7/26/2019 Defining University IT Security Today and Tomorrow

1/25

DefiningUniversityIT Security Today

and Tomorrow

John L. Baines, AD, IT Policy & Compliance, OIT Security & Compliance Unit

CSAM 2013 event - jlbaines@ncsu.edu - (919)513-7482

Date: Tuesday 10/22/2013

Time: 12 noon to 1 p.m.

Place:

Avent Ferry Room 112

mailto:jlbaines@ncsu.edumailto:jlbaines@ncsu.edumailto:jlbaines@ncsu.edu

7/26/2019 Defining University IT Security Today and Tomorrow

2/25

University IT Security is Difficult!

University Values:

Openness

Independance

Sharing

Variety

IT Security Requires:

Monitoring

Prevention

Boundaries

Controls & Standards

More of a perception than a reality...

7/26/2019 Defining University IT Security Today and Tomorrow

3/25

7/26/2019 Defining University IT Security Today and Tomorrow

4/25

7/26/2019 Defining University IT Security Today and Tomorrow

5/25

Context of Government pressures

Government wants universities to operate more

like businesses:

Cut expenses Accountability for funding, rather than education

Achieve cost-efficiency

Generate more of own income

Can be seen in part in emphasis on:

Foundation donations

Research grants

7/26/2019 Defining University IT Security Today and Tomorrow

6/25

7/26/2019 Defining University IT Security Today and Tomorrow

7/25

ISO 27XXX Timeline

7/26/2019 Defining University IT Security Today and Tomorrow

8/25

27000 to 27005 - Basics

27000 - Overview & vocabulary

27001 - ISMS (How to? - formal specification)

27002 - Best practices (What to? - controls)27003- Implementation guidance for 27001

27004 - Infosec metrics

27005 - Infosec risk management

http://iso27001security.com/html/27005.htmlhttp://iso27001security.com/html/27004.htmlhttp://iso27001security.com/html/27004.htmlhttp://iso27001security.com/html/27002.htmlhttp://iso27001security.com/html/27001.htmlhttp://iso27001security.com/html/27005.htmlhttp://iso27001security.com/html/27004.htmlhttp://iso27001security.com/html/27003.htmlhttp://iso27001security.com/html/27002.htmlhttp://iso27001security.com/html/27002.htmlhttp://iso27001security.com/html/27001.htmlhttp://iso27001security.com/html/27000.html

7/26/2019 Defining University IT Security Today and Tomorrow

9/25

ISO 27XXX current status

22 standards published

34 standards being updated or in

preparation

5 new work itemsbeing considered eDiscovery

Investigative project coordination (12, 38, 41, 42, 43)

Personally Identifiable Information (PII) and Privacy

Taxonomy Supply Chain Security

Most ISO 27K publications expand on

27001/27002 in more detailed guidance, for

specific industries, or special IT disciplines

http://iso27001security.com/html/other_27k.htmlhttp://iso27001security.com/html/other_27k.html

7/26/2019 Defining University IT Security Today and Tomorrow

10/25

ISO 27000 Overview & Vocabulary

Initial version introduced 2009

Second edition 27000:2012 current

Overview - how to plan & implement ISO 27K

Introduction to information security, risk

management and management systems

ISM terms being transferred from existing

ISO27k standards as new versions published Available as a FREE digital download

ISO/IEC & IEEE terms are searchable

online

http://pascal.computer.org/sev_display/index.actionhttp://pascal.computer.org/sev_display/index.actionhttp://pascal.computer.org/sev_display/index.actionhttp://pascal.computer.org/sev_display/index.actionhttp://pascal.computer.org/sev_display/index.actionhttp://standards.iso.org/ittf/PubliclyAvailableStandards/c056891_ISO_IEC_27000_2012(E).zip

7/26/2019 Defining University IT Security Today and Tomorrow

11/25

ISO 27002:2013

Synchronized with ISO 27001:2013

To reflect current best practice, the updated ISO/IEC 27002:2013 is

the reference handbook for selecting controls for use within an

Information Security Management System (ISMS) based on ISO/IEC

27001. It can also be used as a guidance document for any

organization wishing to implement commonly accepted informationsecurity controls.

