© 2005, EDUCAUSE/Internet2 Computer and Network Security Task Force
Information Security Governance: The Buck Stops Where?
Mark Luker, Vice President, EDUCAUSE
EDUCAUSE WRC 2005
Information Security Governance: A Call to Action
“The road to information security goes through corporate governance. America cannot solve its cyber security challenges by delegating them to government officials or CIOs. The best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of Boards and CEOs.”
Corporate Governance Task Force Report, www.cyberpartnership.org
Why is Information Security Board Material?
Disruption of critical operations
Loss of intellectual property
Loss of trust and reputation
Penalties from federal and state laws
Liabilities may arise from lawsuits
Threats to national security
Not Just a Technical Issue
Just as institutional policy is too important to leave to the lawyers…
Information security is too important to leave to the Chief Information Officer and the Chief Security Officer
Security Laws and Regulations
FERPA
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act
California: SB1386
Proposed S.1350: Notification of Risk to Personal Data Act (Sen. Feinstein)
Maryland: Data Security (and Privacy Policies)
Threats of further congressional action
Legal Issues Publications
IT Security for Higher Education: A Legal Perspective (March 2003)
http://www.educause.edu/ir/library/pdf/CSD2746.pdf
Liability for Negligent Security: Implications for Policy and Practice (October 2003)
http://www.educause.edu/ir/library/pdf/CSD2746.pdf
Do regulations matter?
Over 50% of respondents said that regulations and legal requirements drive security actions.
Toby Weiss, Computer Associates
National Context
1999: "Higher Ed Threatens National Security"
2000: EDUCAUSE/Internet2 Task Force on Computer and Network Security
9/11: Raises the stakes
2003: National Strategy to Secure Cyberspace
2003: National Cyber Security Summit
Throughout: Many leaks of personal, medical, and financial information; intruders in our systems; attacks from us on others
National Strategy (Feb 2003): Higher Ed a Critical Sector
Teach security officers
Study security
Threaten national security
Join national effort
Fix our problems voluntarily or ...
Same boat as large corporations
National Summit (Dec 2003) Task Forces
Awareness for Home Users & Small Businesses
Cyber Security Early Warning
Software Development Lifecycle
Technical Standards
Corporate Governance
ISG Report: Executive Summary
If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.
ISG Framework
Information Security Program (based on ISO/IEC 17799 and the Federal Information Security Management Act, FISMA)
Roles and Responsibilities
Reporting
Information Security Program
Provide security for networks and systems
Policies and procedures to assess security risks; full lifecycle
Security awareness training
Periodic testing; remedial action processes
Incident response procedures
Business continuity plans
ISG Roles & Responsibilities
Board responsibilities: strategic oversight; alignment
CEO responsibilities: assign responsibility, accountability, and authority; oversee compliance
Executive responsibilities: security commensurate with risk; integrate with operations
Senior Managers responsibilities: risk assessment, implement policies, secure operations
All employees responsibilities: awareness; compliance; reporting
ISG Reporting
Adequacy, effectiveness, and acceptable residual risk reported to executives
Independent evaluation reported to the board
ISG Assessment Tool
Business Dependency: Organizational Reliance on IT
Risk Management
People
Processes
Technology (last)
Organizational Reliance on IT
Dependence upon information technology systems and the Internet to conduct academic, research, and outreach programs and offer support services
Value of organization’s intellectual property stored or transmitted in electronic form
Impact of major system downtime on operations
Risk of losing personal information
Higher Education Characteristics
Distributed, "light" management
Changing mix of employees, students, visitors
Stakeholder sensitivity to privacy
Reputation very important
May have academic or research programs in sensitive areas
Potential impact on national or critical infrastructure
Risk Management
Does your organization have a documented information security program?
Has your company conducted a risk assessment to identify the key objectives that need to be supported by your information security program?
Has your organization identified critical assets and the functions that rely on them?
Has a cost been assigned to the loss of each critical asset or function?
Impact of Security
Risk = Threats x Vulnerabilities x Impact
Impact: Types of Risks
Operational, Financial, Reputational, Legal, Strategic
People
Is there a person or organization that has information security as their primary duty, with responsibility for maintaining the security program and ensuring compliance?
Does your information security function have the authority and resources it needs to manage and ensure compliance with the information security program?
Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes and audits?
People (Cont'd)
Does the information security function report regularly to the executive staff and board of directors on the compliance of the business to and the effectiveness of the information security program and policies?
Have you implemented an information security education and awareness program such that all employees, contractors, and external providers know the information security policies that apply to them and understand their responsibilities?
Processes
Does your institution have an official information security architecture, based on your risk management analysis and information security strategy?
Do you have processes and procedures for involving the security personnel in evaluating and addressing any security impacts before the purchase or introduction of new systems?
