SlideShare a Scribd company logo
Pittsburgh, PA 15213-3890




   Information Security as an
   Institutional Priority

   Julia H. Allen
   Networked Systems Survivability/CERT
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh, PA 15213-3890




   ® CERT, CERT Coordination Center, OCTAVE, CMM, CMMI, and Carnegie Mellon are registered in
   the U.S. Patent and Trademark Office
   Sponsored by the U.S. Department of Defense


© 2005 by Carnegie Mellon University                                                  page 1
What Might Security as an
Institutional Priority Look Like?
Leaders direct and control the institution to establish and
sustain a culture of security in the institution’s conduct
  • beliefs, values, behaviors, capabilities, and actions
Security is viewed as a non-negotiable requirement of being ‘in
business.’ [Allen 05]

In institutions of higher education: [EDUCAUSE 03]
  • Leadership purported to be reactive rather than proactive
  • Lack of clearly defined goals
  • Goals of security, academic freedom, intellectual freedom
     viewed as antithetical

Allen, Julia. “Governing for Enterprise Security: An Introduction.” June, 2005.
EDUCAUSE Center for Applied Research. “Information Technology Security: Governance, Strategy,
and Practice in Higher Education.” 2003.
  © 2005 by Carnegie Mellon University                                               page 2
What Might Security as an
Institutional Priority Look Like? (cont)
Information security is a human enterprise
  • “lack of security awareness by users” cited as top obstacle
  • overriding impact of human complexities, inconsistencies,
    and peculiarities

People can become the most effective layer in an
organization's defense-in-depth strategy
  • with proper training, education, motivation

The first step is making sure they operate in a security
conscious culture.

Ernst & Young. "Global Information Security Survey 2004."
http://www.ey.com/global/download.nsf/UK/Survey_-
_Global_Information_Security_04/$file/EY_GISS_%202004_EYG.pdf
 © 2005 by Carnegie Mellon University                           page 3
American Council on Education
Letter to Presidents Regarding Cybersecurity

  • Set the tone
  • Establish responsibility for campus-wide cybersecurity
    at the cabinet level
  • Ask for a periodic cybersecurity risk assessment
  • Request updates to your cybersecurity plans on a
    regular basis




From ACE President David Ward (February 28, 2003)
http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm

© 2005 by Carnegie Mellon University                              page 4
EDUCAUSE Framework for Action
 • Make IT security a priority in higher education
 • Revise institutional security policies; improve the use
   of existing security tools
 • Improve security for future research and education
   networks
 • Improve collaboration between higher education,
   industry, and government
 • Integrate work in higher education with the national
   effort to strengthen critical infrastructure


Called for in EDUCAUSE “Higher Education Contribution to National Strategy to Secure
Cyberspace,” Jul 02 and [EDUCAUSE 03]
Cited in The National Strategy to Secure Cyberspace, Feb 03.

  © 2005 by Carnegie Mellon University                                                 page 5
Questions to Ask
What is at risk?

How much security is enough?

How does an institution of higher
education (IHE)
 • achieve and sustain adequate
   security?




© 2005 by Carnegie Mellon University   page 6
Growth in Number of Vulnerabilities
                   Reported to the CERT/CC




© 2005 by Carnegie Mellon University                     page 7
Attack Sophistication vs. Intruder Knowledge
   email propagation of malicious code
                                                                                                          DDoS attacks

 “stealth”/advanced scanning techniques                                                                increase in worms

                                                                                                      sophisticated command
widespread attacks using NNTP to distribute attack                                                           & control




                                                                                                                                         Attack Sophistication
   widespread attacks on DNS infrastructure


  executable code attacks (against browsers)                                                        anti-forensic techniques

      automated widespread attacks                                                                   home users targeted

           GUI intruder tools                                                                        distributed attack tools
            hijacking sessions
                                                                                                     increase in wide-scale
                                                                                                    Trojan horse distribution
        Internet social engineering                    widespread
                  attacks                            denial-of-service
                                                         attacks                                        Windows-based
                                                                                                      remote controllable
                                                                         techniques to analyze
                                                                         code for vulnerabilities    Trojans (Back Orifice)
                                      automated probes/scans              without source code
                  packet spoofing

                 1990                                    Intruder Knowledge                                   2004


            © 2005 by Carnegie Mellon University                                                                                page 8
Response Time

                                          Human response: impossible
                                          Automated response: Will need
                                          new paradigms                                      “Flash” Threats
                                          Proactive blocking: possible
                       Seconds
Contagion Timeframe




                                          Human response: difficult/impossible          “Warhol” Threats
                        Minutes           Automated response: possible


                         Hours                                                  Blended Threats
                                          Human response: possible

                                                                         e-mail Worms
                          Days
                                                             Macro Viruses
                      Weeks or
                       months               File Viruses


                      © 2005 by Carnegie Mellon University                                                 page 9
What Is At Risk?
 • Trust
 • Reputation; image
 • Stakeholder value
 • Community confidence
 • Regulatory compliance; fines, jail time
 • “Customer” retention, growth (staff, faculty,
   students, alumni, funding agencies)
 • “Customer” and partner identity, privacy
 • Ability to offer, fulfill transactions
 • Staff, student morale


© 2005 by Carnegie Mellon University           page 10
Trust
“The central truth is that information security is a
means, not an end. Information security serves the
end of trust. Trust is efficient, both in business and in
life; and misplaced trust is ruinous, both in business
and in life.

Trust makes it possible to proceed where proof is
lacking. As an end, trust is worth the price. Without
trust, information is largely useless.”


Geer, Daniel E. “Why Information Security Matters.” Cutter Consortium Business-IT Strategies
Vol. 7, No. 3, 2004.


