Northwestern University Information Technology Information and Systems Security/Compliance February 2005

Post on 20-Dec-2015

Page 1

Northwestern University Information Technology

Information and Systems Security/Compliance

February 2005

Page 2

Dave Kovarik

• Office: (847) 467-5930

• Email: [email protected]

• 1800 Sherman Ave., Evanston, Suite 600

• 20+ years in Information Security practice

• CISSP: Certified Info Systems Security Professional

• CISM: Certified Information Security Manager

Page 3

Information and Systems Security/Compliance

Office of the Vice President

Mort Rahimi, VP & CTO

Pat Todus, AVP & Deputy CIO

Dave Kovarik, Director

Sharlene Mielke, Disaster Recovery

Roger Safian, Information Security

Page 4

• Purpose

Enable the University to conduct its business in a secure manner

Maintain that delicate balance between service and security

Page 5

• Primary Areas of Responsibility

Security – Information Protection Services

Disaster Recovery / Business Continuity

Compliance - Regulatory, University policy

Page 6

• Basic Tenets of Information Security - CIA

Confidentiality

Integrity

Availability/Accessibility

…and a few more

Control (access)

Individual accountability

Audit trails (monitoring)

Page 7

• Provide direction

Plans: Strategic, Operational

Security Architecture - compatible with and complementary to the System Architecture

Aligned with business plans

Page 8

• We want to be your Business Partner

Working together toward common goals

Design information protection solutions that support your business

• We have a Service & Support Orientation

Page 9

• Develop University policy and standards that address information assets

A collaborative effort, exercising sound judgment, across all lines

• Focused on Individual Responsibility and Accountability

Page 10

• Accommodates regulatory and legislative requirements (HIPAA, FERPA, GLBA, Sarbanes-Oxley, U.S. Patriot Act, DMCA, FTC, government-funded programs, et al.)

• Employs business and industry “best practice”

• Ensures availability through recoverability

Page 11

• Innovative and flexible, focused on…

People (Largest Asset & Vulnerability)

Process

Technology

• Based on Risk

Protection commensurate with value

Page 12

• Risk Assessment

Recognize Threat conditions (now and foreseeable)

Establish our Vulnerability to threat conditions

Determine the Risk

• Risk Management

Control, minimize, eliminate, transfer or otherwise mitigate the risk

Page 13

• Forward-looking

Anticipating and responding to client needs

Requires early involvement

• Effective protection schemes

Efficient in terms of resources: cost, time, personnel and delivery

Provide a competitive advantage: “Client Confidence” factor

Page 14

• Security Awareness and Training

What’s in it for me?

Timely, Consistent, Persistent

“Tell ’em, tell ’em again, then tell ’em one more time, just to be sure!”

• Communication

360 degrees

Page 15

• Dave Kovarik (847) 467-5930 [email protected]

• Sharlene Mielke (847) 467-7804 [email protected]

• Roger Safian (847) 491-4058 [email protected]

Page 16

Thank You !!!

Your Questions / Discussion are Welcome…