Title Code of practice for information security controls

Technically and structurally revised over ISO 27002:2005

Comparison 27002:2005 27002:2013

Clauses X 11 14

Objectives X.Y 39 35

Controls X.Y.Z 133 114 +++

7/26/2019 Defining University IT Security Today and Tomorrow

12/25

ISO 27002 Structure

Clause - X (e.g. 13. Communications

Security)

Objective - X.Y (e.g. 13.2 Information

Transfer Control - X.Y.Z (e.g. 13.2.1...)

Implementation Guidance -

where the rubber meets the road.

NCSU-SecurityFramework-DetailedAnalysis-withPrioritization-Revised

https://docs.google.com/a/ncsu.edu/document/d/1rzaWwFQCb08P2D-mSJUcTAZ3AQtYGxc8CfluydpgVPw/edithttps://docs.google.com/a/ncsu.edu/document/d/1rzaWwFQCb08P2D-mSJUcTAZ3AQtYGxc8CfluydpgVPw/edit

7/26/2019 Defining University IT Security Today and Tomorrow

13/25

ISO 27002:13 Clauses & Objectives

http://iso27001security.com/html/27002.html#Contents

7/26/2019 Defining University IT Security Today and Tomorrow

14/25

- comprehensive

7/26/2019 Defining University IT Security Today and Tomorrow

15/25

UNC ITSC Security Framework - Goals

1. Develop a common framework by which each UNC

campus can develop their campus IT Security Policies

2. Design a framework which is designed to meet the

broad and unique range of security requirements on

each campus:

Administrative Systems, Academic Systems,

Research Systems, Student/Faculty/Staff access

3. Provide guidelines, direction and best practice

examples to campuses as needed4. Provide a uniform compliance environment for the NC

Office of the State Auditor and other Governmental

Agencies (e.g. DoD!)

7/26/2019 Defining University IT Security Today and Tomorrow

16/25

The UNC System Security Framework

- UNC Cause 2011

Presenter(s): Chuck Curry,

Margaret Umphrey, Paul Hudy

The UNC CIOs charged the

UNC Security Council to come

up with

a security framework that

could be implemented on

each UNC campus and

provide a common

measurement baseline

The Security Council has putforward the ISO 27002

framework

Each UNC-System campus

Evaluating current policies

and procedures against that

framework.

Establishing a current

baseline Producing an internal gap -

analysis

Plan for moving toward and

maintaining compliance

This framework mapped to other

documents and standards

NIST

CoBIT,

NC Statewide Information

Security Manual,

etc.

7/26/2019 Defining University IT Security Today and Tomorrow

17/25

UNC Systems Security Framework -

ISO 27002 - UNC Cause 2012 (1)

Presenters:

Mardecia Bell NC State University

Paul Hudy General Administration

Margaret Umphrey East Carolina University

7/26/2019 Defining University IT Security Today and Tomorrow

18/25

UNC Systems Security Framework -

ISO 27002 - UNC Cause 2012 (2)

Reported:

December 2011: The UNC-ITSC recommended the

adoption of ISO 27002 as common security framework

January 2012: UNC CIO Council acceptedrecommendation

April 2012: Chancellors of all UNC system institutions

submitted letters to UNC-GA indicating adoption

July 2012: Each campus performed a gap analysis of

ISO 27002 framework and existing policies.

7/26/2019 Defining University IT Security Today and Tomorrow

19/25

UNC Systems Security Framework -

ISO 27002 - UNC Cause 2012 (3)

Policies, gaps, priorities, status:

Crosswalk -

Notate existing policies->

Identify gaps Risk assessment:

Analyze gaps

Describe plans for compliance, mitigation, or

alternative controls

Priorities and costs

Implement Over 80% UNC System IT Security Units have completed

gap analysis & risk assessment - submitted to UNC-GA.