 © 2005 by Carnegie Mellon University                                                   page 11
Responsibility to Protect Digital Assets

In excess of 80 percent of an organization’s intellectual
property is in digital form [Business Week]

Duty of Care: Governance of Digital Security
   • Govern institutional operations
   • Protect critical assets and processes
   • Govern employee conduct
   • Protect reputation
   • Ensure compliance requirements are met

Business Judgment Rule: That which a reasonably
prudent director of a similar institution would have used

[Jody Westby, PricewaterhouseCoopers, Congressional Testimony; case law]
 © 2005 by Carnegie Mellon University                                      page 12
Barriers to Tackling Security
• Abstract, concerned with hypothetical events
• A holistic, enterprise-wide problem; not just
  technical
• No widely accepted measures/indicators
• Disaster-preventing rather than payoff-producing
  (like insurance)
• Installing security safeguards can have negative
  aspects (added cost, diminished performance,
  inconvenience)



  © 2005 by Carnegie Mellon University           page 13
Questions to Ask
What is at risk?

How much security is enough?

How does an IHE
 • achieve and sustain adequate security?




© 2005 by Carnegie Mellon University        page 14
Shift the Security Perspective
                       From               To
Scope:                Technical problem   Institutional problem
Ownership:            IT                  Institutional
Funding:              Expense             Investment
Focus:                Intermittent        Integrated
Driver:               External            Institution
Application:          Platform/practice   Process
Goal:                 IT security         Institutional
                                          continuity/resilience




   © 2005 by Carnegie Mellon University                  page 15
Security to Resiliency

  Managing to threat and                    Managing to impact and
  vulnerability                             consequence
  No articulation of desired state     to   Adequate security defined as
                                            desired state
  Possible security technology
  overkill                                  Security in sufficient balance to
                                            cost, risk




© 2005 by Carnegie Mellon University                                            page 16
A Resilient Institution Is Able To. . .

• withstand systemic discontinuities and adapt to new
  risk environments [Starr 03]
• be sensing, agile, networked, prepared [Starr 03]
• dynamically reinvent institutional models and
  strategies as circumstances change [Hamel 04]
• have the capacity to change before the case for
  change becomes desperately obvious [Hamel 04]




© 2005 by Carnegie Mellon University                  page 17
Security Strategy Questions
• What needs to be protected? Why does it
  need to be protected? What happens if it is not
  protected?

• What potential adverse consequences need to
  be prevented? At what cost? How much
  disruption can we stand before we take
  action?

• How do we effectively manage the residual
  risk?


 © 2005 by Carnegie Mellon University               page 18
Defining Adequate Security

The condition where the protection strategies

for an organization's critical assets and processes

are commensurate with the organization's risk
appetite and risk tolerances



Risk appetite and risk tolerance as defined by COSO’s Enterprise Risk Management
Integrated Framework, September, 2004.

[Allen 05]
© 2005 by Carnegie Mellon University                                     page 19
Determining Adequate Security
Depends On . . .
• Organizational factors: size, complexity, asset criticality,
  dependence on IT, impact of downtime

• Market factors: provider of critical infrastructure,
  openness of network, customer privacy, regulatory
  pressure, public disclosure

• Principle-based decisions: Accountability, Awareness,
  Compliance, Effectiveness, Ethics, Perspective/Scope,
  Risk Management, etc.


[Allen 05]

 © 2005 by Carnegie Mellon University                    page 20
Adequate Security and Operational
Risk
“Appropriate security is that which protects the organization
from undue operational risks in a cost-effective manner.”
[Sherwood 03]

“With the advent of regulatory agencies assessing a
organization’s aggregate operational risk, there needs to be
a way of looking at the organization as a whole rather than
its many parts.” [Milus 04]


[According to Basel II, operational risks are risks of loss resulting from inadequate
or failed internal processes, people, and systems or from external events.
http://www.bis.org/publ/bcbs107.htm]

 © 2005 by Carnegie Mellon University                                             page 21
Questions to Ask

What is at risk?

How much security is enough?

How does an IHE
 • achieve and sustain adequate
   security?




© 2005 by Carnegie Mellon University   page 22
Shift the Security Approach

      Ad-hoc and                       to   Managed and
      tactical                              strategic

     irregular                                systematic
     reactive                                 adaptive
     immeasurable                             measured
     absolute                                 adequate


 Security activities and measures of security performance
 are visibly aligned with strategic drivers and critical
 success factors.
© 2005 by Carnegie Mellon University                        page 23
Mobilizing Capabilities to Achieve/Sustain Adequate Security

Critical Success                                ES Governance:
Factors: determine                              policy, oversight,
priorities                                      sponsorship

                                                                               Audit: evaluates



                                                       Risk Mgmt:
                                                       clarifies risk
                                                       tolerance, impacts




                                                            IT Ops: delivers
     Project Mgmt:                                          secure service,
     plans, tracks,                                         protects assets       Security: defines
     ensures completion                                                           controls for key IT
                                                                                  ops processes



                                               Process Mgmt:
                                               enables



        © 2005 by Carnegie Mellon University                                              page 24
Mobilizing to Achieve/Sustain Adequate Security
                                                                                                          IT Ops Processes                    •   Problem/Incident Mgmt
                                                                                                          • Asset Management                  •   Availability Management
    Critical Success                  Priorities                                                          • Release Mgmt                      •   Integrity Management
                                                                                                          • Configuration Mgmt                •   Confidentiality/Privacy
    Factors: determine                                                                                    • Change Mgmt                           Management
                                                                     Measures
    priorities
                                                                                                                                      Findings
                                                                               ES Governance:                                         Extent of compliance
                                                                                                                                      Recommendations
                                                                               policy, oversight,
                                              Tasks, Improvements
                                                                               sponsorship                Determine Current State


                                                                                Evaluate

                                        Strategies, Recommendations,
                                        Actions
                                                                                                                                                  Audit: evaluates
                       Risk Mgmt: clarifies                     Plan inputs, priorities
                       risk tolerance, risks,
                       impacts
                                                                                                                            Results
                                                                                             IT Ops: delivers
                        Prioritized tasking                                                  secure service,                          Evaluation, Eval criteria
                                                                                             protects assets
                                                   Status, Plan updates, Resources,
                                                   Measures, New improvements,
                                                   Business case data
Plans, Status,                                                                                                                                        Requirements
Business case                                                                                                                                         Controls
                                                                                                      Process definitions                             Process steps

    Project Mgmt:
                                    Contributing process areas                                                                                    Security: defines
    plans, tracks, ensures                                                                          Process Mgmt:
    completion                                                                                      enables                                       controls for key IT
                                                            Actions, Process Definitions,                                                         ops processes
                                                            Measures, Status, Plan updates


