
Executive Summary

Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Information Security Program (ISP) that is approved by the head of the institution.[1] Governance for all information security is the responsibility of the Information Security Office (ISO). This document provides a broad overview of the FY2009/2010 information security program for your review and approval per the referenced statute. The IT security program plans for FY2009/2010 outlined below provide for the continuation of a mature, successful security program for the University of Texas at El Paso (UTEP).

Program Highlights for FY2009/2010

- Web Applications Vulnerability Scanning
- Configuration Management
- Laptop Encryption
- Data Leak Prevention
- Risk Assessments for UTEP Departments

Mission Statement

The mission of the Information Security Office (ISO) is to protect information acquired and found throughout the university by conducting risk assessments on all sensitive information, promoting security-related training and awareness programs, monitoring university systems, and auditing and compliance in support of the university's missions and goals.

Authority

State Law: TAC 202.70 requires that each institution of higher education have an information security program: "(2) All institutions of higher education are required to have an information resources security program consistent with these standards, and the institution of higher education head is responsible for the protection of information resources."

University Policy: UTS 165 Bulletin #2 - Baseline Standard for Information Security Programs. Bulletin Purpose: Each Entity of the University of Texas System is charged with establishing and maintaining a standards and risk based Information Security Program (Security Program) that:

- secures the information assets under its stewardship against unauthorized use, disclosure, modification, damage or loss to reduce risk to acceptable levels;
- is documented and verifiable; and
- meets regulatory compliance requirements applicable to the Entity.

[1] Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter B, Rule 202.71 (d)(2): "The information security officer shall document and maintain an up-to-date information security program. The information security program must be approved by the state agency head or his or her designated representative(s)."

Program Scope

The program scope includes the identification of technologies utilized to minimize risk, establishment of training programs to ensure the protection and integrity of sensitive information, and establishment of procedures for enforcement by the institution. Please note that this program includes sensitive information that is entrusted to it, transmitted, processed, acquired, stored, transferred, and/or maintained by the University of Texas at El Paso. This program also applies to all individuals granted access privileges to any University Information Resources regardless of form, format, and/or affiliation.

Major Accomplishments of the Previous Fiscal Year

- PCI environment created
- Systems Administrator training to meet guidelines
- Technical training for support staff for Laptop Encryption
- Compliance training for all Faculty and Staff
- Launched the Information Security Awareness web site
- A Mock Pandemic Flu test was conducted in IT as part of the Disaster Recovery Plan
- Inventory of Confidential Information on business and mission critical systems
- Completed Risk Assessments for all servers located in the Information Technology datacenter

Action Plan

The Action Plan identifies the strategies that the ISO will pursue to address the prioritized program elements and the high risks that were identified during the risk assessment process. These are the general plans for mitigating risks.

Action Plan (table columns in the source: Strategy #, Strategy, Addresses this Risk, Source, Responsible Party(s))

A-1 Laptop Encryption: Portability of laptops poses a risk to confidential information stored on them. Reduction of this risk can be achieved by encrypting all laptops at UTEP. Source: UT System Security Bulletin #1.

A-2 Quarterly Meetings with UTEP System Administrators: System Administrators are the first line of defense in the protection of UTEP's information resources. Through sharing of information and providing targeted training, we can maintain information security at UTEP. Source: Decentralized Server Audit Finding.

A-3 Scanning of UTEP Servers to Inventory Sensitive Information: Effective protection and assignment of resources can only be accomplished by identifying those systems containing sensitive information. Source: Decentralized Server Audit Finding.

A-4 Risk Assessment of UTEP Servers: Servers located throughout this campus play a valuable role in meeting the university's mission. As such, they must be assessed in order to identify threats and help allocate resources to protect these systems accordingly. Source: Decentralized Server Audit Finding.

Responsible party listed for the A-2 to A-4 rows: UTEP System Administrators.

A-5 Configuration Management: Implementing Configuration Management will significantly increase the ability to audit all workstations on campus for compliance with various policies and regulations.

A-6 Identification of Confidential Information at rest and in motion (also referred to as Data Leak Prevention): In order to prevent confidential information from being exposed, several programs will be designed and implemented to monitor network traffic. Additionally, data monitoring on university systems will be cataloged to assist in identification of confidential information at rest.

A-7 Services Inventory: Regular monitoring of computer system services will be performed to prevent malicious software from adding unauthorized services. This inventory service works by comparing authorized and newly introduced services, and then notifying the appropriate personnel.

A-8 Network Statistics: Proactively monitor network usage of all systems to identify individual systems that may be compromised or illegally downloading/sharing copyrighted material.

A-9 2-Factor Authentication: Implementation of an additional security measure to strengthen the security posture of all UTEP credit card processing systems.

Sources listed for the A-5 to A-9 rows: Security Program Elements, FERPA, HEOA.

A-10 Web Application Security: As more applications are released on the web, it is imperative that all security risks and vulnerabilities are identified and mitigated. To assist with this, the ISO provides web application scanning and review services, also known as penetration testing, to identify sensitive information and ensure that any vulnerability identified is corrected.

A-11 Update Security: In an effort to minimize risk, the latest security practices will be incorporated into existing security policies. This will ensure UTEP's continued efforts to either meet or exceed adherence to requirements and regulations.

A-12 SSN Form Approval: Ensure that proper notification of any individual requested to disclose their SSN is available on all university-generated forms. An approval process will be put in place to require that all forms requesting this information are submitted to and approved by the ISO.

A-13 Time Synchronization: To improve correlation of system log data, it is imperative that all systems synchronize to the same clock. This will allow for greater accuracy in generating historical timelines during investigations.

Sources listed for the A-10 to A-13 rows: Security Program Elements, Audit Finding.
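The following is an added example, not part of the UTEP program document, that makes the point of A-13 concrete: when one host's clock is off, a timeline assembled from raw log timestamps puts effects before causes, and a measured per-host offset restores the real order. The host names, log lines and offset values are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed log records from two hosts: (host, local timestamp as logged, message).
# Assumption for this example: NTP monitoring has measured db01's clock as running
# 90 seconds behind the reference clock, while web01 is in sync. All hosts log in
# the same time zone, so naive datetimes are sufficient here.
RAW_EVENTS = [
    ("web01", "2009-09-01T10:00:05", "GET /grades?id=1042 from 203.0.113.7"),
    ("db01",  "2009-09-01T09:58:36", "SELECT * FROM grades WHERE student_id=1042"),
    ("web01", "2009-09-01T10:00:04", "session created for user jdoe"),
]

# Measured offset per host = host clock - reference clock (hypothetical values).
CLOCK_OFFSETS = {"web01": timedelta(0), "db01": timedelta(seconds=-90)}


def parse_local(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def naive_timeline(events):
    """Order events by the timestamps as logged, trusting every host's clock.

    With db01 running slow, the database query appears to happen before the web
    request that caused it, which is impossible and misleads an investigation.
    """
    ordered = sorted(events, key=lambda e: parse_local(e[1]))
    return [(host, msg) for host, _, msg in ordered]


def corrected_timeline(events, offsets):
    """Subtract each host's measured offset before ordering.

    A host with no measured offset is refused rather than silently trusted, since
    an uncorrected clock is exactly what produces a wrong timeline.
    """
    corrected = []
    for host, ts, msg in events:
        if host not in offsets:
            raise ValueError(f"no measured clock offset for {host}")
        corrected.append((parse_local(ts) - offsets[host], host, msg))
    corrected.sort(key=lambda e: e[0])
    return [(t.isoformat(), host, msg) for t, host, msg in corrected]


def max_skew_seconds(offsets) -> float:
    """Largest absolute offset across hosts; a value above the tolerance the
    investigation needs (a few seconds, typically) means the clocks are not yet
    synchronized well enough to correlate logs."""
    return max((abs(o.total_seconds()) for o in offsets.values()), default=0.0)


if __name__ == "__main__":
    print("as logged:", naive_timeline(RAW_EVENTS))
    print("corrected:", corrected_timeline(RAW_EVENTS, CLOCK_OFFSETS))
    print("max skew (s):", max_skew_seconds(CLOCK_OFFSETS))
```

The corrected timeline is only as good as the offset measurement; in practice the fix the plan calls for is to make every system synchronize to the same reference so that the offsets are near zero and no post-hoc correction is needed.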

Training Plan

This section identifies the Training Strategies (including topics, audiences, and delivery methods) to be used during the year to mitigate risk.

Training Plan (table columns in the source: Strategy #, Training or Strategy, Target Audience, Source, Responsible Party(s))

T-1 Handling of sensitive information: Give guidance on how to properly protect sensitive information. Target audience: Faculty, Staff, and Student Employees.

T-2 Compliance Training: Yearly training on security areas that all faculty and staff must adhere to. Target audience: Faculty, Staff, and Student Employees.

T-3 PCI Training: Establish training for all users that handle and process credit card information. Target audience: Faculty, Staff, and Student Employees.

T-4 SANS training push for all ISAs. Target audience: System Administrators.

T-5 New Employee Orientation: Provide guidance on UTEP's information security policies and protecting confidential information. Target audience: Faculty and Staff.

T-6 Student Orientation: Introduction to safe computing practices; overview of UTEP's information security policies. Target audience: Students.

T-7 Acceptable Use Policy: An effort to notify all users regarding authorized/unauthorized use of information resources. Target audience: Faculty, Staff, Students, Third-Party Vendors/Consultants, etc.

T-8 Security Bulletins to Community: Provide timely notification of potential security risks or threats facing the community. Target audience: Faculty, Staff, and Students.

T-9 Data Leak Prevention: Training to provide security practices to mitigate or prevent data exposure during normal work activities. Target audience: Faculty, Staff, and Students.

Responsible party listed for the training strategies: Security.

Monitoring Plan

The Monitoring Plan identifies all the Monitoring Strategies the institution plans to use in the coming year to identify security vulnerabilities or actual security incidents so that corrective actions are possible. Results will be reported in the quarterly reports to UT System.

Monitoring Plan (table columns in the source: Strategy #, Monitoring Strategy, Addresses this Risk, Source, Responsible Party(s))

M-1 Monitoring daily transmissions of sensitive information leaving UTEP's network unencrypted: Prevent the disclosure of sensitive information to external parties. Source: FERPA.

M-2 Daily review of system logs where credit card information is processed: Detection of threats to credit card processing systems.

M-3 Security scanning of all UTEP web applications that accept credit card information: Detection of security vulnerabilities in applications developed to accept credit cards.

M-4 Daily monitoring of the intrusion detection system: Detection of network security threats against critical systems located in the Information Technology Datacenter. Source: FERPA.

M-5 Monthly monitoring of access to central database systems: Review of access controls of the central databases. Prevents unauthorized users from accessing sensitive information.

M-6 Monitoring of open shares on network: Detection of computer systems on UTEP's network that may inadvertently share sensitive information without access controls in place.

M-7 Review of central datacenter's physical security controls: Review physical security access controls to the IT Datacenter and assure that unauthorized personnel cannot enter without detection.

M-8 Vulnerability scanning of critical servers: Timely detection of vulnerabilities on our servers to prevent external threats from accessing or interrupting services.

Source listed for the M-6 to M-8 rows: Decentralized Server Audit Finding.

M-9 Monitoring of permissions on open shares within the IT datacenter: Validation of access control permissions on server shares is paramount to preventing unauthorized access to confidential information.

M-10 Review of quarantined email messages for false positives: Allows for fine-tuning of the email filtering system to minimize the amount of legitimate email blocked by our spam filtering solution.

Source listed for the M-9 to M-10 rows: FERPA.

M-11 Monitor and respond to notification of virus and confidential information exposure: Timely remediation of potential data exposure to outside entities as well as altering business practices to further minimize threats or exposure.

M-12 Respond to Copyright Infringement Complaints: Prevent the use of state resources to download, share, or redistribute copyrighted material that is not owned by the party involved. Source: HEOA.

M-13 Confidential Information Inventory: Generate an accurate catalog of confidential information stored on university-owned resources so that better access control measures may be placed on those systems.

M-14 Account Disabling: Prevents users no longer affiliated with the university from accessing systems they were previously authorized to use.

M-15 Intrusion Prevention System (IPS) Monitoring: Timely notification of threats to the PCI environment so that remediation steps can be taken.

M-16 Mission Critical Systems: Discover vulnerabilities on university mission-critical systems so that remediation can be accomplished before the vulnerability can be exploited.

M-17 Operating System Patches and Updates: Ensure that operating systems within the Miners domain receive critical patches, thereby reducing the risk of compromise.

M-18 Information Security Administrator (ISA) Training: Ensure UTEP's systems administrators are receiving appropriate training in the area of information security.

M-19 Change Management: Validate that all business and mission critical systems follow a change management process, thus reducing the risk of unauthorized system changes.

M-20 Incident Resolution: Follow up on incidents to ensure any security requirements have been implemented.

Program Exceptions

The Chief Information Security Officer has not granted any security element exceptions to UTEP departments.
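As an added example, not code from the UTEP program, the following shows the kind of content check that the Data Leak Prevention work in A-6, the unencrypted-transmission monitoring in M-1, and the confidential-information inventory in M-13 all depend on: finding candidate payment card numbers and Social Security Numbers in text. Card candidates are confirmed with the Luhn check so that order numbers and phone numbers do not raise alerts, SSN candidates are filtered against ranges the SSA never issues, and findings are reported masked so the report does not itself become a leak. The regular expressions are this example's own, and the sample messages are constructed.

```python
import re

# Candidate primary account number (PAN): 13 to 19 digits, optionally separated by
# single spaces or dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security Number written as AAA-GG-SSSS.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Constructed sample of outbound message bodies, keyed by a message id.
SAMPLE_MESSAGES = {
    "order-confirm": "Thanks for your order. Card 4111 1111 1111 1111 was charged "
                     "$42.00 (order 1234567890123).",
    "hr-memo": "Employee SSN 123-45-6789 added; the placeholder 666-12-3456 is a "
               "template value.",
    "newsletter": "Call 915-555-0100 or visit room 1234 before 2009-09-01.",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject combinations the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding can be reported without
    copying the sensitive value into another log."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list:
    """Return findings as (type, masked value, offset in text), ordered by offset."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("PAN", mask(digits), m.start()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("SSN", mask("".join(m.groups())), m.start()))
    return sorted(findings, key=lambda f: f[2])


def scan_messages(messages: dict) -> dict:
    """Scan every message; only messages with at least one finding appear in the result,
    which is what a reviewer would want to be notified about."""
    report = {}
    for msg_id, body in messages.items():
        found = scan_text(body)
        if found:
            report[msg_id] = found
    return report


if __name__ == "__main__":
    for msg_id, found in scan_messages(SAMPLE_MESSAGES).items():
        for kind, value, offset in found:
            print(f"{msg_id}: {kind} {value} at offset {offset}")
```

The same scan_text function can be run over files on a server to build the at-rest inventory that M-13 describes, or over captured clear-text payloads for the in-motion monitoring in M-1; in both cases the checksum and range filters are what keep the false-positive rate low enough for the results to be acted on.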