Information Security Compliance Ingredients for Success Lewis Watkins, ciso [email protected] The University of Texas System

Post on 21-Sep-2020

Page 1: Information Security Compliance · 2014. 9. 3. · • Compliance is not equal to Security, but it correlates to Security and is much easier to measure. We must not equate these measures

Information Security Compliance

Ingredients for Success

Lewis Watkins, [email protected]

The University of Texas System

Page 2

The University of Texas System

Missions
• Research
• Instruction
• Patient Care
• Public Service

• 9 Academic Institutions
• 6 Medical Institutions
• U. T. System Administration
• U. T. Investment Management Company (UTIMCO)

~ 186,000 students
~ 78,000 faculty & staff

Page 3

UT System Information Security Program Mission

Establish and maintain at each U. T. Institution an Information Security program that:

effectively reduces risk and secures the information assets;

is documented and verifiable; and

meets regulatory compliance requirements

Page 4

What are we Protecting?

Information Resources:

Computers and other computing devices

Data Storage and Print Devices

Software

Networks

Digital Data

Page 5

What are we Protecting?

Institutional Integrity:

Service Availability

Intellectual Property

Brand Name

Privacy

Compliance

Page 6

With “What” are we Complying?

PCI

GLB

FISMA

SOX

HIPAA

FERPA

TAC 202

With more to come!

Information Security Compliance includes these and other regulations.

Page 7

How Higher Education Differs From Other Organizations

• Missions
• Governance
• Funding
• Constituencies
• Cultures/Traditions
• Threat Environment

Photo Credit: Andrey Kravtsov, University of Chicago

Page 8

Success Ingredient #1: You need a Simple Framework

A four question framework for taking on the monster!

Repeatedly Ask and Answer these 4 questions to navigate through the complexity and maintain focus!

Page 9

Success Ingredient #1: A Four Question Framework

1. What’s Happening?

What’s happening around here?

What type of incidents are occurring? What’s “not happening” that hinders security?

Page 10

Success Ingredient #1: A Four Question Framework

2. What’s Important?

What really needs to be protected?

What’s most important to protect? What’s important to do in order to bolster information security?

Page 11

Success Ingredient #1: A Four Question Framework

3. What’s Effective?

What strategies really work?

What strategies return the biggest payoff? What measures help track effectiveness?

Page 12

Success Ingredient #1: A Four Question Framework

4. What’s Next?

I wonder what they will do next?

What will we likely encounter tomorrow? What can we do now to prepare? What are we missing?

Page 13

Success Ingredient #2: You need a Roadmap

• Standards
• Metrics & Outcomes
• Oversight
• Technology

Page 14

Success Ingredient #2: You need a Roadmap

Tasks not started

Tasks underway

Tasks completed

Page 15

Success Ingredient #3: Critical Success Factors

• CISO
• Leadership
• Security and IT Teams
• Community

Will

Support

Permission

Trust

Skill: People 70%, Technology 30%

Knowledge: Institution, Culture, Compliance, Risks, Technology

Governance: Roles & Responsibilities, Decentralized IT Staff

Resources: People, Time, Money, Technology, Base Infrastructure

Where deficiencies exist, the task becomes one of addressing the deficiency.

Page 16

Success Ingredient #4: Defense in “Depth”

Defense in Depth (using multiple layered defense techniques) is a basic principle known to nearly all information security professionals.

Yes, we know this already, so could we just move on!

Page 17

Success Ingredient #5: Defense in “Breadth”

It’s important to secure Central IT.

But also the distributed departments - where most breaches occur!

And outsourcers / business partners.

Page 18

Success Ingredient #5: Defense in “Breadth”

• Securing outlying departments is our greatest challenge.

• We have too many holes in our security fabric.

• It’s not a technology problem, but one of training, persuasion, will, trust, support, and accountability.

Page 19

Success Ingredient #5: Defense in “Breadth”

• Visibility – The institution’s CISO needs the ability to see, measure, and influence device state across the whole enterprise in real time.

• “Black hole” areas are where we can expect to be taken by surprise. We must adopt strategies to secure and verify the security of these areas.

• “You can't change what you don't acknowledge.” – Dr. Phil

Black hole areas pose high risk!

Page 20

Success Ingredient #6: Concrete Program Structure

U. T. System requires that each institution have…

An Information Security Program approved by the President each year to include:

Annual Risk Assessment (What’s Important and What’s Next?)

Defined Elements – based on ISO 17799 (What’s Important?)

Defined Metrics (What’s Happening and What’s Effective?)

Action, Training, and Monitoring Plans (Define Strategies)

Quarterly and Annual Reporting (What’s Happening, What’s Effective, and What’s Next?)

Page 21

Required Program Element Categories

1. Information Security Governance

2. Policies, Procedures, Standards

3. Asset / Data Classification

4. Risk Assessment and Management

5. Compliance

6. Access Management

7. Change Management

8. Configuration Management

9. Data Backup and Recovery

10. Disaster Recovery

11. Incident Management

12. Physical Security

13. Device Use and Security

14. Application Development and Acquisition

15. Electronic Records Management

Page 22

Required Program Metrics

1. Number of Computing Devices

2. Configuration Visibility

3. Encryption Deployment

4. Anti-virus/malware Deployment

5. Number of Outreach Activities

6. Number of Assurance Activities

7. Number of Incidents

9. Incident Costs

10. Systems Lacking Disaster Recovery Plan

11. Number of Employees Receiving Basic Training

12. Number of Technical Employees Receiving Specialized Training

13. Information Security Budget

14. Compliance for TAC 202, UTS 165, HIPAA, PCI

Page 23

Success Ingredient #7: Audit and Compliance Involvement

“Industry leaders are conducting internal audit and IT security monitoring eight times more frequently than are the industry laggards and five times more frequently than firms operating at industry norm.”

Improving IT Compliance, 2006 IT Compliance Benchmark Report, Symantec Corporation

• Vulnerabilities must be discovered and acknowledged to be addressed.

• Things that get measured, audited, and/or reviewed get attended to.

Page 24

Lessons Learned Learning!

• Many institutions do not know what is running on their networks and do not have the visibility needed to “do the job” in an accountable way.

• We consistently see breakdowns in communications between Information Security and “Operations” or “Networking” when handing off security items to be addressed. A follow-up mechanism is needed to ensure changes are executed.

• Compliance is not equal to Security, but it correlates to Security and is much easier to measure. We must not equate these measures.

• Complex organizations will never achieve 100% compliance, but can achieve “practical compliance.”

Page 25

More Lessons Learned Learning!

• Technology is a part – but only a small part of the answer to achieving a compliant and secure environment – it’s mostly a people thing!

• We are making good progress on current issues such as SSN elimination, but worse threats are being born at an even faster rate.

• As some of our technical defenses start to fail, we must become better at “thinking out of the box” and devising totally new approaches to security.

• Information Security and Compliance is very hard work because of its scope and depth, but mostly because of the cultural, people, and trust issues. And these are the issues that many professionals shy away from.

Page 26

Questions?

Lewis Watkins, [email protected]

The University of Texas System