                      Prioritized tasking



                 © 2005 by Carnegie Mellon University                                                                                                    page 25
What Might Security as an Institutional
Priority Look Like? (cont)
• No longer solely under IT’s control
• Achievable, measurable objectives are defined and
  included in strategic and operational plans
• Departments/functions across the institution view
  security as part of their job (e.g., HR, Audit) and are so
  measured
• Adequate and sustained funding is a given
• Senior leaders visibly sponsor and measure this work
  against defined performance parameters
• Considered a requirement of being ‘in business’

© 2005 by Carnegie Mellon University                  page 26
Information Security Governance
Resources
April 2004: Corporate Governance Task Force report on
Information Security Governance (Appendix E)
http://www.cyberpartnership.org/init-governance.html;

November 2004: EDUCAUSE ISG Assessment Tool for
Higher Education
http://www.educause.edu/LibraryDetailPage/666?ID=SE
C0421
Section I: Organizational Reliance on IT
Section II: Risk Management
Section III: People
Section IV: Processes
Section V: Technology
© 2005 by Carnegie Mellon University                    page 27
Legal Perspective: IT Security for
 Higher Education
  •     Analyze applicable state laws and municipal ordinances
  •     Assess IS vulnerabilities and risks
  •     Review and update IS policies & procedures
  •     Review personnel policies & procedures for access to
        sensitive information
  •     Scrutinize relationships with third-party vendors
  •     Review the institution’s insurance policies
  •     Develop a rapid response plan & incident response team
  •     Work together with higher education associations &
        coalitions to develop standards relating to IS
“IT Security for Higher Education: A Legal Perspective.” Salomon, Kenneth; Cassat, Peter; Thibeau,
Briana. Dow, Lohnes & Albertson, PLLC. EDUCAUSE/Internet2 Computer and Network Security
Task Force, 2003. http://www.educause.edu/ir/library/pdf/csd2746.pdf


      © 2005 by Carnegie Mellon University                                                 page 28
EDUCAUSE Resources
• Center for Applied Research (ECAR):
  http://www.educause.edu/ecar
• Security Task Force:
  http://www.educause.edu/security
• The Effective IT Security Guide for Higher
  Education
• Computer and Network Security in Higher
  Education
• Security Discussion Group
• Security Professionals Conference


© 2005 by Carnegie Mellon University           page 29
For More Information
• Governing for Enterprise Security
  (http://www.cert.org/governance/ges.html)
• Enterprise Security Management
  (http://www.cert.org/nav/index_green.html)
• CERT web site (http://www.cert.org); ITPI web
  site (http://www.itpi.org); SEI web site
  (http://www.sei.cmu.edu)

• jha@cert.org




  © 2005 by Carnegie Mellon University            page 30
References
[Hamel 04] Hamel, Gary; Valikangas, Liisa. “The Quest for Resilience,” Harvard
Business Review, September 2003.

[Milus 04]       Milus, Stu. “The Institutional Need for Comprehensive Auditing
Strategies.” Information Systems Control Journal, Volume 6, 2004.

[Sherwood 03] Sherwood, John; Clark; Andrew; Lynas, David. “Systems and Business
Security Architecture.” SABSA Limited, 17 September 2003. Available at
http://www.alctraining.com.au/pdf/SABSA_White_Paper.pdf.

[Starr 03]      Starr, Randy; Newfrock, Jim; Delurey, Michael. “Enterprise Resilience:
Managing Risk in the Networked Economy.” strategy+business, Spring 2003. Also
appears in “Enterprise Resilience: Risk and Security in the Networked World: A
strategy+business Reader.” Randall Rothenberg, ed.

[Westby 04]     Westby, Jody. “Information Security: Responsibilities of Boards of
Directors and Senior Management.” Testimony before the House Committee on
Government Reform: Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census, September 22, 2004. Available at
http://www.reform.house.gov/UploadedFiles/Westby1.pdf.



   © 2005 by Carnegie Mellon University                                           page 31

More Related Content

What's hot

[CB19] Keynote:Hacking the Bomb - Cyber Threats and Nuclear Weapons by Andrew...
[CB19] Keynote:Hacking the Bomb - Cyber Threats and Nuclear Weapons by Andrew...[CB19] Keynote:Hacking the Bomb - Cyber Threats and Nuclear Weapons by Andrew...
[CB19] Keynote:Hacking the Bomb - Cyber Threats and Nuclear Weapons by Andrew...
CODE BLUE
 
CH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallyCH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and Ethically
Sukanya Ben
 
Emerging cyber threats_report2012
Emerging cyber threats_report2012Emerging cyber threats_report2012
Emerging cyber threats_report2012
day4justice
 
Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010
graywilliams
 
20111214 iisf shinoda_
20111214 iisf shinoda_20111214 iisf shinoda_
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015
Mark Lanterman
 
Sivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk  Management In The  Web 2.0  EnvironmentSivasubramanian Risk  Management In The  Web 2.0  Environment
Sivasubramanian Risk Management In The Web 2.0 Environment
Vinoth Sivasubramanan
 
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS   ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...DSS   ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
Andris Soroka
 
A theoretical superworm
A theoretical superwormA theoretical superworm
A theoretical superworm
UltraUploader
 
Darktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemDarktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystem
Austin Eppstein
 
Cloud Computing White Paper
Cloud Computing White PaperCloud Computing White Paper
Cloud Computing White Paper
Chris O'Neal
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Trend Micro
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Umang Patel
 
Nss repko
Nss repkoNss repko
Nss repko
rrepko
 
Compliance standards interoperability - Zoltan Precsenyi
Compliance standards interoperability - Zoltan PrecsenyiCompliance standards interoperability - Zoltan Precsenyi
Compliance standards interoperability - Zoltan Precsenyi
e-Democracy Conference
 
Cyber defense: Understanding and Combating the Threat
Cyber defense: Understanding and Combating the ThreatCyber defense: Understanding and Combating the Threat
Cyber defense: Understanding and Combating the Threat
IBM Government
 
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
pharmaindexing
 
Newsletter: BDPA Washington DC (Oct 2011)
Newsletter: BDPA Washington DC (Oct 2011)Newsletter: BDPA Washington DC (Oct 2011)
Newsletter: BDPA Washington DC (Oct 2011)
BDPA Education and Technology Foundation
 
SIA-Q1-2016
SIA-Q1-2016SIA-Q1-2016
SIA-Q1-2016
Owais Hassan
 

What's hot (19)

[CB19] Keynote:Hacking the Bomb - Cyber Threats and Nuclear Weapons by Andrew...
[CB19] Keynote:Hacking the Bomb - Cyber Threats and Nuclear Weapons by Andrew...[CB19] Keynote:Hacking the Bomb - Cyber Threats and Nuclear Weapons by Andrew...
[CB19] Keynote:Hacking the Bomb - Cyber Threats and Nuclear Weapons by Andrew...
 
