
CACUBO 2018
Loyola University Chicago
October 2018

I HAVE AN INFORMATION SECURITY PROGRAM, WHAT AM I MISSING?

Jim Pardonek, Information Security Officer
Jim Sibenaller, AVP – Enterprise Systems Services
Loyola University Chicago


A Little About Jim P.

• Loyola University Chicago Information Security Officer
• Over 30 Years in Information Technology
• Over 15 Years in Information Security

BS, MS, Purdue University School of Technology

Certified Information Systems Security Professional Since 2003

Certified Ethical Hacker Since 2010

A Little About Jim S.

AVP – Enterprise Systems Services, Loyola University Chicago

Responsibilities
• IT Governance
• Admin/ERP/Student Systems
• Database Administration
• PMO
• Enterprise Architecture
• Information Security

• Over 30 Years in Information Technology
• 20+ years of Applications, Project Mgmt & Enterprise Architecture
• 10 Years in Information Security

BSCS – Aurora University


Agenda

• Business Drivers of Information Security
• Information Security Program Approach
• Goals and Objectives
• Program Component Overview
• Security in Layers
• The 12 Information Security Components
• Defining “Right Fit”
• Questions


Poll Question

How do you rank your information security program?
A. Mature
B. Somewhat mature
C. Not so mature
D. Not mature at all


Information Security Business Drivers

Targets – Our Assets
• 311,000+ SSNs
• 15,000+ Credit Card numbers
• Student/Parent Financial/Personal Data
• Also, information on high-profile students or parents

External Threats
• Identity Theft
• Hackers and Organized Crime
• Spammers / Phishers (14.5 billion spam emails are sent every single day [1])
• Human Error
• Physical Theft (of electronic devices/data)
• Regulations and Laws
• Acts of God

Internal Threats
• Students
  o Unauthorized grade changes
  o Harassment of another student or faculty member
• Faculty and staff
  o Disgruntled employees
  o Negligent or untrained employees

Information Security Goals & Objectives

Goal: Maintain confidentiality, integrity, and availability of information systems
• Prevent compromise of Loyola Protected and Sensitive Data
• Protect the integrity of critical systems
• Monitor for intrusion and misuse of systems
• Maintain the availability of systems required by students, faculty and staff

Goal: Protect Loyola’s reputation
• Protect the confidentiality of student, parent, faculty and staff personal information
• Maintain compliance with regulations (PCI, FERPA, HIPAA, PIPA, GDPR), laws, and contractual agreements
• Limit liability

Goal: Enable Loyola to provide a safe computing environment for students, faculty, staff and guests
• Balance the “freedom of academic information” with the protection of assets and safety of device computing
• Inform the Loyola community of protective measures to take against existing and upcoming security threats
• Provide technology that mitigates the risks of security threats

Goal: Identify and provide guidance on risk management and information security issues
• Provide assistance and consultation on information security and risk management issues
• Facilitate and coordinate security audits and assessments of information technology infrastructure
• Provide reasonable assurance that security objectives are being achieved
• Identify and coordinate vulnerability identification and remediation

The Approach

• Top Down Approach – Sell the Program
  o Start with the CIO/Sponsor
  o Get Buy-in
  o Define and present Business Drivers
• Presentation to Governance Groups
  o Steering Committees
  o Senior Leadership
• Take the “Show on the Road”
  o Present defined Goals and Objectives
  o Define the Components

Loyola University Chicago Confidential Materials – Do not Distribute


University Information Security Office @ LUC – Key Duties

• Information Security Officer – Program execution & governance; Policy definition; Incident response
• Senior Security Analyst – Security operations center monitoring; Cyber threat analysis; Server vulnerability assessments; Computer forensics; Incident investigation support; NGFW configuration and support; SIEM analysis
• Security Administrators (2) – Security operations center response; Cyber threat protection; Application vulnerability assessments; Payment Card Industry (PCI) compliance; Awareness and training administration
• SIS/ERP Security Administrator – Student system roles & permissions; Personally Identifiable Information (PII) compliance; Non-Affiliated Person access
• Student Workers (2) – Web site administration & up-keep; Reporting & metrics; Research

Information Security Program Components

The 12 components, with the definitions given in the presenter notes:
• Governance – The system and processes by which Loyola directs and controls IT security
• Policies, Procedures, Standards and Guidelines – Documents that state in writing how Loyola wants to protect its information assets
• Incident Response – An organized approach to addressing and managing the aftermath of a security breach or attack
• Cyber Threat Protection – Components that identify a circumstance or event that indicates the potential to exploit a vulnerability
• Vulnerability Assessments – The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system
• Risk Assessment Program – How Loyola identifies potential hazards and analyzes what could happen if a hazard occurs
• Awareness, Education & Training – Newsletters, social media, brown bag, video
• Audit, Compliance & Regulations – PII, PCI-DSS, FERPA, HIPAA, GLBA, GDPR, Red Flag
• Security Operations Center – Audit IT infrastructure and application logs via SIEM technologies to provide alerts and details of suspicious activity
• Data Identification, Analysis & Forensics – The recovery and investigation of material found in digital devices
• Secure Access – VPN and Remote Access Services
• ERP Security Services – Roles and Access Permissions for PeopleSoft

Governance (How we Operate)

Information Security Advisory Board
• Recommends and develops Policies and Procedures
• Assists management in securing University information assets
• Provides guidance and oversight in the creation of an information security strategy and risk management program
• Decides on project priorities
• Ensures compliance to applicable laws, regulations and contractual requirements
• Monitors the effectiveness of the information security program
• Serves as an advocate of the information security program

Policies, Procedures and Guidelines

Policies and Procedures
• Security Policy
• Incident Response
• Access & Use
• Cloud Storage
• PII Policies
• Vendor Access
• Email

Standards and Guidelines
• Password
• Network & Firewall
• Server & Computer Security

Incident Response Development

• Membership and Operation
  o Policies/procedures (IRT Governance)
  o Incident Response Plan
• SIRT – Ad-Hoc Membership based on incident type
• Incident Tracking
  o Detailed reporting
  o Chain of custody process
• Minimize Incident Occurrence

Cyber Threat Protection – Information Security: A Layered Approach (layer diagram not reproduced in this extract)

Vulnerability Assessments

Processes – Internal
• Perform Vulnerability Review & Risk Ranking on a regular basis
  o Threats and Vulnerabilities listing provided by US-CERT/Homeland Security, MITRE, NIST, etc.
  o Review applicability of each item to your environment
  o Meeting of system owners/maintainers
• Full Automated Vulnerability Scanning – Quarterly
• Schedule remediation based on:
  o Risk
  o Environment (PCI first)
  o Dependencies
• Constant, ongoing process

Vulnerability Assessments

Processes – External
• Internal/external audit efforts & priorities
• 3rd Party Scanning
  o External “Full Pen Test” – Every 3 years – Zero Critical/High Risks
  o External “PCI Pen Test” – Annual – Zero Critical/High/Medium Risks
  o PCI Scan – Monthly – Zero Critical/High/Medium Risks
• 3rd Party Application Assessments

Risk Assessment Program

Goals
• Represent & communicate information security decisions and actions based on tangible data
• Provide appropriate levels of security that:
  o protect assets
  o reduce risks
  o are easily understood & communicated
  o are easily utilized & serviced
  o are reviewed annually

Process
• Define “Acceptable Risk Definition” as it pertains to information risk
  o Based on Mission, Objectives and Obligations
  o Based on industry standards: ISO 27002, COBIT, NIST
  o Develop a plan for reducing unacceptably high risks to an acceptable level
• 3rd party risk assessment
• HEISC Information Security Program Self Assessment Tool
• SANS Audit Checklist

Risk Assessment Program – Likelihood, Impact, Risk (risk matrix figure not reproduced in this extract)

Risk Assessment Program – Risk Assessment Calculations (figure not reproduced in this extract)
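The remediation rules on the Vulnerability Assessments slides (rank by risk, PCI environment first, respect dependencies, and the zero-Critical/High and zero-Critical/High/Medium acceptance targets for external and PCI scanning) and the Likelihood/Impact/Risk ranking above, carried through as an added worked example in Python. This is not code from the deck or from Loyola: the 1-5 likelihood and impact scales, risk = likelihood × impact, the environment labels, the target for internal hosts, the rule that a prerequisite inherits the priority of the fix it blocks, and the sample findings are all assumptions constructed for the example.

```python
"""Risk-ranked remediation scheduling for vulnerability findings.

Added example, not code from the CACUBO deck. Assumptions: a 1-5 likelihood
scale, a 1-5 impact scale, risk = likelihood * impact, and the environment
labels "pci", "external" and "internal".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Remediation order by environment. "PCI first" is stated on the slide; the
# relative order of the other two environments is an assumption.
ENV_PRIORITY = {"pci": 0, "external": 1, "internal": 2}

# Acceptance targets quoted on the "Processes - External" slide: the annual
# PCI pen test and monthly PCI scan allow zero Critical/High/Medium findings,
# the full external pen test zero Critical/High. The internal target is an
# assumption; the deck states none.
UNACCEPTABLE = {
    "pci": {"Critical", "High", "Medium"},
    "external": {"Critical", "High"},
    "internal": {"Critical"},
}


@dataclass
class Finding:
    fid: str
    host: str
    env: str
    severity: str                 # scanner severity: Critical/High/Medium/Low
    likelihood: int               # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                   # 1 (negligible) .. 5 (severe), assumed scale
    depends_on: List[str] = field(default_factory=list)  # fixes that must land first

    @property
    def risk(self) -> int:
        """Risk score from the likelihood x impact matrix (assumed formula)."""
        return self.likelihood * self.impact


def _effective_keys(by_id: Dict[str, Finding]) -> Dict[str, Tuple[int, int]]:
    """Sort key per finding: (environment priority, -risk); lower sorts sooner.

    A prerequisite inherits the key of anything that depends on it, so a
    low-risk fix that blocks a high-risk PCI fix is scheduled as if it were
    that PCI fix. Iterates to a fixpoint; keys only ever decrease.
    """
    key = {fid: (ENV_PRIORITY[f.env], -f.risk) for fid, f in by_id.items()}
    changed = True
    while changed:
        changed = False
        for f in by_id.values():
            for dep in f.depends_on:
                if key[f.fid] < key[dep]:
                    key[dep] = key[f.fid]
                    changed = True
    return key


def schedule(findings: List[Finding]) -> List[str]:
    """Return finding ids in remediation order.

    Order: PCI environment first, then highest risk first, never scheduling a
    finding before the findings it depends on. Raises ValueError on an
    unknown or cyclic dependency.
    """
    by_id = {f.fid: f for f in findings}
    for f in findings:
        for dep in f.depends_on:
            if dep not in by_id:
                raise ValueError(f"{f.fid} depends on unknown finding {dep}")
    key = _effective_keys(by_id)
    remaining = set(by_id)
    order: List[str] = []
    while remaining:
        # Only findings whose prerequisites are already scheduled are eligible.
        ready = [i for i in remaining if all(d in order for d in by_id[i].depends_on)]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        nxt = min(ready, key=lambda i: (key[i], i))
        order.append(nxt)
        remaining.remove(nxt)
    return order


def failing_targets(findings: List[Finding]) -> Dict[str, List[str]]:
    """Finding ids that breach the acceptance target for their environment."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        if f.severity in UNACCEPTABLE.get(f.env, set()):
            out.setdefault(f.env, []).append(f.fid)
    return {env: sorted(ids) for env, ids in out.items()}


# Constructed sample findings; not real scan output.
SAMPLE = [
    Finding("V-1", "pay-web-01", "pci", "Medium", 3, 4),
    Finding("V-2", "pay-db-01", "pci", "High", 4, 5, depends_on=["V-3"]),
    Finding("V-3", "pay-db-01", "pci", "Low", 2, 2),   # prerequisite for V-2
    Finding("V-4", "www-01", "external", "Critical", 5, 4),
    Finding("V-5", "www-01", "external", "Medium", 3, 3),
    Finding("V-6", "lab-fs-01", "internal", "High", 3, 3),
]

if __name__ == "__main__":
    print("remediation order:", schedule(SAMPLE))
    print("breach targets:", failing_targets(SAMPLE))
```

On the sample, V-3 is scheduled first even though its own score is 4: it blocks V-2, the highest-risk PCI finding, so it inherits that priority. The target check is separate from the ordering on purpose: the order tells the system owners what to fix next, the check tells the program which environments would fail the next PCI scan or external pen test as they stand.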


Awareness, Education & Training

Awareness Program Components – Frequency and Usage
• Posters – Annually during Cyber Security Awareness Month
• Web Site – Online & available to all
• Social Media – Weekly postings
• Newsletter – Monthly distribution
• Coffee Sessions – Semi-annually at each campus
• Department Sessions – By request, average 1-2 per semester
• Classroom Guest Lecture – By request, average 1-2 per semester
• Emerge Class – Semi-annually at each campus
• Video Training – Mandatory twice a semester plus additional training for “high risk” areas
• HIPAA Training – Annually, required for faculty & staff
• Student Engagement – Ad-hoc, increased awareness at student events

Presenter notes: We can add the mandatory HIPAA training and a possible shift to required general information security training (a future discussion as we begin to develop a training calendar for the University).

Audit and Compliance Programs

• PII – How and where is personal information stored
• PCI – Credit card acceptance
• HIPAA – Protection and handling of PHI
• GDPR – EU personal information protection
• Application Security Audits – Ensure proper access to protected information

Security Operations Center

Purpose: Centralized monitoring point for visibility, alerting and investigation of incidents or potential incidents.

Automate, automate, automate
• SIEM
• IPS
• Vulnerability Scanning
• URL protection

Data Identification, Analysis & Forensics

Recovery and investigation of material found in digital devices
• Litigation Holds
• Investigation Support
• General data analysis for incident triage
• Data retrieval
• Tools – EnCase, FTK, Kali (formerly BackTrack)

Secure Access

• Multi-Factor Authentication
• VPN Services
• Secure File Transfer Services

ERP Security Services

• Provides Separation of Duties
• Assignment of roles and permissions in PeopleSoft
• Control of Non-Affiliated Accounts
• Performs audit functions for PeopleSoft
• Assists in Compliance Efforts
• Main point of contact for PII remediation

“Right Fit” Information Security

• Expanded use and reliance on technology
• Need to give the necessary network access to students, faculty and staff: they need to perform their roles!
• Academic Freedom
• A barrage of internal and external security threats: student and faculty information, and sensitive research, at risk

IT departments within these organizations must be equipped to monitor and mitigate external threats such as malware and bot attacks on a daily basis, as well as manage internal threats such as student and faculty downloads and flash drive use that expose networks to potential infection.

How To Forge Ahead

• Get your CIO on board
• Sell the story – benefits and risks
• Don’t bite off everything at once
• Rely on your Risk Assessment to identify gaps
• Find the initiatives that make the most impact
• Just keep swimming

Questions?

Thank You!

Jim Pardonek, CISSP, CEH, Information Security Officer
Jim Sibenaller, AVP – Enterprise Systems Services