ISAAC @ Texas State - A Success Story
The ISAAC Value Proposition at Texas State University-San Marcos
Don Volz, Special Assistant to the Vice President for Information Technology
Texas State Profile (we’re big, complex, and …)
– Public, state-assisted, 5th largest university in Texas
– 30,800 students:
  • ~6,000 on-campus residents, ~14,000 San Marcos metro residents
– 101 bachelor’s, 88 master’s, 10 doctoral programs
– 9 colleges, 43 academic departments & schools, 28 centers & institutes
– Main campus in San Marcos, TX; satellite campus in Round Rock, TX
IT both centralized and decentralized (… technologically diverse)
– Tech platforms: Unix (various), Linux, Windows, MacOS, … even OpenVMS
– Central IT administers 2 highly virtualized, mostly redundant data centers and offers a full suite of IT support services, including network management, enterprise systems, help desk, computer repair, technology procurement, classroom technology support, instructional design, etc.
– Unit-specific IT infrastructure and support varies by unit
  • Server farms and administrators
  • Faculty/staff desktop hardware and software support
  • Lab administration
– Trending toward greater centralization (in part due to ISAAC)
Pre-2006 State (the way we were)
– No centralized Information Security function
– Security responsibilities distributed across central IT and beyond
2006 (in the beginning …)
– IT Security function established within Office of the VPIT
– IT Security’s Mission: implement and sustain a university-wide information security program
– Initial Program Goals
  • Inventory information assets and rank by criticality and risk
  • Quickly mitigate risks to most critical and vulnerable assets
  • Bring ALL assets into compliance with state information security standards (TAC 202 – Texas Administrative Code, Chapter 202)
  • Establish policies and processes that sustain standards compliance and continuously improve information security posture
Planning Assumptions (confronting the brutal facts)
– Previous Higher Ed breaches – mostly unit-administered assets
  • Large quantities of sensitive and confidential information
  • Protections often minimal, overly permissive, and/or out-of-date
  • Limited awareness of security threats, standards, best practices
– Campus culture – carrots work better than sticks
  • IT Security must be a proactive, collaborative enabler
  • IT Security must be a trusted risk management partner
  • IT Security must clearly appreciate the business need
  • IT Security must NOT be the “security gestapo”
  • Compliance is not the goal, but one method for managing risk
– A never-ending journey
  • Information security will never be finished
  • Owner/administrator relationships must be nurtured
  • Security training/tools → empowered allies on the front line
First Things First (let’s get this party started)
– Find most critical assets and assets at greatest risk
  • Outreach to asset sysadmins by IT Security; to VPs/Deans by VPIT
  • Network mapping exercises and in-person visitation
  • Registered asset data into a database
  • 27 environments prioritized for risk assessment
– Establish risk assessment methodology and tools
  • Must be standards-based, aligned with TAC 202, Web-enabled
  • Must produce measurable outcomes
  • Found ISAAC (http://net.educause.edu/ir/library/powerpoint/EDU0460.pps)
  • Acquired access to hosted version of ISAAC used by TAMU system institutions (just as if Texas State was a member)
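The slides describe registering asset data in a database and then ranking the registered environments by criticality and risk to pick the 27 to assess first, but they do not publish the scoring rules. The following is an added example, not ISAAC's methodology or Texas State's register: it assumes a small set of register fields (data classification, record count, internet exposure, central vs. unit management, patch age) and a simple criticality-times-exposure score, and the sample environments are constructed.

```python
"""Added example: rank registered environments by criticality and risk.

The fields, weights and thresholds below are this example's own
assumptions; they are not the ISAAC methodology, a TAC 202 rule,
or Texas State's actual asset register.
"""
from dataclasses import dataclass

# Assumed data-classification weights; the highest class drives criticality.
CLASSIFICATION_WEIGHT = {"confidential": 3, "sensitive": 2, "public": 1}


@dataclass(frozen=True)
class Environment:
    name: str
    owner_unit: str
    classification: str        # "confidential", "sensitive" or "public"
    record_count: int          # approximate number of records held
    internet_exposed: bool     # reachable from outside the campus network
    centrally_managed: bool    # hosted in a central data center
    unpatched_days: int        # days since the last patch cycle (assumed metric)


def criticality(env: Environment) -> int:
    """Assumed criticality score: classification weight scaled by data volume (1..9)."""
    weight = CLASSIFICATION_WEIGHT[env.classification]
    if env.record_count >= 100_000:
        volume = 3
    elif env.record_count >= 1_000:
        volume = 2
    else:
        volume = 1
    return weight * volume


def exposure(env: Environment) -> int:
    """Assumed exposure score from hygiene attributes visible in the register (1..6)."""
    score = 1
    if env.internet_exposed:
        score += 2
    if not env.centrally_managed:
        score += 1
    if env.unpatched_days > 90:
        score += 2
    elif env.unpatched_days > 30:
        score += 1
    return score


def risk(env: Environment) -> int:
    """Risk as the usual qualitative risk-matrix product: criticality x exposure."""
    return criticality(env) * exposure(env)


def prioritize(envs, limit=None):
    """Environments sorted by risk (desc), then criticality (desc), then name."""
    ranked = sorted(envs, key=lambda e: (-risk(e), -criticality(e), e.name))
    return ranked[:limit] if limit else ranked


# Constructed sample register: fictional environments, units and numbers.
SAMPLE_REGISTER = [
    Environment("admissions-db", "Enrollment", "confidential", 250_000, False, True, 20),
    Environment("dept-grades-srv", "Dept. of Math", "confidential", 5_000, True, False, 120),
    Environment("lab-image-share", "Physics Lab", "public", 300, False, False, 400),
    Environment("alumni-web", "Advancement", "sensitive", 80_000, True, True, 45),
    Environment("hr-payroll", "Human Resources", "confidential", 12_000, False, True, 10),
]


if __name__ == "__main__":
    for e in prioritize(SAMPLE_REGISTER):
        print(f"{e.name:18} crit={criticality(e)} expo={exposure(e)} risk={risk(e):3}")
```

On the constructed register the small, internet-facing, unit-managed grades server outranks the much larger but centrally hosted admissions database, which mirrors the deck's planning assumption that prior breaches were mostly on unit-administered assets; the ranking is only as good as the register fields, so the server registration step matters as much as the scoring.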
2007 – First Real Assessments (crawling before we walk)
– IT Security acquires ISAAC user accounts
  • Conducts pilot assessments of IT servers
  • Authors reference materials specific to Texas State
– IT Security completes in-person, on-site assessments
  • Visits locations of 27 highest-priority environments
  • Completes ISAAC assessment with asset owner/sysadmin
  • Provides mitigation alternatives with monthly follow-up
  • Produces 1st Information Security State of the University report
– First Lessons Learned
  • Limited knowledge of standards, best practices, security threats
  • Basic concepts (e.g., data classification, FERPA) often foreign to system administrators
  • Unit system administrators are siloed and rarely communicate
  • Low-hanging fruit: remove unnecessary sensitive data, employ basic device hardening, relocate hosts/services to data centers
2008 – The Second Time Around (a new and better approach)
– Number of assessments doubled (27 to 65); individual visits not feasible
– Workshop approach: 12 three-hour workshops over a 3-month period
– Workshop agenda
  • Announced IT Security’s new pen testing service
  • Introduced new .NET server registration application
  • Provided overview of ISAAC and risk assessment methodology
  • Attendees entered/updated server registration data
  • Attendees began (some even completed) ISAAC risk assessment process
– IT Security answered questions, facilitated discussion, …
– Following workshop, attendees certified and submitted assessments
– Attendees judged workshop approach as “highly effective”
– As in 2007, IT Security
  • Proposed options, facilitated resolution of risk and compliance issues
  • Aggregated assessment data
  • Produced 2nd annual IT Security State of the University report, noting status changes from previous year
2009 – Gaining Momentum (reaping rewards)
– Audit reviews the risk assessment process and six prior-year assessments
  • Process findings positive – enhancement recommendations shared with TAMU for consideration in next ISAAC release
  • Spot-check findings positive – recommended mitigation actions were in place and operational
– Workshop approach enhanced and expanded
– Announced new required components
  • Identity Finder® sensitive data discovery
  • Penetration testing by IT Security
Outcomes to Date (where’s the beef?)
[Slides 9–11: outcome charts; no text survives in the transcript]
Cost vs. Benefit (getting more than we ever bargained for)
– TAMU’s charge to us is minimal (4 digits/year)
– Annualized assessment process staffing: 25% – 50% of an FTE
– Increases owner and administrator awareness of state standards
– Promotes common understanding and institutional standards
– Enhances the dialogue and relationships among all IT support staff
– Reduction and consolidation of server environments begets:
  • corresponding reduction in space utilization and power consumption
  • greater leveraging of data center virtualization technologies
  • enhanced resource monitoring and availability
– Provides benchmark and metrics for tracking changes
– Most important, measurably improves campus-wide security posture
The ISAAC tool and methodology were key to making these things happen, and we are eagerly anticipating the next ISAAC release.
Contact Information
Don Volz
512-245-9650
More Details about ISAAC @ Texas State
– The Journey to a Successful Risk Assessment – One Strategy Unveiled, presented at the EDUCAUSE Southwest Regional Conference (2/19/2010)
– The Texas State IT Security Web site: http://security.vpit.txstate.edu