Joint Universities Computer Centre Limited (JUCC) Information Security Awareness Training - Session Two: Information Security in Universities


Agenda

Information Security Management in Universities
- Recent Information Security Incidents
- Information Security Risk Management
  - Information Assets in Universities
  - Information Security Risk Assessment
  - Information Security Controls
  - Information Security Awareness
- Case Study: IT Outsourcing

Recent Information Security Incidents in Universities

Hackers target leading climate research unit

The e-mail system of one of the world's leading climate research units has been breached by hackers. E-mails reportedly from the University of East Anglia's Climatic Research Unit (CRU), including personal exchanges, appeared on the internet on Thursday. A university spokesman confirmed the email system had been hacked and that information was taken and published without permission. Mr Cluley added that universities were vulnerable to attacks by hackers because so many people required access to IT systems.
Source: BBC, Nov 20, 2009

Lessons highlighted on the slide:
- Personal data is always valuable to hackers.
- It is difficult to manage user access rights in universities.

Computer data breach at EIU investigated

CHARLESTON -- An investigation into a breach of computer security at Eastern Illinois University has not yet determined if personal data was stolen from a list of about 9,000 people, a university official said Friday. Eastern has mailed letters to 9,000 former, prospective and current undergraduate students regarding the breach of files that contain personal information... "A machine was compromised by a virus so we don't believe it was a targeted attack against the university data system," said Adam Dodge, assistant director of information security for Eastern Information Technology Services. That caused the university's Office of Admissions server to be infected with a number of viruses, including several that could allow an external person to access the server.
Source: Journal Gazette Times-Courier, Dec 04, 2009

Lesson highlighted on the slide:
- Viruses are a key threat to universities because access to the internet cannot be controlled, mainly due to academic freedom issues.

Recent Information Security Incidents in Universities

UC Berkeley computers hacked, 160,000 at risk

Hackers broke into the University of California at Berkeley's health services center computer and potentially stole the personal information of more than 160,000 students, alumni, and others, the university announced Friday. At particular risk of identity theft are some 97,000 individuals whose Social Security numbers were accessed in the breach, but it's still unclear whether hackers were able to match up those SSNs with individual names, Shelton Waggener, UCB's chief technology officer, said in a press conference Friday afternoon.

Lesson highlighted on the slide:
- Health services hold a massive amount of personal information, but it is easily overlooked.

Hacking incident on J-school Web server triggers notices to affected applicants

BERKELEY -- University of California, Berkeley, officials announced today (Tuesday, Aug. 11) that the campus will be notifying approximately 490 individuals of a computer security incident involving the Graduate School of Journalism. Campus officials discovered during a computer security check that a hacker had gained access to the journalism school's primary Web server. The server contained much of the same material visible on the public face of the Web site. However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009. Although there is no evidence that the intruder stole or even viewed information from the database containing the Social Security numbers, it is possible that such action could have occurred, campus computer security experts said. Consequently, UC Berkeley decided to err on the side of caution and notify the 493 student applicants of the incident. Letters are being sent out this week from the journalism school.

Lesson highlighted on the slide:
- Hackers tend to attack universities because they know the security is weak.

Source: BBC, Nov 20, 2009
Source: Journal Gazette Times-Courier, Dec 04, 2009

Recent Information Security Incidents

Statistics from the Technology Crime Division of the HK Police (number of offences per year):

Title of Offence                                       2000  2001  2002  2003  2004  2005  2006  2007  2008
Unauthorised Access to Computer by telecommunication    275    33    26    47    11     8     6     6     7
Access to Computer with Criminal Dishonest Intent         0    81   138   356   329   441   471   333   277
Criminal Damage                                          15    27    16    16    11     6     5     4     3
Obtaining Property by Deception                          29    32    45    86   105   145   193   215   387
Obtaining Services by Deception                           0    33    19    17    15     9    12     8     5
Thefts (E-banking related)                                0     8     6     8    19     3     0     1     2
Others                                                   49    21    22    58    70    41    54    67   110
Total                                                   368   235   272   588   560   653   741   634   791

Source: http://www.police.gov.hk/hkp-home/english/tcd/overview.htm, Jan 2010

Recent Information Security Incidents: Why Universities?

- Hacking for challenge or fun (external and student hackers; professionals and script kiddies)
- The scale of universities helps create noise in the community (reputation attack)
- University computers are great candidates for zombie machines
- Relatively weak security perimeter
- Enormous amounts of personal information
- Valuable research data
- There is always a motivation

(Slide also shows statistics on data leakage incidents.)

Information Security Risk Management

- Identify Information Assets
- Risk Assessment
- Security Controls
- Security Awareness

Information Assets in Universities

Information Asset: a definable piece of information, stored in any form, that has value to the organisation.

Personal Information
- Student records
- Employee records
- Payroll information

Academic Information
- Student grade information
- Research data
- University policies
- Confidential data obtained from third parties

Information security is all about protecting the CIA (confidentiality, integrity and availability) of information assets.

Information Assets in Universities: More information assets

- University web sites
- Software and applications
- Computer servers and terminals
- Network and network devices
- IT service providers of outsourced services

Information Assets in Universities: Threats to Information Assets

Information Assets in Universities: Threats

Deliberate actions by people
- inside your organisation
- outside your organisation (e.g. hacker attack)

Accidental actions by people
- inside your organisation
- outside your organisation (e.g. dumping students' personal data into a rubbish bin)

System problems
- hardware
- software
- malicious code (e.g. computer virus)
- other

Other events
- power cut
- telecommunications failure
- natural disaster
- other

Information Asset Outcomes
- Disclosure of the asset
- Modification of the asset
- Destruction or loss of the asset, the hardware it resides upon, or the software that interacts with it
- Interruption of access to the asset
- Financial and reputation loss

Identification of Information Assets: Process

Step 1: Identify the boundaries of what is to be protected
  Considerations: nature (location, assets and technology); types of information that are sensitive and confidential
  Example: Student's personal data

Step 2: Identify the information assets and the media/systems in which they are handled
  Considerations: users given access to the information; how that information is provided
  Example: Student's phone number stored on the PCs of individuals

Step 3: Identify relationships between the assets/media/systems and the organisational objectives
  Considerations: organisational objectives; how they are affected by information assets
  Example: Objective: Compliance - personal data protection

Step 4: Identify those critical to organisational objectives
  Considerations: likelihood and impact of the information assets affecting the organisational objectives
  Example: What will happen if there is a security breach of the C, I or A of this data?

Information Security Risk Assessment

Risk Assessment: assignment of a value for potential harm/loss.

Quantitative ($)
- Asset Valuation (AV)
- Exposure Factor (EF)
- Single Loss Expectancy (SLE)
- Annualised Rate of Occurrence (ARO)
- Annualised Loss Expectancy (ALE)

  SLE = AV x EF
  ALE = SLE x ARO

Qualitative (rating scale 5, 4, 3, 2, 1)

Information Security Risk Assessment: Example

Asset: University Website
Asset Valuation: loss of productivity; cost of information; cost of rebuilding services = $30,000
Vulnerabilities: outdated patches, unnecessary services
Threats: unauthorised intrusion; defacement
Impact: unavailability of website and student portal
Occurrence: ARO = 2 / year; EF = 40%
ALE = AV x EF x ARO = $30,000 x 40% x 2 = $24,000

Quantitative: how much to pay for a countermeasure?
Qualitative: ratings of 2, 3, 3, 1 (avg. = 2.3); how to prioritise for resource allocation?

Information Security Risk Assessment

(Chart: Cost of Security Control versus Potential Loss)
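The ALE arithmetic from the preceding slides, worked through in code as an added example (not part of the JUCC slide deck): it reproduces the University Website figures (AV $30,000, EF 40%, ARO 2, qualitative ratings 2, 3, 3, 1) and adds the cost-of-control versus potential-loss comparison that the chart slide only sketches. The annual control cost and residual ARO used in the comparison are constructed values, not from the slides.

```python
"""Quantitative and qualitative risk assessment helpers (added example)."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import List


@dataclass
class RiskScenario:
    asset: str
    asset_value: float         # AV, in dollars
    exposure_factor: float     # EF, fraction of AV lost per incident (0..1)
    annual_rate: float         # ARO, expected incidents per year
    qualitative_scores: List[int]  # assessor ratings on the 1 (low) .. 5 (high) scale

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.annual_rate

    def qualitative_rating(self) -> float:
        """Average assessor rating, rounded half-up to one decimal (2.25 -> 2.3, as on the slide)."""
        avg = Decimal(sum(self.qualitative_scores)) / Decimal(len(self.qualitative_scores))
        return float(avg.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def countermeasure_is_worthwhile(scenario: RiskScenario,
                                 annual_control_cost: float,
                                 residual_aro: float) -> bool:
    """Cost-of-control vs potential-loss test.

    A control is worth buying when the ALE it removes (ALE before minus ALE
    after, with the reduced ARO the control is expected to leave) exceeds
    what the control costs per year.
    """
    ale_before = scenario.ale()
    ale_after = scenario.sle() * residual_aro
    return (ale_before - ale_after) > annual_control_cost


def prioritise(scenarios: List[RiskScenario]) -> List[str]:
    """Order assets for resource allocation: qualitative rating first, ALE as tie-breaker."""
    ordered = sorted(scenarios, key=lambda s: (s.qualitative_rating(), s.ale()), reverse=True)
    return [s.asset for s in ordered]


# The slide's worked example.
WEBSITE = RiskScenario("University Website", 30_000, 0.40, 2, [2, 3, 3, 1])
# Constructed second asset for the prioritisation demo (not from the slides).
LAB_SERVER = RiskScenario("Research Lab Server (constructed)", 50_000, 0.10, 1, [3, 3, 4, 2])

if __name__ == "__main__":
    print(f"{WEBSITE.asset}: SLE=${WEBSITE.sle():,.0f} ALE=${WEBSITE.ale():,.0f} "
          f"rating={WEBSITE.qualitative_rating()}")
    # Constructed figures: a control costing $8,000/year that cuts ARO from 2 to 0.5.
    print("Control worth buying:", countermeasure_is_worthwhile(WEBSITE, 8_000, 0.5))
    print("Priority order:", prioritise([WEBSITE, LAB_SERVER]))
```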

Areas of Information Security Risk in Universities

Information Handling
- Examples of risk: lack of information classification; sensitive information being disclosed to the public
- Recommendations: establish information classification and handling procedures; raise user awareness

Logical Access
- Examples of risk: shared accounts; weak password settings; abuse of super user accounts
- Recommendations: implement strong password policies and configurations; restrictions and policy on the use of privileged/administrator accounts; promotion of user awareness on the concept of accountability

Network Security
- Examples of risk: external/internal threats (e.g. hacking, denial of service, viruses, malware); wireless network sniffing
- Recommendations: segregate the network into different segments; installation of devices such as firewalls and Intrusion Detection Systems; periodic firewall log review; installation of virus and spyware detection systems; periodic scanning of network and computers

Outsourcing
- Examples of risk: compliance risk; lack of security controls in third party services
- Recommendations: non-disclosure agreement; include clauses regarding security requirements in the SLA

Areas of Information Security Risk in Universities (continued)

User Account Access / Administration
- Examples of risk: excess access rights granted
- Recommendations: user access review; classify data and create data ownerships; segregation of duties

Physical Security
- Examples of risk: loss of portable devices; decentralised location of computer servers; stealing of hardware; vandalism
- Recommendations: portable device encryption; security guards; swipe card/biometrically controlled access points; access control lists; perimeter controls

Incident Management
- Examples of risk: errors overlooked or not resolved on a timely basis; lack of accountability
- Recommendations: escalation procedures; investigation procedures; defined roles and responsibilities

Information Security Awareness
- Examples of risk: social engineering; difficulties in promoting security awareness to academic staff and students
- Recommendations: regular Information Security Awareness Training; management commitment to building a good security culture

Information Security Controls: Information Security Triad

(Diagram: Confidentiality, Integrity and Availability of Hardware, Network and Software, resting on a Foundation of Physical, People and Procedures)

Information Security Controls: The Foundation

General Users
- Physical: Are your thumb-drives secured? Do you always keep your office door locked?
- People: Are you aware of your role? Do you know about YOUR information?
- Procedures: Do you know what to do when there is a security incident? Do you know the POLICY?

IT Professionals
- Physical: Are the data centres secured? Do you have sufficient offsite backups?
- People: Are there security professionals in the team? Are the users well trained?
- Procedures: Are the policies/procedures up-to-date? How do you communicate them to the users?

Information Security Controls: Types of Information Security Controls

By nature: Administrative, Logical, Physical

By function:
- Detective: know when it occurs
- Corrective: rectify when it occurs
- Preventive: avoid its occurrence

Limitations
- No 100% assurance
- Breakdown (e.g. misunderstanding/mistake)
- Involve human judgement
- Management override
- Collusion

Sample Information Security Controls

Administrative
- Detective: rotation of duties; management review of data, configuration, procedures and routines; risk management; IT audit, control evaluation
- Corrective: business continuity plan; disaster recovery plan
- Preventive: separation of duties; security training; well communicated security policy; user account administration

Logical
- Detective: Network Intrusion Detection System; system logs; system integrity check
- Corrective: Network Intrusion Prevention System; anti-virus software
- Preventive: access control; data encryption (storage and in-transit); authentication; anti-virus software

Physical
- Detective: cameras & alarms; security guards; regular asset count
- Corrective: emergency power supply
- Preventive: physical access control (e.g. swipe cards, biometric locks) to computer facilities; environment controls (e.g. fire, water, temperature, humidity); offsite backup

Sample Information Security Controls (same table as above, with the reminder): Not just the responsibility of the IT Centre!

Evaluation of Information Security Controls

Regular evaluation of information security controls
- Changing environment: technology, people, threats, information sharing
- Evaluation of the adequacy of the design of existing controls
- Identify the need for additional controls and the cost vs benefit
- Evaluation of the operating effectiveness of existing controls
- Management awareness and risk acceptance
- Plan for improvement actions

Reasons for not having regular information security evaluation
- Lack of resources (human resources, budget)
- Trusted environment (e.g. employees, students)
- Unlikely outbreak of security incidents/breaches

The consequence of not having regular security evaluation can be very costly.

Information Security Awareness

(Diagram: a Security Awareness Program gives Management, Teaching Staff, Administrative Staff and Students the Knowledge & Attitude for Security Risk & Protection of Assets)

Information Security Awareness: Topics

- Sensitive information that comes in contact with the individual
- Roles and responsibility in information security
  - Data owner: identify, classify and protect information
  - Students: appropriate use of computer facilities and network
- Handling procedures for sensitive information (e.g. media of transmission and cryptographic requirements)
- Knowledge of security issues (e.g. identification of phishing email, potential damage of malware, existence of social engineering)
- Consequences

Information Security Awareness: Security Awareness for

MANAGEMENT
- Involvement of IT management in senior management communication
- Understanding the importance of information security before the incidents happen
- Raising awareness of the need for management support of an institution-wide security awareness programme

IT CENTRE
- Realising the senior management concern over information security
- Allocating resources for security awareness programmes
- Obtaining knowledge of up-to-date security threats
- Promoting the culture of security awareness within the university

STAFF / STUDENTS
- Knowing information security via the IT centre
- Understanding their roles in information security (e.g. regular email reminders, training, campus security awareness campaign)

Top-down support for security awareness within the University

Case Study: IT Outsourcing - Background

- University outsourcing email (partially): email storage, spam filtering and online organiser; email anywhere
- Service provider: unqualified SAS70 Type II certification

What are the security concerns?

Case Study: IT Outsourcing - Security Concerns

Asset Identification
- Email correspondence
- Sensitive information (email contents/attachments)
- Contact information

Vulnerabilities
- Unencrypted data transfer/storage
- System security weaknesses (e.g. outdated patches)
- Different legal/regulatory requirements over personal data

Other concerns
- Uncontrollable/unknown security standard
- Inability to review the security standard of the service provider
- Inadequate planning

Case Study: IT Outsourcing - Best Practice

Planning
- The border: define the service to be outsourced (just email? online organiser?)
- Compatibility with existing processes and infrastructure

Risk Assessment
- Evaluation of certification/accreditation (e.g. SAS70, ISO27001)

Agreement
- Ability to perform on-site due diligence
- Security review (by service provider or independent party)
- Service level agreement (security standard)
- Non-disclosure agreement

On-going
- Annual security assessment/certification review
- Perform on-site due diligence
- Monitoring service level

Summary: Information Security in Universities

- Universities are valuable targets
- Information Security Management
  - Identifying Information Assets
  - Risk Assessment
  - Security Controls
  - Security Awareness
- Case Study & Best Practice: IT Outsourcing