• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
CyberSecurity - Linda Sharp
 

CyberSecurity - Linda Sharp

on

  • 601 views

 

Statistics

Views

Total Views
601
Views on SlideShare
600
Embed Views
1

Actions

Likes
0
Downloads
14
Comments
0

1 Embed 1

http://marketing.schooldude.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    CyberSecurity - Linda Sharp CyberSecurity - Linda Sharp Presentation Transcript

    • Cyber Security Linda Sharp CoSN Cyber Security Project Director SchoolDude University 2009
    • Understanding the Issues
      • Four Reasons to Pay Attention to K-12 Network Security
      • 1. Protect data
      • 2. Prevent misuse of resources
      • 3. Prevent interruption of operations
      • ( Protecting the Core Mission: Learning)
      • 4. Keep kids safe
      SchoolDude University 2009
    • Reliance on Technology
      • For instructional activities
      • For business operations
      • For student data and recordkeeping
      • For assessment and accountability
      • For internal and external communication
      • Other areas of reliance in your schools?
      SchoolDude University 2009
    • The Evolution of Intent From Hobbyists to Professionals SchoolDude University 2009 THREAT SEVERITY 1990 1995 2000 2005 WHAT’S NEXT? 2007 Threats becoming increasingly difficult to detect and mitigate FINANCIAL: Theft & Damage FAME: Viruses and Malware TESTING THE WATERS: Basic Intrusions and Viruses
    • Financial Impact
      • 2004 – Cyber Attack impact in business was $226 billion
      • 2008 – One of top 4 US priority security issues.
      • Cyber Crime has overtaken drugs for financial impact.
      SchoolDude University 2009
    • Legal Impact
      • FERPA
      • CIPA
      • HIPAA
      • COPA
      • FRCP 34
      SchoolDude University 2009
    • Legal Impact
      • Data
        • Personal, Private, Sensitive Information
      • Information Sharing
        • Internal
        • External
      • Backup/Restore
        • Where and how
      SchoolDude University 2009
    • Legal Impact
      • Acceptable Use Policies (AUP)
        • Who should sign AUP?
        • What should be included?
          • Internet usage
          • Data protection and privacy
          • Rules/regulations
          • Consequences
      SchoolDude University 2009
    • Safety vs. Security
      • Safety: Individual behavior
      • Security : An organizational responsibility
      SchoolDude University 2009
    • Five Guiding Questions
      • What needs to be protected?
      SchoolDude University 2009
    • Five Guiding Questions
      • What needs to be protected?
      • What are our weaknesses?
      SchoolDude University 2009
    • Five Guiding Questions
      • What needs to be protected?
      • What are our weaknesses?
      • What are we protecting against?
      SchoolDude University 2009
    • Five Guiding Questions
      • What needs to be protected?
      • What are our weaknesses?
      • What are we protecting against?
      • What happens if protection fails?
      SchoolDude University 2009
    • Five Guiding Questions
      • What needs to be protected?
      • What are our weaknesses?
      • What are we protecting against?
      • What happens if protection fails?
      • What can we do to eliminate vulnerabilities and threats and reduce impacts?
      SchoolDude University 2009
    • Three Strategic Areas
      • People
      • Policy
      • Technology
      SchoolDude University 2009
    • Three Action Themes
      • Prevention
      • Monitoring
      • Maintenance
      SchoolDude University 2009
    • Questions to Ask
      • Do we have a security plan?
      SchoolDude University 2009
    • Questions to Ask
      • Do we have adequate security and privacy policies in place?
        • District Security Rules
        • Legal Review
        • External Controls
      SchoolDude University 2009
    • Questions to Ask
      • Are our network security procedures and tools up to date?
        • Hardware
        • Software
        • Monitoring
      SchoolDude University 2009
    • Questions to Ask
      • Is our network perimeter secured against intrusion?
        • Design
        • Laptops
        • Wireless Security
        • Passwords
      SchoolDude University 2009
    • Questions to Ask
            • Is our network physically secure?
              • Environmental Hazards
              • Physical Security
      SchoolDude University 2009
