Enterprise Security


Page 1: Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC


Mark Bruhn, Assoc. VP, Indiana University

Jack Suess, VP of IT, UMBC


Presenters’ Background

Mark Bruhn: Supervised IU security operations in various forms from 1988 to 2006. Executive Director of REN-ISAC. Held leadership positions in the Security Task Force since 2002 on the Awareness and Policy/Legal groups.

Jack Suess: Co-Chair of the task force since 2003. Coordinated the Effective Practice workgroup.


Format for this Session

This session on enterprise security is intended to be interactive.

The format we will use is to ask questions of you and collectively reflect on the answers we get.

Our goal is to build on the collective expertise in the room and have you leave here with some tangible steps to take to improve security when you return to campus.


Question 1. Priority

The 2006 EDUCAUSE survey of top-10 issues listed Security and Identity Management as the #1 issue. How many in this room listed this #1? Why?

How many in this room consider this their number one responsibility? How are you evaluated on this?

Does your IT strategic plan have a section on security?


Question 2. Technology

What technologies are deployed on your campus? Firewall(s); VPN; Intrusion Detection System; Intrusion Prevention System; security updates for computers.

How does IdM relate to security?


Question 3. Effectiveness

With all we have spent on security technology do we feel more secure today than 4 years ago? Why or why not?


Question 4. Policy

What is the process for identifying and developing policies and procedures related to security?

How is compliance (with HIPAA, GLBA, FERPA) monitored and enforced?

What is the role of IT in this?


Question 5. Data Policy

Do you have a data classification policy that is actively enforced? What classifications are used? Is training provided for end-users? Is the training mandatory?


Question 6. Organization

How is your organization organized for security? Who has a CISO, and to whom do they report?

How many security staff do you have? Is that a useful metric?

What is the role of the CIO? How is funding for security handled? How does this relate to physical security?


Question 7. IT Staff

How is security integrated into the jobs of all central IT staff? What is the role of certification? Where do you send staff for training?

How is security integrated into the jobs of IT in the departments? What level of centralization is occurring?


Question 8. People

What responsibility do students, faculty, and staff have for securing both their campus and personal machines?

What are the repercussions if they don’t secure their machines?

How are users educated on social engineering exploits such as phishing?


Question 9. Risk Management

What group on campus has responsibility for risk management? What role does auditing play?

How many have done a risk assessment of at least some departments on campus?

How many have a formal process for risk assessment that you use across campus?

How many have done an institution-wide risk assessment? How frequent?

What are the barriers?


Question 10. Identity Protection

Is there an identity management system on campus? How does it relate to your campus ID card and Library?

Have you defined non-public information (NPI) in your data access policy?

How are authentication and authorization to/on systems handled?


Question 11. Data Breach

Do you have a plan for what to do if you have a data breach? Does it involve groups outside of IT? Who will take the lead?

Do you have plans or contracts in place with partners for the following: Digital forensics; Crisis management; Call center operations; Identity theft counseling?

From whose pocket will the funds come?


What to Take Away

Technology devices can help but can’t guarantee you won’t have an incident. There are no silver bullets.

Don’t stovepipe security under CISO. Security must be everyone’s job #1, including yours!

Engage your leadership team around this issue.

Develop a comprehensive risk management program across the institution and insist on leadership buy-in.

Invest in training campus staff across the board.

Management oversight is key. Development of policies and procedures is essential. Begin to look at and work towards ISO 17799.


Security Resources

Have someone join the security discussion email list.

Send staff to the Security Professionals conference in April 2007.

EDUCAUSE/Internet2 Security Task Force: http://www.educause.edu/security

Effective Security Practices Guide: http://www.educause.edu/security/guide

Internet2 Security Initiatives: http://security.internet2.edu

Research and Education Networking ISAC: http://www.ren-isac.net