Information Security Risk Management in HEIs: From Processes to Operationalization Wolfgang Hommel, Stefan Metzger, Michael Steinke

Transcription

1 Information Security Risk Management in HEIs: From Processes to Operationalization Wolfgang Hommel, Stefan Metzger, Michael Steinke EUNIS 2015 Dundee,

2 Leibniz Supercomputing Centre (LRZ) Photo: Ernst A. Graf, 2012 Data center for all Munich HEIs o o o 130,000+ users (~180,000+ systems) Comm. network spawns 550+ buildings 100+ PB file servers/backup/archive National HPC center o Flagship: SuperMUC, 3 PetaFlops o Large Linux cluster (~ 10k cores) o Gauss Computing Centre member 2

3 Doing information risk management together Cooperative approach: Risk management can t be done by one person or HEI s higher-level management alone Template supporting this cooperative approach can be adapted on every HEI s infrastructure (available at: Motivation on discussion and feedback for further improvement of template 3

4 Overview Motivation Risk management in HEIs an analyst s perspective Gap between reading about risk management and doing it Template based risk management Objectives and benefits Design process Selected content Next steps 4

5 SANS Analyst survey (June 2014): Higher education: Open and secure? 55% of organisations lacking formal risk assessment and remediation policies Data at risk: Personal identifiable data (PII) receives special attention 46% of organisations don t encrypt PII on transit Security Teams understaffed and under budget 5

6 Technicians Business processes Decentral organisation, but cooperative HEI s CRM... Faculty RM (Team / IO)... Service administrators... Service administrators 6

7 Decentral information flows, but also cooperative HEI s CRM... Faculty RM (Team / IO)... Service administrators... Service administrators 7

8 Continuous risk management process Define your risk appetite Establish the RM context Higher-level management RM Team Administrators Identify threats Likelihood & Impact Remediation Implemented safeguards 8

9 Where do I start and what do I do in there? Establish the RM context Higher-level management focuses on (business) processes Technicians and system administrators focus on information, hard-/software and operational details Acquire identical data (RM tools on market lack required import functions) Administrators cover identical threats delegate to special groups (e.g. facility management,...) Remediation through mapping of safeguards to threat 9

10 Template based risk management Desired benefits Enables involved stakeholders to contribute to HEI s overall risk management Current overall HEI s or faculty-/service-specific risk levels For technically staff: Is the service s risk level acceptable? nothing to do! If risk level is not acceptable Who has to respond? 10

11 How we created the risk management template Interview LRZ security team Interview LRZ administrators Existing LRZ security concepts Standards/Frameworks (ISO/IEC 27005, BSI IT Base protection, Literature: scientific papers, various web sources Template s content and structure Continual improvement Management approval and commitment LRZ Risk management template 11

12 Template content overview Document s structure: Metadata / introduction Risk acceptance Risk management context Threat identification + Risk assessment Remediation / measures 12

13 Metadata and introduction Metadata Author and version information Storage location Last modification / update until Introduction Objectives (HEI s overall risk level vs. staff s perspective) Cooperative risk management process How to complete 13

14 HEI s risk appetite / acceptance Curve through risk assessment matrix divides risks in acceptable or not Criteria for risk acceptance (financial impact) (legal, contractual liability) How many users are affected? What is an acceptable MTTR? PII processed or not? Position/group of affected user 14

15 HEI s risk management context Systems or / asset s prioritization From: SANS Analyst Survey Higher Education: Open and secure (June 2014) 15

16 Technicians risk management context Bases on HEI s primary assets definition (Technical) secondary assets Hardware Installed software / base services Processed information and its flows (Operational details) 16

17 Threat identification Threat catalogues (ISO/IEC 27005, BSI IT base protection,...) How to find further threat events Structured, scenario based description of threat events Actor (trigger or cause of a threat) Threat type (e.g. malicious intent, failure,...) Event description Asset / asset group affected (Time) 17

18 Risk assessment & remediation Each administrator / faculty RM staff can do it, but have also be done by HEI s RM Structured, also template-based description of measures Start easy, become complex! Try simple (technical) solutions first Share your information/knowledge and solutions with others Generate HEI-wide synergies, esp. for cost-intensive measures 18

19 Next steps Continuously improve LRZ risk management template Discussions in regional and national groups Web-application (released as open-source) Support of importing existing data Central storage Reporting of service-/group- or HEI-wide risk level Statistics and Export functions 19

20 Conclusion Our template-based risk management approach... helps doing (technical) risk management... helps service owners to decide if further action is required... provides an estimation of overall risk-level for HEIs... it is not finalized yet but a good starting point PDF of current version at We welcome any feedback! riskmgmtdoc@lrz.de How to make the template more intuitive to use? Which topics should be covered additionally? Another/better risk management approach? Let s talk about 20