT Security’s Role
• Keep the Discussion Simple
  o Don’t ask too many questions too soon
  o Avoid exceptions and other minutia
• Give Examples
  o When a laptop walks off …
  o News clippings, journals, books
• Have Answers Available
  o Audit trails are important because …
  o There is a centralized service for …

Implementation Step One
Review and Document System Description
• What are we trying to protect? Business need, data types
• Identify Management, Administrators, Developers, and Users
• Describe the Infrastructure

Implementation Step Two
Identify Assignment and Responsibility
• Management Security Procedures
  o Risk Management, Life Cycle Management, Security Program
• Operational Security Procedures and Controls
  o Contingency Planning, Integrity, Incident Response
• Technical Security Procedures and Controls
  o Access Controls, Audit Trails

Implementation Step Three
Review Findings and Document
• Identify Risks
  o What are you not doing that could cost you?
• Document Responsibility in Policy-Like Statements
  o The System Security Manager will be responsible for implementing and maintaining a Security Program.
• Master Schedule
  o The System Security Manager will implement a Security Program for the System by December 23, 2006.

Step One Example - System Description
What: Student Information System
Data: Sensitive Data (SSN, Financial Aid); Internal Data (Grades, FERPA)
Who: (1) Data Custodian, Registrar’s Office
(2) System Management, Central IT
Users: Functional Offices, Instructors, Students (Self-Service)

Step Two Example - Let’s Talk Personnel Security
• Job responsibilities should be separated to reduce financial or system loss
• Background screening
• User accountability
• What could happen? The hiring of an employee who has previously committed financial fraud.

Step Two Example - Personnel Security
Has Management identified where a segregation of duties is needed to reduce the likelihood that deliberate security breaches will occur?
Does Management conduct background screening of Staff, as warranted (are there legislative or regulatory requirements requiring background checks)?
Are Users responsible for complying with all relevant security policies and following all applicable security procedures as documented?
How does Management assure that all Users are informed of their security responsibilities?

Step Three Example - Personnel Security
• Identified Risk (1): Access to sensitive data could be granted to a new hire who previously has been found guilty of financial fraud.
• Policy-Like Statements (1): Management will identify and implement a process for Human Resources to follow for conducting background screening on new hires. Security Manager will periodically review process. Human Resources will conduct background screening of Staff.

Step Three Example - Personnel Security
• Identified Risk (2): Since Staff are not made aware of new security policies, they will not be able to modify their behaviors to comply with the policy that increases the level of security.
• Policy-Like Statement (2): The System Security Manager will create an awareness training program and periodically review the program. All Staff are required to complete a yearly security awareness training program.

Step Three Example - Personnel Security
Master Schedule

System Cluster     | Item                        | Actor(s)                                                                                   | Freq
-------------------|-----------------------------|--------------------------------------------------------------------------------------------|------------
Personnel Security | Background Check Plan       | Senior Management will identify and implement a plan.                                      | One Time
Personnel Security | Review Plan                 | The Security Manager will periodically review the plan and submit recommendations to Management | Once a Year
Personnel Security | Conduct Background Check    | Human Resources will conduct checks on new hires                                           | Ongoing
Security Awareness | Security Awareness Program  | System Security Manager will identify and implement a program                              | One Time
Security Awareness | Security Awareness Program  | System Security Manager will periodically review and update the program                    | Once a Year
Security Awareness | Complete Training           | All Staff will periodically complete the program.                                          | Once a Year

Thank You!
Stefan Wahe, Enterprise Security Consultant, [email protected]
Gary De Clute, DoIT IT Policy Consultant
More Information about our Security Program can be found at www.itsp.doit.wisc.edu after November 1, 2006.