Information Security as an Institutional Priority
Presented by Julia H. Allen, Networked Systems Survivability, Carnegie Mellon University.
1. Information Security as an Institutional Priority
Julia H. Allen
Networked Systems Survivability/CERT
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
® CERT, CERT Coordination Center, OCTAVE, CMM, CMMI, and Carnegie Mellon are registered in the U.S. Patent and Trademark Office
Sponsored by the U.S. Department of Defense
© 2005 by Carnegie Mellon University page 1
2. What Might Security as an Institutional Priority Look Like?
Leaders direct and control the institution to establish and sustain a culture of security in the institution's conduct
• beliefs, values, behaviors, capabilities, and actions
Security is viewed as a non-negotiable requirement of being 'in business.' [Allen 05]
In institutions of higher education: [EDUCAUSE 03]
• Leadership purported to be reactive rather than proactive
• Lack of clearly defined goals
• Goals of security, academic freedom, intellectual freedom viewed as antithetical
Allen, Julia. "Governing for Enterprise Security: An Introduction." June, 2005.
EDUCAUSE Center for Applied Research. "Information Technology Security: Governance, Strategy, and Practice in Higher Education." 2003.
3. What Might Security as an Institutional Priority Look Like? (cont)
Information security is a human enterprise
• "lack of security awareness by users" cited as top obstacle
• overriding impact of human complexities, inconsistencies, and peculiarities
People can become the most effective layer in an organization's defense-in-depth strategy
• with proper training, education, motivation
The first step is making sure they operate in a security conscious culture.
Ernst & Young. "Global Information Security Survey 2004." http://www.ey.com/global/download.nsf/UK/Survey_-_Global_Information_Security_04/$file/EY_GISS_%202004_EYG.pdf
4. American Council on Education Letter to Presidents Regarding Cybersecurity
• Set the tone
• Establish responsibility for campus-wide cybersecurity at the cabinet level
• Ask for a periodic cybersecurity risk assessment
• Request updates to your cybersecurity plans on a regular basis
From ACE President David Ward (February 28, 2003) http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
5. EDUCAUSE Framework for Action
• Make IT security a priority in higher education
• Revise institutional security policies; improve the use of existing security tools
• Improve security for future research and education networks
• Improve collaboration between higher education, industry, and government
• Integrate work in higher education with the national effort to strengthen critical infrastructure
Called for in EDUCAUSE "Higher Education Contribution to National Strategy to Secure Cyberspace," Jul 02 and [EDUCAUSE 03]. Cited in The National Strategy to Secure Cyberspace, Feb 03.
6. Questions to Ask
What is at risk?
How much security is enough?
How does an institution of higher education (IHE)
• achieve and sustain adequate security?
7. Growth in Number of Vulnerabilities Reported to the CERT/CC
(chart; no data values are readable from the slide)
8. Attack Sophistication vs. Intruder Knowledge
(chart plotting attack sophistication against intruder knowledge over the period 1990 to 2004. The milestones labelled on the chart, as readable from the slide: packet spoofing; automated probes/scans; techniques to analyze code for vulnerabilities without source code; Windows-based remote controllable Trojans (Back Orifice); widespread denial-of-service attacks; Internet social engineering attacks; increase in wide-scale Trojan horse distribution; hijacking sessions; distributed attack tools; GUI intruder tools; home users targeted; automated widespread attacks; anti-forensic techniques; executable code attacks (against browsers); widespread attacks on DNS infrastructure; widespread attacks using NNTP to distribute attack; sophisticated command & control; increase in worms; "stealth"/advanced scanning techniques; DDoS attacks; email propagation of malicious code)
9. Response Time
(chart: threat classes ordered by contagion timeframe, from fastest to slowest (seconds, minutes, hours, days, weeks or months): "Flash" threats, "Warhol" threats, blended threats, e-mail worms, macro viruses, file viruses. Annotations on the chart: for the fastest threats, human response: impossible; automated response: will need new paradigms; proactive blocking: possible. Further down, human response: difficult/impossible; automated response: possible. For the slowest classes, human response: possible.)
