Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two

Similar documents
Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Policy Document. Communications and Operation Management Policy

Client Security Risk Assessment Questionnaire

Securing the Service Desk in the Cloud

Supplier Security Assessment Questionnaire

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant

A Decision Maker s Guide to Securing an IT Infrastructure

RISK ASSESSMENT GUIDELINES

External Supplier Control Requirements

Guide to Vulnerability Management for Small Companies

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

Certified Information Systems Auditor (CISA)

Security Tool Kit System Checklist Departmental Servers and Enterprise Systems

Retention & Destruction

Security Controls What Works. Southside Virginia Community College: Security Awareness

IBX Business Network Platform Information Security Controls Document Classification [Public]

Managing internet security

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Information security controls. Briefing for clients on Experian information security controls

Newcastle University Information Security Procedures Version 3

Security Threat Risk Assessment: the final key piece of the PIA puzzle

INFORMATION TECHNOLOGY SECURITY STANDARDS

Estate Agents Authority

Supplier Information Security Addendum for GE Restricted Data

A Rackspace White Paper Spring 2010

FINAL May Guideline on Security Systems for Safeguarding Customer Information

SRA International Managed Information Systems Internal Audit Report

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

BMC s Security Strategy for ITSM in the SaaS Environment

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

IT - General Controls Questionnaire

Small Business IT Risk Assessment

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

How small and medium-sized enterprises can formulate an information security management system

Tenzing Security Services and Best Practices

Technology Risk Management

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

FMCS SECURE HOSTING GUIDE

How To Protect Decd Information From Harm

Projectplace: A Secure Project Collaboration Solution

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

How To Audit Health And Care Professions Council Security Arrangements

Information Technology

<cloud> Secure Hosting Services

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Music Recording Studio Security Program Security Assessment Version 1.1

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

U06 IT Infrastructure Policy

GUIDELINES ON CONTROL OBJECTIVES & PROCEDURES FOR OUTSOURCED SERVICE PROVIDERS

Secure, Scalable and Reliable Cloud Analytics from FusionOps

Regulations on Information Systems Security. I. General Provisions

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree

Security Controls for the Autodesk 360 Managed Services

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy

Logging In: Auditing Cybersecurity in an Unsecure World

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

CONTENTS. Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Introduction. PCI DSS Overview

GoodData Corporation Security White Paper

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

External Supplier Control Requirements

Automation Suite for. 201 CMR Compliance

F G F O A A N N U A L C O N F E R E N C E

OCR LEVEL 3 CAMBRIDGE TECHNICAL

How-To Guide: Cyber Security. Content Provided by

Lot 1 Service Specification MANAGED SECURITY SERVICES

Summary of Information Technology General Control Environment Findings for the year ended 30 June 2015

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

ICANWK406A Install, configure and test network security

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Network and Security Controls

HIPAA Compliant Infrastructure Services. Real Security Outcomes. Delivered.

AUDIT REPORT WEB PORTAL SECURITY REVIEW FEBRUARY R. D. MacLEAN CITY AUDITOR

How To Protect Yourself From A Hacker Attack

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

Outsourcing and Information Security

SECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles

<Insert Picture Here> How to protect sensitive data, challenges & risks

Transcription:

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Data Handling in University Case Study- Information Security in University

Agenda Case Study Background Information Frameworks Confidentiality-Integrity-Availability (CIA) Information Security Risk Management (ISRM) People-Process-Technology (PPT) Plan-Do-Check-Act (PDCA) Conclusion 1

Case Study A hypothetical scenario To understand how to apply the information security frameworks To illustrate how the frameworks help the evaluation and design of relevant controls Examples of controls to be implemented 2

Background Information The Hypothetical Scenario Current Situation: No centralised system Research information handled by staff members individually Information sharing is difficulty Research Management System ( RMS ) Proposed System Owner: Research Services Department System Users: Research Services administrators Research Services/ departmental accountants Researchers and faculty managers/ administrators User Interface: Web-based user interface 3

Background Information Proposed System Functions: Research Accounting Fund Management Researcher/ Staff Information Proposal Management Research Project Management Publication Management Resource Management (e.g. data, information, subscription, space ) Compliance Review Management Reporting 4

Background Information Proposed Interfaces: Accounting information with existing university ERP accounting system Research space information with existing facility management system Tailored interfaces for research data/ information with specific external sponsors RMS ERP Accounting Facility Management External Sponsors 5

Frameworks The Information Security Frameworks Confidentiality, Integrity and Availability ("CIA") Information Security Risk Management ( ISRM ) People, Process and Technology ("PPT") Plan-Do-Check-Act ( PDCA ) Frameworks are used as a starting point to facilitate security consideration when implementing new system/ process. 6

Frameworks- CIA The CIA Concept Confidentiality Keeping sensitive information protected Availability Integrity Keeping information available and accessible Keeping information intact and valid 7

