Copyright © 2014 Rochester Institute of Technology
UNYCC Information Security Discussion
Facilitated by Rochester Institute of Technology
February 24, 2014
Agenda
• Policy
– Jonathan Maurer, Information Security Officer
• Security Awareness
– Ben Woelk, Program Manager
• Penetration Testing
– Paul Lepkowski, Enterprise Information Security Lead Engineer
About RIT
• RIT Environment
– 18,000 students
– 3,500 faculty and staff
– International locations
– ~40,000+ systems on the network at any given time
– Very skilled IT security students
• RIT ISO
– 4 full time
• Information Security Officer
• Program Manager
• Lead Security Engineer
• Sr. Forensics Investigator
– 4+ student employees
• Mix of co-op and part-time
Information Security Policy
Jonathan Maurer
Information Security Officer
RIT Information Security Office
February 24, 2014
Agenda
• Policy Introduction
• Architecture
• Types of Policies
• Example Components
• Policy Development
• Ingredients
• Processes
• Discussion
Policy Introduction
• Policy is the essential foundation of an effective information security program
• Policy objectives
– Reduced risk
– Compliance with laws and regulations
– Assurance of confidentiality, integrity and continuity of operations (availability)
• Policies are the least expensive means of control and often the most difficult to implement
Policy Considerations
• Basic rules for shaping a policy
– Policy should never conflict with law
– Policy must be able to stand up in court if challenged
– Policy must be properly supported and administered
• Policies are important reference documents
– For internal audits
– For the resolution of legal disputes about management's due diligence
– Policy documents can act as a clear statement of management's intent
Policy Architecture
• Policies
– Enterprise information security program policy
– Issue-specific information security policies
• Standards
– A more detailed statement of what must be done to comply with policy
• Practices
– Procedures and guidelines explain how employees will comply with policy
Policies, Standards, & Practices
Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for the organization’s security efforts
• Assigns responsibilities for various areas of information security
• Guides development, implementation, and management requirements of the information security program
Example EISP Components
• Statement of purpose
– An overview of the organizational philosophy on security
• Information technology security elements
– Defines information security
• Need for information technology security
– Justifies the importance of information security in the organization
• Information technology security responsibilities and roles
– Defines organizational structure
• Reference to other information technology standards and guidelines
Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
– Begins with an introduction to the fundamental technological philosophy of the organization
– Instructs the organization in the secure use of technology systems
• Protects the organization from inefficiency and ambiguity
– Documents how the technology-based system is controlled
– Identifies the processes and authorities that provide this control
• Indemnifies the organization against liability for an employee’s inappropriate or illegal system use
Example ISSP Components
• Statement of Purpose
– Scope and applicability
– Definition of technology addressed
– Responsibilities
• Authorized Access and Usage of Equipment
– User access
– Fair and responsible use
– Protection of privacy
• Prohibited Usage of Equipment
– Disruptive use or misuse
– Criminal use
– Offensive or harassing materials
– Copyrighted, licensed or other intellectual property
– Other restrictions
• Systems Management
– Management of stored materials
– Employer monitoring
– Virus protection
– Physical security
– Encryption
• Violations of Policy
– Procedures for reporting violations
– Penalties for violations
• Policy Review and Modification
– Scheduled review of policy and procedures for modification
• Limitations of Liability
– Statements of liability or disclaimers
Standards
• A more detailed statement of what must be done to comply with policy
• Articulate requirements for Technology, People and Processes
Practices
• Procedures and guidelines explain how employees will comply with policy
• Reasons to separate practices from standards:
– Need to be known only by a small population
– Require more frequent change than review processes allow
– Give the Information Security Office professional judgment and discretion
– Protect confidential details from unauthorized parties
Policy Development
Policy Ingredients
External
• Laws
• Security Standards
• Best Practices
• Benchmarks
Internal
• Governance
• Strategy
• Management
• Environment
• Culture
Policies, Standards and Practices
Planning
“Plans are meaningless, planning is everything.”