Are there specific, documented, security-related configuration settings for all systems and applications?
Information Security Policies
Based on your information security risk management strategy, do you have written corporate information security policies that address each of the following areas?
Individual employee responsibilities for information security practices
Acceptable use of computers, e-mail, Internet, and intranet
Protection of organizational assets, including IP
Is there a method for communicating security policies to all employees?
Security Program Administration
Does your organization periodically test and evaluate/audit your information security program, practices, controls, and techniques to ensure they are effectively implemented?
Do you conduct a periodic independent evaluation /audit of your information security program and practices for each business unit?
Does each periodic independent evaluation/audit test the effectiveness of information security policies, procedure, and practices of a representative subset of each business unit’s information systems?
Leadership Matters
There is a positive impact when the president and provost are actively involved in the development of IT security policy.
Only 14 percent regularly report incidents to senior management.
EDUCAUSE Center for Applied Research, 2003
Letter to Presidents (February 2003)
Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability.
Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.
Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.
Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.
David Ward, President, American Council on Education
Key Messages to Executives
College and university networks, if not secured, pose a threat to the institution
Personal information, institutional data, and intellectual property, if not protected, can be compromised or disclosed without authorization
College and university networks, if not secured, pose a threat to others
Key Messages to Executives
Success will require "mainstreaming" information security into the normal governance process of the institution.
Each member of the community has a role to play.
Top-level leadership is required for this change in culture.
Help is available:
EDUCAUSE/Internet2 Computer and Network Security Task Force
http://www.educause.edu/security
Security for the Here and Now
Working groups in awareness and training, effective practices, risk assessment, policies and legal issues, and emerging technologies
New annual conference for security practitioners in higher education
A Framework for Action pledging increased executive support
New book Computer and Network Security in Higher Education, edited by Mark Luker and Rodney Petersen
Effective IT Security Practices Guide and over 40 campus case studies
EDUCAUSE Center for Applied Research Bulletins: Computer and Network Security and Higher Education's Core Values, and Life with HIPAA: A Primer for Higher Education
Results to date in Security
An e-mail Security discussion list with over 1,300 subscribers
A partnership between EDUCAUSE and the Center for Internet Security
The Information Security Governance Self Assessment Tool for Higher Education
Publication of Principles to Guide Efforts to Improve Computer and Network Security for Higher Education, and IT Security for Higher Education: A Legal Perspective
A CD that contains Cybersecurity Awareness Resources for the Higher Education Community
A blog plus a large number of presentations and articles
Working with Others - 1
National Infrastructure Protection Center (NIPC), formerly in the FBI, now in the Department of Homeland Security (DHS)
InfraGard
National Centers of Excellence in Information Assurance (formerly NSA centers)
Center for Internet Security
Cybersecurity Forum for Higher Education (for cybersecurity issues of industry and higher education)
US-Computer Emergency Readiness Team (US-CERT)
NSF planning workshops
Working with Others - 2
National Cybersecurity Partnership – a broad coalition of security experts in industry and higher education that drew up specific plans to improve our cybersecurity (without government intervention)
Congressman Adam Putnam’s (R-FL) Corporate Information Security Working Group – a parallel coalition with many of the same players formed by Congressman Putnam, then of the House Committee on Government Reform’s Subcommittee on Technology and Information Policy, to help determine if congressional intervention would indeed be required
Partnership for Critical Infrastructure Security (PCIS) – the newly formed national organization of Sector Coordinators, each of which represents the cybersecurity activities of a single critical sector.
Major Points
Information Security is now critically important to the institution and the nation
Success will require a complete new system of people, processes, and technology
Risk assessment is used to balance investment with risk
Executive leadership and board oversight will be required on an ongoing basis
Each person in the institution has a role
Model programs and guidelines are available
Questions for discussion
1. How much does your campus rely on IT and IS?
2. Do you have a documented security program with someone in charge? Have you done a risk assessment?
3. How often do you report on compliance and effectiveness to leaders and the board?
4. Do you have written policies and procedures appropriate for faculty, staff, students, others?
5. To what extent do deans, directors, department heads, and other administrators feel, and are held, responsible for information security in their own units?
Questions for discussion
How would you describe your institution's relative reliance on information technology and networks for operations and business continuity?
To what extent has your institution documented an information security program with a person or office designated with responsibility and authority for information security?
How far has your institution gone in terms of conducting a risk assessment to identify the key objectives that need to be supported by your information security program?
What is the reporting frequency from the information security function to institutional leaders and the governing board on the compliance of the institution with, and the effectiveness of, the information security program and policies?
To what extent has your institution developed written information security policies and procedures, based on a risk management strategy, that are consistent, easy to understand, and readily available to administrators, faculty, employees, students, contractors, and partners?
To what extent do deans, directors, department heads, and other administrators feel, and are held, responsible for information security in their own units?