Cyber Security Linda Sharp CoSN Cyber Security  Project Director  SchoolDude University 2009
Understanding the Issues <ul><li>Four Reasons to Pay Attention to K-12 Network Security </li></ul><ul><li>1.  Protect data...
Reliance on Technology <ul><li>For instructional activities </li></ul><ul><li>For business operations </li></ul><ul><li>Fo...
The Evolution of Intent  From Hobbyists to Professionals SchoolDude University 2009 THREAT SEVERITY 1990 1995 2000 2005 WH...
Financial Impact <ul><li>2004 – Cyber Attack impact in business was $226 billion </li></ul><ul><li>2008 – One of top 4 US ...
Legal Impact <ul><li>FERPA </li></ul><ul><li>CIPA </li></ul><ul><li>HIPAA </li></ul><ul><li>COPA </li></ul><ul><li>FRCP 34...
Legal Impact <ul><li>Data </li></ul><ul><ul><li>Personal, Private, Sensitive Information </li></ul></ul><ul><li>Informatio...
Legal Impact <ul><li>Acceptable Use Policies (AUP) </li></ul><ul><ul><li>Who should sign AUP? </li></ul></ul><ul><ul><li>W...
Safety vs. Security <ul><li>Safety:   Individual behavior </li></ul><ul><li>Security :  An organizational responsibility <...
Five Guiding Questions <ul><li>What needs to be protected?   </li></ul>SchoolDude University 2009
Five Guiding Questions <ul><li>What needs to be protected?   </li></ul><ul><li>What are our weaknesses?   </li></ul>School...
Five Guiding Questions <ul><li>What needs to be protected?   </li></ul><ul><li>What are our weaknesses?   </li></ul><ul><l...
Five Guiding Questions <ul><li>What needs to be protected?   </li></ul><ul><li>What are our weaknesses?   </li></ul><ul><l...
Five Guiding Questions <ul><li>What needs to be protected?   </li></ul><ul><li>What are our weaknesses?   </li></ul><ul><l...
Three Strategic Areas <ul><li>People  </li></ul><ul><li>Policy  </li></ul><ul><li>Technology </li></ul>SchoolDude Universi...
Three Action Themes <ul><li>Prevention  </li></ul><ul><li>Monitoring  </li></ul><ul><li>Maintenance </li></ul>SchoolDude U...
Questions to Ask <ul><li>Do we have a security plan?   </li></ul>SchoolDude University 2009
Questions to Ask <ul><li>Do we have adequate security and privacy policies in place?   </li></ul><ul><ul><li>District Secu...
Questions to Ask <ul><li>Are our network security procedures and tools up to date?   </li></ul><ul><ul><li>Hardware </li><...
Questions to Ask <ul><li>Is our network perimeter secured against intrusion?   </li></ul><ul><ul><li>Design </li></ul></ul...
Questions to Ask <ul><ul><ul><ul><li>Is our network physically secure?   </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>...
Questions to Ask <ul><li>Have we made our users part of the solution?   </li></ul><ul><ul><li>Awareness </li></ul></ul><ul...
Questions to Ask <ul><li>Are we prepared to survive a security crisis?   </li></ul><ul><ul><li>Backups </li></ul></ul><ul>...
Security Planning Protocol SchoolDude University 2009 Outcome: Security Project Description      goals    processes    ...
Leadership Team <ul><li>Create Leadership Team and Set Security Goals </li></ul><ul><ul><ul><li>Purpose :  Clarify IT’s ro...
Leadership Team <ul><li>Leadership Team Personnel </li></ul><ul><li>IT Leadership </li></ul><ul><li>Administrators – distr...
District Security Checklist <ul><li>Self Assessment Checklist </li></ul>SchoolDude University 2009
Risk Analysis <ul><ul><ul><li>What’s at risk?   </li></ul></ul></ul><ul><ul><ul><li>Vulnerabilities and Threats </li></ul>...
Security Planning Grid SchoolDude University 2009 Security Area Basic Developing Adequate Advanced Management Leadership: ...
Security Planning Grid <ul><li>Provides benchmarks for assessing key security preparedness factors   </li></ul><ul><li>Use...
Planning Security Grid <ul><ul><li>Prioritize solutions </li></ul></ul><ul><ul><li>Action plan </li></ul></ul><ul><ul><li>...
Plan, Test, Plan, Test….. <ul><ul><li>Scenario: &quot;Despite our best intentions...&quot; </li></ul></ul><ul><ul><ul><li>...
Plan, Test, Plan, Test….. <ul><ul><li>XXXXX School District </li></ul></ul><ul><ul><ul><li>Monday, February 11, 2008 </li>...
Plan, Test, Plan, Test….. <ul><ul><ul><li>Decision to notify and “how to respond?&quot; </li></ul></ul></ul><ul><ul><ul><l...
<ul><li>The worst case scenario . . . </li></ul><ul><li>NO PLAN! </li></ul>SchoolDude University 2009
SchoolDude University 2009 Questions and Comments?
<ul><li>www.securedistrict.org </li></ul>SchoolDude University 2009 www.cosn.org
Thank you Sponsors SchoolDude University 2009
<ul><li>Linda Sharp </li></ul><ul><li>CoSN Project Manager </li></ul><ul><li>Cyber Security </li></ul><ul><li>IT Crisis Pr...
Upcoming SlideShare
Loading in …5
×