CH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallyCH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and Ethically
 
Emerging cyber threats_report2012
Emerging cyber threats_report2012Emerging cyber threats_report2012
Emerging cyber threats_report2012
 
Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010
 
20111214 iisf shinoda_
20111214 iisf shinoda_20111214 iisf shinoda_
20111214 iisf shinoda_
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015
 
Sivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk  Management In The  Web 2.0  EnvironmentSivasubramanian Risk  Management In The  Web 2.0  Environment
Sivasubramanian Risk Management In The Web 2.0 Environment
 
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS   ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...DSS   ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
 
A theoretical superworm
A theoretical superwormA theoretical superworm
A theoretical superworm
 
Darktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemDarktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystem
 
Cloud Computing White Paper
Cloud Computing White PaperCloud Computing White Paper
Cloud Computing White Paper
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep Discovery
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Nss repko
Nss repkoNss repko
Nss repko
 
Compliance standards interoperability - Zoltan Precsenyi
Compliance standards interoperability - Zoltan PrecsenyiCompliance standards interoperability - Zoltan Precsenyi
Compliance standards interoperability - Zoltan Precsenyi
 
Cyber defense: Understanding and Combating the Threat
Cyber defense: Understanding and Combating the ThreatCyber defense: Understanding and Combating the Threat
Cyber defense: Understanding and Combating the Threat
 
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
 
Newsletter: BDPA Washington DC (Oct 2011)
Newsletter: BDPA Washington DC (Oct 2011)Newsletter: BDPA Washington DC (Oct 2011)
Newsletter: BDPA Washington DC (Oct 2011)
 
SIA-Q1-2016
SIA-Q1-2016SIA-Q1-2016
SIA-Q1-2016
 

Viewers also liked

Screenplay Cyber Planet: Cast of Characters (Bios)
Screenplay Cyber Planet: Cast of Characters (Bios)Screenplay Cyber Planet: Cast of Characters (Bios)
Screenplay Cyber Planet: Cast of Characters (Bios)
Michael Knapp
 
Cuadernillo tutoria 3
Cuadernillo tutoria 3Cuadernillo tutoria 3
Cuadernillo tutoria 3
JEDANNIE Apellidos
 
Award-CC: Dokumentation 2016 für Partner und Sponsoren
Award-CC: Dokumentation 2016 für Partner und SponsorenAward-CC: Dokumentation 2016 für Partner und Sponsoren
Award-CC: Dokumentation 2016 für Partner und Sponsoren
Award Corporate Communications
 
JobScout Media Kit
JobScout Media Kit JobScout Media Kit
JobScout Media Kit
MyJobScout
 
Seminario 'Energía Solar: Cocinando con Fotones'
Seminario 'Energía Solar: Cocinando con Fotones'Seminario 'Energía Solar: Cocinando con Fotones'
Seminario 'Energía Solar: Cocinando con Fotones'
SEAS, Estudios Superiores Abiertos
 
El Proyecto Matriz 5 Constitucion Europea La Gran Mentira
El Proyecto Matriz 5 Constitucion Europea La Gran MentiraEl Proyecto Matriz 5 Constitucion Europea La Gran Mentira
El Proyecto Matriz 5 Constitucion Europea La Gran Mentira
guest7da378
 
Modelos de negocio para distribución de contenido creativo por Internet
Modelos de negocio para distribución de contenido creativo por InternetModelos de negocio para distribución de contenido creativo por Internet
Modelos de negocio para distribución de contenido creativo por Internet
Iván Lasso
 
Mastering the mobile check in digital dealer october 2012
Mastering the mobile check in digital dealer october 2012Mastering the mobile check in digital dealer october 2012
Mastering the mobile check in digital dealer october 2012
Cars.com
 
Case study for st bernard's
Case study for st bernard'sCase study for st bernard's
Case study for st bernard's
Andy Brown
 
Revista nº 169 - Mayo 2013
Revista nº 169 - Mayo 2013Revista nº 169 - Mayo 2013
Revista nº 169 - Mayo 2013
andalumedio
 
Vlecko HR certificate
Vlecko HR certificateVlecko HR certificate
Vlecko HR certificateDenise Laros
 
E-Wave Networks PVT. LTD>
E-Wave Networks PVT. LTD>E-Wave Networks PVT. LTD>
E-Wave Networks PVT. LTD>
ewavenetworks
 
ESCAYOLAS RAOS, POLIGONO DE RAOS, 11 CAMARGO, CANTABRIA ESPAÑA
ESCAYOLAS RAOS, POLIGONO DE RAOS, 11 CAMARGO, CANTABRIA ESPAÑAESCAYOLAS RAOS, POLIGONO DE RAOS, 11 CAMARGO, CANTABRIA ESPAÑA
ESCAYOLAS RAOS, POLIGONO DE RAOS, 11 CAMARGO, CANTABRIA ESPAÑA
Prefabricados Raos
 
Energia e espirito
Energia e espiritoEnergia e espirito
Energia e espirito
Eduardo Cardoso Teixeira
 
Smarter Use Cases
Smarter Use CasesSmarter Use Cases
Smarter Use Cases
Smarter Engagement
 
Trabajo informatica Componentes del Ordenador
Trabajo informatica Componentes del OrdenadorTrabajo informatica Componentes del Ordenador
Trabajo informatica Componentes del Ordenador
manriquecampoyalejandro
 