    • Questions to Ask
      • Have we made our users part of the solution?
        • Awareness
        • Training
        • Communications
      SchoolDude University 2009
    • Questions to Ask
      • Are we prepared to survive a security crisis?
        • Backups
        • Redundant Systems
        • Communications Plan
        • Preparedness
      SchoolDude University 2009
    • Security Planning Protocol SchoolDude University 2009 Outcome: Security Project Description  goals  processes  resources  decision-making standards Phase 1: Create Leadership Team & Set Security Goals Outcome: Prioritized Risk Assessment A ranked list of vulnerabilities to guide the Risk Reduction Phase Phase 2: Risk Analysis Outcome: Implemented Security Plan Risk Analysis and Risk Reduction processes must be regularly repeated to ensure effectiveness Phase 3: Risk Reduction Outcome: Crisis Management Plan A blueprint for organizational continuity Phase 4: Crisis Management
    • Leadership Team
      • Create Leadership Team and Set Security Goals
          • Purpose : Clarify IT’s role in district mission
          • Scope : Set boundaries and budgets
          • Values : Define internal expectations and external requirements for security
      SchoolDude University 2009
    • Leadership Team
      • Leadership Team Personnel
      • IT Leadership
      • Administrators – district and building
      • Legal counsel
      • Human resources
      • Public relations representative
      • Teachers
      SchoolDude University 2009
    • District Security Checklist
      • Self Assessment Checklist
      SchoolDude University 2009
    • Risk Analysis
          • What’s at risk?
          • Vulnerabilities and Threats
            • Identify impacts to
              • System
              • People
              • IT organizational issues
              • Physical plant
          • Stress Test
      SchoolDude University 2009
    • Security Planning Grid SchoolDude University 2009 Security Area Basic Developing Adequate Advanced Management Leadership: Little participation in IT security Aware but little support provided Supports and funds security Aligns security with organizational mission Technology Network design and IT operations : broadly vulnerable security roll out is incomplete mostly secure seamless security Environmental & Physical: Infrastructure: not secure partially secure mostly secure secure End Users Stakeholders: unaware of role in security Limited awareness and training Improved awareness, Mostly trained Proactive participants in security
    • Security Planning Grid
      • Provides benchmarks for assessing key security preparedness factors
      • Uses the same topic areas for consistency
      • Helps prioritize security improvement action steps
      SchoolDude University 2009
    • Planning Security Grid
        • Prioritize solutions
        • Action plan
        • Revise SOP
      SchoolDude University 2009
    • Plan, Test, Plan, Test…..
        • Scenario: "Despite our best intentions..."
          • Financial system backups stored within a vault below ground
          • Vault walls are constructed of cinderblocks
          • Fire destroys the building
          • Very cool to the touch
          • -- vault becomes sauna, backup tapes destroyed
      SchoolDude University 2009
    • Plan, Test, Plan, Test…..
        • XXXXX School District
          • Monday, February 11, 2008
          • Break-In at XXX. in XXX, CA
          • "Smash and Grab" -- 1 computer stolen
          • One data file including personally identifiable information on approximately 3,500 school district employees and on the employees of 12 other school districts
      SchoolDude University 2009
    • Plan, Test, Plan, Test…..
          • Decision to notify and “how to respond?"
          • Notification authority rests with the Superintendent
          • Elected to follow aggressive path of notification and openness
          • E-Mails, letters, contact person, Website (blog)
      SchoolDude University 2009
      • The worst case scenario . . .
      • NO PLAN!
      SchoolDude University 2009
    • SchoolDude University 2009 Questions and Comments?
      • www.securedistrict.org
      SchoolDude University 2009 www.cosn.org
    • Thank you Sponsors SchoolDude University 2009
      • Linda Sharp
      • CoSN Project Manager
      • Cyber Security
      • IT Crisis Preparedness
      • [email_address]
      SchoolDude University 2009