CyberSecurity - Linda Sharp
Upcoming SlideShare
Loading in...5
×
 

CyberSecurity - Linda Sharp

on

  • 650 views

 

Statistics

Views

Total Views
650
Views on SlideShare
649
Embed Views
1

Actions

Likes
0
Downloads
14
Comments
0

1 Embed 1

http://marketing.schooldude.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

CyberSecurity - Linda Sharp CyberSecurity - Linda Sharp Presentation Transcript

  • Cyber Security Linda Sharp CoSN Cyber Security Project Director SchoolDude University 2009
  • Understanding the Issues
    • Four Reasons to Pay Attention to K-12 Network Security
    • 1. Protect data
    • 2. Prevent misuse of resources
    • 3. Prevent interruption of operations
    • ( Protecting the Core Mission: Learning)
    • 4. Keep kids safe
    SchoolDude University 2009
  • Reliance on Technology
    • For instructional activities
    • For business operations
    • For student data and recordkeeping
    • For assessment and accountability
    • For internal and external communication
    • Other areas of reliance in your schools?
    SchoolDude University 2009
  • The Evolution of Intent From Hobbyists to Professionals SchoolDude University 2009 THREAT SEVERITY 1990 1995 2000 2005 WHAT’S NEXT? 2007 Threats becoming increasingly difficult to detect and mitigate FINANCIAL: Theft & Damage FAME: Viruses and Malware TESTING THE WATERS: Basic Intrusions and Viruses
  • Financial Impact
    • 2004 – Cyber Attack impact in business was $226 billion
    • 2008 – One of top 4 US priority security issues.
    • Cyber Crime has overtaken drugs for financial impact.
    SchoolDude University 2009
  • Legal Impact
    • FERPA
    • CIPA
    • HIPAA
    • COPA
    • FRCP 34
    SchoolDude University 2009
  • Legal Impact
    • Data
      • Personal, Private, Sensitive Information
    • Information Sharing
      • Internal
      • External
    • Backup/Restore
      • Where and how
    SchoolDude University 2009
  • Legal Impact
    • Acceptable Use Policies (AUP)
      • Who should sign AUP?
      • What should be included?
        • Internet usage
        • Data protection and privacy
        • Rules/regulations
        • Consequences
    SchoolDude University 2009
  • Safety vs. Security
    • Safety: Individual behavior
    • Security : An organizational responsibility
    SchoolDude University 2009
  • Five Guiding Questions
    • What needs to be protected?
    SchoolDude University 2009
  • Five Guiding Questions
    • What needs to be protected?
    • What are our weaknesses?
    SchoolDude University 2009
  • Five Guiding Questions
    • What needs to be protected?
    • What are our weaknesses?
    • What are we protecting against?
    SchoolDude University 2009
  • Five Guiding Questions
    • What needs to be protected?
    • What are our weaknesses?
    • What are we protecting against?
    • What happens if protection fails?
    SchoolDude University 2009
  • Five Guiding Questions
    • What needs to be protected?
    • What are our weaknesses?
    • What are we protecting against?
    • What happens if protection fails?
    • What can we do to eliminate vulnerabilities and threats and reduce impacts?
    SchoolDude University 2009
  • Three Strategic Areas
    • People
    • Policy
    • Technology
    SchoolDude University 2009
  • Three Action Themes
    • Prevention
    • Monitoring
    • Maintenance
    SchoolDude University 2009
  • Questions to Ask
    • Do we have a security plan?
    SchoolDude University 2009
  • Questions to Ask
    • Do we have adequate security and privacy policies in place?
      • District Security Rules
      • Legal Review
      • External Controls
    SchoolDude University 2009
  • Questions to Ask
    • Are our network security procedures and tools up to date?
      • Hardware
      • Software
      • Monitoring
    SchoolDude University 2009
  • Questions to Ask
    • Is our network perimeter secured against intrusion?
      • Design
      • Laptops
      • Wireless Security
      • Passwords
    SchoolDude University 2009
  • Questions to Ask
          • Is our network physically secure?
            • Environmental Hazards
            • Physical Security
    SchoolDude University 2009
  • Questions to Ask
    • Have we made our users part of the solution?