Frameworks- ISRM Identify Information Assets Risk Assessment Security Control Security Awareness 11

Frameworks- PPT People Process Technology Information security is not only related to computer systems. People are always the weakest link. A complete framework is required to manage information security. 12

Frameworks- PDCA Plan-Do-Check-Act (PDCA) A model adopted by ISO27001 Act Plan Check Do 14

Frameworks Applying the Frameworks 15

CIA Confidentiality What objects (data/ information/ process) should not be disclosed to unauthorised subjects? Accounting information Funding information Research information/ Proposal/ Project Management Publications Should research assistant have access to accounting information? NO Should researchers and departmental managers have access to all funding information? NO Will it be on an as-needed basis? YES Should Research Services department have access to research results and data in-progress? NO- but they should have access to the status of research Who should have access to the publications? Defined by the research team according to requirements Confidentiality Availability Integrity 16

CIA Confidentiality What objects (data/ information/ process) should not be disclosed to unauthorised subjects? Resource Management Compliance Review Other public information? System Administration System Database Who should have access? The Research Service Coordinators Research team, as-needed (by roles or project) Who should have access? Research team and appointed investigators Publicly published research (publication) only Who should have the administrator privileged? Dedicated Research Services Manager only Who should have direct database access? Vendor/ Dedicated Database Administrator with proper segregation of duties and approval 17

CIA Integrity Objects retain their veracity and are only intentionally modified by authorised subjects. Accounting Funding Researcher Particulars Proposal Project Management Resources Management Compliance Management Reports Integrity Requirement High High Medium Medium Low Low Medium High Confidentiality Availability Integrity 18

CIA Integrity Data consistency with external or internal systems Researchers Particulars Resource Management Information Research Data/ Result (External sponsor liked) Accounting Records Publications Campus Records External Facility Management System External Sponsors Data/ Result Campus ERP Accounting System External Publication Portals Consider: System Interface Real-time synchronisation & heart-beat Automated reconciliation (e.g. day-end) Manual reconciliation reports Streamlined administration process (e.g. staff particulars) 19

CIA Availability Authorised subjects are granted timely and uninterrupted access to objects. Data Accounting Medium Printed period report for historical data Funding Medium N/A Researcher Particulars Low Campus records/ peer information Project Management High N/A Publication Low Other publishing portals Resource Management Medium N/A Compliance Medium N/A Management Reports Project Management Information - Pending Tasks Criticality of - Research SystemResults Alternatives - Project Availability Timeline - Status Tracking - Team collaboration Critical for research progress Medium Printed management reports Confidentiality Availability Integrity 20

ISRM Identifying Information Asset Objects retain their veracity and are only intentionally modified by authorised subjects. Modules Accounting Funding Information Asset Historical financial data (project and campus-wide research function) Costing data and calculation Budget Salary- [Sensitive] Current sources of fund (Gift/ Trust/ Government) Potential sources of fund- [Sensitive] Fund related contractual requirements (compliance) Fund status and utilisation Identify Information Assets 21

ISRM Identifying Information Asset Modules Researcher Information Research Project Management Information Asset Personal data of research teams- [Private] Contacting information Academic background Assessment and appraisal Project Management Project timeline Project tracking Financial data Research Data- [Confidential] Research work-in-progress (WIP) Data and statistics (e.g. medical information of research subject) Research results Business confidential information (e.g. unpatented WIP) Identify Information Assets 22

ISRM Identifying Information Asset Modules Publication Management Resource Management Compliance Review Management Reporting Information Asset Public and restricted publications Centralised subscription database Shared research information and statistic Space utilisation Contractual/ regulatory requirements- [Sensitive] Project compliance status Consolidated financial performance and position Project and staff performance assessment Overall research project status tracking Available in both electronic and printed-copies Identify Information Assets 23

ISRM Identifying Information Asset - The process (examples) Step 1: The data Step 2: System and media Step 3: Organisation Objective Step 4: Criticality Research Data/ Results Storage: Database, file server In-transit: Interface with external sponsors View: Access by research team Backup: Backup tapes Fulfil contractual requirements (e.g. confidentiality of data) Observe regulation (e.g. privacy of research subjects) In case of breach: -Withdrawal of fund -Loss of competitiveness -Litigation -Damage to reputation Researchers Particular Storage: Database View: Access by administrator and research team Backup: Backup tapes Observe regulatory requirements (Personal Data (Privacy) Ordinance) - Litigation in case of breach Identify Information Assets 24

ISRM Risk Assessment Risk Assessment- Assignment of value for potential harm/ loss Quantitative Qualitative $ $ $ $ $ Annualised Loss Expectancy (ALE) Annualised Rate of Occurrence (ARO) Single Loss Expectancy (SLE) Asset Valuation (AV) Exposure Factor (EF) $ $ $ $ $ 5 4 3 2 1 SLE = AV x EF ALE = SLE x ARO Risk Assessment 25

