
New Roadmaps in Information Security
June 12, 2015
EUNIS Congress 2015

EDUCAUSE helps people who lead, manage, and use technology to make better decisions about:
Enterprise systems
Strategic leadership
Teaching and learning
Cybersecurity
Visit us at www.educause.edu.

EDUCAUSE Cybersecurity Initiative
Established 2000
Yearly Security Professionals Conference
Mentoring Program
The Information Security Guide

The EDUCAUSE Cybersecurity Initiative (also referred to as the Higher Education Information Security Council or HEISC) guides and informs higher education institutions regarding information security, privacy, risk, and data protection policy and practices.

We Are Here

It’s Scary “Out There”

Information Security is a Higher Ed Top 10 IT Issue
Not Just Once in 2015…
Source: EDUCAUSE Top 10 IT Issues, Trends Interactive Graphic.

Information Security is a Higher Ed Top 10 IT Issue
But Twice.
Source: EDUCAUSE Top 10 IT Issues, Trends Interactive Graphic.

We Know Stealing Data is the Goal
User credentials/passwords
Personally identifiable information
Financial information
Health information
Proprietary information/trade secrets
Research data
Information about how networks and IT resources work
Confidential information that, if released, could cause personal embarrassment

Data Breaches by Industry: Europe (2005-September 2014)
Source: Center for Media, Data and Society, Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005-2014, October 2015.
[Chart: Number of Breaches (0 to 140) against Number of Records Exposed (millions) (0 to 600), by sector: COM, EDU, GOV, MED, MIL, NGO.]

Data Breaches by Industry: US (2005-April 2014)
Source: Just in Time Research: Data Breaches in Higher Education (ECAR, May 2014).

Points of Interest

2015 Information Security Strategic Issues
1. Developing an effective information security strategy.
2. Ensuring that members of the institutional community receive infosec education & training.
3. Developing security policies for mobile, cloud, & digital resources.
4. Using risk management methodologies to identify & address infosec priorities.
5. Developing, testing, & refining incident response capabilities.

Issue #1: Information Security Strategy
High level set of priorities
Links information security goals to the institutional mission
A good strategy bolsters trust, reduces risk, ensures reliable operations

Gaps Between Importance and Effectiveness
Source: Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (ECAR, June 2014).

Top Three InfoSec Leader Titles (rank in parentheses)

Title                   All (n=545)   International (n=34)   European (n=7)   US (n=480)
CIO serves in role      17.43% (3)    11.76% (3)                              17.71% (3)
CISO                    18.17% (2)    14.71% (2)             22.22% (2)       18.75% (2)
InfoSec Officer         19.08% (1)     8.82%                 11.11% (3)       19.38% (1)
Mgr., IT Security        2.57%        14.71% (2)             11.11% (3)        1.67%
Network Administrator    2.94%         2.94%                 11.11% (3)        2.92%
Other                   15.96%        29.41% (1)             44.44% (1)       14.79%

Source: EDUCAUSE Core Data Service, Module 7, Question 2 (2014).

Institutional Governance Practices
Source: Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (ECAR, June 2014).

Recommendations: Information Security Strategy
Understand that information security is an institutional issue
Designate an individual responsible for information security
Use existing IT governance, risk, and compliance structures to elevate information security concerns

Issue #2: InfoSec Education & Training
IT systems and data used daily
Community members trust the institution to secure personal data
Institutional data also needs to be protected
People are the biggest threats to data

Data Breaches in Higher Education
Source: Just in Time Research: Data Breaches in Higher Education (ECAR, May 2014).
[Chart: US (n=562), share of breaches by type: HACK 36%, DISC 30%, PORT 17%, STAT 7%, PHYS 5%, INSD 3%, CARD 0%, UNKN 1%.]
Source: Center for Media, Data and Society, Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005-2014, October 2015.
[Chart: European (n=11), share of breaches by type: Stolen (HACK) 45%, Exposed Online (DISC) 36%, Missing/Stolen Hardware (PORT) 18%.]

Mandatory InfoSec Training
Source: EDUCAUSE Core Data Service, Module 7, Question 10 (2014).
[Chart: Mandatory Self-Defense Education. Percentage of institutions (0% to 60%) with mandatory training for Faculty, Students, IT Staff, and New Employees, plus Available-not mandatory. Groups: All (545), International (34), European (7), US (480).]

Recommendations: InfoSec Education & Training
Realize that infosec education is difficult
Align training topics to particularized institutional needs
Consider tying some types of training to system access
Think about mandatory training opportunities

Issue #3: Security Policies for Mobile, Cloud, & Digital
Proliferation of user devices (BYOE)
Proliferation of outsourced services
Policies govern use of institutional data no matter where it's stored or how it's accessed

Institutional IT Strategies In Place
Source: EDUCAUSE Core Data Service, Module 1, Question 8 (2014).
[Chart: Institutional IT Strategies--Mobility. Percentage of institutions (0% to 100%) with a strategy in place for BYOD, Cloud, Wireless access, and Mobile applications. Groups: All (829), International (48), European (9), US (720).]

Usage Guidance for Mobile Devices
Source: EDUCAUSE Core Data Service, Module 7, Question 5 (2014).
[Chart: distribution of responses by group; response categories unlabelled. International (n=34): 39%, 21%, 27%, 9%, 3%. All (n=545): 29%, 26%, 25%, 15%, 5%. European (n=7): 44%, 11%, 44%. US (n=480): 29%, 26%, 24%, 15%, 5%.]

Recommendations: Security Policies for Mobile, Cloud, & Digital
Recognize that the BYOE paradigm is here to stay
Consider policies that are based on data sensitivity, not specific technologies
Understand that the institution might have different protection needs for data in storage, transit, and use

Issue #4: Using Risk Management Methods
The potential for an unplanned, negative business outcome; IT risk is a business risk
Risks create challenges in meeting strategic goals
Identifying risks, assessing, and prioritizing them is a continual process

Institutional Risk Management Practices
Source: Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (ECAR, June 2014).

Balance Between Risk Control & Openness
Source: Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (ECAR, June 2014).

Risk Management Methodologies
Source: EDUCAUSE Core Data Service, Module 1, Question 13 (2014).

Recommendations: Using Risk Management Methods
Understand that risk management is a process
Seek to collaborate with others when addressing IT risk
Use existing IT risk or enterprise risk management structures to elevate information security concerns

Issue #5: Incident Response Capabilities
Incidents are inevitable; data breaches are inevitable
Incident management has a lifecycle
Plan in advance for incidents

Incident Response Unit Responsibility
Source: EDUCAUSE Core Data Service, Module 7, Question 1 (2014).
[Chart: Incident Management. Percentage of institutions (0% to 100%) by responsible unit: Central, Shared, System, NA. Groups: All (545), International (34), European (7), US (480).]

Incident Response Metrics
Source: EDUCAUSE Core Data Service, Module 7, Question 12 (2014).
[Chart: Incident Response Metrics. Percentage of institutions (0% to 45%) tracking each metric: Incident rate; Mean time between security incidents; Mean time to incident discovery; Mean time to recovery; Percentage of incidents detected by internal controls. Groups: All (545), International (34), European (7), US (480).]
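The five metrics surveyed in this chart, computed from an incident log. This is an added example, not material from the presentation or from EDUCAUSE; the incident records are constructed, and the record fields, the use of hours, and the per-30-day normalization of the incident rate are assumptions.

```python
"""Compute the five incident response metrics from the slide over an incident log.

Added example (not from the presentation). All records below are constructed.
"""
from datetime import datetime
from statistics import mean

# Constructed sample log, one record per incident, times in UTC.
# "occurred"   - estimated start of the incident
# "discovered" - when the institution became aware of it
# "recovered"  - when normal operations resumed
# "source"     - "internal" if an internal control (SIEM, IDS, DLP) found it,
#                "external" if a third party or victim reported it
INCIDENTS = [
    {"id": "INC-1", "occurred": "2015-01-03T08:00", "discovered": "2015-01-05T08:00",
     "recovered": "2015-01-06T20:00", "source": "internal"},
    {"id": "INC-2", "occurred": "2015-02-02T12:00", "discovered": "2015-02-02T18:00",
     "recovered": "2015-02-03T06:00", "source": "internal"},
    {"id": "INC-3", "occurred": "2015-03-14T00:00", "discovered": "2015-04-13T00:00",
     "recovered": "2015-04-15T00:00", "source": "external"},
    {"id": "INC-4", "occurred": "2015-04-23T09:00", "discovered": "2015-04-23T10:00",
     "recovered": "2015-04-23T14:00", "source": "internal"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")

def _hours(delta):
    return delta.total_seconds() / 3600

def incident_metrics(incidents, window_start, window_end):
    """Return the slide's five metrics: times in hours, rate per 30 days of the window."""
    events = sorted(incidents, key=lambda i: _ts(i["occurred"]))
    if not events:
        raise ValueError("no incidents in log")
    window_days = (_ts(window_end) - _ts(window_start)).days
    occurred = [_ts(i["occurred"]) for i in events]
    # Mean time between incidents needs at least two incidents; report None otherwise.
    gaps = [_hours(b - a) for a, b in zip(occurred, occurred[1:])]
    return {
        "incident_rate_per_30d": len(events) * 30 / window_days,
        "mtbsi_hours": mean(gaps) if gaps else None,
        "mttd_hours": mean(_hours(_ts(i["discovered"]) - _ts(i["occurred"])) for i in events),
        "mttr_hours": mean(_hours(_ts(i["recovered"]) - _ts(i["discovered"])) for i in events),
        "pct_internal_detection": 100 * sum(i["source"] == "internal" for i in events) / len(events),
    }

if __name__ == "__main__":
    for name, value in incident_metrics(INCIDENTS, "2015-01-01T00:00", "2015-05-01T00:00").items():
        print(f"{name}: {value}")
```

The long discovery time of INC-3 dominates the mean time to discovery, which is why a program tracking this metric also watches the share of incidents found by its own controls.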

Recommendations: Incident Response Capabilities
If you're currently dealing with a security incident, remember these four basic tips:
1. Don't panic
2. Do a quick assessment
3. Report the problem
4. Determine a course of action
Good incident management practices will help prevent future incidents
Collaboration is required

Where Next?

Core Data Service: 2003 to 2015

Core Data Service: 3 Easy Steps
CONTRIBUTE: Add Data (CDS Survey)
COMPARE: Access Data (CDS Reporting)
INTERPRET: View Trends (CDS Publications)

Steps for Successful Benchmarking
Source: EDUCAUSE Review, Benchmarking to Inform Planning: The EDUCAUSE Core Data Service (2015).

Information Security Program Maturity
Information security program maturity is assessed in five key areas:
1. Information Security Organization
2. Information Security Policy
3. Data Security and Data Management Processes
4. Access Control Processes
5. Information System Security Processes

Information Security Program Maturity
Information security maturity is measured on the following scale:
1. Absent/Ad hoc (low maturity)
2. Repeatable
3. Defined
4. Managed
5. Optimized (high maturity)

Organizational Capacity for Information Security
Source: EDUCAUSE Core Data Service, Module 7, Question 5 (2014).
[Chart: median maturity scores on the 1 to 5 scale for Organization; Policy; Data Security and Data Management Processes; Access Control Processes; Information Systems Security Processes. Series: International, Europe, U.S. Non Spec.]
International Composite Score: 2.6; European Composite Score: 2.6; US Composite Score: 2.9 (median scores)

InfoSec Program Assessment Tool
Self-assessment tool
Based on ISO 27002
104 questions
Appropriate for institutional or unit use
View tool at: http://www.educause.edu/library/resources/information-security-program-assessment-tool

Information Security Guide
Effective practices and solutions
Created by higher ed security professionals for higher ed security professionals
Based on ISO 27002
View the Information Security Guide at: http://www.educause.edu/security/guide

Questions?
Please ask questions so that I don't have to show vacation pictures to entertain you for these last few minutes.

Joanna Grama
[email protected]
@runforserenity