Lunch & Learn Series Subscribe!

Transcription

1 Lunch & Learn Series Noon on the 3 rd Tuesday of each month Security.uconn.edu for detailed information L&L RFC Subscribe! Presentation schedule is still being worked out Contact Jason Pufahl (jason.pufahl@uconn.edu) or Lorraine Costanzo (lorraine.costanzo@uconn.edu) if you have presentation topics or would like to present

2 University Risk Profile and Remediation Steps

3 Background 10 Risks Categories Basic Risk Assessment Completed Initiatives Assigned to each Risk Initiatives May Contribute to Remediation of Multiple Risks

4 Assumptions Security Governance Established and Aligned with University Governance Technical Security Council Executive Security Council Requires a University Effort (discussion, buy-in, implementation time, support). Cannot be Accomplished Solely in UITS Initiatives Based on a Plan

5 University Risk Profile H E F G A I C B H D J A. Data Loss B. Operational Continuity C. Unauthorized Electronic Access D. Software Vulnerabilities E. Education and Training Impact F. Compliance G. Unauthorized Physical Access H. Server and Desktop Security I. Governance J. Identity and Access Management L L Likelihood H

6 Data Loss Description The University needs to identify where all business and confidential data resides so that it can protect the data from unauthorized access or disclosure. Scope University initiative will result in the identification and security of confidential information and the reduction of the number of storage locations. Initiative applies to systems of record as well as user workstations. Risks/Impact Loss of Intellectual Property Loss of Confidential Data Loss of Business Processing Privileges Breach Costs Credit Monitoring Forensics Investigations Compliance Issues Initiatives Data Inventorying Technologies/Processes Data Loss Prevention (DLP) Encryption Solutions (Data at rest/motion) Centralized File Services Backup Strategies Data Owners/Processes Established

7 Data Loss FY11 (2010) FY12 (2011) FY13 (2012) FY14 (2013) FY15 (2014) Encryption/Data Detection Data Centralization Database and System Security Sustainment

8 Operational Continuity/Disaster Recovery Description In the event of any significant interruption to service (power outage, server site unavailability, natural disaster, terrorist attack), the University does not have the plans or infrastructure in place to continue any critical operations. Risks/Impact Communication Systems Could Be Unavailable for Extended Periods Administrative Systems Unable To Pay Vendors Unable To Pay Faculty and Staff Unable To Access Student Records Compliance Issues Scope University-wide initiative will result in the prioritization of critical services and an established secondary computing site with redundant services implemented and tested. Initiatives Business Continuity Plans Secondary Data Center Network Redundancy Critical Server Redundancy DNS/DHCP (Infrastructure) Upgrades Backup Strategies

9 Operational Continuity/Disaster Recovery FY11 (2010) FY12 (2011) FY13 (2012) FY14 (2013) FY15 (2014) Planning Foundation Implementation Phase Data 2 Center and Redundancy Backup and Storage System and Service Redundancy Implementation Sustainment Sustainment

10 Compliance Description The University is not compliant with federal and state regulations (PCI, HIPAA, GLBA) and does not have suitable procedures to ensure continued compliance. Risks/Impact Fines Incarceration Increased Compliance Requirements Loss of Business Privileges Financial Aid Credit Card Transaction Processing Scope Implement processes and controls to ensure the University achieves and maintains compliance with Federal Regulations and industry standards (HIPAA, GLBA, FERPA, MA 201 CMR 17, PCI DSS, etc.). Initiatives Information Security Risk Assessment ISO Mapping (PCI ) Incident Response Incident Detection Capabilities Process Improvements Centralized Logging Policy Review/Modification

11 Compliance FY11 (2010) FY12 (2011) FY1 (2012) FY14 (2013) FY15 (2014) Risk Assessments PCI/HIPAA GLBA & Policies Best Practices Implementation, Departmental Risk Assessments & Sustainment

12 Education and Training Description The University needs to provide critical technical/business staff and system users with the appropriate levels of security training to ensure systems and data are protected. Risks/Impact Poorly-Configured Systems Easily-Guessed Passwords Increased Security Incidents Unintentional Security Violations Insider Threats Compliance Issues Scope Develop and implement an information security training program that ensures that IT system administrators, the IT security council and end users have appropriate information security training. Initiatives Training for Technical Security Council User Security Awareness Training L&L

13 Education and Training FY11 (2010) FY12 (2011) FY13 (2012) FY14 (2013) FY15 (2014) Technical Security Council Training User Training Implemented Ongoing Training

14 Security Governance Description The University cannot adequately identify, prioritize or build consensus to address existing security issues. Risks/Impact Inability to Coordinate Security Initiatives Resource Allocation Issues No Forward Progress Lack of Buy-in Scope Initiative will establish security governance as part of the University governance strategy. Initiatives Establish Technical Security Council Establish Executive Security Council Develop Metrics and Reporting Models

