Office of Campus Information Security
Driving a Security Architecture by Assessing Risk
Stefan Wahe ([email protected])
Sr. Information Security Analyst
Realizing our Principles
• Answering the question, “Why?”
• To have a common understanding of building a secure architecture.
• Developed based on NIST 800-27, ISO 20071, CIC schools, and other publications.
OCIS IT Security Principles
1. Security is Everyone’s Responsibility
2. Security is Part of the Development Life Cycle – Information Privacy and Assurance; Usability; and Defense in Depth.
3. Security is Asset Management – Classify Information; Least Privilege; and Separation of Duties.
4. Security is a Common Understanding – Due Diligence; Manage Threats, Risks, and Costs; and Incident Management.
Risk Assessment Process
Step 1: Letter of Engagement
Step 2: Conduct the Assessment
Step 3: Draft Report on Findings
Step 4: Communicate Findings
Step 5: Re-Assess
Building a Common Understanding: Managing Risk
[Diagram: Risk, Impact, and Mitigation Controls, each weighed against its cost ($)]
Example Question
• Does the system maintain a Configuration Management methodology that includes:
1. A documented process for reviewing, approving and implementing changes
2. Version control for software system components
3. Timely identification and installation of all applicable patches for any software used in the provisioning of the CS.
Common Gaps
• Common Security Gaps (examples)
– The system infrastructure needs to be segmented with robust firewall controls.
– Encryption controls and key management procedures should be implemented for data at rest.
– Restricted data needs to be sanitized in non-production environments.
– Intrusion detection, prevention and log management devices should be installed and maintained with appropriate alerting processes.
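The third gap above, sanitizing restricted data before it reaches non-production environments, is the one most often closed with a small tool rather than a device. The following is an added example, not code from the deck or from OCIS: it pseudonymizes the fields an institution has classified as restricted with a keyed HMAC so that the same value always maps to the same token (joins between exported tables still work), and then scans the sanitized export for anything that still looks like an SSN or e-mail address. The sample records, the field classification and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed sample export from a "production" system; every value here is made up.
PRODUCTION_RECORDS = [
    {"student_id": "10001", "name": "Ada Lovelace", "ssn": "123-45-6789", "email": "ada@example.edu", "gpa": 3.9},
    {"student_id": "10002", "name": "Alan Turing", "ssn": "987-65-4321", "email": "alan@example.edu", "gpa": 3.7},
    # Same SSN as the first record, to show that pseudonymization is consistent.
    {"student_id": "10003", "name": "Grace Hopper", "ssn": "123-45-6789", "email": "grace@example.edu", "gpa": 4.0},
]

# Assumption: these fields were marked restricted during the "Classify Information" step.
RESTRICTED_FIELDS = {"ssn", "email", "name"}

# Key used to derive stable pseudonyms. In practice it lives in a secrets store and is
# never shipped with the sanitized data; this constant exists only so the demo runs.
PSEUDONYM_KEY = b"demo-only-key-not-for-real-use"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def pseudonymize(value: str, field: str) -> str:
    """Replace a restricted value with a keyed, deterministic token.

    The same (field, value) pair always yields the same token, so referential
    integrity across tables survives, but the original cannot be recovered
    without the key. The field name is mixed in so an SSN and an e-mail that
    happened to share text would not collide.
    """
    digest = hmac.new(PSEUDONYM_KEY, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{digest[:12]}"


def sanitize_record(record: dict) -> dict:
    """Return a copy of one record with every restricted field pseudonymized."""
    return {
        field: pseudonymize(str(value), field) if field in RESTRICTED_FIELDS else value
        for field, value in record.items()
    }


def sanitize_export(records: list) -> list:
    """Sanitize a whole export; non-restricted fields pass through unchanged."""
    return [sanitize_record(r) for r in records]


def find_leaks(records: list) -> list:
    """Scan an export for values that still look like SSNs or e-mail addresses.

    Returns (record_index, field) pairs; an empty list means the check passed.
    Run this against the sanitized output before it is copied to test or dev.
    """
    leaks = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            text = str(value)
            if SSN_RE.search(text) or EMAIL_RE.search(text):
                leaks.append((i, field))
    return leaks


if __name__ == "__main__":
    clean = sanitize_export(PRODUCTION_RECORDS)
    for rec in clean:
        print(rec)
    print("leaks before sanitizing:", find_leaks(PRODUCTION_RECORDS))
    print("leaks after sanitizing:", find_leaks(clean))
```

The two halves matter together: pseudonymization removes the restricted values, and the leak scan is the evidence an assessor can attach to the findings report that the non-production copy no longer carries them. Extending the scan with the institution's other restricted patterns (student ID formats, card numbers) is the natural next step.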
Integrating a Security Culture
• Awareness and Training
– SANS Secure Web Development
• Policy Development and Best Practices
– Restricted Information Management Practices
– Desktop Encryption Policy
• Centralized Resources
– Security Event Management
– Network Management
– Desktop Tools
– PKI
Questions
• How can we help you?