      • Awareness
      • Training
      • Communications
    SchoolDude University 2009
  • Questions to Ask
    • Are we prepared to survive a security crisis?
      • Backups
      • Redundant Systems
      • Communications Plan
      • Preparedness
    SchoolDude University 2009
  • Security Planning Protocol SchoolDude University 2009 Outcome: Security Project Description  goals  processes  resources  decision-making standards Phase 1: Create Leadership Team & Set Security Goals Outcome: Prioritized Risk Assessment A ranked list of vulnerabilities to guide the Risk Reduction Phase Phase 2: Risk Analysis Outcome: Implemented Security Plan Risk Analysis and Risk Reduction processes must be regularly repeated to ensure effectiveness Phase 3: Risk Reduction Outcome: Crisis Management Plan A blueprint for organizational continuity Phase 4: Crisis Management
  • Leadership Team
    • Create Leadership Team and Set Security Goals
        • Purpose : Clarify IT’s role in district mission
        • Scope : Set boundaries and budgets
        • Values : Define internal expectations and external requirements for security
    SchoolDude University 2009
  • Leadership Team
    • Leadership Team Personnel
    • IT Leadership
    • Administrators – district and building
    • Legal counsel
    • Human resources
    • Public relations representative
    • Teachers
    SchoolDude University 2009
  • District Security Checklist
    • Self Assessment Checklist
    SchoolDude University 2009
  • Risk Analysis
        • What’s at risk?
        • Vulnerabilities and Threats
          • Identify impacts to
            • System
            • People
            • IT organizational issues
            • Physical plant
        • Stress Test
    SchoolDude University 2009
  • Security Planning Grid SchoolDude University 2009 Security Area Basic Developing Adequate Advanced Management Leadership: Little participation in IT security Aware but little support provided Supports and funds security Aligns security with organizational mission Technology Network design and IT operations : broadly vulnerable security roll out is incomplete mostly secure seamless security Environmental & Physical: Infrastructure: not secure partially secure mostly secure secure End Users Stakeholders: unaware of role in security Limited awareness and training Improved awareness, Mostly trained Proactive participants in security
  • Security Planning Grid
    • Provides benchmarks for assessing key security preparedness factors
    • Uses the same topic areas for consistency
    • Helps prioritize security improvement action steps
    SchoolDude University 2009
  • Planning Security Grid
      • Prioritize solutions
      • Action plan
      • Revise SOP
    SchoolDude University 2009
  • Plan, Test, Plan, Test…..
      • Scenario: "Despite our best intentions..."
        • Financial system backups stored within a vault below ground
        • Vault walls are constructed of cinderblocks
        • Fire destroys the building
        • Very cool to the touch
        • -- vault becomes sauna, backup tapes destroyed
    SchoolDude University 2009
  • Plan, Test, Plan, Test…..
      • XXXXX School District
        • Monday, February 11, 2008
        • Break-In at XXX. in XXX, CA
        • "Smash and Grab" -- 1 computer stolen
        • One data file including personally identifiable information on approximately 3,500 school district employees and on the employees of 12 other school districts
    SchoolDude University 2009
  • Plan, Test, Plan, Test…..
        • Decision to notify and “how to respond?"
        • Notification authority rests with the Superintendent
        • Elected to follow aggressive path of notification and openness
        • E-Mails, letters, contact person, Website (blog)
    SchoolDude University 2009
    • The worst case scenario . . .
    • NO PLAN!
    SchoolDude University 2009
  • SchoolDude University 2009 Questions and Comments?
    • www.securedistrict.org
    SchoolDude University 2009 www.cosn.org
  • Thank you Sponsors SchoolDude University 2009
    • Linda Sharp
    • CoSN Project Manager
    • Cyber Security
    • IT Crisis Preparedness
    • [email_address]
    SchoolDude University 2009