what every cbo should know about it security l.
Skip this Video
Loading SlideShow in 5 Seconds..
What Every CBO Should Know About IT Security PowerPoint Presentation
Download Presentation
What Every CBO Should Know About IT Security

Loading in 2 Seconds...

play fullscreen
1 / 22

What Every CBO Should Know About IT Security - PowerPoint PPT Presentation

  • Uploaded on

Robert Clark Director of Internal Auditing Georgia Institute of Technology Jack Suess VP of Information Technology University of Maryland, Baltimore County. What Every CBO Should Know About IT Security. Monday, July 10, 2006. Overview.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'What Every CBO Should Know About IT Security' - dana

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
what every cbo should know about it security

Robert ClarkDirector of Internal AuditingGeorgia Institute of Technology

Jack SuessVP of Information TechnologyUniversity of Maryland, Baltimore County

What Every CBO Should Know About IT Security

Monday, July 10, 2006

  • Why IT Security should be everyone’s concern – not just the IT staff
  • Plethora of legal compliance issues
  • Potential risk factors facing organizations
  • Case studies and high profile examples
  • Fiduciary role of managers in safeguarding these assets
  • Effective practices from which to leverage
  • Resources and guidance available
introduction to the security task force of educause
Introduction to the Security Task Force of EDUCAUSE
  • Formed in July 2000
  • Current Co-chairs:
    • Jack Suess, UMBC (2003-2006)
    • Joy Hughes, George Mason University (2004-2007)
  • Executive Committee of CIO’s, Security Professionals, and Professional Staff
  • EDUCAUSE & Internet2 Staff Support
  • Coordination with Higher Education IT Alliance
strategic goals of the security task force
Strategic Goals of the Security Task Force

Overarching Goals

  • Education and Awareness across the campus and within our IT organizations
  • Standards, Policies, and Procedures
  • Security Architecture and Tools
  • Organization, Information Sharing, and Incident Response

Focused Activities

  • Data privacy and protection
  • Incident detection and response
rapid increase in regulatory issues over data
Rapid increase in regulatory issues over data
  • Gramm-Leach-Bliley Act
  • Sarbanes-Oxley (not “directly” applicable to higher ed, but indirectly)
  • California SB 1386 and 23 other state data disclosure laws
  • VISA/Mastercard PCI requirements
  • OMB sets guidelines for Federal employee laptop security
imperative for action
Imperative for Action
  • Over fifty universities have had public data disclosures the last 18 months
  • Total number of individuals impacted is over 2.5 million
  • At least a half-dozen incidents have had direct costs for remediation and notification exceeding one million dollars
what are the causes of personal information release
What Are The Causes of Personal Information Release?
  • Most of these releases were in tertiary systems supporting a single department or were associated with an individual’s laptop or desktop computer
  • The reason for these releases run the gamut - stolen laptops, virus and worms, unpatched software, programming errors, and human error
  • CIFAC, an NSF sponsored study on security incidents found in reviewing incidents that the overwhelming cause was inadequate management oversight (insufficient procedures or processes) or inadequate training
when bad stuff happens
When Bad Stuff Happens…
  • Ohio University – 5 intrusions resulting in compromise of personal data for 300,000 students and alumni
    • Will spend over $4M to upgrade IT security and policies
  • GMU – compromise of personal data on campus card server for over 30,000
  • UC Berkeley - stolen laptop with 1.4 million ID’s resulted in largest higher-ed notification to date
  • Georgia Tech – 57,000 credit card numbers accessed
whose problem is it git example
Whose Problem Is IT? GIT Example
  • IT staff – (Examining systems; forensic analysis)
  • Internal Auditing – (Investigating incident; examining controls; facilitating discussions with appropriate management; dealing with VISA; interacting with law enforcement)
  • CBO – (Examining GIT policies; VISA threatened to pull the plug on ALL credit card processing at GIT; would have had significant impact on other areas of GIT operations)
  • Legal Affairs – (Negotiations with VISA; dealing with Attorney General; FBI, GBI, Secret Service)
  • Ferst Center for the Arts Management – (All ticketing operations suspended; major PR issues with customers; over 30,000 first class letters sent to customers affected; Help Line staffed)
  • Auxiliary Services management; Institute Communications and Public Affairs (dealing with media); Chief of Police; Office of the President
lessons learned
Lessons Learned
  • Well designed process for responding to IT incidents provided clear guidance
  • http://www.audit.gatech.edu/IAcollabrative2.pdf
  • Evident that this was an “Institute issue,” not just an “IT issue” (shared responsibility)
  • Strong collaboration amongst management to ensure consistent action
  • Costly – total “cost” in time for those involved over $100K
  • Led to other initiatives to locate sensitive info across campus
  • Led to committee to establish Data Access Policy
  • Led to increased awareness of IT risk assessment
what s keeping us from doing this right
What’s Keeping Us From Doing This Right?
  • Organizational challenges for IT security
  • The tension between the academy and the enterprise
  • Lack of adequate knowledge about the nature of IT issues
  • Over reliance on techno-centric solutions
  • IT security not recognized a shared responsibility
  • Security viewed as counter to organizational productivity
  • Reactive responses vs. systemic framework for sustainable solutions
  • No budgets established and resources allocated to conduct IT risk assessments
  • Unclear on guidance to adopt and effective practices to follow
review of industry frameworks
Review of Industry Frameworks
  • COSO (Committee of Sponsoring Organizations of the Treadway Commission) 1987-1992
  • COBIT (Control Objectives for Information and related Technology) 1996-2000
  • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) 2001
  • ISO 17799 (International Organization for Standardization – Information Technology: Code of Practice for Information Security) 2000
new 2004 erm coso framework
New (2004) ERM COSO Framework