Salida o campamento
Salida o campamentoSalida o campamento
Salida o campamento
yogurdepato
 
Prospecto protovit de bayer
Prospecto protovit de bayerProspecto protovit de bayer
Prospecto protovit de bayerBCNPharma.com
 
SEPA Joven Valencia 2011
SEPA Joven Valencia 2011SEPA Joven Valencia 2011
SEPA Joven Valencia 2011
Dentaid
 
ISP consult présentation
ISP  consult présentationISP  consult présentation
ISP consult présentationsaber haouet
 

Viewers also liked (20)

Screenplay Cyber Planet: Cast of Characters (Bios)
Screenplay Cyber Planet: Cast of Characters (Bios)Screenplay Cyber Planet: Cast of Characters (Bios)
Screenplay Cyber Planet: Cast of Characters (Bios)
 
Cuadernillo tutoria 3
Cuadernillo tutoria 3Cuadernillo tutoria 3
Cuadernillo tutoria 3
 
Award-CC: Dokumentation 2016 für Partner und Sponsoren
Award-CC: Dokumentation 2016 für Partner und SponsorenAward-CC: Dokumentation 2016 für Partner und Sponsoren
Award-CC: Dokumentation 2016 für Partner und Sponsoren
 
JobScout Media Kit
JobScout Media Kit JobScout Media Kit
JobScout Media Kit
 
Seminario 'Energía Solar: Cocinando con Fotones'
Seminario 'Energía Solar: Cocinando con Fotones'Seminario 'Energía Solar: Cocinando con Fotones'
Seminario 'Energía Solar: Cocinando con Fotones'
 
El Proyecto Matriz 5 Constitucion Europea La Gran Mentira
El Proyecto Matriz 5 Constitucion Europea La Gran MentiraEl Proyecto Matriz 5 Constitucion Europea La Gran Mentira
El Proyecto Matriz 5 Constitucion Europea La Gran Mentira
 
Modelos de negocio para distribución de contenido creativo por Internet
Modelos de negocio para distribución de contenido creativo por InternetModelos de negocio para distribución de contenido creativo por Internet
Modelos de negocio para distribución de contenido creativo por Internet
 
Mastering the mobile check in digital dealer october 2012
Mastering the mobile check in digital dealer october 2012Mastering the mobile check in digital dealer october 2012
Mastering the mobile check in digital dealer october 2012
 
Case study for st bernard's
Case study for st bernard'sCase study for st bernard's
Case study for st bernard's
 
Revista nº 169 - Mayo 2013
Revista nº 169 - Mayo 2013Revista nº 169 - Mayo 2013
Revista nº 169 - Mayo 2013
 
Vlecko HR certificate
Vlecko HR certificateVlecko HR certificate
Vlecko HR certificate
 
E-Wave Networks PVT. LTD>
E-Wave Networks PVT. LTD>E-Wave Networks PVT. LTD>
E-Wave Networks PVT. LTD>
 
ESCAYOLAS RAOS, POLIGONO DE RAOS, 11 CAMARGO, CANTABRIA ESPAÑA
ESCAYOLAS RAOS, POLIGONO DE RAOS, 11 CAMARGO, CANTABRIA ESPAÑAESCAYOLAS RAOS, POLIGONO DE RAOS, 11 CAMARGO, CANTABRIA ESPAÑA
ESCAYOLAS RAOS, POLIGONO DE RAOS, 11 CAMARGO, CANTABRIA ESPAÑA
 
Energia e espirito
Energia e espiritoEnergia e espirito
Energia e espirito
 
Smarter Use Cases
Smarter Use CasesSmarter Use Cases
Smarter Use Cases
 
Trabajo informatica Componentes del Ordenador
Trabajo informatica Componentes del OrdenadorTrabajo informatica Componentes del Ordenador
Trabajo informatica Componentes del Ordenador
 
Salida o campamento
Salida o campamentoSalida o campamento
Salida o campamento
 
Prospecto protovit de bayer
Prospecto protovit de bayerProspecto protovit de bayer
Prospecto protovit de bayer
 
SEPA Joven Valencia 2011
SEPA Joven Valencia 2011SEPA Joven Valencia 2011
SEPA Joven Valencia 2011
 
ISP consult présentation
ISP  consult présentationISP  consult présentation
ISP consult présentation
 

Similar to Infromation Security as an Institutional Priority

Cyber crime trends in 2013
Cyber crime trends in 2013 Cyber crime trends in 2013
Cyber crime trends in 2013
The eCore Group
 
NetWitness
NetWitnessNetWitness
The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant Enterprise
Booz Allen Hamilton
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
Christiaan Beek
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Network Security Research Paper
Network Security Research PaperNetwork Security Research Paper
Network Security Research Paper
Pankaj Jha
 
Cisco Addresses the Full Attack Continuum
Cisco Addresses the Full Attack ContinuumCisco Addresses the Full Attack Continuum
Cisco Addresses the Full Attack Continuum
Cisco Security
 
Trend Micro - Targeted attacks: Have you found yours?
Trend Micro - Targeted attacks: Have you found yours?Trend Micro - Targeted attacks: Have you found yours?
Trend Micro - Targeted attacks: Have you found yours?
Global Business Events
 
Endpoint Protection
Endpoint ProtectionEndpoint Protection
Endpoint Protection
Sophos
 
BYOD and Your Business
BYOD and Your BusinessBYOD and Your Business
BYOD and Your Business
cherienetclarity
 
Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?
Trend Micro (EMEA) Limited
 
Cyber Safety Awareness Training (Brochure)
Cyber Safety Awareness Training (Brochure)Cyber Safety Awareness Training (Brochure)
Cyber Safety Awareness Training (Brochure)
NAFCU Services Corporation
 
Cybersecurity Risk from User Perspective
Cybersecurity Risk from User PerspectiveCybersecurity Risk from User Perspective
Cybersecurity Risk from User Perspective
AvinantaTarigan
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio Panada
IBM Danmark
 
Enterprise Immune System
Enterprise Immune SystemEnterprise Immune System
Enterprise Immune System
Austin Eppstein
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
Trend Micro - is your cloud secure
Trend Micro - is your cloud secureTrend Micro - is your cloud secure
Trend Micro - is your cloud secure
Kappa Data
 