10. What Is At Risk?
• Trust
• Reputation; image
• Stakeholder value
• Community confidence
• Regulatory compliance; fines, jail time
• "Customer" retention, growth (staff, faculty, students, alumni, funding agencies)
• "Customer" and partner identity, privacy
• Ability to offer, fulfill transactions
• Staff, student morale
11. Trust
"The central truth is that information security is a means, not an end. Information security serves the end of trust. Trust is efficient, both in business and in life; and misplaced trust is ruinous, both in business and in life. Trust makes it possible to proceed where proof is lacking. As an end, trust is worth the price. Without trust, information is largely useless."
Geer, Daniel E. "Why Information Security Matters." Cutter Consortium Business-IT Strategies Vol. 7, No. 3, 2004.
12. Responsibility to Protect Digital Assets
In excess of 80 percent of an organization's intellectual property is in digital form [Business Week]
Duty of Care: Governance of Digital Security
• Govern institutional operations
• Protect critical assets and processes
• Govern employee conduct
• Protect reputation
• Ensure compliance requirements are met
Business Judgment Rule: That which a reasonably prudent director of a similar institution would have used [Jody Westby, PricewaterhouseCoopers, Congressional Testimony; case law]
13. Barriers to Tackling Security
• Abstract, concerned with hypothetical events
• A holistic, enterprise-wide problem; not just technical
• No widely accepted measures/indicators
• Disaster-preventing rather than payoff-producing (like insurance)
• Installing security safeguards can have negative aspects (added cost, diminished performance, inconvenience)
14. Questions to Ask
What is at risk?
How much security is enough?
How does an IHE
• achieve and sustain adequate security?
15. Shift the Security Perspective
From → To
Scope: Technical problem → Institutional problem
Ownership: IT → Institutional
Funding: Expense → Investment
Focus: Intermittent → Integrated
Driver: External → Institution
Application: Platform/practice → Process
Goal: IT security → Institutional continuity/resilience
16. Security to Resiliency
Managing to threat and vulnerability → Managing to impact and consequence
No articulation of desired state → Adequate security defined as desired state
Possible security technology overkill → Security in sufficient balance to cost, risk
17. A Resilient Institution Is Able To . . .
• withstand systemic discontinuities and adapt to new risk environments [Starr 03]
• be sensing, agile, networked, prepared [Starr 03]
• dynamically reinvent institutional models and strategies as circumstances change [Hamel 04]
• have the capacity to change before the case for change becomes desperately obvious [Hamel 04]
18. Security Strategy Questions
• What needs to be protected? Why does it need to be protected? What happens if it is not protected?
• What potential adverse consequences need to be prevented? At what cost? How much disruption can we stand before we take action?
• How do we effectively manage the residual risk?
19. Defining Adequate Security
The condition where the protection strategies for an organization's critical assets and processes are commensurate with the organization's risk appetite and risk tolerances
Risk appetite and risk tolerance as defined by COSO's Enterprise Risk Management Integrated Framework, September, 2004. [Allen 05]
20. Determining Adequate Security Depends On . . .
• Organizational factors: size, complexity, asset criticality, dependence on IT, impact of downtime
• Market factors: provider of critical infrastructure, openness of network, customer privacy, regulatory pressure, public disclosure
• Principle-based decisions: Accountability, Awareness, Compliance, Effectiveness, Ethics, Perspective/Scope, Risk Management, etc. [Allen 05]
21. Adequate Security and Operational Risk
"Appropriate security is that which protects the organization from undue operational risks in a cost-effective manner." [Sherwood 03]
"With the advent of regulatory agencies assessing an organization's aggregate operational risk, there needs to be a way of looking at the organization as a whole rather than its many parts." [Milus 04]
[According to Basel II, operational risks are risks of loss resulting from inadequate or failed internal processes, people, and systems or from external events. http://www.bis.org/publ/bcbs107.htm]
22. Questions to Ask
What is at risk?
How much security is enough?
How does an IHE
• achieve and sustain adequate security?
23. Shift the Security Approach
From → To
Ad-hoc and tactical → Managed and strategic
irregular → systematic
reactive → adaptive
immeasurable → measured
absolute → adequate
Security activities and measures of security performance are visibly aligned with strategic drivers and critical success factors.
