New Roadmaps in Information Security - eunis.org
EDUCAUSE helps people who lead, manage, and use technology to make better decisions about:
Enterprise systems
Strategic leadership
Teaching and learning
Cybersecurity
Visit us at www.educause.edu.
EDUCAUSE
Cybersecurity Initiative
Established 2000
Yearly Security Professionals Conference
Mentoring Program
The Information Security Guide
The EDUCAUSE Cybersecurity Initiative (also referred to as the Higher Education Information Security Council or HEISC) guides and informs higher education institutions regarding information security, privacy, risk, and data protection policy and practices.
Information Security is a Higher Ed Top 10 IT Issue
Not Just Once in 2015…
But Twice.
Source: EDUCAUSE Top 10 IT Issues, Trends Interactive Graphic.
We Know Stealing Data is the Goal
User credentials/passwords
Personally identifiable information
Financial information
Health information
Proprietary information/trade secrets
Research data
Information about how networks and IT resources work
Confidential information that, if released, could cause personal embarrassment
Data Breaches by Industry: Europe (2005-September 2014)
Source: Center for Media, Data and Society, Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005-2014, October 2015.
[Chart: number of breaches and number of records exposed (millions) by sector: COM, EDU, GOV, MED, MIL, NGO]
Data Breaches by Industry: US (2005-April 2014)
Source: Just in Time Research: Data Breaches in Higher Education (ECAR, May 2014).
2015 Information Security Strategic Issues
1. Developing an effective information security strategy.
2. Ensuring that members of the institutional community receive infosec education & training.
3. Developing security policies for mobile, cloud, & digital resources.
4. Using risk management methodologies to identify & address infosec priorities.
5. Developing, testing, & refining incident response capabilities.
Issue #1: Information Security Strategy
High level set of priorities
Links information security goals to the institutional mission
A good strategy bolsters trust, reduces risk, ensures reliable operations
Gaps Between Importance and Effectiveness
Source: Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (ECAR, June 2014).
Top Three InfoSec Leader Titles (rank in parentheses)
Title                  All (n=545)   International (n=34)   European (n=7)   US (n=480)
CIO serves in role     17.43% (3)    11.76% (3)                              17.71% (3)
CISO                   18.17% (2)    14.71% (2)             22.22% (2)       18.75% (2)
InfoSec Officer        19.08% (1)    8.82%                  11.11% (3)       19.38% (1)
Mgr., IT Security      2.57%         14.71% (2)             11.11% (3)       1.67%
Network Administrator  2.94%         2.94%                  11.11% (3)       2.92%
Other                  15.96%        29.41% (1)             44.44% (1)       14.79%
Source: EDUCAUSE Core Data Service, Module 7, Question 2 (2014).
Institutional Governance Practices
Source: Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (ECAR, June 2014).
Recommendations: Information Security Strategy
Understand that information security is an institutional issue
Designate an individual responsible for information security
Use existing IT governance, risk, and compliance structures to elevate information security concerns
Issue #2: InfoSec Education & Training
IT systems and data used daily
Community members trust the institution to secure personal data
Institutional data also needs to be protected
People are the biggest threats to data
Data Breaches in Higher Education
Source: Just in Time Research: Data Breaches in Higher Education (ECAR, May 2014).
[Chart: US breaches by type, n=562; categories HACK, DISC, PORT, STAT, PHYS, INSD, CARD, UNKN; values shown: 36%, 30%, 17%, 7%, 5%, 3%, 0%, 1%]
Source: Center for Media, Data and Society, Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005-2014, October 2015.
[Chart: European breaches by type, n=11; categories Stolen (HACK), Exposed Online (DISC), Missing/Stolen Hardware (PORT); values shown: 45%, 36%, 18%]
Mandatory InfoSec Training
Source: EDUCAUSE Core Data Service, Module 7, Question 10 (2014).
[Chart: Self-Defense Education, percentage of institutions (0-60%) offering training to Faculty, Students, IT Staff, and New Employees, split into Available-not mandatory and Mandatory; groups All (545), International (34), European (7), US (480)]
Recommendations: InfoSec Education & Training
Realize that infosec education is difficult
Align training topics to particularized institutional needs
Consider tying some types of training to system access
Think about mandatory training opportunities
Issue #3: Security Policies for Mobile, Cloud, & Digital
Proliferation of user devices (BYOE)
Proliferation of outsourced services
Policies govern use of institutional data no matter where it's stored or how it's accessed
Institutional IT Strategies In Place
Source: EDUCAUSE Core Data Service, Module 1, Question 8 (2014).