CyberSecurity - Linda Sharp

808 views
730 views

Published on

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
808
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
16
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

CyberSecurity - Linda Sharp

  1. 1. Cyber Security Linda Sharp CoSN Cyber Security Project Director SchoolDude University 2009
  2. 2. Understanding the Issues <ul><li>Four Reasons to Pay Attention to K-12 Network Security </li></ul><ul><li>1. Protect data </li></ul><ul><li>2. Prevent misuse of resources </li></ul><ul><li>3. Prevent interruption of operations </li></ul><ul><li>( Protecting the Core Mission: Learning) </li></ul><ul><li>4. Keep kids safe </li></ul>SchoolDude University 2009
  3. 3. Reliance on Technology <ul><li>For instructional activities </li></ul><ul><li>For business operations </li></ul><ul><li>For student data and recordkeeping </li></ul><ul><li>For assessment and accountability </li></ul><ul><li>For internal and external communication </li></ul><ul><li>Other areas of reliance in your schools? </li></ul>SchoolDude University 2009
  4. 4. The Evolution of Intent From Hobbyists to Professionals SchoolDude University 2009 THREAT SEVERITY 1990 1995 2000 2005 WHAT’S NEXT? 2007 Threats becoming increasingly difficult to detect and mitigate FINANCIAL: Theft & Damage FAME: Viruses and Malware TESTING THE WATERS: Basic Intrusions and Viruses
  5. 5. Financial Impact <ul><li>2004 – Cyber Attack impact in business was $226 billion </li></ul><ul><li>2008 – One of top 4 US priority security issues. </li></ul><ul><li>Cyber Crime has overtaken drugs for financial impact. </li></ul>SchoolDude University 2009
  6. 6. Legal Impact <ul><li>FERPA </li></ul><ul><li>CIPA </li></ul><ul><li>HIPAA </li></ul><ul><li>COPA </li></ul><ul><li>FRCP 34 </li></ul>SchoolDude University 2009
  7. 7. Legal Impact <ul><li>Data </li></ul><ul><ul><li>Personal, Private, Sensitive Information </li></ul></ul><ul><li>Information Sharing </li></ul><ul><ul><li>Internal </li></ul></ul><ul><ul><li>External </li></ul></ul><ul><li>Backup/Restore </li></ul><ul><ul><li>Where and how </li></ul></ul>SchoolDude University 2009
  8. 8. Legal Impact <ul><li>Acceptable Use Policies (AUP) </li></ul><ul><ul><li>Who should sign AUP? </li></ul></ul><ul><ul><li>What should be included? </li></ul></ul><ul><ul><ul><li>Internet usage </li></ul></ul></ul><ul><ul><ul><li>Data protection and privacy </li></ul></ul></ul><ul><ul><ul><li>Rules/regulations </li></ul></ul></ul><ul><ul><ul><li>Consequences </li></ul></ul></ul>SchoolDude University 2009
  9. 9. Safety vs. Security <ul><li>Safety: Individual behavior </li></ul><ul><li>Security : An organizational responsibility </li></ul>SchoolDude University 2009
  10. 10. Five Guiding Questions <ul><li>What needs to be protected? </li></ul>SchoolDude University 2009
  11. 11. Five Guiding Questions <ul><li>What needs to be protected? </li></ul><ul><li>What are our weaknesses? </li></ul>SchoolDude University 2009
  12. 12. Five Guiding Questions <ul><li>What needs to be protected? </li></ul><ul><li>What are our weaknesses? </li></ul><ul><li>What are we protecting against? </li></ul>SchoolDude University 2009
  13. 13. Five Guiding Questions <ul><li>What needs to be protected? </li></ul><ul><li>What are our weaknesses? </li></ul><ul><li>What are we protecting against? </li></ul><ul><li>What happens if protection fails? </li></ul>SchoolDude University 2009
