
Asset-based Security: Planning for the Shift

Learn about the importance of asset-based security and how to shift your approach in order to protect critical systems and data.

dickersona


Presentation Transcript


  1. The Disintegrating Perimeter: Planning for the Shift to Asset-based Security
     Adam Goldstein, CCNP, CISSP
     IT Security Officer, Villanova University

  2. Introduction
     • Overview of Villanova and IT
     • Academic Strategic Plan
     • Evaluation of our environment
     • Need for shift in our approach
     Villanova University 2005

  3. Discussion Outline
     • Define Asset-based approach
     • The Disintegrating Perimeter and other challenges
     • The Plan
     • IT Security Model
     • Strategic Plan
     • IT Scorecard

  4. Asset-based Security: Focuses security efforts based on the value of the information system and data

  5. Why Asset-based Security
     • Higher education institutions face different challenges in providing information assurance
     • Internal security incidents on the rise
     • Cannot secure every system

  6. The Disintegrating Perimeter
     • Technological Changes
     • Elevated Risks
     • Obstacles for Higher Education Institutions

  7. Disintegrating Perimeter-Technological Changes
     • Mobile Computing/Wireless Networks
     • Increased Remote Access Needs
     • Third-Party integration
       - Business partners
       - Research projects
       - Other institutions

  8. Disintegrating Perimeter-Elevated Risks
     • Improper Handling of University Data
       - Intent to commit fraud
       - Intent to commit espionage
       - Intent to harm an institution’s reputation
     • Disruption of Critical Services
       - Unintentional disruption
       - Malicious disruption
     • Unauthorized Access to University IT Resources

  9. The Disintegrating Perimeter-Higher Ed Obstacles
     • Public Access Requirements
     • Diversity of Systems
     • Diversity of User Population
     • Limited staff and resources for information security

  10. Shifting Focus- Asset-based Security
     • In this environment, Information Assurance cannot be an all or nothing proposition
     • The most important information “assets” must be protected first

  11. Strategic Approach- The Plan
     • Set goals by adopting a security model
     • Measure existing compliance with model
     • Create initiatives to improve compliance
     • Prioritize initiatives
     • Track progress

  12. Purpose of the Security Model
     The Model intends to:
     • Detail Villanova University’s overall vision of information technology security
     • Set security standards for University IT systems and processes

  13. Format of Security Model
     • The model uses a hierarchical architecture
     • All University systems and processes are placed in a clearly defined security layer
     • Each layer sets standards for security controls, administrative procedures, user interaction, and acceptable risk.
     • The boundaries between the layers serve to prevent unauthorized access from lower security layers to higher security layers

  14. Security Model Layers
     There are three layers to the Security Model:
     • University Systems – Systems not directly administered by UNIT
     • Core UNIT Systems – Academic, Administrative and IT systems administered by UNIT
     • Security Domains – Systems that contain sensitive data, perform critical University functions, and/or require high security environments

  15. Security Layer Definition
     Each layer is defined by the following criteria:
     • Included Systems: The systems and resources that fall under the specific layer
     • Security Controls: Specify the baseline security standards required at the given level. Controls include:
     • Technical Controls: Hardware and software security requirements
     • Administrative Controls: Required security measures for system administration
     • User Interaction: Security requirements for system users
     • Exposures: Assumed risk at the given layer

  16. Strategic Plan- Initiatives
     • Assessment of our current state against the Security Model highlighted deficiencies
     • Determined initiatives to protect assets
     • Prioritized initiatives and developed multi-year plan

  17. Strategic Plan – Technical Initiatives
     • Firewalls/network segmentation
     • Network traffic scanning
     • Integrity checking
     • Enhanced monitoring tools
     • Secure remote access

  18. Strategic Plan- Administrative Initiatives
     • Change management procedure
     • Incident Response Policy
     • Security Standards
     • Internal information system audit process
     • Security Monitoring Procedure
     • Data Handling Procedure
     • “Focused” User Awareness Campaign

  19. Strategic Plan- IT Security Scorecard
     • Developed a scorecard that rated compliance with the security model
     • Updated quarterly to monitor improvements
     • Highlights weaknesses and aids in setting priorities

  20. Benefits of Asset-based Approach
     • Critical systems better protected from internal threats
     • Critical data is more secure
     • Heightened awareness among end users
     • System owners more involved with security practices
     • Increased compliance with security standards
     • Lowered incident response time

  21. Challenges to Asset-based Approach
     • Overcoming “higher ed” obstacles
     • Legacy systems
     • Asset inventory

  22. Thanks!
     adam.goldstein@villanova.edu
