ISE Northeast Executive Forum and Awards


ISE Northeast Executive Forum and Awards, October 3, 2013
Company Name: University of Massachusetts
Project Name: Embracing a Security First Approach
Presenter: Larry Wilson
Presenter Title: Chief Information Security Officer
ISE Northeast Executive Forum and Awards 2013 #ISEnortheast

University of Massachusetts: Providing High Quality Education for 140 Years
- 2013 World University Ratings: 42nd of Top 100 Universities
- 5 Campuses + Systems Office
- 72,000 Students
- 17,500 Faculty & Staff
- UMass Online: 120 Degree & Certificate Programs

Our Security-first Approach (Agenda)
- What's at Stake
- UMASS Security Program Goals
- UMASS Security Program Design
- UMASS Security Program Implementation Roadmap
- UMASS Security Program Operations Center
- Summary of Results
- Lessons Learned / Best Practices

What's at Stake

The University Environment
- Threats: Ever-changing threat landscape consisting of internal and external threats.
- Vulnerabilities: Complex / unstructured / decentralized administrative and academic computing and communications environment across 5 independent campuses and the systems office.
- High Value Assets: Intellectual property, research data, student records, employee records, financial data, alumni donations, health records, credit cards.

The Challenge
- The Controls: Design, acquire, implement, maintain and operate a comprehensive set of security controls that safeguard university computing resources and information assets.

UMASS Security Program Goals
1. Develop a university-wide security framework and strategic programs.
2. Align with industry best practices [ISO 27002, SANS 20 Critical Security Controls].
3. Manage security throughout its lifecycle by integrating it into normal operations.
4. Invest in resources (staffing, training) and technology to implement and manage the security controls.
5. Develop an implementation roadmap inclusive of all campuses and departments.
6. Develop a comprehensive communication program to increase stakeholder awareness.

UMASS Security Program Design

UMass Information Security Program, three pillars:
- Management & Communications (People Focus): Risk Management; Policy / Program; Marketing & Communications; Awareness Training
- General Computer Controls (GCCs) (Process Focus): Secure Applications; IT Operations; Access Controls; Records Retention
- Cyber-security Controls (Technology Focus): SANS 20 Critical Security Controls

Foundation: ISO 27002; SANS 20 Critical Security Controls
Policy, Legal, and Regulatory Framework: UMass Security Policy, WISP, Mass Privacy, PCI, SOX, HIPAA, FERPA, ...

UMASS Security Program Implementation Roadmap (security capability grows with each phase: program evolution)
- Phase 1, Planning & Approval: Initiate stakeholder program; Policy, Plan, Controls, Governance
- Phase 2, Design & Resources: Design Security Programs & Controls; Assign Program Resources
- Phase 3, Implement & Operate: Purchase Cyber-security Technologies; Implement & Manage Program Controls
- Phase 4, Assurance & Metrics: Conduct Campus Risk Assessments; Document Program Status & Reports

UMASS Security Program Operations Center

Information Security Operations Center (ISOC): Scan, Monitor, Filter, Contain (Build, Buy, Outsource, Cloud)

Input:
- Help Desk: Work Requests, Tickets, Audit Findings
- Incident Response Team / CSIRT: Advisories & Incidents
- Intelligence Feeds: Zero-day Threats, Zero-day Vulnerabilities

Output (to IT Operations and the Management Team):
- Data Breaches
- Alerts, Metrics & Reports

Summary of Results

2012 Accomplishments
- Established security program and deliverables based on SANS Controls
- Conducted university-wide gap assessment to determine current state of compliance
- Developed budget, timeline, resources, campus implementation plans
- Established university-wide governance team and project teams

2013 Accomplishments
- Established Phase 1 Implementation Plan based on quick wins and maximum impact
- Purchased technology (as needed) and implemented Phase 1 SANS controls
- Developed management reporting to track implementation and compliance
- Established Phase 2 (2014) Implementation Plans

Lessons Learned / Best Practices
- Start with the Design: Get management buy-in including budget, resources and timelines.
- Implement in Phases: Quick wins, maximum impact; need success stories!
- Communicate Often: Monthly implementation and compliance reports.
- Work with Partners: Including SANS, vendors / service providers to improve technology and service offerings; information security is a team sport!