Data mining in security: Ja'far Alqatawna
Data mining in security: Ja'far AlqatawnaData mining in security: Ja'far Alqatawna
Data mining in security: Ja'far Alqatawna
Maribel García Arenas
 
Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Weaponised Malware & APT Attacks: Protect Against Next-Generation ThreatsWeaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Lumension
 
White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?
Windstream Enterprise
 

Similar to Infromation Security as an Institutional Priority (20)

Cyber crime trends in 2013
Cyber crime trends in 2013 Cyber crime trends in 2013
Cyber crime trends in 2013
 
NetWitness
NetWitnessNetWitness
NetWitness
 
The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant Enterprise
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Network Security Research Paper
Network Security Research PaperNetwork Security Research Paper
Network Security Research Paper
 
Cisco Addresses the Full Attack Continuum
Cisco Addresses the Full Attack ContinuumCisco Addresses the Full Attack Continuum
Cisco Addresses the Full Attack Continuum
 
Trend Micro - Targeted attacks: Have you found yours?
Trend Micro - Targeted attacks: Have you found yours?Trend Micro - Targeted attacks: Have you found yours?
Trend Micro - Targeted attacks: Have you found yours?
 
Endpoint Protection
Endpoint ProtectionEndpoint Protection
Endpoint Protection
 
BYOD and Your Business
BYOD and Your BusinessBYOD and Your Business
BYOD and Your Business
 
Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?
 
Cyber Safety Awareness Training (Brochure)
Cyber Safety Awareness Training (Brochure)Cyber Safety Awareness Training (Brochure)
Cyber Safety Awareness Training (Brochure)
 
Cybersecurity Risk from User Perspective
Cybersecurity Risk from User PerspectiveCybersecurity Risk from User Perspective
Cybersecurity Risk from User Perspective
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio Panada
 
Enterprise Immune System
Enterprise Immune SystemEnterprise Immune System
Enterprise Immune System
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Trend Micro - is your cloud secure
Trend Micro - is your cloud secureTrend Micro - is your cloud secure
Trend Micro - is your cloud secure
 
Data mining in security: Ja'far Alqatawna
Data mining in security: Ja'far AlqatawnaData mining in security: Ja'far Alqatawna
Data mining in security: Ja'far Alqatawna
 
Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Weaponised Malware & APT Attacks: Protect Against Next-Generation ThreatsWeaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
 
White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?
 

More from zohaibqadir

Technology Entrepreneurship (Assign No 2)
Technology Entrepreneurship (Assign No 2)Technology Entrepreneurship (Assign No 2)
Technology Entrepreneurship (Assign No 2)
zohaibqadir
 
Technology Entrepreneurship (assig no 2)
Technology Entrepreneurship (assig no 2)Technology Entrepreneurship (assig no 2)
Technology Entrepreneurship (assig no 2)
zohaibqadir
 
175 PMP Sample Questions
175 PMP Sample Questions175 PMP Sample Questions
175 PMP Sample Questions
zohaibqadir
 
PgM ITTOs
PgM ITTOsPgM ITTOs
PgM ITTOs
zohaibqadir
 
Project Management Institute
Project Management InstituteProject Management Institute
Project Management Institute
zohaibqadir
 
ADDRESSING CORPORATE CONCERNS
ADDRESSING CORPORATE CONCERNSADDRESSING CORPORATE CONCERNS
ADDRESSING CORPORATE CONCERNS
zohaibqadir
 

More from zohaibqadir (6)

Technology Entrepreneurship (Assign No 2)
Technology Entrepreneurship (Assign No 2)Technology Entrepreneurship (Assign No 2)
Technology Entrepreneurship (Assign No 2)
 
Technology Entrepreneurship (assig no 2)
Technology Entrepreneurship (assig no 2)Technology Entrepreneurship (assig no 2)
Technology Entrepreneurship (assig no 2)
 
175 PMP Sample Questions
175 PMP Sample Questions175 PMP Sample Questions
175 PMP Sample Questions
 
PgM ITTOs
PgM ITTOsPgM ITTOs
PgM ITTOs
 
Project Management Institute
Project Management InstituteProject Management Institute
Project Management Institute
 
