ECRC Privacy and Security Subcommittee, DTC and TIF-S Recommendations for Five Central Security Program Initiatives

Transcription

1 ECRC Privacy and Security Subcommittee, DTC and TIF-S Recommendations for Five Central Security Program Initiatives ECRC Subcommittee Web Application Vulnerability Scanning DTC (6/1/0) TIF (23/3/0) All campus unit Web applications hosting data protected by law and/or policy will be subject to Web application vulnerability scanning. Web sites hosting information for which unauthorized alteration could damage university reputation, present life/safety risks or increase university liability are also required to be subject to Web vulnerability scans. The security program will acquire/support effective Web application vulnerability scanning systems. There will be no campus unit use charge for accessing Web application vulnerability scanning systems. The security program will provide use specifications for dynamic application versus application code vulnerability scanning. If an application test or development environment is required to conduct scanning, the campus unit hosting the Web content is responsible to work with central security staff to conduct the scan(s). Units will provide developers to assist in Web application vulnerability scanning. ITPS resources, if needed by the campus unit, will be available to assist in scanning and/or configuring a virtualized test environment for scans. Campus unit application owners are responsible for timely vulnerability mitigation. The campus central security program will offer training and guidance for use of Web application vulnerability scanning tools. The central security program will also offer instruction for secure coding for Web applications to campus Web developers. The central security program should evaluate cost benefit of use Web application firewalls to provide additional privacy and security protection for Web applications and Web sites. DTC members endorsed the recommendations from TIF, as outlined to the right and ranked Web application vulnerability scanning the #1 central IT security measure. Highlights from the discussion: Clarify/prioritize which Web apps fall under the scope of this recommendation e.g., anything with data restricted by policy (PII, FERPA, etc.); public-facing applications/systems; etc. Set up a pilot or proof-of-concept project to assess whether the current Web app vulnerability scanning tool/policy can be successful if applied broadly Ensure sufficient staff resources (e.g., Omen s time) are allocated in support of the scanning service Offer training to departments, including on how to interpret scanning results and remediation measures Change cost sharing to effort sharing between IET and campus departments Revise third bullet in TIF s recommendation to read IET is requested to maintain the expertise to assist units with vulnerability evaluation of Web applications." o Continue providing a Web application vulnerability scanning service. o In consultation with the campus technical community, outline the minimum requirements for the environment in which Web application development work is done (i.e. separate test and production environments, secure coding practices, source code vulnerability scanning, etc.). o Maintain the expertise to assist units with final vulnerability evaluation of any Web application before the application becomes "live". o Use the team of Web Application Scanning Experts to assist campus Web developers with: Setting up an environment for secure Web application development Training on coding practices and tools for scanning source and completed Web applications Scanning and assistance with remediation of Web vulnerabilities discovered through the scanning and other processes --- remediation responsibility is of the unit. o Code scanning must complement static scanners, with trained staff to provide code scanning service. Costs associated with these services are born jointly by IET and campus units developing Web applications. 1

2 Personal Identity Information Scanning DTC (6/0/0) TIF (23/1/2) University owned data with content protected by law and/or policy, whether residing of university-owned or personally owned computers, must be protected from unauthorized access. Computers with restricted university data will be scanned and such information protected from unauthorized access. Where scanning is not possible or restricted data must reside on the computer, whole disk encryption will be installed on the university-owned or personally owned computer. The initial priority for PII scanning and PII data protection will be university owned computers. The security program will initiate a campus information awareness campaign regarding PII protection. The central security program will work with the campus technical community to identify those areas of high risk (including faculty administered systems) that have not completed recent scanning and assist with PII scanning and remediation. Units must scan computing systems with a higher risk of PII storage (e.g., computers used for personnel administration) annually to ensure PII is protected from unauthorized access. As appropriate, use of whole disk encryption may be used to mitigate risks where PII data retention on portable devices is required. The central security program will provide assistance to perform PII scanning in FY Thereafter, PII scanning assistance will be performed by unit staff or conducted by ITPS staff on a recharge basis for units. PII scanning and whole disk encryption software will be acquired/supported by the central security program. DTC members unanimously endorsed the recommendations from TIF, as outlined on the right, and ranked personal identity information the #2 central IT security measure. Highlights from the discussion: Why are there still so many sources of PII data across campus? IET should work with system owners to remove the PII data Which devices should be scanned for PII (e.g., it s impossible to scan personal devices every time they connect to the campus network); broad agreement that all universityowned devices should be scanned for PII. Questions to ECRC P&S Subcommittee Does university owned data on personal devices represent a risk that must be controlled? If so, should campus policy clarify this risk and required mitigation? Work with the campus technical community to identify those areas of high risk (including faculty administered systems) that have not completed recent scanning and assist with PII scanning and remediation. IET will perform this campus-wide high-risk clean-up once, and then maintain the expertise to assist (with charge-back) those units that continue to struggle with performing their own scanning and remediation regularly. Expand on the existing information campaign to the general campus to enlighten faculty/students/staff of what PII is, and the dangers of storing it. The campaign should follow the general effort currently underway to improve the campus communities' awareness of smartphone security. If campus risk managers and the campus technical community determine that the steps outlined above still leave an unacceptable exposure for the campus, a more restrictive policy, potentially including exclusion of systems from network access, should be explored. The required scanning and remediation tools should be funded by the central security program. 2