15 IT Investment Areas How is UConn Responding to Higher Ed IT Challenges? Projects Services Inventor y Projects Services Inventory Projects Services Inventor y Projects Services Inventor y Core Infrastructure Business Systems Instruction and Learning Research and Scholarship Security, Data, and Privacy 15

16 Security Governance FY11 (2010) FY12 (2011) FY13 (2012) FY14 (2012) FY15 (2013) Councils Established Technical and Executive Councils Represented in Governance Metrics and Reporting

17 Identity And Access Management Description The University is an open and collaborative environment, requiring access for faculty, staff, students, guest lecturers, conference attendees, parents and lacks the ability to provide (and revoke) appropriate credentials that limit access to business resources. Risks/Impact Data Loss Unauthorized/Unintended Access Increased Support Costs Integration Issues Supportability of Existing Systems Compliance Issues Scope University Initiative will inventory all existing identity creation and management processes and establish a centralized and standards-based system providing granular access controls that is accessible to all departments. Initiatives Establish Initiative! Password Sync/Password Resets Documentation of Current Processes Needs Analysis Across University Development and Implementation

18 Identity And Access Management FY11 (2010) FY12 (2011) FY13 (2012) FY14 (2013) FY15 (2014) Planning and Critical Systems Changes Implementation and Process Development Sustainment

19 Server and Desktop Security Description The University is unable to centrally deploy critical software patches or verify/modify the security state of a server or workstation. Risks/Impact Increased Security Vulnerabilities Support Costs and Times Increased Inability to Provide Enterprise Level Solutions Scope Initiative will establish policies, guidelines and technical implementation details for creating standardized and secure desktop and server configurations and housing policies. Initiatives Centralized Software Patch Management Centralized Anti-Virus Server/Desktop Hardening Standards Workstations in Managed Domain (AD) Server Deployment Processes/Systems

20 Server and Desktop Security FY11 (2010) FY12 (2011) FY13 (2012) FY14 (2013) FY15 (2014) Central Management Pilot Standardization and Rollout Systems Re-evaluation and Sustainment

21 Software Vulnerabilities Description The University deploys commercial and internally-developed software without adequate vulnerability management and post-installation patching processes in place. Risks/Impact Data Loss Non-Patched/Insecure Systems Network/System Compromise Increased Support Costs Loss Of Efficiency/Increased Downtime Compliance Issues Scope University initiative to develop guidelines and processes that will enable consistent application scanning, review and patching strategies based on risk and vulnerability. Initiatives Application Vulnerability Assessments Operating System Vulnerability Assessments Penetration Testing University Change Management Processes (for shared systems)

22 Software Vulnerabilities FY11 (2010) FY12 (2011) FY13 (2012) FY14 (2013) FY15 (2014) Technical and Admin Patch Processes Code Evaluations and SDLC Change Management & Purchasing Processes Process Reviews

23 Unauthorized Electronic Access Description The University is an open and collaborative environment, requiring access for faculty, staff, students, guest lecturers, conference attendees, parents and lacks the ability to identify users, ensure the integrity of their workstations and isolate them from critical systems. Risks/Impact State or University Resources Used for Malicious/Criminal Activity Increased Time, Effort and Cost of Breach Investigations Loss of Constituent Confidence Compliance Issues Scope University-wide deployment of network access control systems and monitoring. Initiatives Network Access Control Network Segmentation (Firewalling) Remote Access Controls Intrusion/Compromise Detection & Prevention Identity Management

24 Unauthorized Electronic Access FY11 (2010) FY12 (2011) FY13 (2012) FY14 (2013) FY15 (2014) Firewalls & Network Access Control Network Segmentation & Security Architecture Penetration Testing & Re-evaluation Monitoring, Reporting, Incident Response

25 Unauthorized Physical Access Description The University combines the use of network closets with janitorial services, causing a significant risk of availability. These closets also have keys that are shared across multiple departments, causing a significant risk to security. Risks/Impact Loss of Service Data Loss Equipment Failures and Theft Compliance Issues Scope University initiative to improve access controls for building network rooms by removing shared access, ensuring all areas are locked and creating standards to improve reliability and security. Initiatives Establish Single-Purpose Network Closets Keycard-Based Entry on All Network Closets

26 Unauthorized Physical Access FY11 (2010) FY12 (2011) FY13 (2012) FY14 (2013) FY15 (2014) Data Closet Co-Location UITS/Data Center/Data Closet Access Controls

27 Summary Risk Data Loss Operational Continuity Compliance Education/Training Security Governance Identity and Access Management Server/Desktop Security Software Vulnerabilities Unauthorized Electronic Access Unauthorized Physical Access *Cost of a new university data center is not included in totals.