NSF and IT Security

  1. NSF and IT Security
     George O. Strawn, NSF CIO

  2. Outline
     • Confessions of a CIO
     • Otoh
     • NSF matters
     • IT security progress at NSF
     • IT security progress in the Community
     • The future of IT security

  3. Confessions of a CIO
     • To a scientist, there are more interesting things in the world than IT security
     • Until I became a CIO, I also had little interest in the subject
     • I was surprised to find out how much can be done for IT security with today’s tools (i.e., we’re not using the tools we have)
     • I worry about unfunded mandates, too

  4. But …
     • It’s not interesting doing no science on a shut-down-for-scrubbing facility
     • Attending to IT security requires a culture change for most people and organizations
     • You have to learn what the elements of an IT security program are
     • Full cost accounting would show that lost productivity and remediation can exceed the cost of a security program

  5. NSF Matters
     • NSF makes $5B+ of assistance awards annually, many to faculty and students at US colleges and universities
     • Assistance awards are outside the FARs; they used to be viewed as gifts to HE; now they are viewed as highly orchestrated purchases of research capability
     • NSF awardees are bound by terms and conditions, which tend to say what is required, but not how to do it

  6. More NSF context
     • NSF support can be approximately divided into $3B for research, $1B for education, and $1B for research tools
     • Of the $1B support for research tools, 36 projects are designated as MREFC-class facilities (called large facilities below)
     • Most of our large facilities look to the CIO like networked computers with strange I/O devices attached
     • We are focusing on large facility IT security

  7. IT Security at NSF
     • Management committed to IT security as a strategic priority
     • The staff created and implemented a comprehensive IT security program
     • We have received sustained levels of investment (~10% of IT budget)
     • We have performance goals and measures

  8. Security Management at NSF
     • Roles and responsibilities (CIO & SISO)
     • Policies and procedures (SWG)
     • FISMA, including system inventory and Certification & Accreditation (C&A)
     • Plan of action and milestones (POAM)
     • Security reviews and assessments (contingency planning, DR, COOP)
     • Security awareness and training

  9. Security Technology at NSF
     • Connectivity standards (and deconn)
     • External and internal networks
     • Laptop scanning
     • Firewall architecture
     • Vulnerability scans and penetration tests
     • Anti-virus protection
     • Patch management
     • Intrusion detection

  10. Thinking about ITsec
     • Consider both risk (possible damage) and vulnerability (possible danger)
     • Design security into systems
     • Keep hackers out: proactive security
     • Detect computer incidents
     • Report and remediate: reactive security

  11. Keeping them out
     • Firewall(s): shut down all possible ports and open necessary ports by special rules
     • Passwords: use strong passwords and change them; consider OTP
     • Encrypt wireless net traffic
     • Run the latest virus scans constantly
     • Patch, patch, patch known vulnerabilities
     • Attack your own system

  12. Detection/Reaction
     • Intrusion Detection services
     • Intrusion Detection techniques
     • CIRT (computer incident response team)
     • Report to Fed CIRC (federal computer incident report center)
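Slide 12 lists intrusion detection and a CIRT as the reactive half of the program without saying what a detection actually looks like. The Python below is an added example (not from the slides or from NSF): one simple detection rule, repeated failed logins from a single source within a short window, run over constructed sshd-style log lines, producing incident records a CIRT could triage. The hostnames, IP addresses and timestamps are all made up, and the rule also catches the case that matters most for escalation: a successful login from a source that was already flagged.

```python
"""Added example (not from the slides): a minimal brute-force login detector
run over constructed auth-log lines, emitting records for incident response."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an sshd-like format; hosts and addresses are fictitious.
SAMPLE_LOG = """\
2004-03-01 10:00:01 host1 sshd[201]: Failed password for invalid user admin from 198.51.100.7 port 40001
2004-03-01 10:00:03 host1 sshd[202]: Failed password for root from 198.51.100.7 port 40002
2004-03-01 10:00:05 host1 sshd[203]: Failed password for root from 198.51.100.7 port 40003
2004-03-01 10:00:06 host1 sshd[204]: Accepted publickey for alice from 192.0.2.10 port 50000
2004-03-01 10:00:08 host1 sshd[205]: Failed password for root from 198.51.100.7 port 40004
2004-03-01 10:00:09 host1 sshd[206]: Failed password for root from 198.51.100.7 port 40005
2004-03-01 10:05:00 host1 sshd[207]: Failed password for bob from 192.0.2.10 port 50001
2004-03-01 10:15:00 host1 sshd[208]: Accepted password for root from 198.51.100.7 port 40006
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\S+) sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+$"
)


def parse_line(line: str):
    """Return a dict for a login-outcome line, or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, outcome, method, user, src = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "host": host, "outcome": outcome, "method": method, "user": user, "src": src,
    }


def detect(log_text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding-window rule: `threshold` failures from one source within
    `window_seconds` raises a brute_force event; any later success from a
    flagged source raises a higher-severity success_after_brute_force event."""
    events = []
    failures = defaultdict(list)   # source address -> timestamps of recent failures
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["outcome"] == "Failed":
            recent = failures[rec["src"]]
            recent.append(rec["ts"])
            cutoff = rec["ts"] - timedelta(seconds=window_seconds)
            recent[:] = [t for t in recent if t >= cutoff]      # drop entries outside the window
            if len(recent) >= threshold and rec["src"] not in flagged:
                flagged.add(rec["src"])
                events.append({"type": "brute_force", "severity": "medium",
                               "src": rec["src"], "host": rec["host"],
                               "count": len(recent), "ts": rec["ts"]})
        elif rec["outcome"] == "Accepted" and rec["src"] in flagged:
            events.append({"type": "success_after_brute_force", "severity": "high",
                           "src": rec["src"], "host": rec["host"],
                           "user": rec["user"], "ts": rec["ts"]})
    return events


if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        print(ev)
```

Only the flagged source produces events; the single failure from 192.0.2.10 stays below threshold, which is the trade-off any such rule makes between noise for the CIRT and missed low-and-slow attempts.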

  13. Progress in the Community
     • FacSec subgroup of NSF Security Working Group (SWG)
     • Large Facility Security Workshop(s)
     • Educause Security Task Force/Internet2
     • HE moving towards
       – Separating authentication and authorization
       – Using stronger authentication
       – Sharing/bridging authentication

  14. The future of IT security
     • Culture changes slowly: management attention and/or incidents can speed it up
     • Investment is required
     • Next generation IT security products and services may be better
     • Next generation hackers will be worse
     • Good luck to us all!