3 Campus Vulnerability Scanning DTC (5/0/0) TIF (26/0/0) All campus unit VLANs will be subject to centrally administered vulnerability scanning conducted over the network. Campus units are responsible for responding to scanning system alerts/warnings. Units must provide staff to respond to alerts/warning or engage ITPS recharge assistance for such support. The central security program will assist campus units to configure unit VLAN firewalls to support daily network vulnerability scans. The campus Computer Vulnerability Scanning Policy, PPM , will be updated to include a provision for senior administrators to exempt a VLAN under their purview from network vulnerability scans. Such exemptions will be reviewed by the campus IT Security Coordinator. If this review indicates the exemption may present excessive university risk, the exemption will be forwarded to the ECRC Privacy and Security Subcommittee for evaluation. The subcommittee may raise exemption approval to the ECRC. DTC members endorsed the recommendation from TIF, as outlined to the right, and ranked campus vulnerability scanning the #4 central IT security measure. Identify campus unit VLAN firewalls that are blocking participation in the Secalert. Once identified, IET will work with each campus unit to determine any technical/business justification for non-participation. IET will provide technical assistance to those units that need help unblocking Secalart scans. Justification for Secalert bypass must be approved by the campus unit senior administrator in consultation with the campus IT Security Coordinator. Justification will be filed with the campus IT Security Coordinator and reviewed on an annual basis. Revise campus policy , Campus Vulnerability Scanning Policy to reflect the policy change for bypass approval. 3

4 VLAN Firewalls DTC (5/0/0) TIF (26/0/0) The campus technical community, in consultation with IET, will identify those VLANS that currently have no VLAN firewall or a poorly supported VLAN firewall. VLAN administrators are required to install and maintain effective ingress and egress rules on VLAN firewalls per campus policy. The security program will identify solutions for improperly firewalled VLAN's (including hardware, software, maintenance, policy management, etc.). The security program will consult with campus VLAN firewall administrators to implement a VLAN firewall and, where needed, provide one-time VLAN firewall hardware subsidization. On-going costs of VLAN firewall support is the responsibility of campus units. If the campus unit VLAN administrator is unable to comply with campus Cybersafety requirements for use of VLAN firewalls, the security program will work with the unit administrators (i.e. MSO, Chair) to understand the firewall requirements and the long-term costs. If all other measures fail to bring the VLAN into CyberSafety compliance, the central security program will implement a VLAN firewall with a standard ruleset on behalf of the unit. The installation expense will be covered by the security program; however,on-going firewall maintenance will be recharged to the campus unit (up to $700 per month). Campus units without VLAN firewalls, or approved exceptions, will be subject to disconnection from the campus network. At the request of a campus unit, the central security program will conduct penetration tests on a recharge basis and security program resource availability. DTC members unanimously endorsed the recommendations from TIF, as outlined below, and ranked VLAN firewalls the #3 central IT security measure. No ingress/egress traffic should be permitted to campus unit VLANs without a VLAN firewall. o The campus technical community, in consultation with IET, should work to identify those VLANS that currently either have no firewall or have a poorly supported firewall. VLAN administrators are required to install and maintain ingress and egress VLAN firewalls as part of CyberSafety policy. o Identify solutions for these improperly firewalled VLAN's (including hardware, software, maintenance, rules management, etc.). o Consult with the VLAN firewall administrators and share the onetime cost of implementing proper firewall solutions with the effected campus unit. On-going costs of VLAN maintenance and programming will be born by the effected campus unit. If the VLAN administrator is unable to comply with Cybersafety requirements, IET will work with the Unit Administrators (i.e. MSO, Chair) on understanding the requirements and the longterm costs. If all other measures fail to bring the VLAN into CyberSafety compliance, IET is authorized to implement a VLAN firewall with a standard ruleset without the unit's permission (at campus expense), and start charging the VLAN owner for ongoing firewall maintenance. The time-frame between initial contact with the unit and forced compliance should be set (90- days was suggested). o In consultation with the campus technical community, continue to explore more robust, central firewall solutions. As the costs of these solutions decreases to make them an affordable replacement for the current VLAN-by-VLAN firewall solutions, IET is requested to pilot a solution both within IET and with at least three campus units to determine the feasibility of more central firewall deployment and management. Any solution must include the ability for local firewall administrators to make immediate changes to firewall rules to respond to the immediate needs of their local environment. o Maintain the personnel and expertise available to perform adhoc penetration testing at the request and expense of units making security changes. o IET is requested to explore the option of a "wired MoobileNet" so that network devices not in compliance with unit VLAN firewall requirements (or other non-cybersafety compliance problems) can easily be excluded from the unit VLAN. 4

