1. Centralizing IT Risk Assessment and Measuring Security Policy Compliance
   Kent Knudsen and Jeff McCabe, Texas A&M University
   EDUCAUSE 2004, Denver, CO, October 20
   Copyright 2004 Kent Knudsen. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2. Challenges of Decentralized Security
   - Large, Decentralized Campus
   - Over 44,000 Students
   - Over 10,000 Faculty and Staff
   - Over 60,000 nodes
   - Over 214 depts.
   - Diverse departments with different budgets, IT requirements / experience, priorities, and cultures.

3. Challenges of Decentralized Security
   © Copyright 2004 – Kent Knudsen, Texas A&M University
   - Some departments have full-time, trained IT staff – while other departments rely on student workers (or worse, have no IT staff)
   - Diversity of operating systems (Apple/Mac, Linux, MVS, Novell, Unix, Windows, etc.) – difficult to be an expert on more than one platform
   - Libraries must provide access to information resources to both the University populace and the community at large
   - Research computers funded by grants that have little or no provision for security measures
   - Need a forum to allow IT staff to share best practices and tips on securing the various platforms

4. Which Security Standard?
   First, you have to decide upon a security standard . . . “If you aim at nothing, you’ll hit it every time”

5. Which Security Standard? – U.S. Standards
   If your organization needs a benchmark based on industry best practices, there are several sources available:
   - State and Local Standards: Obviously, compliance with your state and local security standards should be measured. However, if your state and local standards are incomplete or lacking, there are other standards to consider.
   - NIST Computer Security Resource Center (csrc.nist.gov): The NIST CSRC provides several publications (FIPS PUBS) and other documents to serve as standards.

6. Which Security Standard? – U.S. Standards, additional sources
   - Office of Management and Budget (OMB) (www.whitehouse.gov/omb/circulars): Provides Circular A-130, pertaining to information security of federal systems.
   - DITSCAP – DoD IT Security Certification and Accreditation Process, which includes standards (www.dtic.mil): The Department of Defense provides the DITSCAP process, which can serve as a resource for additional security measures.

7. Which Security Standard? – U.S. Standards
   Several U.S. industry and governmental entities have produced guidelines and standards; visit the link below for a comprehensive list.
   http://iase.disa.mil/policy.html#ditscap

8. Which Security Standard? – International Standards
   - The ISO17799 Standard (www.iso17799-web.com): a set of security standards (based on the British Standards Institution’s BS 7799) adopted and approved by the ISO, IEC and JTC1 (International Organization for Standardization, International Electrotechnical Commission and Joint Technical Committee), available for a fee.
   - The Common Criteria (www.commoncriteria.org): The Common Criteria project was started in 1993 in order to bring together various standards (TCSEC, ITSEC, etc.) into a single international standard for IT security evaluation.

9. Auditors as Partners
   - Establish lines of regular communication
   - Discuss challenges and common goals
   - Offer to answer questions and guide them to understand IT security issues

10. Build an InfoSec Community
   - Create an affiliation of campus IT personnel
   - Create a monthly meeting to discuss information security issues (online for multi-campus participation)
   - Provide a discussion list for sharing information between meetings, and for discussing issues in a timely manner

11. Towards Institutional Assessment and Compliance
   - The time expended by IT personnel should be a consideration and kept to an effective minimum
   - In considering the various assessment methodologies and approaches, you want to avoid the situation where progress is dependent on numerous individuals and their schedules (avoid the “death by committee” scenario)

12. Security Best Practices . . . What We Know
   - The approach of beginning each risk assessment from scratch with a group of people was not practical for our diverse environment, so we reviewed a multitude of assessment methodologies to produce a “best of breed” product.
   - Also, a large number of threats are already known, and security standards have been established; therefore we chose to design a tool that establishes a good security baseline.

13. Texas A&M’s Answer . . . Centralized Information Security Program: IT Risk Assessment and Security Policy Compliance Measurement

14. What is ISAAC?
   - “Information Security Program in a box”
   - ISAAC – Information Security Awareness, Assessment, and Compliance

15. Centralized Information Security Program
   ISAAC – a web-based “information security program in a box”. Thinking inside the box…
   - Assesses the security posture of diverse information systems
   - Measures compliance with Information Security standards
   - Security awareness training (focused on various audiences)
   - Monthly Information Security Forum and e-mail discussion list
   - Mechanism for reporting security incidents
   - Guides for creating Business Continuity / Disaster Recovery plans
   - A checklist for annual inspections of the physical security

16. What is ISAAC? A Web-based Solution Providing . . .
   Non-invasive, platform-independent system to inform and assist departmental IT personnel with the InfoSec program:
   - Automated Risk Assessment (standardized)
   - Security Awareness Training (including validation)
   - Business Continuity / Disaster Recovery Planning Guide
   - Security Incident Reporting System (web)
   - Physical Security Check List
   - Security Forms and Templates

17. What is ISAAC?
   - Consistent, repeatable baseline assessment
   - Covers both operational and technical requirements
   - Most admins can complete an assessment in < 2 hrs
   - Results are combined into an overall assessment
   - Risk report has a consistent format to assist our “team members”, the auditors
   - A standardized risk assessment process

18. What is ISAAC?
   - Departmental registration of system types and quantities (useful for sending targeted security alerts, among other things)
   - Centralized databases for collecting required departmental data. The databases provide:
     - Identification of mission critical and/or confidential information resources (since these resources require more security safeguards)

19. What is ISAAC?
   - Centralized databases provide (continued):
     - The Risk Assessment data is used to produce a composite report for the entire university, including the overall percentage of compliance for each policy item on a university-wide basis
     - The Security Awareness Training data can be analyzed to determine the effectiveness of the training program, and is used to record quiz scores for generating completion “certificates”

20. What is ISAAC?
   - Business Continuity Module:
     - The Business Continuity / Disaster Recovery Module contains a full-blown guideline for those departments maintaining server/client systems, and a simpler, basic plan for the desktop (peer-to-peer) environment

21. What is ISAAC?
   - Security Incident Reporting System:
   - A web-based form for reporting various kinds of security incidents, such as: malicious code attacks, unauthorized access and use, disruption or denial of service, hoaxes, etc.
   - The SIRS database can be analyzed for trends and to measure the effectiveness of various countermeasures
   - The State of Texas requires that once a month, a summary report be filed detailing the month’s security incidents

22. What is ISAAC?
   - Physical Security Module:
     - This module contains a checklist which can be printed and used as a guide for making a visual inspection of the facilities. Two examples:
       - Entrances to areas of the highest sensitivity or criticality should be monitored using closed circuit television or automated systems, or should be protected by guards.
       - Visitors should be escorted to and from their destination by a facility employee.

23. What is ISAAC?
   - Security Forms and Templates Module:
     - This module contains several items. For example:
       - Promotes participation in the monthly Information Security Forum meetings and email discussion list
       - Non-Disclosure Agreement template
       - Computing Ethics / Acceptable Use template for staff
       - Sample Security Manual
       - Incident Handling Guide
       - Recommended security-related email lists

24. ISAAC Because . . . It Works
   - Initial Implementation (2002):
   - Achieved 100% participation from all 214 departments, represented by 164 system administrators, involving 17,000 systems (servers and desktops)
   - Scalable solution
   - Produced the first-ever composite risk assessment report for the University IT infrastructure

25. ISAAC Because . . . Best of Breed RA
   - Core assessment based on established NIH risk methodology
   - Modified to include components of the NIST Special Publication 800-26 and the IAM methodology from NSA
   - Mainly a qualitative risk assessment with a quantitative risk rating (for prioritizing risk management decisions)

26. ISAAC Because . . . Part of Security Policy
   ISAAC

27. ISAAC Because . . . Assessment Flexibility
   - An annual process that yields an institution-wide assessment as well as individual assessments that each department can use to evaluate their risks and make risk management decisions.
   - Three risk assessment types:
     - “Departmental” (for servers and clients)
     - “Desktop” (for peer-to-peer setup)
     - “Good Net Neighbor” (for public access or lab computers)

28. ISAAC Because . . . Department Flexibility
   - Assessment report includes a “corrective action” plan that gives the departmental IT staff an opportunity to recommend solutions to management for their consideration
   - Management has the flexibility to make risk management decisions for implementing the recommendations based on cost-benefit analysis

29. ISAAC Benefits . . . Easy to Implement
   - The Departmental IT Staff (System Admins) already feel harried and were not sitting idle looking for something to do – SO, in consideration of their time, an effective and efficient assessment was key to implementation
   - We also wanted this new initiative to be palatable, and able to garner “buy in” from the departmental managers
   - We held informational forums, and offered an on-site assistance option via online calendar. (However, ISAAC was so well received, not much assistance was requested)
   - All this and more was done to ease the burden, facilitate departmental use, and to smooth implementation

30. ISAAC Benefits . . . Easily Adapted
   - “Raising the Bar” on security:
   - Each year ISAAC is evaluated against the current IT environment (new threats, legal and/or regulatory issues, etc.) and modified as necessary.
   - In addition, any new assessment methodologies are considered for enhancing ISAAC.

31. ISAAC Results
   - Individual Risk Reports for departments and a University-wide composite view of risks and security countermeasures.
   - Ability to track compliance with info security standards:
     - 55 policy items (49 improved compliance over last year)
     - Overall compliance improved to 85%
     - Number of systems achieving 100% compliance increased to 24%
   - The Overall Risk Rating improved from the previous year, with 90% of the systems earning an “acceptable” rating.
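The university-wide composite report described on slide 19 and the figures on slide 31 (compliance per policy item, overall compliance, share of systems at 100%, and items that improved over the previous year) all come from aggregating each department's per-system answers. The Python below is an added example, not ISAAC's own code: it assumes every assessment is stored as one boolean answer per (system, policy item) per assessment year, and the departments, system names, policy item ids P01 to P03 and answers are constructed sample data.

```python
"""Composite compliance reporting over departmental assessment answers.

Added example, not ISAAC's own code. It assumes each assessment is stored as
one boolean answer per (system, policy item) per assessment year; departments,
system names, policy item ids and answers below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    year: int
    dept: str
    system_id: str
    item: str        # policy item id, e.g. "P01" (constructed)
    compliant: bool


# Constructed sample: two departments, three policy items, two assessment years.
_RAW = {
    2003: [
        ("Chem", "chem-srv1", {"P01": True,  "P02": False, "P03": True}),
        ("Chem", "chem-lab7", {"P01": False, "P02": False, "P03": True}),
        ("Lib",  "lib-web",   {"P01": True,  "P02": True,  "P03": False}),
    ],
    2004: [
        ("Chem", "chem-srv1", {"P01": True,  "P02": True,  "P03": True}),
        ("Chem", "chem-lab7", {"P01": True,  "P02": False, "P03": True}),
        ("Lib",  "lib-web",   {"P01": True,  "P02": True,  "P03": False}),
        ("Lib",  "lib-kiosk", {"P01": True,  "P02": True,  "P03": True}),
    ],
}
SAMPLE = [Answer(year, dept, sys_id, item, ok)
          for year, rows in _RAW.items()
          for dept, sys_id, items in rows
          for item, ok in items.items()]


def _select(answers, year, dept=None):
    """Answers for one assessment year; dept=None is the university-wide view."""
    return [a for a in answers if a.year == year and (dept is None or a.dept == dept)]


def item_compliance(answers, year, dept=None):
    """Percentage of systems compliant with each policy item (the per-item
    column of the composite report), rounded to one decimal."""
    hits, totals = defaultdict(int), defaultdict(int)
    for a in _select(answers, year, dept):
        totals[a.item] += 1
        hits[a.item] += a.compliant          # bool counts as 0 or 1
    return {item: round(100.0 * hits[item] / totals[item], 1) for item in sorted(totals)}


def overall_compliance(answers, year, dept=None):
    """Share of all (system, item) answers that are compliant."""
    rel = _select(answers, year, dept)
    return round(100.0 * sum(a.compliant for a in rel) / len(rel), 1) if rel else 0.0


def fully_compliant_systems(answers, year):
    """Percentage of systems that answered 'compliant' on every policy item."""
    per_system = defaultdict(list)
    for a in _select(answers, year):
        per_system[(a.dept, a.system_id)].append(a.compliant)
    if not per_system:
        return 0.0
    full = sum(1 for flags in per_system.values() if all(flags))
    return round(100.0 * full / len(per_system), 1)


def improved_items(answers, prev_year, year):
    """Policy items whose university-wide compliance rose since prev_year
    (items first assessed in `year` are skipped, since there is no baseline)."""
    before, after = item_compliance(answers, prev_year), item_compliance(answers, year)
    return sorted(i for i in after if i in before and after[i] > before[i])


def composite_report(answers, prev_year, year):
    """University-wide summary in the shape of the 'ISAAC Results' figures."""
    return {
        "year": year,
        "per_item": item_compliance(answers, year),
        "overall_pct": overall_compliance(answers, year),
        "systems_fully_compliant_pct": fully_compliant_systems(answers, year),
        "items_improved": improved_items(answers, prev_year, year),
    }


if __name__ == "__main__":
    rep = composite_report(SAMPLE, 2003, 2004)
    print(f"{rep['year']} composite: overall {rep['overall_pct']}% compliant, "
          f"{rep['systems_fully_compliant_pct']}% of systems at 100%")
    for item, pct in rep["per_item"].items():
        print(f"  {item}: {pct}%")
    print(f"  improved since 2003: {', '.join(rep['items_improved'])}")
    for dept in ("Chem", "Lib"):
        print(f"  {dept} overall: {overall_compliance(SAMPLE, 2004, dept)}%")
```

Calling `item_compliance` with a department name gives that department's individual report; without it, the university-wide composite. With a real deployment the 55 policy items and the previous year's answers would live in the central database rather than in memory, but the aggregation is the same.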
32. ISAAC Outcomes
   - Increases awareness of Information Security Standards (on an annual basis).
   - Ability to assess compliance with security standards at both the departmental and university-wide levels.
   - Ability to track and trend compliance with security standards over time.
   - Corrective action plans to assist the departmental management in making risk management decisions.

33. ISAAC Outcomes
   - Ability to track and trend risk ratings over time.
   - Creates a baseline risk assessment and establishes the minimum security requirements (procedural and technical).
   - A consistent and repeatable process that keeps IT staff involvement at a minimum.

34. Any Questions?
   Contact Information:
   E-mail: [email_address] [email_address]
   Postal: Computing & Information Services, Texas A&M University, College Station, TX 77843-3142
   Centralized Information Security Program