
State of the IT Security Program UTHSC-H FY 04

Introduction. Statement of Purpose/Goals. Organizational Structure of IT Security Program. What does IT Security do? The

benjamin

Presentation Transcript


    1. State of the IT Security Program @ UTHSC-H FY04
       Randle Moore, Chief Information Security Officer

    3. Statement of Purpose
       The purpose of the IT Security Program at UTHSC-H is to provide a secure information technology infrastructure for schools and departments to utilize in the pursuit of the institution's goals in research, teaching, and healthcare.

    4. Goals of IT Security Program
       - C (Confidentiality): Ensuring that information is viewed only by authorized individuals.
       - I (Integrity): Ensuring that data and systems are accurate and not modified by unauthorized processes or personnel.
       - A (Availability): Ensuring that data is available for use when needed.

    5. Organizational Structure
       - IT Security Steering Team
         - Consists of representatives from each school/unit
         - Responsible for setting security policy/procedure
         - Ultimate authority for determining exceptions to policy
       - IT Security Core Team
         - Provide technical guidance to ITS Steering Team
         - Determine security solutions to support policy
       - IT Security Technical Team
         - Provide technical input to the impacts of policy or solutions
         - Discuss methods of security integration
       - IT Security Group

    6. ITS Program Components Skilled Staff - 5 personnel Policies & Procedures HOOP 13 IT Security Policies (www.uth.tmc.edu/itsecurity) Risk Assessments Vulnerability Inventory Disaster Recovery HIPAA Security Training All Employees Internal department and IS staff E-mail Campaign Architecture/Technology Redundant hardware (firewalls, IDS/IPS, routers, etc.) Internal security zones prevent spread of infection Secure wireless infrastructure Anti-virus, desktop firewall software SPAM management software Patch management tools Data encryption (digital IDs, sFTP, SSH, etc.) Monitoring and Logging Firewall IDS/IPS Remote Access (Dial-up, VPN) MRTG and Packetshaper (track bandwidth utilization) Data Backups Different schedule based on risk assessment Incident Handling & Reporting Auto-alerts allow 24/7 response (staff can respond to incidents from home) Quarantine plan for virus/worm outbreaks Monthly report to DIR and Executive Management Maintain Remote Access Security VPNs Modems Business Partner Peering Relationships Assist in compliance with federal, state, and UT System mandates (TAC 202, FERPA, HIPAA, etc.)

    7. The Why of IT Security
       - Academic and research endeavors are increasingly dependent on information technology.
       - Integrating security into the equation helps ensure technology can be trusted and is available when it is needed.
       - Historically, security on the Internet has been an afterthought.
       - Unfortunately for us, the digital landscape has changed.

    8. The Why of IT Security
       - One new virus for every hour of every day
       - P2P file sharing, instant messaging, and IRC are significant vectors of infection (7 of top ten threats used one or more of these)
       - Average time from vulnerability announcement to exploit code is under six days
       - 30,000 machine bot networks
       - Attacks against user system and web applications are on the rise

    9. The Why of IT Security: Threat Model
       - Malicious Individuals (Hackers/Crackers)
       - Disgruntled Employees/Students
       - Viruses/Worms: SoBig.F, MS Blaster, etc.
       - Spyware: Gator, Hotbar, NetOptimizer, etc.
       - Denial of Service (DoS) Attacks (including unauthorized use of resources)
       - Organized Crime

    10. Why are hackers interested in us?
       - Easy target (much more open security posture)
       - High-Value target (Lots of bandwidth)
         - Illegal file sharing
         - DoS attacks
       - Visibility (name in the paper)
       - Data theft/manipulation
         - SSNs
         - Patient data
         - Research data

    11. How are we doing?
       - Since the security program's inception, we have done a fantastic job of securing the perimeter.
       - While the perimeter security must still be maintained, focus needs to shift to the internal threat, including our business partners.
       - Training and security awareness are key.
       - Compliance and accountability (requires executive backing) are fundamental.

    12. Viruses, Worms, and Spyware
       - Many devastating virus and worm attacks have literally shut down other TMC and UT component networks over the past year (SQL Slammer, SoBig.F, MS Blaster, etc.).
       - Our network has remained functional with only isolated cases of infection, almost entirely caused by personnel or students connecting laptops infected off-campus.
       - Spyware continues to be a pervasive problem on-campus, due to a lack of user education and security controls on the desktops.

    13. Internal Penetration Test
       - Recent assessment by IT Security Team showed significant internal problems:
         - Account Management and Password policies not being enforced everywhere
         - Too many users have local administrator access
         - Improper level of security placed on new servers/applications
       - Access was achieved to patient data, student data, employee data (including SSNs), UTPD alarm system server, badging server, HRMS, and over 300 desktops.
       - Lists of passwords were available from many systems, including the main University LDAP servers.

    14. Cost of IT Security Program
       - It is easy to see IT Security as a cost center
       - Security is typically viewed as a negative deliverable (if nothing bad happens)
       - Metrics are difficult to develop without comparison (we didn't get this, but THEY did)
       - Security is not a cost, but a benefit.

    15. Why the cost disparity? Not all traditional security functions are managed by the central IT Security Team: Disaster Recovery Planning Host-based solutions (desktop anti-virus, firewall, patching solutions, etc.) SPAM Management E-mail Virus Scanning User Account Management Good perimeter defense

    16. CIAS Top 3 Barriers
       - Resource Allocation: Security programs are underfunded. Based on available data, the UTHSC-H IT Security program does not compare favorably to other UT components.
       - Decentralized IT: Decentralization introduces significant risk to information systems. UTHSC-H has made some progress towards centralizing IT, but has some additional work left to do in this area.
       - Accountability: Academic environments are used to an open, shared environment with little to no accountability for information security. This remains a significant problem.

    17. Conclusion
       - UTHSC-H has a sound IT Security program. To date, it has been successful in protecting the institution's information resources.
       - Constant effort is required to maintain the current infrastructure, keep up with emerging threats, and to bolster areas needing improvement.
       - Additional consolidation of IT resources, as well as better coordination of IT Security projects, is needed.

    18. Q & A