5 System Integrity Monitoring DTC (6/0/0) TIF (25/1/0) A centrally managed Security Information and Event Management (SIEM) system will greatly enhance the campus capability to provide real-time security analysis, alerts and take preventive action in response to malicious activity and/or attacks on campus network, computers or data. These alerts will reduce campus incident exposure to privacy/security breaches. The subcommittee acknowledges that units participating in a centrally managed SIEM solution will meet the Cyber-safety audit log security requirements defining log use, inspection, analysis and retention. In consultation with the campus technical community, requirements for a SIEM system will be developed and released for acquisition in FY The initial priority for SIEM deployment will be for log management within IET systems with subsequent expansion to campus unit logging systems in FY Tripwire will continue to be licensed for campus unit use. DTC members unanimously endorsed the recommendation from TIF, as outlined to the right, and ranked system integrity management the #4 central IT security measure. In consultation with the campus technical community, evaluate Security Information Event Management (SEIM) systems. If a system is chosen for campus use, it should integrate with FLOW data from the campus network routers, collect and analyze "syslog" files from IET and campus unit servers, and send alerts to interested parties when automated analysis determines a potential threat. Work with the ECRC P&S Subcommittee to determine if unit use of the chosen SEIM system precludes the unit's "log file monitoring" Cybersafety requirement. This recommendation does not affect Tripwire. 5

6 Individual Cost Estimates for Recommended Five Central Security Program Initiatives (new labor adjusted to start 10/2012) Security service Service Upgrade All campus unit VLANs will be subject to centrally administered vulnerability scanning conducted over the network. Campus units are responsible for responding to scanning system alerts/warnings. Units must provide staff to respond to alerts/warning or engage ITPS recharge assistance for such support. One-time FY12-13 Ongoing FY12-13 One-time FY13-14 Ongoing FY13-14 Network and Host Vulnerability Scanning The central security program will assist campus units to configure unit VLAN firewalls to support daily network vulnerability scans. The campus Computer Vulnerability Scanning Policy, PPM , will be updated to include a provision for senior administrators to exempt a VLAN under their purview from network vulnerability scans. The campus IT Security Coordinator will review such exemptions. If this review indicates the exemption may present excessive university risk, the exemption will be forwarded to the ECRC Privacy and Security Subcommittee for evaluation. The subcommittee may raise exemption approval to the ECRC. $0 $0 $0 $0 System Integrity Monitoring and Reporting A centrally managed Security Information and Event Management (SIEM) system will greatly enhance the campus capability to provide real-time security analysis, alerts and take preventive action in response to malicious activity and/or attacks on campus network, computers or data. These alerts will reduce campus incident exposure to privacy/security breaches. The subcommittee acknowledges that units participating in a centrally managed SIEM solution will meet the Cybersafety audit log security requirements defining log use, inspection, analysis and retention. In consultation with the campus technical community, requirements for a SIEM system will be developed and released for acquisition in FY The initial priority for SIEM deployment will be for log management within IET systems with subsequent expansion to campus unit logging systems in FY Tripwire will continue to be licensed for campus unit use. $130,000 $25,000 $201,790 $35,000 6