ISRM Risk Assessment- Example Asset Asset Valuation Vulnerabilities & Threats Impact Occurrence ALE Research Data -Withdrawal of fund - Loss of competitive advantage - Litigation - Damage to reputation =$1,000,000 Vulnerabilities: Unencrypted data transfer with external sponsors Threats: Interception of data in-transit Leakage of confidential research data ARO = 0.2 / Year EF = 30% = AV x EF x ARO = $1,000,000 x 30% x 0.2 = $60,000 Quantitative - How much to pay for countermeasure? 5 3 4 2 Avg. = 3.5 Qualitative - How to prioritise for resource allocation? Risk Assessment 26

ISRM Security Control Research Data: Quantitative- ALE = $60,000 If control can be implemented with an averaged annual cost below $60,000 to prevent/ detect/ correct the occurrence of leakage of research data, such control can be considered Qualitative- ALE= 3.5 With limited fund in implementing controls to protect the RMS, funds should be allocated to identified assets of higher averaged priority. Administrative Logical Physical Detective Corrective Preventive Security Control 27

ISRM Security Control Research Data Protection- Considering Control Implementation Implementing a network-based data leakage prevention system with an annual total cost of $300,000 may not be justified solely in preventing the loss of research data leakage (due to low expected occurrence of such event). Implementing data encryption for all external interfaces with research data transfer is expected to mitigate over 80% of the exposure to research data leakage. The implementation involves an annual cost of $10,000. This control may be considered in mitigating the risk of research data leakage. Implementing a more granular access control mechanism is estimated to cost $8,000 per annum averaged. This control may also be considered together with the data encryption control. Security Control 28

ISRM Security Awareness Assuming the a granular access control to research data is to be implemented- Security awareness to both the research team and Research Services administrators should be conducted to cover: Importance of research data Importance of the access control implemented How to design an effective access control according to the project nature Importance of regular access right maintenance and review Security Awareness 29

PPT People Required expertise to manage the RMS- Technical and management competence. Additional personnel required for the implementation and operation of RMS - Factored in during the budget preparation Consider users acceptance of the system. Consider rolling out the RMS in phases to build acceptance and to smooth migration Management awareness of the potential difficulties, risk and the importance of management support Regular communication to all relevant parties If PEOPLE are not ready for the new system, should we consider postponing the implementation? People 30

PPT Process Vendor selection criteria Security policies Security audit requirements System hardening baseline Third-party service support Change management cycle Patch management process User awareness program Incident management User administration Consider: Availability of such processes Applicability of such processes over the new RMS Requirement of additional process to cater for the implementation of RMS User awareness of the processes Process 31

PPT Technology Network access controls (e.g. firewall, IPS, logs ) User access controls (e.g. login mechanism- SSO) Anti-virus on end-user (Research Services & departmental) machines Physical access control to servers and network equipments Specific technical considerations- to help people follow process System configured password configuration requirements (password length, complexity & expiry) Restricted access to RMS by pre-configured IP address Input validation Tech. 32

PDCA Act Security improvement plan Review and update of ISMS components, such as policy and procedures. Plan Business objective & requirements System/ user requirements Asset identification Risk assessment Control design and implementation Process documentation/ policies Check Review of effectiveness of existing and new controls Self internal compliance audits Review of risk assessment Do Implementing new controls and processes in phases Conduct user awareness training 33

PDCA Act Security improvement plan Review and update of ISMS components, such as policy and procedures. Check Review of effectiveness of existing and new controls Self internal compliance audits Review of risk assessment Plan Business objective & requirements System/ user requirements Asset identification CHECK & ACT Risk assessment Control design and implementation On-going Process documentation/ policies Review and Do Update Implementing new controls and processes in phases Conduct user awareness training 34

Conclusion The information security frameworks facilitate the management process in considering the handling of data and implementation of system/ process. Identifying asset Determining security requirement Risk assessment Control evaluation Control implementation Process monitoring and update Availability Confidentiality Act Check Integrity Process Plan Do People Technology Identify Information Assets Risk Assessment Security Control Security Awareness 35

Conclusion Suggested Controls: Detective Corrective Preventive Administrative Rotation of administrator duties Management review of access controls Review of IPS, firewall and web application logs Data reconciliation (between RMS, ERP and facility management systems Business continuity plan Disaster recovery plan Separation of duties Technical training for responsible IT personnel Communicated security policy User account administration Logical Network Intrusion Detection System especially for externally exposed hosts (external interface) System logs System integrity check Network Intrusion Prevention System Anti-virus software Granular access control to personal data and research information Data encryption for external interfaces Web-based authentication Anti-virus software Physical Data Centre/ Research Office Camera & alarms Security guards Regular asset count Emergency power supply Physical access control (e.g. swipe cards, biometric locks) to computer facilities Environment controls Regular offsite backup of data 36

Q&A? 37

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information