Org. structure (e.g., Board, policies, mgmt’s risk appetite

Objectives in Strategy, Operations, Reporting,Compliance

What can go wrong?

Likelihood and impact of risks

How to manage risks? (Share, avoid, reduce, accept?)

Procedures to ensure risk mitigation is effective

Education & awareness of policies, effective practices

Mgmt reviews & Auditors assess

cobit evaluation of three key areas












COBIT: Evaluation of Three Key Areas
  • Information Criteria
    • Quality (Cost, delivery)
    • Fiduciary responsibility (Reliability, compliance, Efficiency and effectiveness)
    • Security (confidentiality, integrity, availability)
  • IT resources (Data, Application systems, Technology, Facilities, People)
  • IT Processes (Domain, Processes, Tasks/Activities)
  • Phase I: Build asset-based threat profiles
    • What’s important to the org; how are assets protected?
  • Phase II: Identify infrastructure vulnerabilities
    • IDing classes of IT components related to each critical asset; how resistant to network attacks?
  • Phase III: Develop security strategy and plans
    • ID risks to org’s critical assets; what is being done to protect them?
iso 17799 defines best practice and certification process
ISO 17799: Defines Best Practice and Certification Process

Detailed security standard; organized into ten major sections:

  • Security policy
  • Security organization
  • Asset classification & control
  • Personal security
  • Physical & environmental security
  • Communications & operations management
  • Access control
  • Systems development & maintenance
  • Business continuity management
  • Compliance
risk assessment models
Risk Assessment Models
  • NIST – Security Self-Assessment Guide for Information Technology Systems
  • NIPC (National Infrastructure Protection Center; part of Dept. of Homeland Security)
  • NSA (National Security Agency)
  • ISO 17799 (International Standards Organization, "a comprehensive set of controls comprising best practices in information security“)
  • All solid guidance but none are higher-ed focused
higher ed focused risk assessment tools
Higher-Ed focused risk assessment tools:
  • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) - developed at the CERT Coordination Center at Carnegie Mellon University
  • STAR (Security Targeting and Analysis of Risks) – developed and used at Virginia Tech
  • Information Security Governance (ISG) Assessment Tool (http://www.educause.edu/ir/library/pdf/SEC0421.pdf)
  • EDUCAUSE Effective Practices Guidehttp://www.educause.edu/EffectivePracticesandSolutionsinSecurity/1246
  • Risk Assessment Framework:


outline of risk assessment framework
Outline of Risk Assessment Framework
  • Phase 0 : Establish Risk Assessment Criteria for the Identification and Prioritization of Critical Assets (a one-time process)
    • 1: Establish Risk Assessment Criteria
    • 2: Apply the Critical Asset Criteria to Classify Data Collections and Related Resources
  • Phase 1: Develop Initial Security Strategies
    • 1: Strategic Perspective – Senior Management
    • 2: Operational Perspective – Departmental Management
    • 3: Practice Perspective – Staff
    • 4: Consolidated View of Security Requirements
outline of risk assessment framework cont
Outline of Risk Assessment Framework (cont.)
  • Phase 2: Technological View - Identify Infrastructure Vulnerabilities
    • 5: Key Technology Components
    • 6: Selected Technology Components Evaluation
  • Phase 3: Risk Analysis - Develop Security Strategy and Plans
    • 7: Risk Assessment
    • 8: Protection Strategy and Mitigation Plans
recommendations for cbo s
Recommendations for CBO’s
  • Data disclosures put your institution at great financial risk and CBO’s need to understand the risks and issues
  • Foster collaborative relationships with the Provost, CIO, CFO, and Chief Auditor to make IT security a campus priority. Consider using the building organizational capacity model to analyze your approach to IT Security.
  • Research has shown that policies, procedures, and management oversight are the critical factors for success. This is often a strength of CBO’s that can be shared with IT.
  • Partner with IT to integrate IT security throughout your own organization and promote the message that IT security is a “shared responsibility”