ADDRESSING CORPORATE CONCERNS
ADDRESSING CORPORATE CONCERNSADDRESSING CORPORATE CONCERNS
ADDRESSING CORPORATE CONCERNS
 

Infromation Security as an Institutional Priority

  • 1. Pittsburgh, PA 15213-3890 Information Security as an Institutional Priority Julia H. Allen Networked Systems Survivability/CERT Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 ® CERT, CERT Coordination Center, OCTAVE, CMM, CMMI, and Carnegie Mellon are registered in the U.S. Patent and Trademark Office Sponsored by the U.S. Department of Defense © 2005 by Carnegie Mellon University page 1
  • 2. What Might Security as an Institutional Priority Look Like? Leaders direct and control the institution to establish and sustain a culture of security in the institution’s conduct • beliefs, values, behaviors, capabilities, and actions Security is viewed as a non-negotiable requirement of being ‘in business.’ [Allen 05] In institutions of higher education: [EDUCAUSE 03] • Leadership purported to be reactive rather than proactive • Lack of clearly defined goals • Goals of security, academic freedom, intellectual freedom viewed as antithetical Allen, Julia. “Governing for Enterprise Security: An Introduction.” June, 2005. EDUCAUSE Center for Applied Research. “Information Technology Security: Governance, Strategy, and Practice in Higher Education.” 2003. © 2005 by Carnegie Mellon University page 2
  • 3. What Might Security as an Institutional Priority Look Like? (cont) Information security is a human enterprise • “lack of security awareness by users” cited as top obstacle • overriding impact of human complexities, inconsistencies, and peculiarities People can become the most effective layer in an organization's defense-in-depth strategy • with proper training, education, motivation The first step is making sure they operate in a security conscious culture. Ernst & Young. "Global Information Security Survey 2004." http://www.ey.com/global/download.nsf/UK/Survey_- _Global_Information_Security_04/$file/EY_GISS_%202004_EYG.pdf © 2005 by Carnegie Mellon University page 3
  • 4. American Council on Education Letter to Presidents Regarding Cybersecurity • Set the tone • Establish responsibility for campus-wide cybersecurity at the cabinet level • Ask for a periodic cybersecurity risk assessment • Request updates to your cybersecurity plans on a regular basis From ACE President David Ward (February 28, 2003) http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm © 2005 by Carnegie Mellon University page 4
  • 5. EDUCAUSE Framework for Action • Make IT security a priority in higher education • Revise institutional security policies; improve the use of existing security tools • Improve security for future research and education networks • Improve collaboration between higher education, industry, and government • Integrate work in higher education with the national effort to strengthen critical infrastructure Called for in EDUCAUSE “Higher Education Contribution to National Strategy to Secure Cyberspace,” Jul 02 and [EDUCAUSE 03] Cited in The National Strategy to Secure Cyberspace, Feb 03. © 2005 by Carnegie Mellon University page 5
  • 6. Questions to Ask What is at risk? How much security is enough? How does an institution of higher education (IHE) • achieve and sustain adequate security? © 2005 by Carnegie Mellon University page 6
  • 7. Growth in Number of Vulnerabilities Reported to the CERT/CC © 2005 by Carnegie Mellon University page 7
  • 8. Attack Sophistication vs. Intruder Knowledge email propagation of malicious code DDoS attacks “stealth”/advanced scanning techniques increase in worms sophisticated command widespread attacks using NNTP to distribute attack & control Attack Sophistication widespread attacks on DNS infrastructure executable code attacks (against browsers) anti-forensic techniques automated widespread attacks home users targeted GUI intruder tools distributed attack tools hijacking sessions increase in wide-scale Trojan horse distribution Internet social engineering widespread attacks denial-of-service attacks Windows-based remote controllable techniques to analyze code for vulnerabilities Trojans (Back Orifice) automated probes/scans without source code packet spoofing 1990 Intruder Knowledge 2004 © 2005 by Carnegie Mellon University page 8
  • 9. Response Time Human response: impossible Automated response: Will need new paradigms “Flash” Threats Proactive blocking: possible Seconds Contagion Timeframe Human response: difficult/impossible “Warhol” Threats Minutes Automated response: possible Hours Blended Threats Human response: possible e-mail Worms Days Macro Viruses Weeks or months File Viruses © 2005 by Carnegie Mellon University page 9
  • 10. What Is At Risk? • Trust • Reputation; image • Stakeholder value • Community confidence • Regulatory compliance; fines, jail time • “Customer” retention, growth (staff, faculty, students, alumni, funding agencies) • “Customer” and partner identity, privacy • Ability to offer, fulfill transactions • Staff, student morale © 2005 by Carnegie Mellon University page 10
  • 11. Trust “The central truth is that information security is a means, not an end. Information security serves the end of trust. Trust is efficient, both in business and in life; and misplaced trust is ruinous, both in business and in life. Trust makes it possible to proceed where proof is lacking. As an end, trust is worth the price. Without trust, information is largely useless.” Geer, Daniel E. “Why Information Security Matters.” Cutter Consortium Business-IT Strategies Vol. 7, No. 3, 2004. © 2005 by Carnegie Mellon University page 11
  • 12. Responsibility to Protect Digital Assets In excess of 80 percent of an organization’s intellectual property is in digital form [Business Week] Duty of Care: Governance of Digital Security • Govern institutional operations • Protect critical assets and processes • Govern employee conduct • Protect reputation • Ensure compliance requirements are met Business Judgment Rule: That which a reasonably prudent director of a similar institution would have used [Jody Westby, PricewaterhouseCoopers, Congressional Testimony; case law] © 2005 by Carnegie Mellon University page 12
  • 13. Barriers to Tackling Security • Abstract, concerned with hypothetical events • A holistic, enterprise-wide problem; not just technical • No widely accepted measures/indicators • Disaster-preventing rather than payoff-producing (like insurance) • Installing security safeguards can have negative aspects (added cost, diminished performance, inconvenience) © 2005 by Carnegie Mellon University page 13
  • 14. Questions to Ask What is at risk? How much security is enough? How does an IHE • achieve and sustain adequate security? © 2005 by Carnegie Mellon University page 14
  • 15. Shift the Security Perspective From To Scope: Technical problem Institutional problem Ownership: IT Institutional Funding: Expense Investment Focus: Intermittent Integrated Driver: External Institution Application: Platform/practice Process Goal: IT security Institutional continuity/resilience © 2005 by Carnegie Mellon University page 15
  • 16. Security to Resiliency Managing to threat and Managing to impact and vulnerability consequence No articulation of desired state to Adequate security defined as desired state Possible security technology overkill Security in sufficient balance to cost, risk © 2005 by Carnegie Mellon University page 16
  • 17. A Resilient Institution Is Able To. . . • withstand systemic discontinuities and adapt to new risk environments [Starr 03] • be sensing, agile, networked, prepared [Starr 03] • dynamically reinvent institutional models and strategies as circumstances change [Hamel 04] • have the capacity to change before the case for change becomes desperately obvious [Hamel 04] © 2005 by Carnegie Mellon University page 17
