Welcome to Today s NACUBO Webcast. Our program will begin shortly with a brief introduction on how to use the desktop interface.

Transcription

1 Welcome to Today s NACUBO Webcast Our program will begin shortly with a brief introduction on how to use the desktop interface.

2 Desktop Interface Media Player Element Display Element Toolbar Quick Question Primary Toolbar

3 CPE Credit You must complete surveys to receive CPE credit Resource Page Click directly in the element area to answer survey questions

4 How to Ask Questions Select Expert from the dropdown menu Type your question Click on Submit The Online Experts InBox button will illuminate when you receive a response. To view the answer to your question, click on this button and then select Answered Questions.

5 Reviewing Elements To review elements, use the Review and Preview buttons in the Element toolbar. Click on the Sync button to rejoin the presenter. NOTE: This button appears unplugged if you are not synchronized with the presenter. Sync Review Preview Enlarge

6 Buffering If you experience sustained periods of buffering, click on the Speed button and select a lower stream rate. Contact the helpdesk at Speed Button

7 Managing your IT Risk March 20, 2007

8 Today s Presenters Henry DeVries VP, CIO and CFO Calvin College Joy R. Hughes VP and CIO George Mason University Keith Bushey Asst. VP and Chief Safety Officer George Mason University

9 Our Agenda Today Introduction The Incident at George Mason Lessons Learned Managing CyberSecurity Risks Best Practices: Policies and Tools Risk Management Teams Moving Forward Questions

10 Introduction

11 Risk Management A familiar concept for CFOs We often think of this in terms of: finances, reputation, operations, etc We are accustomed to manage or shift this risk by: Insurance, standard operating procedures, policy development, etc. What about CyberRisks?

12 Why Worry? There were 328 reported data breach incidents in Involving over 100 million data records containing personally identifiable information Higher education had 52 52% by outside hackers, 3X next highest ca. 40% by theft of hardware Cf. Privacy Rights Clearinghouse

13 Why Us? Our operations are almost completely dependent on information technology and the attendant data We hold terabytes of data including personal identity information Our campus computing environments are relatively open and very public Our enfranchised populations include some persons with high levels of IT skills and lots time on their hands

14 Why Now? State laws now require public reporting and notification to affected individuals Starting in California, July 2003 now, over 30 states So, this makes the news: June, 2005 incident with up to 40 million credit cards A hot button for many For the 7 th year in a row, identity theft tops the FTC s annual list of top consumer complaints (36%).

15 The Incident at George Mason

16 The Incident Discover Preserve, Contain, Restore Determine Extent of Risk to Private Data Notify stakeholders

17 Reactions of Stakeholders Most people don t understand the forensics environment Individuals weren t able to weigh the risks Funding agencies jumped to conclusions The legislature rushed to judgment

18 Stakeholders, cont. Media had a great time! Profiteers went into feeding frenzy

19 Multiple Investigations ITU Campus and County Police Forensics company FBI

20 The Conundrum of Audit Policies What servers get attacked, and why? What servers get audited?

21 Lessons Learned

22 Recap of Lessons Learned Before the Incident: Train first responders Need a data stewardship policy Find those SSNs The importance of logging Need an Incident notification plan

23 Recap of Lessons Learned After the Incident: Clarify the charge to forensics The FBI Take steps to reduce panic

24 Strategies to Improve They are all my servers! Take control, the $$$ will follow - agree to take over departmental servers - arrange for selected server audits - arrange for enterprise assessments - trusted laptop program

25 Strategies to Improve New Policies Employee hire letters Employee performance plans Hide machines from the Internet Data stewardship policy Incident response policy

26 Strategies to Improve Executive Enterprise Risk Management Risk Assessment Prioritizing Risks Finding Funding Business Continuity

27 Managing Cybersecurity Risks

28 Manage Cybersecurity (CS) Risks Same as Other Risks? Yes! Assess holistically (physical, personnel, & technical) Prioritize risks at the executive level Allocate funding to remediate highest priority risks Create a multi-year plan

29 But CS Risks Are Different from Other Risks Greater Sense of Urgency stakeholders lose confidence if private data is compromised funders and regulators lose confidence if institution is not seen as "best practice continuity of operations impossible if computer/communications systems fail Escalating external threats from gangs of e-criminals require ongoing costly investments, so broad campus buy-in is needed.

30 Toxic Data Data that, if accessed by unauthorized persons, could cause severe reputational, monetary, legal, or operational damage. Data in this category include but are not limited to: SSNs coupled with other demographic data, classified or sensitive research, medical records, accusations/investigations of criminal activity, passwords to university systems, bank account and credit card PINs

31 Best Practices

32 Best Practices? If you have a CS incident that results in toxic data being transferred to e-criminals abroad,would you be able to validate that you have been following the best practices in cybersecurity?

33 One Answer to Best Practices Question Compare your institution to the 492 IHEs responding in 2005 to the EDUCAUSE Center for Applied Research (ECAR) Security Survey.

34 Best Practice Policies Individual employee responsibilities for information security practices (73% of responding institutions hold individuals responsible for failing to take measures to protect their computers and private data. ) Protection of organizational assets (73%) Managing privacy issues, including breaches of personal information (72%) Incident reporting and response (69%) Disaster recovery contingency planning (68%)

35 More Best Practice Policies Investigation and correction of the causes of security failures (68%) Notification of security events to: individuals, the law, etc. (67%) Sharing, storing, and transmitting data (51%) Data classification, retention, and destruction (51%) Identity Management (50%)

36 Best Practice Security Tools Perimeter firewalls 77% of institutions Centralized backups 77% VPNs for remote access 75% Enterprise directory 75% Interior network firewalls 65% Intrusion detection 62% Active filtering 59% Intrusion prevention 44% (up from 33%) Security Standards for Applications 32% (up from 27%)

37 Risk Management Teams

38 Mason's Executive Enterprise Risk Management Group (EERMG) Members co-chairs: Senior VP for Finance and Administration, CIO; other members: Controller, Vice Provost for Academic Affairs, Chief Safety Officer, etc.

39 EERMG Tasks Prioritize which offices will have their risks assessed by the risk team continuity of operations toxic data Approve small grants to remediate risks on the spot secure toxic data protect personal safety Prioritize remaining risks & submit to University Budget Group Oversee continuity of operations planning and implementation

40 The Risk Team Chief Safety Officer and IT Security Director conduct risk assessments in the prioritized units. physical, personnel, technical remediate "on the ground" when feasible report higher cost risks to EERMG EERMG then prioritizes risks for remediation University Budget Group sets aside a pot of money each year to remediate high $$ risks marked as top priority by the EERMG.

41 Budget Group s Goals for High Dollar Funding to Remediate CS Risks 1. Take care of the high $$ risks discovered during risk assessment that are deemed very high priority by the EERMG. 2. Increase likelihood the university will be judged as following best practices in the protection of toxic data in the event of an incident.

42 Moving Forward

43 Building Partnerships Off Campus County emergency response services City emergency response services Public Private Task Force Regional Council of Governments Virginia Department of Emergency Management Department of Homeland Security

44 Table Top Exercises Desk Top exercise Specific scope and objective Involve maximum # of players Short time frame Real world events Include external partners Don t make it too tough, at least initially

45 Funding Federal Emergency Management Agency Grants Commercial Equipment Direct Assistance Program (CEDAP) Urban Area Security Initiative (UASI) Grants State Grants End of Year Funds

46 Questions

47 Thank You For Your Participation Please complete our online evaluation