  14. 14. Five Guiding Questions <ul><li>What needs to be protected? </li></ul><ul><li>What are our weaknesses? </li></ul><ul><li>What are we protecting against? </li></ul><ul><li>What happens if protection fails? </li></ul><ul><li>What can we do to eliminate vulnerabilities and threats and reduce impacts? </li></ul>SchoolDude University 2009
  15. 15. Three Strategic Areas <ul><li>People </li></ul><ul><li>Policy </li></ul><ul><li>Technology </li></ul>SchoolDude University 2009
  16. 16. Three Action Themes <ul><li>Prevention </li></ul><ul><li>Monitoring </li></ul><ul><li>Maintenance </li></ul>SchoolDude University 2009
  17. 17. Questions to Ask <ul><li>Do we have a security plan? </li></ul>SchoolDude University 2009
  18. 18. Questions to Ask <ul><li>Do we have adequate security and privacy policies in place? </li></ul><ul><ul><li>District Security Rules </li></ul></ul><ul><ul><li>Legal Review </li></ul></ul><ul><ul><li>External Controls </li></ul></ul>SchoolDude University 2009
  19. 19. Questions to Ask <ul><li>Are our network security procedures and tools up to date? </li></ul><ul><ul><li>Hardware </li></ul></ul><ul><ul><li>Software </li></ul></ul><ul><ul><li>Monitoring </li></ul></ul>SchoolDude University 2009
  20. 20. Questions to Ask <ul><li>Is our network perimeter secured against intrusion? </li></ul><ul><ul><li>Design </li></ul></ul><ul><ul><li>Laptops </li></ul></ul><ul><ul><li>Wireless Security </li></ul></ul><ul><ul><li>Passwords </li></ul></ul>SchoolDude University 2009
  21. 21. Questions to Ask <ul><ul><ul><ul><li>Is our network physically secure? </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Environmental Hazards </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Physical Security </li></ul></ul></ul></ul></ul>SchoolDude University 2009
  22. 22. Questions to Ask <ul><li>Have we made our users part of the solution? </li></ul><ul><ul><li>Awareness </li></ul></ul><ul><ul><li>Training </li></ul></ul><ul><ul><li>Communications </li></ul></ul>SchoolDude University 2009
  23. 23. Questions to Ask <ul><li>Are we prepared to survive a security crisis? </li></ul><ul><ul><li>Backups </li></ul></ul><ul><ul><li>Redundant Systems </li></ul></ul><ul><ul><li>Communications Plan </li></ul></ul><ul><ul><li>Preparedness </li></ul></ul>SchoolDude University 2009
  24. 24. Security Planning Protocol SchoolDude University 2009 Outcome: Security Project Description  goals  processes  resources  decision-making standards Phase 1: Create Leadership Team & Set Security Goals Outcome: Prioritized Risk Assessment A ranked list of vulnerabilities to guide the Risk Reduction Phase Phase 2: Risk Analysis Outcome: Implemented Security Plan Risk Analysis and Risk Reduction processes must be regularly repeated to ensure effectiveness Phase 3: Risk Reduction Outcome: Crisis Management Plan A blueprint for organizational continuity Phase 4: Crisis Management
  25. 25. Leadership Team <ul><li>Create Leadership Team and Set Security Goals </li></ul><ul><ul><ul><li>Purpose : Clarify IT’s role in district mission </li></ul></ul></ul><ul><ul><ul><li>Scope : Set boundaries and budgets </li></ul></ul></ul><ul><ul><ul><li>Values : Define internal expectations and external requirements for security </li></ul></ul></ul>SchoolDude University 2009
  26. 26. Leadership Team <ul><li>Leadership Team Personnel </li></ul><ul><li>IT Leadership </li></ul><ul><li>Administrators – district and building </li></ul><ul><li>Legal counsel </li></ul><ul><li>Human resources </li></ul><ul><li>Public relations representative </li></ul><ul><li>Teachers </li></ul>SchoolDude University 2009
  27. 27. District Security Checklist <ul><li>Self Assessment Checklist </li></ul>SchoolDude University 2009