7/26/2019 Defining University IT Security Today and Tomorrow

20/25

ISO 27002 Benefits

Stakeholder confidence increased

Technology independent

Strategic comprehensive baseline

Basis for assessing risk & cost trade-offs

More accurate & reliable security audits

More effective tactical security

7/26/2019 Defining University IT Security Today and Tomorrow

21/25

Adoption of ISO 27002 - UNC System

Licensing:

UNC-GA purchased a system-wide license of ISO/IEC

27002 from the American National Standards Institute

Each campus makes the ISO 27002 standard availableas a read-only reference to all faculty, staff and students

Addressing Identified Gaps - Each Campus:

Setting prioritization

Establishing an implementation plan Gross estimate of work required for compliance

ITSC collection & sharing of policies and best practices

7/26/2019 Defining University IT Security Today and Tomorrow

22/25

Compliance versus Security

Compliance 27002 Sets a baseline

Gives a list of best practices that are accepted as

reasonably comprehensive Does not guarantee security

Must go further than strict compliance

Must accommodate change:

Environment Threats

Controls

Techniques

Compliance must not equal complacency!

7/26/2019 Defining University IT Security Today and Tomorrow

23/25

Questions?

7/26/2019 Defining University IT Security Today and Tomorrow

24/25

http://shop.bsigroup.com/ProductDetail/?pid=000000000030186138

http://www.27000.org/iso-27002.htm

http://webstore.iec.ch/preview/info_isoiec27002%7Bed2.0%7Den.pdf

http://www.itgovernance.co.uk/shop/p-1463-an-introduction-to-isoiec-27001-2013.aspx#.Ul3ysVA_v-c

http://orangeparachute.com/services/iso-270012013-transition-services/?gclid=CO28hMmhmroCFYWe4AodtF4AmQ

http://cms_apps.ncat.edu/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=18&type=2

http://cms_apps.ncat.edu/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=18&type=2http://orangeparachute.com/services/iso-270012013-transition-services/?gclid=CO28hMmhmroCFYWe4AodtF4AmQhttp://www.itgovernance.co.uk/shop/p-1463-an-introduction-to-isoiec-27001-2013.aspx#.Ul3ysVA_v-chttp://webstore.iec.ch/preview/info_isoiec27002%7Bed2.0%7Den.pdfhttp://www.27000.org/iso-27002.htmhttp://shop.bsigroup.com/ProductDetail/?pid=000000000030186138

7/26/2019 Defining University IT Security Today and Tomorrow

25/25

Function specific guidelines

IT particular

1. 27017/27018will be cloud computing

2. 27031:2011is business continuity

3. 27032:2012covers cybersecurity

4. 27033is / will cover IT network

security

5. 27034is application security

6. 27035:2011on IS incident

management

7. 27039concerns IDS/IPS (IntrusionDetection and Prevention Systems)

8. 27040guideline on storage security.

9. 27044guideline on SIEM (Security

Incident and Event Management)

Legal evidence

1. 27037:2012covers digital evidence.

2. 27038will be a specification for digital

redaction.

3. 27041guideline on assurance for

digital evidence investigation

methods.

4. 27042guideline on analysis and

interpretation of digital evidence.

5. 27043guideline on digital evidenceinvestigation principles and

processes.

http://iso27001security.com/html/27044.htmlhttp://iso27001security.com/html/27044.htmlhttp://iso27001security.com/html/27039.htmlhttp://iso27001security.com/html/27034.htmlhttp://iso27001security.com/html/27033.htmlhttp://iso27001security.com/html/27031.htmlhttp://iso27001security.com/html/27017.htmlhttp://iso27001security.com/html/27018.htmlhttp://iso27001security.com/html/27044.htmlhttp://iso27001security.com/html/27039.htmlhttp://iso27001security.com/html/27034.htmlhttp://iso27001security.com/html/27033.htmlhttp://iso27001security.com/html/27031.htmlhttp://iso27001security.com/html/27017.htmlhttp://iso27001security.com/html/27018.htmlhttp://iso27001security.com/html/27043.htmlhttp://iso27001security.com/html/27042.htmlhttp://iso27001security.com/html/27041.htmlhttp://iso27001security.com/html/27038.htmlhttp://iso27001security.com/html/27037.htmlhttp://iso27001security.com/html/27044.htmlhttp://iso27001security.com/html/27040.htmlhttp://iso27001security.com/html/27039.htmlhttp://iso27001security.com/html/27035.htmlhttp://iso27001security.com/html/27034.htmlhttp://iso27001security.com/html/27033.htmlhttp://iso27001security.com/html/27032.htmlhttp://iso27001security.com/html/27031.htmlhttp://iso27001security.com/html/27018.htmlhttp://iso27001security.com/html/27017.html