[Chart: Institutional IT Strategies--Mobility, percentage of institutions (0-100%) with a strategy for BYOD, Cloud, Wireless access, and Mobile applications; groups All (829), International (48), European (9), US (720)]
Usage Guidance for Mobile Devices
Source: EDUCAUSE Core Data Service, Module 7, Question 5 (2014).
[Pie charts, segment labels not recovered: International (n=34): 39%, 21%, 27%, 9%, 3%; All (n=545): 29%, 26%, 25%, 15%, 5%; European (n=7): 44%, 11%, 44%; US (n=480): 29%, 26%, 24%, 15%, 5%]
Recommendations: Security Policies for Mobile, Cloud, & Digital
Recognize that the BYOE paradigm is here to stay
Consider policies that are based on data sensitivity, not specific technologies
Understand that the institution might have different protection needs for data in storage, transit, and use
Issue #4: Using Risk Management Methods
The potential for an unplanned, negative business outcome; IT risk is a business risk
Risks create challenges in meeting strategic goals
Identifying risks, assessing, and prioritizing them is a continual process
Institutional Risk Management Practices
Source: Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (ECAR, June 2014).
Balance Between Risk Control & Openness
Source: Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (ECAR, June 2014).
Recommendations: Using Risk Management Methods
Understand that risk management is a process
Seek to collaborate with others when addressing IT risk
Use existing IT risk or enterprise risk management structures to elevate information security concerns
Issue #5: Incident Response Capabilities
Incidents are inevitable; data breaches are inevitable
Incident management has a lifecycle
Plan in advance for incidents
Incident Response Unit Responsibility
Source: EDUCAUSE Core Data Service, Module 7, Question 1 (2014).
[Chart: Incident Management responsibility, percentage of institutions (0-100%) by unit: Central, Shared, System, NA; groups All (545), International (34), European (7), US (480)]
Incident Response Metrics
Source: EDUCAUSE Core Data Service, Module 7, Question 12 (2014).
[Chart: Incident Response Metrics, percentage scale 0-45%, by group All (545), International (34), European (7), US (480); metrics listed below]
Incident rate
Mean time between security incidents
Mean time to incident discovery
Mean time to recovery
Percentage of incidents detected by internal controls
Recommendations: Incident Response Capabilities
If you're currently dealing with a security incident, remember these four basic tips:
1. Don't panic
2. Do a quick assessment
3. Report the problem
4. Determine a course of action
Good incident management practices will help prevent future incidents
Collaboration is required
Core Data Service: 3 Easy Steps
1. Contribute: add data (CDS Survey)
2. Compare: access data (CDS Reporting)
3. Interpret: view trends (CDS Publications)
Steps for Successful Benchmarking
Source: EDUCAUSE Review, Benchmarking to Inform Planning: The EDUCAUSE Core Data Service (2015).
Information Security Program Maturity
Information security program maturity is assessed in five key areas:
1. Information Security Organization
2. Information Security Policy
3. Data Security and Data Management Processes
4. Access Control Processes
5. Information System Security Processes
Information Security Program Maturity
Information security maturity is measured on the following scale:
1. Absent/Ad hoc (low maturity)
2. Repeatable
3. Defined
4. Managed
5. Optimized (high maturity)
Organizational Capacity for Information Security
Source: EDUCAUSE Core Data Service, Module 7, Question 5 (2014).
[Radar chart, scale 1-5, on five axes: Organization; Policy; Data Security and Data Management Processes; Access Control Processes; Information Systems Security Processes; series International, Europe, US]
International Composite Score: 2.6; European Composite Score: 2.6; US Composite Score: 2.9 (median scores)
InfoSec Program Assessment Tool
Self-assessment tool
Based on ISO 27002
104 questions
Appropriate for institutional or unit use
View tool at: http://www.educause.edu/library/resources/information-security-program-assessment-tool
Information Security Guide
Effective practices and solutions
Created by higher ed security professionals for higher ed security professionals
Based on ISO 27002
View the Information Security Guide at: http://www.educause.edu/security/guide
Professional Development
Acknowledgment of new roles
Focus on information security leadership
Mentoring
Working Groups
Evolution and Ascent of the CISO (EDUCAUSE Review): https://www.educause.edu/visuals/shared/er/extras/2014/CISO/index.html
CPO in Higher Education (EDUCAUSE Review): http://www.educause.edu/ero/article/chief-privacy-officer-higher-education
A model for IT leadership
Source: EDUCAUSE and Jisc, Defining the Strategic Leader (March 2015).
Questions?
Please ask questions so that I don't have to show vacation pictures to entertain you for these last few minutes.
Joanna Grama
@runforserenity