Defining University IT Security Today and Tomorrow

Post on 01-Mar-2018


  • 7/26/2019 Defining University IT Security Today and Tomorrow

    1/25

    Defining University IT Security Today and Tomorrow

    John L. Baines, AD, IT Policy & Compliance, OIT Security & Compliance Unit

    CSAM 2013 event - jlbaines@ncsu.edu - (919)513-7482

    Date: Tuesday 10/22/2013

    Time: 12 noon to 1 p.m.

    Place: Avent Ferry Room 112
    2/25

    University IT Security is Difficult!

    University Values:

    Openness

    Independence

    Sharing

    Variety

    IT Security Requires:

    Monitoring

    Prevention

    Boundaries

    Controls & Standards

    More of a perception than a reality...

    5/25

    Context of Government pressures

    Government wants universities to operate more like businesses:

    Cut expenses

    Accountability for funding, rather than education

    Achieve cost-efficiency

    Generate more of own income

    Can be seen in part in emphasis on:

    Foundation donations

    Research grants

    7/25

    ISO 27XXX Timeline

    8/25

    27000 to 27005 - Basics

    27000 - Overview & vocabulary

    27001 - ISMS (How to? - formal specification)

    27002 - Best practices (What to? - controls)

    27003 - Implementation guidance for 27001

    27004 - Infosec metrics

    27005 - Infosec risk management

    http://iso27001security.com/html/27000.html
    http://iso27001security.com/html/27001.html
    http://iso27001security.com/html/27002.html
    http://iso27001security.com/html/27003.html
    http://iso27001security.com/html/27004.html
    http://iso27001security.com/html/27005.html
    9/25

    ISO 27XXX current status

    22 standards published

    34 standards being updated or in preparation

    5 new work items being considered:

    eDiscovery

    Investigative project coordination (12, 38, 41, 42, 43)

    Personally Identifiable Information (PII) and Privacy

    Taxonomy

    Supply Chain Security

    Most ISO 27K publications expand on 27001/27002 in more detailed guidance, for specific industries, or special IT disciplines

    http://iso27001security.com/html/other_27k.html
    10/25

    ISO 27000 Overview & Vocabulary

    Initial version introduced 2009

    Second edition 27000:2012 current

    Overview - how to plan & implement ISO 27K

    Introduction to information security, risk management and management systems

    ISM terms being transferred from existing ISO27k standards as new versions published

    Available as a FREE digital download

    ISO/IEC & IEEE terms are searchable online

    http://pascal.computer.org/sev_display/index.action
    http://standards.iso.org/ittf/PubliclyAvailableStandards/c056891_ISO_IEC_27000_2012(E).zip
    11/25

    ISO 27002:2013

    Synchronized with ISO 27001:2013

    To reflect current best practice, the updated ISO/IEC 27002:2013 is the reference handbook for selecting controls for use within an Information Security Management System (ISMS) based on ISO/IEC 27001. It can also be used as a guidance document for any organization wishing to implement commonly accepted information security controls.

    Title: Code of practice for information security controls

    Technically and structurally revised over ISO 27002:2005

    Comparison            27002:2005   27002:2013
    Clauses      X            11           14
    Objectives   X.Y          39           35
    Controls     X.Y.Z       133          114 +++

    12/25

    ISO 27002 Structure

    Clause - X (e.g. 13. Communications Security)

    Objective - X.Y (e.g. 13.2 Information Transfer)

    Control - X.Y.Z (e.g. 13.2.1 ...)

    Implementation Guidance - where the rubber meets the road.

    NCSU-SecurityFramework-DetailedAnalysis-withPrioritization-Revised

    https://docs.google.com/a/ncsu.edu/document/d/1rzaWwFQCb08P2D-mSJUcTAZ3AQtYGxc8CfluydpgVPw/edit
    13/25

    ISO 27002:13 Clauses & Objectives

    http://iso27001security.com/html/27002.html#Contents
    15/25

    UNC ITSC Security Framework - Goals

    1. Develop a common framework by which each UNC campus can develop their campus IT Security Policies

    2. Design a framework which is designed to meet the broad and unique range of security requirements on each campus: Administrative Systems, Academic Systems, Research Systems, Student/Faculty/Staff access

    3. Provide guidelines, direction and best practice examples to campuses as needed

    4. Provide a uniform compliance environment for the NC Office of the State Auditor and other Governmental Agencies (e.g. DoD!)

    16/25

    The UNC System Security Framework - UNC Cause 2011

    Presenter(s): Chuck Curry, Margaret Umphrey, Paul Hudy

    The UNC CIOs charged the UNC Security Council to come up with a security framework that could be implemented on each UNC campus and provide a common measurement baseline

    The Security Council has put forward the ISO 27002 framework

    Each UNC-System campus:

    Evaluating current policies and procedures against that framework.

    Establishing a current baseline

    Producing an internal gap-analysis

    Plan for moving toward and maintaining compliance

    This framework mapped to other documents and standards:

    NIST

    CoBIT

    NC Statewide Information Security Manual

    etc.

    17/25

    UNC Systems Security Framework - ISO 27002 - UNC Cause 2012 (1)

    Presenters:

    Mardecia Bell NC State University

    Paul Hudy General Administration

    Margaret Umphrey East Carolina University

    18/25

    UNC Systems Security Framework - ISO 27002 - UNC Cause 2012 (2)

    Reported:

    December 2011: The UNC-ITSC recommended the adoption of ISO 27002 as common security framework

    January 2012: UNC CIO Council accepted recommendation

    April 2012: Chancellors of all UNC system institutions submitted letters to UNC-GA indicating adoption

    July 2012: Each campus performed a gap analysis of ISO 27002 framework and existing policies.

    19/25

    UNC Systems Security Framework - ISO 27002 - UNC Cause 2012 (3)

    Policies, gaps, priorities, status:

    Crosswalk - Notate existing policies -> Identify gaps

    Risk assessment: Analyze gaps

    Describe plans for compliance, mitigation, or alternative controls

    Priorities and costs

    Implement

    Over 80% UNC System IT Security Units have completed gap analysis & risk assessment - submitted to UNC-GA.
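The crosswalk, gap list and priority ordering described in the steps above, as an added Python illustration that is not the UNC ITSC's or the presenter's own tooling: it walks the ISO 27002 X.Y.Z control hierarchy, notes which existing policy covers which control, reports the uncovered controls per clause, and orders the gaps by a risk rating. The control subset, the policy names (placeholders) and the risk ratings are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed subset of ISO 27002:2013 control ids, keyed clause.objective.control.
CONTROLS = {
    "9.1.1": "Access control policy",
    "9.2.3": "Management of privileged access rights",
    "9.4.3": "Password management system",
    "12.4.1": "Event logging",
    "13.2.1": "Information transfer policies and procedures",
}
# Constructed crosswalk: campus policy (placeholder names) -> controls it addresses.
CROSSWALK = {
    "Acceptable Use Policy (placeholder)": ["9.1.1"],
    "Privileged Account Standard (placeholder)": ["9.2.3"],
    "Data Transfer Guideline (placeholder)": ["13.2.1"],
}
# Constructed risk rating per uncovered control (5 = highest); drives priority order.
RISK = {"9.4.3": 4, "12.4.1": 5}
ID_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse_control_id(cid):
    """Split 'X.Y.Z' into (clause, objective, control) ints; reject anything else."""
    m = ID_RE.match(cid)
    if not m:
        raise ValueError(f"not an ISO 27002 control id: {cid!r}")
    return tuple(int(g) for g in m.groups())

def crosswalk_gaps(controls, crosswalk):
    """Notate which policies cover which controls; return (covered, gaps)."""
    covered = defaultdict(list)
    for policy, ids in crosswalk.items():
        for cid in ids:
            if cid not in controls:  # citing an id outside scope is a data error
                raise KeyError(f"{policy} cites unknown control {cid}")
            covered[cid].append(policy)
    gaps = sorted((c for c in controls if c not in covered), key=parse_control_id)
    return dict(covered), gaps

def coverage_by_clause(controls, covered):
    """Per clause X: (controls covered, controls in scope), e.g. {9: (2, 3)}."""
    totals = defaultdict(lambda: [0, 0])
    for cid in controls:
        clause = parse_control_id(cid)[0]
        totals[clause][1] += 1
        totals[clause][0] += cid in covered
    return {k: tuple(v) for k, v in totals.items()}

def prioritize(gaps, risk):
    """Order gaps highest risk first; unrated gaps (risk 0) last, then by id."""
    return sorted(gaps, key=lambda c: (-risk.get(c, 0), parse_control_id(c)))
```

Sorting by the parsed tuple rather than the string keeps "9.4.3" ahead of "12.4.1", which a plain string sort would reverse.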

    20/25

    ISO 27002 Benefits

    Stakeholder confidence increased

    Technology independent

    Strategic comprehensive baseline

    Basis for assessing risk & cost trade-offs

    More accurate & reliable security audits

    More effective tactical security

    21/25

    Adoption of ISO 27002 - UNC System

    Licensing:

    UNC-GA purchased a system-wide license of ISO/IEC 27002 from the American National Standards Institute

    Each campus makes the ISO 27002 standard available as a read-only reference to all faculty, staff and students

    Addressing Identified Gaps - Each Campus:

    Setting prioritization

    Establishing an implementation plan

    Gross estimate of work required for compliance

    ITSC collection & sharing of policies and best practices

    22/25

    Compliance versus Security

    Compliance 27002 Sets