CACUBO 2018, Loyola University Chicago
Jim Pardonek, Information Security Officer
Jim Sibenaller, AVP – Enterprise Systems Services
Loyola University Chicago
October 2018

I HAVE AN INFORMATION SECURITY PROGRAM, WHAT AM I MISSING?
A Little About Jim P.
• Loyola University Chicago Information Security Officer
• Over 30 years in Information Technology
• Over 15 years in Information Security
• BS, MS, Purdue University School of Technology
• Certified Information Systems Security Professional since 2003
• Certified Ethical Hacker since 2010
A Little About Jim S.
• AVP – Enterprise Systems Services, Loyola University Chicago
• Responsibilities: IT Governance; Admin/ERP/Student Systems; Database Administration; PMO; Enterprise Architecture; Information Security
• Over 30 years in Information Technology
• 20+ years of Applications, Project Management & Enterprise Architecture
• 10 years in Information Security
• BSCS – Aurora University
Agenda
• Business Drivers of Information Security
• Information Security Program Approach
• Goals and Objectives
• Program Component Overview
• Security in Layers
• The 12 Information Security Components
• Defining “Right Fit”
• Questions
Poll Question
How do you rank your information security program?
A. Mature
B. Somewhat mature
C. Not so mature
D. Not mature at all
Information Security Business Drivers: Targets – Our Assets
• 311,000+ SSNs
• 15,000+ Credit Card numbers
• Student/Parent Financial/Personal Data
• Also, information on high-profile students or parents

External Threats
• Identity Theft
• Hackers and Organized Crime
• Spammers / Phishers: 14.5 billion spam emails are sent every single day
• Human Error
• Physical Theft (of electronic devices/data)
• Regulations and Laws
• Acts of God

Internal Threats
• Students: unauthorized grade changes; harassment of another student or faculty member
• Faculty and staff: disgruntled employees; negligent or untrained employees
Information Security Goals & Objectives

Maintain confidentiality, integrity, and availability of information systems
• Prevent compromise of Loyola Protected and Sensitive Data
• Protect the integrity of critical systems
• Monitor for intrusion and misuse of systems
• Maintain the availability of systems required by students, faculty and staff

Protect Loyola’s reputation
• Protect the confidentiality of student, parent, faculty and staff personal information
• Maintain compliance with regulations (PCI, FERPA, HIPAA, PIPA, GDPR), laws, and contractual agreements
• Limit liability

Enable Loyola to provide a safe computing environment for students, faculty, staff and guests
• Balance the “freedom of academic information” with the protection of assets and safety of device computing
• Inform the Loyola community of protective measures to take against existing and upcoming security threats
• Provide technology that mitigates the risks of security threats

Identify and provide guidance on risk management and information security issues
• Provide assistance and consultation on information security and risk management issues
• Facilitate and coordinate security audits and assessments of information technology infrastructure
• Provide reasonable assurance that security objectives are being achieved
• Identify and coordinate vulnerability identification and remediation
The Approach
• Top-down approach – sell the program
o Start with the CIO/Sponsor
o Get buy-in
o Define and present business drivers
• Presentation to governance groups
o Steering committees
o Senior leadership
• Take the “show on the road”
o Present defined goals and objectives
o Define the components
Loyola University Chicago Confidential Materials – Do not Distribute
University Information Security Office @ LUC: Key Duties
• Information Security Officer: program execution & governance; policy definition; incident response
• Senior Security Analyst: security operations center monitoring; cyber threat analysis; server vulnerability assessments; computer forensics; incident investigation support; NGFW configuration and support; SIEM analysis
• Security Administrators (2): security operations center response; cyber threat protection; application vulnerability assessments; Payment Card Industry (PCI) compliance; awareness and training administration
• SIS/ERP Security Administrator: student system roles & permissions; Personally Identifiable Information (PII) compliance; Non-Affiliated Person access
• Student Workers (2): web site administration & up-keep; reporting & metrics; research

[Org chart: Information Security Officer, with Senior Security Analyst, two Security Administrators, SIS/ERP Security Administrator and two Student Workers reporting in]
Information Security Program Components
• Awareness, Education & Training
• Incident Response
• Governance
• Data Identification, Analysis & Forensics
• Policies, Procedures & Guidelines
• Risk Assessment Program
• Vulnerability Assessments
• Cyber Threat Protection
• Audit, Compliance & Regulations
• Secure Access
• Security Operations Center
• ERP Security Services
Governance (How we Operate)
Information Security Advisory Board:
• Recommends and develops policies and procedures
• Assists management in securing University information assets
• Provides guidance and oversight in the creation of an information security strategy and risk management program
• Decides on project priorities
• Ensures compliance with applicable laws, regulations and contractual requirements
• Monitors the effectiveness of the information security program
• Serves as an advocate of the information security program
Policies, Procedures and Guidelines
• Policies and Procedures: Security Policy; Incident Response; Access & Use; Cloud Storage; PII Policies; Vendor Access; Email
• Standards and Guidelines: Password; Network & Firewall; Server & Computer Security
Incident Response Development
• Membership and operation
o Policies/procedures (IRT governance)
o Incident Response Plan
• SIRT: ad-hoc membership based on incident type
• Incident tracking
o Detailed reporting
o Chain of custody process
• Minimize incident occurrence
Information Security – A Layered Approach (Cyber Threat Protection)
Vulnerability Assessments
Processes – Internal
• Perform vulnerability review & risk ranking on a regular basis
o Threats and vulnerabilities listing provided by US-CERT/Homeland Security, MITRE, NIST, etc.
o Review applicability of each item to your environment
o Meeting of system owners/maintainers
• Full automated vulnerability scanning – quarterly
• Schedule remediation based on:
o Risk
o Environment (PCI first)
o Dependencies
• Constant, ongoing process
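As an added example (not from the slides or Loyola's own tooling), this orders scan findings for remediation the way the slide describes: dependencies first, PCI environment next, then highest risk. The likelihood x impact scoring, the rank thresholds and the hosts, findings and dependencies are all assumptions or constructed sample data.

```python
from dataclasses import dataclass, field
from graphlib import TopologicalSorter  # Python 3.9+

@dataclass
class Finding:  # one scan finding on one host; scales and labels are assumed, not the slide's
    host: str
    title: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    environment: str           # "PCI", "ERP" or "general" (constructed labels)
    depends_on: list = field(default_factory=list)  # hosts that must be remediated first

    @property
    def risk(self) -> int:
        # Assumed convention: risk score = likelihood x impact (the slide shows no formula)
        return self.likelihood * self.impact

def risk_rank(score: int) -> str:
    """Bucket a risk score for reporting; thresholds are assumed."""
    return "Critical" if score >= 15 else "High" if score >= 10 else "Medium" if score >= 5 else "Low"

def schedule(findings):
    """Order remediation: dependencies first, then PCI environment, then highest risk."""
    by_host = {f.host: f for f in findings}
    ts = TopologicalSorter({f.host: set(f.depends_on) for f in findings})
    ts.prepare()               # raises CycleError on circular dependencies
    pending, order = set(), []
    while ts.is_active():
        pending.update(ts.get_ready())   # hosts whose prerequisites are already done
        # Among unblocked hosts: PCI before non-PCI, then higher risk score, then name as tie-break
        nxt = min(pending, key=lambda h: (by_host[h].environment != "PCI", -by_host[h].risk, h))
        pending.remove(nxt)
        order.append(by_host[nxt])
        ts.done(nxt)           # may unblock dependants for the next iteration
    return order

# Constructed sample scan output (not real Loyola hosts or findings)
SAMPLE = [
    Finding("pay-web01", "Outdated TLS library", 4, 5, "PCI", depends_on=["pay-lb01"]),
    Finding("pay-lb01", "Weak cipher suites enabled", 3, 4, "PCI"),
    Finding("erp-db01", "Unpatched database listener", 4, 4, "ERP"),
    Finding("lab-print01", "Default SNMP community string", 3, 1, "general"),
    Finding("www-cms01", "Missing CMS security update", 5, 3, "general"),
]

def remediation_plan(findings=SAMPLE):
    """Return (host, environment, risk score, rank) tuples in remediation order."""
    return [(f.host, f.environment, f.risk, risk_rank(f.risk)) for f in schedule(findings)]
```

Note that pay-lb01 (risk 12) is scheduled ahead of pay-web01 (risk 20) only because the latter depends on it; without the dependency the higher score would go first.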
Vulnerability Assessments
Processes – External
• Internal/external audit efforts & priorities
• 3rd-party scanning
o External “Full Pen Test” – every 3 years – zero Critical/High risks
o External “PCI Pen Test” – annual – zero Critical/High/Medium risks
o PCI Scan – monthly – zero Critical/High/Medium risks
• 3rd-party application assessments
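As an added example (not from the slides), this applies the three external-testing rules above as a gate: each test type has its own cadence and its own set of severities that must be absent. The run dates and findings are constructed sample data, and the month arithmetic is a small helper written for this example.

```python
from collections import Counter
from datetime import date

# Cadence and blocking severities per external test type, as listed on the slide
RULES = {
    "full_pen_test": {"months": 36, "blocked": {"Critical", "High"}},
    "pci_pen_test":  {"months": 12, "blocked": {"Critical", "High", "Medium"}},
    "pci_scan":      {"months": 1,  "blocked": {"Critical", "High", "Medium"}},
}

def add_months(d: date, months: int) -> date:
    """Advance a date by whole months; the day is clamped to 28 so February stays valid."""
    y, m = divmod(d.month - 1 + months, 12)
    return date(d.year + y, m + 1, min(d.day, 28))

def evaluate(test_type: str, last_run: date, findings, today: date) -> dict:
    """findings: iterable of (finding_id, severity). Returns the gate decision for one test."""
    rule = RULES[test_type]
    next_due = add_months(last_run, rule["months"])
    blocking = Counter(sev for _, sev in findings if sev in rule["blocked"])
    return {
        "test": test_type,
        "next_due": next_due,
        "overdue": today > next_due,
        "passed": not blocking,        # zero findings at the blocked severities
        "blocking": dict(blocking),    # what still has to be fixed before the gate passes
    }

def compliance_report(runs, today: date) -> dict:
    """runs: {test_type: (last_run_date, findings)}. One decision per test type."""
    return {t: evaluate(t, last, findings, today) for t, (last, findings) in runs.items()}

# Constructed sample data; the dates and findings are not Loyola's
SAMPLE_RUNS = {
    "full_pen_test": (date(2016, 3, 1),  [("F-1", "Medium"), ("F-2", "Low")]),
    "pci_pen_test":  (date(2017, 9, 20), [("P-1", "Medium")]),
    "pci_scan":      (date(2018, 10, 1), [("S-1", "Low")]),
}

def sample_report(today: date = date(2018, 10, 15)) -> dict:
    return compliance_report(SAMPLE_RUNS, today)
```

The same Medium finding passes the full pen test gate but fails the PCI pen test gate, which is the distinction the slide draws between the two.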
Risk Assessment Program: Goals
• Represent & communicate information security decisions and actions based on tangible data
• Provide appropriate levels of security that:
o protect assets
o reduce risks
o are easily understood & communicated
o are easily utilized & serviced
o are reviewed annually

Process
• Define an “Acceptable Risk Definition” as it pertains to information risk
o Based on mission, objectives and obligations
o Based on industry standards: ISO 27002, COBIT, NIST
o Develop a plan for reducing unacceptably high risks to an acceptable level
• 3rd-party risk assessment
o HEISC Information Security Program Self-Assessment Tool
o SANS Audit Checklist

Risk Assessment Program
[Figure: risk matrix relating Likelihood and Impact to Risk]

Risk Assessment Calculations
[Figure: calculation from Likelihood and Impact to Risk; values not recoverable from the extracted text]
Awareness, Education & Training
Awareness Program Components – Frequency and Usage
• Posters – Annually during Cyber Security Awareness Month
• Web Site – Online & available to all
• Social Media – Weekly postings
• Newsletter – Monthly distribution
• Coffee Sessions – Semi-annually at each campus
• Department Sessions – By request, average 1-2 per semester
• Classroom Guest Lecture – By request, average 1-2 per semester
• Emerge Class – Semi-annually at each campus
• Video Training – Mandatory twice a semester plus additional training for “high risk” areas
• HIPAA Training – Annually, required for faculty & staff
• Student Engagement – Ad-hoc, increased awareness at student events
Audit and Compliance Programs
• PII – How and where is personal information stored
• PCI – Credit card acceptance
• HIPAA – Protection and handling of PHI
• GDPR – EU personal information protection
• Application Security Audits – Ensure proper access to protected information
Security Operations
Purpose: centralized monitoring point for visibility, alerting and investigation of incidents or potential incidents.
Automate, automate, automate:
• SIEM
• IPS
• Vulnerability scanning
• URL protection
Data Identification, Analysis & Forensics: Forensic Analysis
Recovery and investigation of material found in digital devices
• Litigation holds
• Investigation support
• General data analysis for incident triage
• Data retrieval
• Tools – EnCase, FTK, Kali (BackTrack)
Secure Access
• Multi-Factor Authentication
• VPN Services
• Secure File Transfer Services
ERP Security
• Provides separation of duties
• Assignment of roles and permissions in PeopleSoft
• Control of non-affiliated accounts
• Performs audit functions for PeopleSoft
• Assists in compliance efforts
• Main point of contact for PII remediation
“Right Fit” Information Security
• Expanded use and reliance on technology
• Need to give the necessary network access to students, faculty and staff – they need to perform their roles!
• Academic freedom
• A barrage of internal and external security threats – student and faculty information, and sensitive research, at risk
IT departments within these organizations must be equipped to monitor and mitigate external threats such as malware and bot attacks on a daily basis, as well as manage internal threats such as student and faculty downloads and flash drive use that expose networks to potential infection.
How To Forge Ahead
• Get your CIO on board
• Sell the story – benefits and risks
• Don’t bite off everything at once
• Rely on your risk assessment to identify gaps
• Find the initiatives that make the most impact
• Just keep swimming