- Dwight Eisenhower
Process > Output
1. ORGANIZE
• Key activities: develop governance process; clarify roles and responsibilities; fill roles with key stakeholders
• Key deliverable: structure and team
2. DRAFT
• Key activities: determine goals; consider ingredients; write policies
• Key deliverable: draft policies
3. REVIEW
• Key activities: review as dictated by governance process; identify issues, gaps and implications
• Key deliverable: revised policies
4. COMMUNICATE
• Key activities: management support; distribution mechanisms; training & awareness
• Key deliverable: educated community
5. IMPLEMENT
• Key activities: resource prioritization and allocation; impacted organizations implement policies
• Key deliverable: compliance with policies
Maintain: the cycle repeats as policies are maintained over time
3 Completely Different Processes
Key Learnings
RIT Key Learnings
• Key Learnings
– Author to Facilitator
• Role shift for the ISO during processes
– Patience is a virtue
• Tortoise and the Hare
• More heterogeneous = more complicated governance process
– Short and Simple
• Plain language
• Object-oriented
– Communication is key
• Means disseminated, read, understood, agreed-to, and uniformly enforced. Understanding > Compliance
• Exception Process
Experiences of Other Universities and Colleges
Security Awareness and Training
Ben Woelk
Program Manager
RIT Information Security Office
February 24, 2014
Overview
• Basic Security Awareness Principles
• What we’re doing at RIT
• What other colleges and universities are doing
EDUCAUSE Resources
• EDUCAUSE HEISC A&T Working Group
• Cybersecurity Awareness Resource Library
– https://wiki.internet2.edu/confluence/display/itsg2/Cybersecurity+Awareness+Resource+Library
• Security Awareness Quick Start Guide
– https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Quick+Start+Guide
• Security Awareness Detailed Instruction Manual
– https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Detailed+Instruction+Manual
HEISC Quick Start Guide Overview
1. Establish an Information Security Program
2. Develop a Security Awareness Plan
3. Adopt and Modify “Key Messages”
4. Establish a Security Awareness Website
5. Use HEISC Awareness Posters and Videos
Quick Start Guide
6. Present “Key Messages” and Campus Resources in Existing Training Venues
7. Publish Original or Republish HEISC Articles (or Ads) in Existing Campus Publications
8. Participate in National Cyber Security Awareness Month (NCSAM)
9. Measure the Effectiveness of Your Program Annually
10. Automate Services (Feeds, etc.)
Establish an Information Security Program
• Information Security Guide: Effective Practices and Solutions for Higher Education
– https://wiki.internet2.edu/confluence/display/itsg2/Home
Develop a Security Awareness Plan
• Components
– Audience analysis
– Key messages
– Communications channels
– Calendar of promotions
– Develop relationships
Audience Analysis
• Who are your audiences?
• How do they communicate now?
Key Messages
• Short and Simple
Communications Channels
Calendar of Promotions
Education, Training & Awareness
• Awareness
– ISO Website: comprehensive information on RIT Information Security
– Social Media: 6100 Facebook fans (320 posts); 1400 Twitter followers (270 tweets)
– Phishing and Poster Campaigns
– Alerts / Advisories: approx. 20 annually
• Training
– New Student Orientation: all incoming students
– Digital Self Defense Training: hundreds of employees trained since inception
– McAfee Training: 10 IT staff trained
– Incident Handling and DR Training
• Education
– GCCIS Courses: Enterprise Security; Cyber Self Defense
– FBI InfraGard Meetings
– Rochester Security Summit
RIT Infosec Website
RIT Social Media
Posters
Alerts and Advisories
Lightning Talks
Experiences of Other Universities and Colleges
Penetration Testing
Paul Lepkowski
CISM, CISSP, GIAC-GPEN
Enterprise Information Security Lead Engineer
RIT Information Security Office
February 24, 2014
Introduction
• More focus on concepts and not as much on tools
• Why Pen Test?
– Deeper than vulnerability scans
– Actually confirm whether systems may be penetrable
– Verify vulnerabilities
– Determine what data an attack might expose
Available Certifications
• GIAC-GPEN
• CEH
Pen Tests At RIT
• Done on an arranged basis
• Typically internal
• Security reviews
• Scheduled audits
• Automated and manual methods
• Using several methods and tools
– Metasploit Pro
– Core Impact (discontinued because of cost)
– Kali Linux
Internal or External
• Internal
– Only if you have the skillset on staff
– Certified staff
– Done from the inside network
– Some or significant knowledge about network
– Minimal recon phases needed
• External
– Expensive
– May have more capabilities from off-campus
Pen Testing – Planning Areas
Pen Testing - Planning
• Determine scope
• Determine who
• Non-disclosure agreement
• Gather inventory
• Determine schedule
• Determine tools
• Determine whether security controls should be on or off during testing
• Decide whether systems are tested as-is or patched beforehand
Planning (cont’d)
• Communication plan
• Boundaries if penetration happens
• Written permission
• Plan of attack
• System preparation
Implementation
• Follow your plan
• Be careful with improvising: legal and scope issues
• If security control changes are needed (e.g. firewall rule changes), contact the team that owns those controls
• Fill out your checklist
• Monitor the tests
Implementation (cont’d)
• Be ready for phone calls/emails if testing causes problems
• Be able to stop testing immediately if problems arise
• Try to multi-task without creating extra noise
• Exploitation?
• Remember to close any firewall rules that were opened for the testing window!
Reporting
• Who
– Customer
– ISO
– Audit?
• What
– Introduction
– Scope
– Tested systems / applications
– Results
Reporting (cont’d)
• Risks
– Penetrations?
• How
• What data was accessed
• Could data be viewed, modified, deleted, moved?
• System integrity
• Listener?
• Payload (malware) install?
Reporting (cont’d)
• Suggested remediations / prevention
– Patch
– Configuration
– Policies
– Additional security controls
• Timing
– Issue the report right away, depending on the severity of the issues
Experiences of Other Universities and Colleges
