community it webinar - crafting it security policy apr 2015
TRANSCRIPT
Webinar Tips
• Interact: Ask questions via chat. Connect on Twitter.
• Focus: Avoid multitasking. You may just miss the best part of the presentation.
• Webinar PowerPoint & Recording: PowerPoint and recording links will be shared after the webinar.
About Community IT
Our skilled and certified team of IT professionals serves the greater Washington nonprofit community, helping organizations of all sizes and capacities to advance mission through the effective use of technology.
Invested: Work exclusively with nonprofit organizations, serving over 900 since 1993.
Strategic: Help our clients make IT decisions that support mission.
Collaborative: Team of over 30 staff who empower you to make informed IT choices.
Agenda
• IT Threat landscape in 2015
• CIA Security Framework
• Security as IT Policy
• IT Policy Guidelines
Record year for breaches
• Target & Home Depot
• Celebrity iCloud hack
• Sony Pictures, “Dark Hotel”
• Heartbleed, Sandworm, Wirelurker
• Superfish
Times have changed
• Firewalls only protect the data that stays behind them
• Passwords are no longer secure
• Anyone can be a hacker
Confidentiality
• Who can read the data?
• Controlling access to the data
Risk: Disclosure of information
LOW: Disclosure of information could be expected to have a limited adverse effect.
MODERATE: Disclosure of information could be expected to have a serious adverse effect.
HIGH: Disclosure of information could be expected to have a severe or catastrophic effect.
Integrity
• Who can edit data?
• Ensuring accuracy of the data
Risk: Modification or destruction of data
LOW: Modification or destruction of data could be expected to have a limited adverse effect.
MODERATE: Modification or destruction of data could be expected to have a serious adverse effect.
HIGH: Modification or destruction of data could be expected to have a severe or catastrophic effect.
Availability
• Is data accessible?
• Ensuring access to the data when needed
Risk: Disruption of access to information
LOW: Disruption of access to or use of information could be expected to have a limited adverse effect.
MODERATE: Disruption of access to or use of information could be expected to have a serious adverse effect.
HIGH: Disruption of access to or use of information could be expected to have a severe or catastrophic effect.
Inventory Your Data
http://commons.wikimedia.org/wiki/File:Modern_warehouse_with_pallet_rack_storage_system.jpg
Inventory your Data
• Exhaustive list of all organizational data
• Analyze it from the 3 CIA perspectives
• Assign a Low, Moderate, or High risk
CIA analysis
• PDF of signed Annual Performance Review
• Confidentiality: Limit to HR and Supervisor (this may be a regulatory issue) - HIGH
• Integrity: Data should not change and must have utmost confidence file is not altered - HIGH
• Availability: Needed only upon request, 2-3 days - LOW
CIA analysis
• Accounting System
• Confidentiality: Limit to Finance Department and President - MODERATE
• Integrity: Constantly updated. Roll back last thirty days’ activity. Must have record of who changed what. - HIGH
• Availability: Downtime 8 hrs acceptable. - MODERATE
CIA Inventory
                   Confidentiality   Integrity   Availability
Sensitive Data
Medical Records    High              High        High
Donor Contacts     Moderate          High        Moderate
Financial System   Moderate          High        Moderate
HR Records         High              Moderate    Low
Less Sensitive
Email              Moderate          High        High
Grant Proposals    Low               Moderate    High
Program Mgmt       Low               Moderate    Moderate
IT Policy
Agreed upon system of principles to guide IT decision making and achieve certain IT outcomes. Written as a statement of intent; implemented as IT procedure or protocol.
http://en.wikipedia.org/wiki/Policy
IT Policy
Organization agrees on decisions and outcomes related to IT security. Agreement is documented in writing.
IT Department Policy
Informs both architecture and process. Should include:
• Identity and Access Management
• Endpoint Management
• Data Retention
Confidentiality Applied
• Segregate data based on inventory
• Restrict/remove remote access to sensitive data
• Consider logging and monitoring
Integrity Applied
• Maintain anti-virus & anti-malware
• Restrict permissions as much as possible
• “Harden” servers
• Scan for vulnerabilities on a schedule
• Lock doors and install fire alarms
Availability Applied
• Identify availability requirements
• Invest appropriately
• Backup rule: KISS!
• Keep extra hardware on hand
• Develop business continuity plan
End User Policy
http://commons.wikimedia.org/wiki/File:The_Park_Northpoint_-_Open_Plan_Office_Space.jpg
End User Policy
• Security Culture & End-User Training
• Password Policy
• BYOD (and BYOA) Policy
• Written Appropriate Use Policy
If Putin gave you a USB charger… would you use it?
http://www.worldcrunch.com/rss/default/m1c0s13958/#.VL_ExMaH044
End-User Training
• User awareness is the best defense
• How do we engage users?
• Make it mandatory, but fun
• Training should be ongoing
• Must be embraced by all staff
Password Policy
• Should passwords be changed regularly?
• Can they be complex enough to be secure?
• Where else are company passwords being used?
Password Management
• Password managers allow users to store many passwords conveniently
• Best generate passwords and warn to change after breaches
• Options: LastPass, 1Password, Secret Server, AuthAnvil
Dual Factor Authentication (2FA)
• Adds physical security to password
• Much easier to use and deploy than it was two years ago
• Google Authenticator
http://commons.wikimedia.org/wiki/File:EToken_PASS.jpg
BYOD Security Risks
“Bring Your Own Device”
• Confidentiality – Data leakage
• Integrity – “Vector” into the company
• Availability – Malware, Targeted hacking
Legal Risks
• Legislated law is thin
• Case law is uncertain
• Exempt staff working without compensation
• Personal device and data could be subpoenaed
Financial Risks
• Stipends might cost more
• IT support can become entangled
• Exempt staff need to be paid
• Mobile Device Management (MDM) can be expensive
BYOD policy questions
• What level of access is provided?
• What level of support is provided? And for which staff?
• Should devices be managed and controlled? For which staff?
CIA Inventory
Data               Confidentiality   Integrity   Availability   Policy
Sensitive
Medical Records    High              High        High           no BYOD, segment wifi
Donor Contacts     Mod               High        Mod            Published App
Financial System   Mod               High        Mod            Published App
HR Records         High              Mod         Low            no BYOD
Less Sensitive
Email              Mod               Mod         High           BYOD
Grant Proposals    Low               Mod         High           BYOD
Program Mgmt       Low               Mod         Mod            BYOD
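The table above pairs each inventoried data set with an access policy. As an added example (not the webinar's own material), the script below encodes that inventory and derives the BYOD policy and an overall sensitivity tier per asset; the mapping rule (High confidentiality: no BYOD, plus wifi segmentation when every rating is High; High integrity with lower confidentiality: published app only; otherwise BYOD) is inferred from the table and is an assumption, not a rule the presenters state.

```python
# Added example, not the webinar's own material: derive a BYOD policy from a
# CIA inventory. The mapping rule is inferred from the deck's table (assumption).
from dataclasses import dataclass

LEVELS = {"Low": 1, "Moderate": 2, "High": 3}

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for rating in self.ratings():           # reject typos like "Medium"
            if rating not in LEVELS:
                raise ValueError(f"{self.name}: unknown rating {rating!r}")

    def ratings(self):
        return (self.confidentiality, self.integrity, self.availability)

def sensitivity(asset: Asset) -> str:
    """Overall tier is the highest of the three ratings (high-water mark)."""
    return max(asset.ratings(), key=LEVELS.__getitem__)

def byod_policy(asset: Asset) -> str:
    """High confidentiality keeps data off personal devices (and off the shared
    wifi when every rating is High); High integrity with lower confidentiality
    is reachable only through a published app; everything else allows BYOD."""
    if asset.confidentiality == "High":
        all_high = all(r == "High" for r in asset.ratings())
        return "no BYOD, segment wifi" if all_high else "no BYOD"
    if asset.integrity == "High":
        return "Published App"
    return "BYOD"

# Inventory copied from the deck's CIA table ("Mod" expanded to "Moderate").
INVENTORY = [
    Asset("Medical Records", "High", "High", "High"),
    Asset("Donor Contacts", "Moderate", "High", "Moderate"),
    Asset("Financial System", "Moderate", "High", "Moderate"),
    Asset("HR Records", "High", "Moderate", "Low"),
    Asset("Email", "Moderate", "Moderate", "High"),
    Asset("Grant Proposals", "Low", "Moderate", "High"),
    Asset("Program Mgmt", "Low", "Moderate", "Moderate"),
]

def policy_table(inventory):
    """Map each asset name to (overall tier, BYOD policy)."""
    return {a.name: (sensitivity(a), byod_policy(a)) for a in inventory}
```

Running `policy_table(INVENTORY)` reproduces the Policy column of the table, and any asset whose rating is not one of Low, Moderate or High is rejected at construction time.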
Upcoming Webinar
Microsoft Ignite Recap
Thursday May 21
4:00 – 5:00 PM EST
Matthew Eshleman & Steve Longenecker
After the webinar
Connect with us
Provide feedback: Short survey after you exit the webinar. Be sure to include any questions that were not answered.
Missed anything? Link to slides & recording will be emailed to you.
Questions?
Author: DuMont Television/Rosen Studios, New York-photographer, Uploaded by We hope at en.wikipedia
http://commons.wikimedia.org/wiki/File:20_questions_1954.JPG