  • 18. Security Strategy Questions • What needs to be protected? Why does it need to be protected? What happens if it is not protected? • What potential adverse consequences need to be prevented? At what cost? How much disruption can we stand before we take action? • How do we effectively manage the residual risk? © 2005 by Carnegie Mellon University page 18
  • 19. Defining Adequate Security The condition where the protection strategies for an organization's critical assets and processes are commensurate with the organization's risk appetite and risk tolerances Risk appetite and risk tolerance as defined by COSO’s Enterprise Risk Management Integrated Framework, September, 2004. [Allen 05] © 2005 by Carnegie Mellon University page 19
  • 20. Determining Adequate Security Depends On . . . • Organizational factors: size, complexity, asset criticality, dependence on IT, impact of downtime • Market factors: provider of critical infrastructure, openness of network, customer privacy, regulatory pressure, public disclosure • Principle-based decisions: Accountability, Awareness, Compliance, Effectiveness, Ethics, Perspective/Scope, Risk Management, etc. [Allen 05] © 2005 by Carnegie Mellon University page 20
  • 21. Adequate Security and Operational Risk “Appropriate security is that which protects the organization from undue operational risks in a cost-effective manner.” [Sherwood 03] “With the advent of regulatory agencies assessing a organization’s aggregate operational risk, there needs to be a way of looking at the organization as a whole rather than its many parts.” [Milus 04] [According to Basel II, operational risks are risks of loss resulting from inadequate or failed internal processes, people, and systems or from external events. http://www.bis.org/publ/bcbs107.htm] © 2005 by Carnegie Mellon University page 21
  • 22. Questions to Ask What is at risk? How much security is enough? How does an IHE • achieve and sustain adequate security? © 2005 by Carnegie Mellon University page 22
  • 23. Shift the Security Approach Ad-hoc and to Managed and tactical strategic irregular systematic reactive adaptive immeasurable measured absolute adequate Security activities and measures of security performance are visibly aligned with strategic drivers and critical success factors. © 2005 by Carnegie Mellon University page 23
  • 24. Mobilizing Capabilities to Achieve/Sustain Adequate Security Critical Success ES Governance: Factors: determine policy, oversight, priorities sponsorship Audit: evaluates Risk Mgmt: clarifies risk tolerance, impacts IT Ops: delivers Project Mgmt: secure service, plans, tracks, protects assets Security: defines ensures completion controls for key IT ops processes Process Mgmt: enables © 2005 by Carnegie Mellon University page 24
  • 25. Mobilizing to Achieve/Sustain Adequate Security IT Ops Processes • Problem/Incident Mgmt • Asset Management • Availability Management Critical Success Priorities • Release Mgmt • Integrity Management • Configuration Mgmt • Confidentiality/Privacy Factors: determine • Change Mgmt Management Measures priorities Findings ES Governance: Extent of compliance Recommendations policy, oversight, Tasks, Improvements sponsorship Determine Current State Evaluate Strategies, Recommendations, Actions Audit: evaluates Risk Mgmt: clarifies Plan inputs, priorities risk tolerance, risks, impacts Results IT Ops: delivers Prioritized tasking secure service, Evaluation, Eval criteria protects assets Status, Plan updates, Resources, Measures, New improvements, Business case data Plans, Status, Requirements Business case Controls Process definitions Process steps Project Mgmt: Contributing process areas Security: defines plans, tracks, ensures Process Mgmt: completion enables controls for key IT Actions, Process Definitions, ops processes Measures, Status, Plan updates Prioritized tasking © 2005 by Carnegie Mellon University page 25
  • 26. What Might Security as an Institutional Priority Look Like? (cont) • No longer solely under IT’s control • Achievable, measurable objectives are defined and included in strategic and operational plans • Departments/functions across the institution view security as part of their job (e.g., HR, Audit) and are so measured • Adequate and sustained funding is a given • Senior leaders visibly sponsor and measure this work against defined performance parameters • Considered a requirement of being ‘in business’ © 2005 by Carnegie Mellon University page 26
  • 27. Information Security Governance Resources April 2004: Corporate Governance Task Force report on Information Security Governance (Appendix E) http://www.cyberpartnership.org/init-governance.html; November 2004: EDUCAUSE ISG Assessment Tool for Higher Education http://www.educause.edu/LibraryDetailPage/666?ID=SE C0421 Section I: Organizational Reliance on IT Section II: Risk Management Section III: People Section IV: Processes Section V: Technology © 2005 by Carnegie Mellon University page 27
  • 28. Legal Perspective: IT Security for Higher Education • Analyze applicable state laws and municipal ordinances • Assess IS vulnerabilities and risks • Review and update IS policies & procedures • Review personnel policies & procedures for access to sensitive information • Scrutinize relationships with third-party vendors • Review the institution’s insurance policies • Develop a rapid response plan & incident response team • Work together with higher education associations & coalitions to develop standards relating to IS “IT Security for Higher Education: A Legal Perspective.” Salomon, Kenneth; Cassat, Peter; Thibeau, Briana. Dow, Lohnes & Albertson, PLLC. EDUCAUSE/Internet2 Computer and Network Security Task Force, 2003. http://www.educause.edu/ir/library/pdf/csd2746.pdf © 2005 by Carnegie Mellon University page 28
  • 29. EDUCAUSE Resources • Center for Applied Research (ECAR): http://www.educause.edu/ecar • Security Task Force: http://www.educause.edu/security • The Effective IT Security Guide for Higher Education • Computer and Network Security in Higher Education • Security Discussion Group • Security Professionals Conference © 2005 by Carnegie Mellon University page 29
  • 30. For More Information • Governing for Enterprise Security (http://www.cert.org/governance/ges.html) • Enterprise Security Management (http://www.cert.org/nav/index_green.html) • CERT web site (http://www.cert.org); ITPI web site (http://www.itpi.org); SEI web site (http://www.sei.cmu.edu) • jha@cert.org © 2005 by Carnegie Mellon University page 30
  • 31. References [Hamel 04] Hamel, Gary; Valikangas, Liisa. “The Quest for Resilience,” Harvard Business Review, September 2003. [Milus 04] Milus, Stu. “The Institutional Need for Comprehensive Auditing Strategies.” Information Systems Control Journal, Volume 6, 2004. [Sherwood 03] Sherwood, John; Clark; Andrew; Lynas, David. “Systems and Business Security Architecture.” SABSA Limited, 17 September 2003. Available at http://www.alctraining.com.au/pdf/SABSA_White_Paper.pdf. [Starr 03] Starr, Randy; Newfrock, Jim; Delurey, Michael. “Enterprise Resilience: Managing Risk in the Networked Economy.” strategy+business, Spring 2003. Also appears in “Enterprise Resilience: Risk and Security in the Networked World: A strategy+business Reader.” Randall Rothenberg, ed. [Westby 04] Westby, Jody. “Information Security: Responsibilities of Boards of Directors and Senior Management.” Testimony before the House Committee on Government Reform: Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, September 22, 2004. Available at http://www.reform.house.gov/UploadedFiles/Westby1.pdf. © 2005 by Carnegie Mellon University page 31