Download
information security program n.
Skip this Video
Loading SlideShow in 5 Seconds..
Information Security Program PowerPoint Presentation
Download Presentation
Information Security Program

Information Security Program

187 Views Download Presentation
Download Presentation

Information Security Program

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Information Security Program March 22, 2017 Tom Ambrosi Chief Information Security Officer

  2. https://er.educause.edu/articles/2017/1/top-10-it-issues-2017-foundations-for-student-successhttps://er.educause.edu/articles/2017/1/top-10-it-issues-2017-foundations-for-student-success

  3. Penn State University President – Eric Barron • “We all will need to take additional steps to protect ourselves, our identities and our information from a new global wave of cybercrime and cyberespionage," Barron said in his statement. "Well-funded and highly skilled cyber criminals have become brazen in their attacks on a wide range of businesses and government agencies, likely in search of sensitive information and intellectual property.“ • "In this particular case we are dealing with the highest level of sophistication," Barron said. "Unfortunately, we now live in an environment where no computer network can ever be completely, 100 percent secure.“ Mandiant • "Advanced cyberattacks like this -- sophisticated, difficult to detect and often linked to international threat actors -- are 'the new normal,'" said Nick Bennett, Mandiant's senior manager of professional services. "No company or organization is immune -- the world's leading banks, energy companies, retailers and educational institutions have all been and will be targets."

  4. Program Requirements/Drivers • Required to comply with Federal, State & Industry Standards & Regulations • FERPA • HIPAA • PCI DSS v3.1 – 6.1, 10.6, 12.2 • GLBA • Washington State OCIO Policy 141 – Securing Information Technology Assets

  5. Program Governance Initiatives • Governance Structure • Information Security Program Strategy • Information Security Policies • University Security Policy • Update to University Data Policies • Security & Privacy Accountabilities, Roles & Responsibilities • Standards & Compliance Frameworks • PCI, HIPAA Requirements / Drivers

  6. Executive Perspectives on Top Risks for 2017 https://www.protiviti.com/US-en/insights/protiviti-top-risks-survey

  7. Executive Perspectives on Top Risks for 2017

  8. Institutional Risk Areas For Public Research Institutions • Financial & Economic Conditions • Ability to Recruit Quality Students, Faculty & Staff • Business Continuity • Physical Infrastructure • WSU IT Infrastructure • Legal & Regulatory Compliance • Safety & Security • Research • Reputation & Brand Requirements / Drivers

  9. Information Security & Privacy Risk Areas • Cyber Attacks & Data Security • Advanced Threats to C-I-A • Data Privacy Breaches • Federal, State, Industry Regulations • Legal & Regulatory Compliance • Outsourcing & Cloud Computing • Mobile Devices • Incident Response • Identity & Access Mgmt • Education, Training & Awareness • Business Continuity & Disaster Recovery Requirements / Drivers

  10. Managing Security & Privacy Risk • Establish Risk Mgmt Framework • Consistent with Enterprise Risk Mgmt • Identify, Assess, Respond, Monitor • Risk Mgmt Objectives • Support Strategic Decision Making & Planning • Allocate Resources Effectively • Better able to meet Compliance Requirements • Provide Optimized set of Risk Mitigations • Enable University Mission & Business Objectives • with acceptable level of risk • Security & Privacy Risks are Institutional Risks Requirements / Drivers

  11. Risk = Likelihood x Impact • Each Vulnerability/Threat Pair will be evaluated for • Likelihood of Occurrence • Impact Classification • Risk Level Assigned

  12. Responsibilities • Protecting Data Security & Privacy is a shared responsibility • Promote a Risk-Aware Culture • Understand risks to your business & potential impacts to the University • Be Proactive – Avoiding risk is Accepting risk • Escalate critical risks to Senior Leadership • Include risk assessment processes into business processes • Ensure all employees are aware of their responsibilities • Provide training for employees that is appropriate to their roles & responsibilities

  13. Questions?

  14. Executive Perspectives on Top Risks for 2017

  15. Executive Perspectives on Top Risks for 2017