Defining University IT Security Today and Tomorrow


Post on 01-Mar-2018


  • 7/26/2019 Defining University IT Security Today and Tomorrow

    1/25

    Defining University IT Security Today and Tomorrow

    John L. Baines, AD, IT Policy & Compliance, OIT Security & Compliance Unit

    CSAM 2013 event - jlbaines@ncsu.edu - (919)513-7482

    Date: Tuesday 10/22/2013

    Time: 12 noon to 1 p.m.

    Place:

    Avent Ferry Room 112

    2/25

    University IT Security is Difficult!

    University Values:

    Openness

    Independence

    Sharing

    Variety

    IT Security Requires:

    Monitoring

    Prevention

    Boundaries

    Controls & Standards

    More of a perception than a reality...

    5/25

    Context of Government pressures

    Government wants universities to operate more like businesses:

    Cut expenses

    Accountability for funding, rather than education

    Achieve cost-efficiency

    Generate more of own income

    Can be seen in part in emphasis on:

    Foundation donations

    Research grants

    7/25

    ISO 27XXX Timeline

    8/25

    27000 to 27005 - Basics

    27000 - Overview & vocabulary

    27001 - ISMS (How to? - formal specification)

    27002 - Best practices (What to? - controls)

    27003 - Implementation guidance for 27001

    27004 - Infosec metrics

    27005 - Infosec risk management

    http://iso27001security.com/html/27000.html
    http://iso27001security.com/html/27001.html
    http://iso27001security.com/html/27002.html
    http://iso27001security.com/html/27003.html
    http://iso27001security.com/html/27004.html
    http://iso27001security.com/html/27005.html

    9/25

    ISO 27XXX current status

    22 standards published

    34 standards being updated or in preparation

    5 new work items being considered:

    eDiscovery

    Investigative project coordination (12, 38, 41, 42, 43)

    Personally Identifiable Information (PII) and Privacy

    Taxonomy

    Supply Chain Security

    Most ISO 27K publications expand on 27001/27002 in more detailed guidance, for specific industries, or special IT disciplines

    http://iso27001security.com/html/other_27k.html

    10/25

    ISO 27000 Overview & Vocabulary

    Initial version introduced 2009

    Second edition 27000:2012 current

    Overview - how to plan & implement ISO 27K

    Introduction to information security, risk management and management systems

    ISM terms being transferred from existing ISO27k standards as new versions published

    Available as a FREE digital download

    ISO/IEC & IEEE terms are searchable online

    http://pascal.computer.org/sev_display/index.action
    http://standards.iso.org/ittf/PubliclyAvailableStandards/c056891_ISO_IEC_27000_2012(E).zip

    11/25

    ISO 27002:2013

    Synchronized with ISO 27001:2013

    To reflect current best practice, the updated ISO/IEC 27002:2013 is the reference handbook for selecting controls for use within an Information Security Management System (ISMS) based on ISO/IEC 27001. It can also be used as a guidance document for any organization wishing to implement commonly accepted information security controls.

    Title: Code of practice for information security controls

    Technically and structurally revised over ISO 27002:2005

    Comparison            27002:2005    27002:2013
    Clauses    (X)        11            14
    Objectives (X.Y)      39            35
    Controls   (X.Y.Z)    133           114 +++

    12/25

    ISO 27002 Structure

    Clause - X (e.g. 13. Communications Security)

    Objective - X.Y (e.g. 13.2 Information Transfer)

    Control - X.Y.Z (e.g. 13.2.1...)

    Implementation Guidance - where the rubber meets the road.

    NCSU-SecurityFramework-DetailedAnalysis-withPrioritization-Revised

    https://docs.google.com/a/ncsu.edu/document/d/1rzaWwFQCb08P2D-mSJUcTAZ3AQtYGxc8CfluydpgVPw/edit

    13/25

    ISO 27002:13 Clauses & Objectives

    http://iso27001security.com/html/27002.html#Contents
    14/25

    - comprehensive

    15/25

    UNC ITSC Security Framework - Goals

    1. Develop a common framework by which each UNC campus can develop their campus IT Security Policies

    2. Design a framework which is designed to meet the broad and unique range of security requirements on each campus: Administrative Systems, Academic Systems, Research Systems, Student/Faculty/Staff access

    3. Provide guidelines, direction and best practice examples to campuses as needed

    4. Provide a uniform compliance environment for the NC Office of the State Auditor and other Governmental Agencies (e.g. DoD!)

    16/25

    The UNC System Security Framework - UNC Cause 2011

    Presenter(s): Chuck Curry, Margaret Umphrey, Paul Hudy

    The UNC CIOs charged the UNC Security Council to come up with a security framework that could be implemented on each UNC campus and provide a common measurement baseline

    The Security Council has put forward the ISO 27002 framework

    Each UNC-System campus:

    Evaluating current policies and procedures against that framework

    Establishing a current baseline

    Producing an internal gap analysis

    Plan for moving toward and maintaining compliance

    This framework mapped to other documents and standards: NIST, CoBIT, NC Statewide Information Security Manual, etc.

    17/25

    UNC Systems Security Framework - ISO 27002 - UNC Cause 2012 (1)

    Presenters:

    Mardecia Bell - NC State University

    Paul Hudy - General Administration

    Margaret Umphrey - East Carolina University

    18/25

    UNC Systems Security Framework - ISO 27002 - UNC Cause 2012 (2)

    Reported:

    December 2011: The UNC-ITSC recommended the adoption of ISO 27002 as common security framework

    January 2012: UNC CIO Council accepted recommendation

    April 2012: Chancellors of all UNC system institutions submitted letters to UNC-GA indicating adoption

    July 2012: Each campus performed a gap analysis of ISO 27002 framework and existing policies.

    19/25

    UNC Systems Security Framework - ISO 27002 - UNC Cause 2012 (3)

    Policies, gaps, priorities, status:

    Crosswalk - Notate existing policies -> Identify gaps

    Risk assessment: Analyze gaps

    Describe plans for compliance, mitigation, or alternative controls

    Priorities and costs

    Implement

    Over 80% UNC System IT Security Units have completed gap analysis & risk assessment - submitted to UNC-GA.
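    The crosswalk on this slide and the clause/objective/control hierarchy of slide 12 are easy to get wrong in a spreadsheet (sorting control ids as strings puts 13.2.1 before 9.4.2, and a control with no policy next to it silently disappears). The script below is an added example, not material from the presentation or from the UNC ITSC: it parses X.Y.Z control ids, notates existing policies against them, lists the uncovered controls, scores each gap by a constructed likelihood x impact rating and emits a prioritized plan. Every control title, policy name and rating in it is constructed sample data, not the text of ISO/IEC 27002.

```python
"""Crosswalk / gap-analysis helper (added example; all data below is constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True, order=True)
class ControlRef:
    """An ISO 27002-style reference: clause X, objective X.Y, control X.Y.Z."""
    clause: int
    objective: int
    control: int

    @classmethod
    def parse(cls, ident: str) -> "ControlRef":
        parts = ident.strip().split(".")
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"control id must look like X.Y.Z, got {ident!r}")
        return cls(*(int(p) for p in parts))

    @property
    def objective_id(self) -> str:
        return f"{self.clause}.{self.objective}"

    def __str__(self) -> str:
        return f"{self.clause}.{self.objective}.{self.control}"


@dataclass
class GapEntry:
    control: str
    title: str
    likelihood: int  # constructed 1-5 scale
    impact: int      # constructed 1-5 scale
    plan: str = "compliance / mitigation / alternative control: TBD"

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


# Constructed framework excerpt: control id -> short title (illustrative, not the standard's text)
FRAMEWORK: Dict[str, str] = {
    "9.2.1": "User registration (illustrative)",
    "9.4.2": "Secure log-on (illustrative)",
    "12.4.1": "Event logging (illustrative)",
    "13.2.1": "Information transfer (illustrative)",
    "16.1.2": "Reporting security events (illustrative)",
}

# Constructed crosswalk: control id -> campus policies notated against it
CROSSWALK: Dict[str, List[str]] = {
    "9.2.1": ["Account Management Policy (constructed)"],
    "12.4.1": ["Logging Standard (constructed)"],
    "16.1.2": ["Incident Reporting Procedure (constructed)"],
}

# Constructed risk ratings for uncovered controls: (likelihood, impact)
RISK_RATINGS: Dict[str, Tuple[int, int]] = {
    "9.4.2": (4, 4),
    "13.2.1": (3, 5),
}


def identify_gaps(framework: Dict[str, str], crosswalk: Dict[str, List[str]]) -> List[str]:
    """Controls with no policy mapped to them, in clause/objective/control order."""
    gaps = [c for c in framework if not crosswalk.get(c)]
    return sorted(gaps, key=ControlRef.parse)  # numeric order, so 9.x sorts before 13.x


def prioritize(gaps: List[str], framework: Dict[str, str],
               ratings: Dict[str, Tuple[int, int]], default=(3, 3)) -> List[GapEntry]:
    """Risk assessment step: highest likelihood x impact first; unrated gaps get a default."""
    entries = [GapEntry(c, framework[c], *ratings.get(c, default)) for c in gaps]
    return sorted(entries, key=lambda e: (-e.risk, ControlRef.parse(e.control)))


def coverage_by_clause(framework: Dict[str, str],
                       crosswalk: Dict[str, List[str]]) -> Dict[int, Tuple[int, int]]:
    """Baseline view: clause -> (controls covered by a policy, controls in clause)."""
    out: Dict[int, Tuple[int, int]] = {}
    for c in framework:
        clause = ControlRef.parse(c).clause
        covered, total = out.get(clause, (0, 0))
        out[clause] = (covered + (1 if crosswalk.get(c) else 0), total + 1)
    return out


if __name__ == "__main__":
    for clause, (covered, total) in sorted(coverage_by_clause(FRAMEWORK, CROSSWALK).items()):
        print(f"clause {clause}: {covered}/{total} controls covered")
    for e in prioritize(identify_gaps(FRAMEWORK, CROSSWALK), FRAMEWORK, RISK_RATINGS):
        print(f"GAP {e.control} risk={e.risk:2d} {e.title} -> {e.plan}")
```

    The output is the three slide artefacts in one pass: a per-clause baseline, the gap list, and the risk-ordered plan that a campus would cost and submit. Replace the constructed dictionaries with the licensed standard's control list and the campus's own policy inventory.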

    20/25

    ISO 27002 Benefits

    Stakeholder confidence increased

    Technology independent

    Strategic comprehensive baseline

    Basis for assessing risk & cost trade-offs

    More accurate & reliable security audits

    More effective tactical security

    21/25

    Adoption of ISO 27002 - UNC System

    Licensing:

    UNC-GA purchased a system-wide license of ISO/IEC 27002 from the American National Standards Institute

    Each campus makes the ISO 27002 standard available as a read-only reference to all faculty, staff and students

    Addressing Identified Gaps - Each Campus:

    Setting prioritization

    Establishing an implementation plan

    Gross estimate of work required for compliance

    ITSC collection & sharing of policies and best practices

    22/25

    Compliance versus Security

    Compliance (27002):

    Sets a baseline

    Gives a list of best practices that are accepted as reasonably comprehensive

    Does not guarantee security

    Must go further than strict compliance

    Must accommodate change: environment, threats, controls, techniques

    Compliance must not equal complacency!

    23/25

    Questions?

    24/25

    http://shop.bsigroup.com/ProductDetail/?pid=000000000030186138

    http://www.27000.org/iso-27002.htm

    http://webstore.iec.ch/preview/info_isoiec27002%7Bed2.0%7Den.pdf

    http://www.itgovernance.co.uk/shop/p-1463-an-introduction-to-isoiec-27001-2013.aspx#.Ul3ysVA_v-c

    http://orangeparachute.com/services/iso-270012013-transition-services/?gclid=CO28hMmhmroCFYWe4AodtF4AmQ

    http://cms_apps.ncat.edu/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=18&type=2

    25/25

    Function specific guidelines

    IT particular

    1. 27017/27018 will be cloud computing

    2. 27031:2011 is business continuity

    3. 27032:2012 covers cybersecurity

    4. 27033 is / will cover IT network security

    5. 27034 is application security

    6. 27035:2011 on IS incident management

    7. 27039 concerns IDS/IPS (Intrusion Detection and Prevention Systems)

    8. 27040 guideline on storage security.

    9. 27044 guideline on SIEM (Security Incident and Event Management)

    Legal evidence

    1. 27037:2012 covers digital evidence.

    2. 27038 will be a specification for digital redaction.

    3. 27041 guideline on assurance for digital evidence investigation methods.

    4. 27042 guideline on analysis and interpretation of digital evidence.

    5. 27043 guideline on digital evidence investigation principles and processes.

    http://iso27001security.com/html/27017.html
    http://iso27001security.com/html/27018.html
    http://iso27001security.com/html/27031.html
    http://iso27001security.com/html/27032.html
    http://iso27001security.com/html/27033.html
    http://iso27001security.com/html/27034.html
    http://iso27001security.com/html/27035.html
    http://iso27001security.com/html/27037.html
    http://iso27001security.com/html/27038.html
    http://iso27001security.com/html/27039.html
    http://iso27001security.com/html/27040.html
    http://iso27001security.com/html/27041.html
    http://iso27001security.com/html/27042.html
    http://iso27001security.com/html/27043.html
    http://iso27001security.com/html/27044.html