7 All campus unit Web applications hosting data protected by law and/or policy will be subject to Web application vulnerability scanning. Web sites hosting information for which unauthorized alteration could damage university reputation, present life/safety risks or increase university liability are also required to be subject to Web vulnerability scans. The security program will acquire/support effective Web application vulnerability scanning systems. There will be no campus unit use charge for accessing Web application vulnerability scanning systems. Web Application Vulnerability Scanning The security program will provide use specifications for dynamic application versus application code vulnerability scanning. If an application test or development environment is required to conduct scanning, the campus unit hosting the Web content is responsible to work with central security staff to conduct the scan(s). Units will provide developers to assist in Web application vulnerability scanning. ITPS resources, if needed by the campus unit, will be available to assist in scanning and/or configuring a virtualized test environment for scans. Network Traffic Control In/Out of unit VLANs (Campus Unit VLAN Firewall Management) Campus unit application owners are responsible for timely vulnerability mitigation. The campus central security program will offer training and guidance for use of Web application vulnerability scanning tools. The central security program will also offer instruction for secure coding for Web applications to campus Web developers. The central security program should evaluate cost benefit of use Web application firewalls to provide additional privacy and security protection for Web applications and Web sites. The campus technical community, in consultation with IET, will identify those VLANS that currently have no VLAN firewall or a poorly supported VLAN firewall. VLAN administrators are required to install and maintain effective ingress and egress rules on VLAN firewalls per campus policy. The security program will identify solutions for improperly firewalled VLAN's (including hardware, software, maintenance, policy management, etc.). The security program will consult with campus VLAN firewall administrators to implement a VLAN firewall and, where needed, provide one-time VLAN firewall hardware subsidization. On-going costs of VLAN firewall support is the responsibility of campus units. If the campus unit VLAN administrator is unable to comply with campus Cybersafety requirements for use of VLAN firewalls, the security program will work with the unit administrators (i.e. MSO, Chair) to understand the firewall requirements and the long-term costs. If all other measures fail to bring the VLAN into CyberSafety compliance, the central security program will implement a VLAN firewall with a standard ruleset on behalf of the unit. The security program will cover the installation expense; however, on-going firewall maintenance will be recharged to the campus unit (up to $700 per month). Campus units without VLAN firewalls, or approved exceptions, will be subject to disconnection from the campus network. $146,188 $12,500 $0 $29,875 At the request of a campus unit, the central security program will conduct penetration tests on a recharge basis and security program resource availability. $287,813 $0 $0 $101,790 7

8 University owned data with content protected by law and/or policy, whether residing of universityowned or personally owned computers, must be protected from unauthorized access. Computers with restricted university data will be scanned and such information protected from unauthorized access. Where scanning is not possible or restricted data must reside on the computer, whole disk encryption will be installed on the university-owned or personally owned computer. The initial priority for PII scanning and PII data protection will be university owned computers. The security program will initiate a campus information awareness campaign regarding PII protection. Personal Identity Information (PII) Scanning The central security program will work with the campus technical community to identify those areas of high risk (including faculty administered systems) that have not completed recent scanning and assist with PII scanning and remediation. Units must scan computing systems with a higher risk of PII storage (e.g., computers used for personnel administration) annually to ensure PII is protected from unauthorized access. As appropriate, use of whole disk encryption may be used to mitigate risks where PII data retention on portable devices is required. The central security program will provide assistance to perform PII scanning in FY Thereafter, PII scanning assistance will be performed by unit staff or conducted by ITPS staff on a recharge basis for units. PII scanning and whole disk encryption software will be acquired/supported by the central security program. $303,250 $5,000 $0 $110,790 Total for Five Initiatives $867,250 $42,500 $201,790 $277,455 Base Security Program $0 $1,354,898 $0 $1,387,970 Totals $867,250 $1, $201,790 $1,665,425 8