24. Mobilizing Capabilities to Achieve/Sustain Adequate Security
(diagram of contributing roles)
• Critical Success Factors: determine priorities
• ES Governance: policy, oversight, sponsorship
• Audit: evaluates
• Risk Mgmt: clarifies risk tolerance, impacts
• IT Ops: delivers secure service, protects assets
• Project Mgmt: plans, tracks, ensures completion
• Security: defines controls for key IT ops processes
• Process Mgmt: enables
25. Mobilizing to Achieve/Sustain Adequate Security
(diagram: the same roles as on slide 24, Critical Success Factors, ES Governance, Audit, Risk Mgmt, IT Ops, Project Mgmt, Security and Process Mgmt, connected by the information that flows between them; the flow labels readable on the slide are Findings, Recommendations, Tasks, Improvements, Extent of compliance, Measures, Priorities, Determine Current State, Evaluate Strategies, Recommendations, Actions, Plan inputs, Priorities, Risks, Impacts, Results, Prioritized tasking, Evaluation, Eval criteria, Status, Plan updates, Resources, New improvements, Business case data, Plans, Requirements, Business case, Controls, Process definitions, Process steps, Contributing process areas)
IT Ops Processes
• Problem/Incident Mgmt
• Asset Management
• Availability Management
• Release Mgmt
• Integrity Management
• Configuration Mgmt
• Confidentiality/Privacy Management
• Change Mgmt
26. What Might Security as an Institutional Priority Look Like? (cont)
• No longer solely under IT's control
• Achievable, measurable objectives are defined and included in strategic and operational plans
• Departments/functions across the institution view security as part of their job (e.g., HR, Audit) and are so measured
• Adequate and sustained funding is a given
• Senior leaders visibly sponsor and measure this work against defined performance parameters
• Considered a requirement of being 'in business'
27. Information Security Governance Resources
April 2004: Corporate Governance Task Force report on Information Security Governance (Appendix E) http://www.cyberpartnership.org/init-governance.html
November 2004: EDUCAUSE ISG Assessment Tool for Higher Education http://www.educause.edu/LibraryDetailPage/666?ID=SEC0421
Section I: Organizational Reliance on IT
Section II: Risk Management
Section III: People
Section IV: Processes
Section V: Technology
28. Legal Perspective: IT Security for Higher Education
• Analyze applicable state laws and municipal ordinances
• Assess IS vulnerabilities and risks
• Review and update IS policies & procedures
• Review personnel policies & procedures for access to sensitive information
• Scrutinize relationships with third-party vendors
• Review the institution's insurance policies
• Develop a rapid response plan & incident response team
• Work together with higher education associations & coalitions to develop standards relating to IS
"IT Security for Higher Education: A Legal Perspective." Salomon, Kenneth; Cassat, Peter; Thibeau, Briana. Dow, Lohnes & Albertson, PLLC. EDUCAUSE/Internet2 Computer and Network Security Task Force, 2003. http://www.educause.edu/ir/library/pdf/csd2746.pdf
29. EDUCAUSE Resources
• Center for Applied Research (ECAR): http://www.educause.edu/ecar
• Security Task Force: http://www.educause.edu/security
• The Effective IT Security Guide for Higher Education
• Computer and Network Security in Higher Education
• Security Discussion Group
• Security Professionals Conference
30. For More Information
• Governing for Enterprise Security (http://www.cert.org/governance/ges.html)
• Enterprise Security Management (http://www.cert.org/nav/index_green.html)
• CERT web site (http://www.cert.org); ITPI web site (http://www.itpi.org); SEI web site (http://www.sei.cmu.edu)
• jha@cert.org
31. References
[Hamel 04] Hamel, Gary; Valikangas, Liisa. "The Quest for Resilience," Harvard Business Review, September 2003.
[Milus 04] Milus, Stu. "The Institutional Need for Comprehensive Auditing Strategies." Information Systems Control Journal, Volume 6, 2004.
[Sherwood 03] Sherwood, John; Clark, Andrew; Lynas, David. "Systems and Business Security Architecture." SABSA Limited, 17 September 2003. Available at http://www.alctraining.com.au/pdf/SABSA_White_Paper.pdf.
[Starr 03] Starr, Randy; Newfrock, Jim; Delurey, Michael. "Enterprise Resilience: Managing Risk in the Networked Economy." strategy+business, Spring 2003. Also appears in "Enterprise Resilience: Risk and Security in the Networked World: A strategy+business Reader." Randall Rothenberg, ed.
[Westby 04] Westby, Jody. "Information Security: Responsibilities of Boards of Directors and Senior Management." Testimony before the House Committee on Government Reform: Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, September 22, 2004. Available at http://www.reform.house.gov/UploadedFiles/Westby1.pdf.