  28. 28. Risk Analysis <ul><ul><ul><li>What’s at risk? </li></ul></ul></ul><ul><ul><ul><li>Vulnerabilities and Threats </li></ul></ul></ul><ul><ul><ul><ul><li>Identify impacts to </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>System </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>People </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>IT organizational issues </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Physical plant </li></ul></ul></ul></ul></ul><ul><ul><ul><li>Stress Test </li></ul></ul></ul>SchoolDude University 2009
  29. 29. Security Planning Grid SchoolDude University 2009 Security Area Basic Developing Adequate Advanced Management Leadership: Little participation in IT security Aware but little support provided Supports and funds security Aligns security with organizational mission Technology Network design and IT operations : broadly vulnerable security roll out is incomplete mostly secure seamless security Environmental & Physical: Infrastructure: not secure partially secure mostly secure secure End Users Stakeholders: unaware of role in security Limited awareness and training Improved awareness, Mostly trained Proactive participants in security
  30. 30. Security Planning Grid <ul><li>Provides benchmarks for assessing key security preparedness factors </li></ul><ul><li>Uses the same topic areas for consistency </li></ul><ul><li>Helps prioritize security improvement action steps </li></ul>SchoolDude University 2009
  31. 31. Planning Security Grid <ul><ul><li>Prioritize solutions </li></ul></ul><ul><ul><li>Action plan </li></ul></ul><ul><ul><li>Revise SOP </li></ul></ul>SchoolDude University 2009
  32. 32. Plan, Test, Plan, Test….. <ul><ul><li>Scenario: &quot;Despite our best intentions...&quot; </li></ul></ul><ul><ul><ul><li>Financial system backups stored within a vault below ground </li></ul></ul></ul><ul><ul><ul><li>Vault walls are constructed of cinderblocks </li></ul></ul></ul><ul><ul><ul><li>Fire destroys the building </li></ul></ul></ul><ul><ul><ul><li>Very cool to the touch </li></ul></ul></ul><ul><ul><ul><li>-- vault becomes sauna, backup tapes destroyed </li></ul></ul></ul>SchoolDude University 2009
  33. 33. Plan, Test, Plan, Test….. <ul><ul><li>XXXXX School District </li></ul></ul><ul><ul><ul><li>Monday, February 11, 2008 </li></ul></ul></ul><ul><ul><ul><li>Break-In at XXX. in XXX, CA </li></ul></ul></ul><ul><ul><ul><li>&quot;Smash and Grab&quot; -- 1 computer stolen </li></ul></ul></ul><ul><ul><ul><li>One data file including personally identifiable information on approximately 3,500 school district employees and on the employees of 12 other school districts </li></ul></ul></ul>SchoolDude University 2009
  34. 34. Plan, Test, Plan, Test….. <ul><ul><ul><li>Decision to notify and “how to respond?&quot; </li></ul></ul></ul><ul><ul><ul><li>Notification authority rests with the Superintendent </li></ul></ul></ul><ul><ul><ul><li>Elected to follow aggressive path of notification and openness </li></ul></ul></ul><ul><ul><ul><li>E-Mails, letters, contact person, Website (blog) </li></ul></ul></ul>SchoolDude University 2009
  35. 35. <ul><li>The worst case scenario . . . </li></ul><ul><li>NO PLAN! </li></ul>SchoolDude University 2009
  36. 36. SchoolDude University 2009 Questions and Comments?
  37. 37. <ul><li>www.securedistrict.org </li></ul>SchoolDude University 2009 www.cosn.org
  38. 38. Thank you Sponsors SchoolDude University 2009
  39. 39. <ul><li>Linda Sharp </li></ul><ul><li>CoSN Project Manager </li></ul><ul><li>Cyber Security </li></ul><ul><li>IT Crisis Preparedness </li></ul><ul><li>[email_address] </li></ul>SchoolDude University 2009

×