defining university it security today and tomorrow
TRANSCRIPT
-
7/26/2019 Defining University IT Security Today and Tomorrow
1/25
Defining University IT Security Today and Tomorrow
John L. Baines, AD, IT Policy & Compliance, OIT Security & Compliance Unit
CSAM 2013 event - [email protected] - (919)513-7482
Date: Tuesday 10/22/2013
Time: 12 noon to 1 p.m.
Place:
Avent Ferry Room 112
-
University IT Security is Difficult!
University Values:
Openness
Independence
Sharing
Variety
IT Security Requires:
Monitoring
Prevention
Boundaries
Controls & Standards
More of a perception than a reality...
-
-
-
Context of Government pressures
Government wants universities to operate more like businesses:
Cut expenses
Accountability for funding, rather than education
Achieve cost-efficiency
Generate more of own income
Can be seen in part in emphasis on:
Foundation donations
Research grants
-
ISO 27XXX Timeline
-
27000 to 27005 - Basics
27000 - Overview & vocabulary
27001 - ISMS (How to? - formal specification)
27002 - Best practices (What to? - controls)
27003 - Implementation guidance for 27001
27004 - Infosec metrics
27005 - Infosec risk management
-
ISO 27XXX current status
22 standards published
34 standards being updated or in preparation
5 new work items being considered:
eDiscovery
Investigative project coordination (12, 38, 41, 42, 43)
Personally Identifiable Information (PII) and Privacy
Taxonomy
Supply Chain Security
Most ISO 27K publications expand on 27001/27002 in more detailed guidance, for specific industries, or special IT disciplines
-
ISO 27000 Overview & Vocabulary
Initial version introduced 2009
Second edition 27000:2012 current
Overview - how to plan & implement ISO 27K
Introduction to information security, risk management and management systems
ISM terms being transferred from existing ISO27k standards as new versions published
Available as a FREE digital download
ISO/IEC & IEEE terms are searchable online
http://standards.iso.org/ittf/PubliclyAvailableStandards/c056891_ISO_IEC_27000_2012(E).zip
-
ISO 27002:2013
Synchronized with ISO 27001:2013
To reflect current best practice, the updated ISO/IEC 27002:2013 is the reference handbook for selecting controls for use within an Information Security Management System (ISMS) based on ISO/IEC 27001. It can also be used as a guidance document for any organization wishing to implement commonly accepted information security controls.
Title Code of practice for information security controls
Technically and structurally revised over ISO 27002:2005
Comparison           27002:2005   27002:2013
Clauses (X)              11           14
Objectives (X.Y)         39           35
Controls (X.Y.Z)        133          114 +++
-
ISO 27002 Structure
Clause - X (e.g. 13. Communications Security)
Objective - X.Y (e.g. 13.2 Information Transfer)
Control - X.Y.Z (e.g. 13.2.1 ...)
Implementation Guidance - where the rubber meets the road.
NCSU-SecurityFramework-DetailedAnalysis-withPrioritization-Revised
https://docs.google.com/a/ncsu.edu/document/d/1rzaWwFQCb08P2D-mSJUcTAZ3AQtYGxc8CfluydpgVPw/edit
-
ISO 27002:13 Clauses & Objectives
http://iso27001security.com/html/27002.html#Contents
-
- comprehensive
-
UNC ITSC Security Framework - Goals
1. Develop a common framework by which each UNC campus can develop its campus IT Security Policies
2. Design a framework that meets the broad and unique range of security requirements on each campus: Administrative Systems, Academic Systems, Research Systems, Student/Faculty/Staff access
3. Provide guidelines, direction and best practice examples to campuses as needed
4. Provide a uniform compliance environment for the NC Office of the State Auditor and other Governmental Agencies (e.g. DoD!)
-
The UNC System Security Framework - UNC Cause 2011
Presenter(s): Chuck Curry, Margaret Umphrey, Paul Hudy
The UNC CIOs charged the UNC Security Council to come up with a security framework that could be implemented on each UNC campus and provide a common measurement baseline.
The Security Council has put forward the ISO 27002 framework.
Each UNC-System campus:
Evaluating current policies and procedures against that framework.
Establishing a current baseline.
Producing an internal gap analysis.
Plan for moving toward and maintaining compliance.
This framework mapped to other documents and standards:
NIST
CoBIT
NC Statewide Information Security Manual
etc.
-
UNC Systems Security Framework - ISO 27002 - UNC Cause 2012 (1)
Presenters:
Mardecia Bell NC State University
Paul Hudy General Administration
Margaret Umphrey East Carolina University
-
UNC Systems Security Framework - ISO 27002 - UNC Cause 2012 (2)
Reported:
December 2011: The UNC-ITSC recommended the adoption of ISO 27002 as common security framework
January 2012: UNC CIO Council accepted recommendation
April 2012: Chancellors of all UNC system institutions submitted letters to UNC-GA indicating adoption
July 2012: Each campus performed a gap analysis of ISO 27002 framework and existing policies.
-
UNC Systems Security Framework - ISO 27002 - UNC Cause 2012 (3)
Policies, gaps, priorities, status:
Crosswalk - Notate existing policies -> Identify gaps
Risk assessment:
Analyze gaps
Describe plans for compliance, mitigation, or alternative controls
Priorities and costs
Implement
Over 80% of UNC System IT Security Units have completed gap analysis & risk assessment - submitted to UNC-GA.
-
ISO 27002 Benefits
Stakeholder confidence increased
Technology independent
Strategic comprehensive baseline
Basis for assessing risk & cost trade-offs
More accurate & reliable security audits
More effective tactical security
-
Adoption of ISO 27002 - UNC System
Licensing:
UNC-GA purchased a system-wide license of ISO/IEC 27002 from the American National Standards Institute
Each campus makes the ISO 27002 standard available as a read-only reference to all faculty, staff and students
Addressing Identified Gaps - Each Campus:
Setting prioritization
Establishing an implementation plan
Gross estimate of work required for compliance
ITSC collection & sharing of policies and best practices
-
Compliance versus Security
Compliance with 27002:
Sets a baseline
Gives a list of best practices that are accepted as reasonably comprehensive
Does not guarantee security
Must go further than strict compliance
Must accommodate change:
Environment
Threats
Controls
Techniques
Compliance must not equal complacency!
-
Questions?
-
http://shop.bsigroup.com/ProductDetail/?pid=000000000030186138
http://www.27000.org/iso-27002.htm
http://webstore.iec.ch/preview/info_isoiec27002%7Bed2.0%7Den.pdf
http://www.itgovernance.co.uk/shop/p-1463-an-introduction-to-isoiec-27001-2013.aspx#.Ul3ysVA_v-c
http://orangeparachute.com/services/iso-270012013-transition-services/?gclid=CO28hMmhmroCFYWe4AodtF4AmQ
http://cms_apps.ncat.edu/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=18&type=2
-
Function-specific guidelines
IT particular
1. 27017/27018 will be cloud computing
2. 27031:2011 is business continuity
3. 27032:2012 covers cybersecurity
4. 27033 is / will cover IT network security
5. 27034 is application security
6. 27035:2011 on IS incident management
7. 27039 concerns IDS/IPS (Intrusion Detection and Prevention Systems)
8. 27040 guideline on storage security.
9. 27044 guideline on SIEM (Security Incident and Event Management)
Legal evidence
1. 27037:2012 covers digital evidence.
2. 27038 will be a specification for digital redaction.
3. 27041 guideline on assurance for digital evidence investigation methods.
4. 27042 guideline on analysis and interpretation of digital evidence.
5. 27043 guideline on digital evidence investigation principles and processes.