OFFICE of the CHIEF INFORMATION SECURITY OFFICER. 2011 Information Security and Privacy Annual Report




From the UW Chief Information Security Officer

The UW Office of the Chief Information Security Officer promotes a culture of information security and privacy. Services are designed to help UW units understand risks by analyzing and forecasting threats to information security, researching applicable information security and privacy laws, providing education on safeguarding institutional information, consulting on incident management, and managing policies and strategic solutions for UW's institutional information. More info: ciso.uw.edu

The Information Age is in full bloom at the University of Washington. The University's ability to succeed in its critical mission is dependent on dynamic and powerful information and communication technologies. Unprecedented access to an enormous and ever-growing volume of information, and the ability to create, process, analyze and use it conveniently, is now essential. However, these benefits come with unique security and privacy challenges. The goal of the Office of the Chief Information Security Officer (CISO) is to help the University community understand and manage those challenges. This goal allows the Office of the CISO team members to meet and collaborate with talented and dedicated colleagues across the entire University, and we view this as a privilege. It's a front-row seat on the inner workings of an incredible world of education, research, culture, and community events.
Credits
UW Office of the CISO
WRITING: Kirk Bailey, Suzanne Blais, Bryan Egan, Zephyr McLaughlin, Ann Nagel, Daniel Schwalbe, Leif Tishendorf, Braden Vinroe
CREATIVE DIRECTION AND EDITING: Melissa Albin-Wurzer
PHOTOGRAPHY: Melissa Albin-Wurzer, Zephyr McLaughlin, Braden Vinroe
UW Creative Communications
DESIGN: Karin Mellskog

Table of Contents
Risk Management ... 1
Information Security and Privacy Landscape ... 1
2011 Accomplishments ... 2
Consulting ... 3
Threat Report ... 4
Visualizing Information Security and Privacy ... 6
Information Assurance Atlas ... 6
Privacy Program Updates ... 7
Data Security Agreement ... 7
Cloud Services Initiative ... 7
Incident Management Update ... 8
10 Things to Do to Secure Data And 5 Do Nots ... 8
2012 Goals ... 9

Risk Management

The Office of the CISO takes a multi-faceted approach to addressing the UW's information security and privacy. We believe this approach supports the efforts to secure and protect UW data. On a semi-annual basis, representatives from the Office of the CISO, Office of Research, UW Medicine, and Office of Planning and Budgeting assess information security and privacy risk for all of the UW; this includes scoring 63 objectives and 49 threats. Direction and reviews for this risk assessment are provided by the Privacy Assurance and Systems Security Council, chaired by the UW CISO. Results are used to inform the UW's information security and privacy initiatives and services.

[Figure: Sample Risk Report. Charts of Capability Level, Risk Score, and Threat Index Score (scale 0.00 to 5.00) and of Overall Risk (High, Medium, Low) for each assessment domain (ORG, POL, AUD, RISK, PRI, IM, EDU, IMON, OPS, TECH, PHY ASSET, ACCT), with Spring, Fall, and Biennium Goal series. Risk assessment based on 63 objectives and 49 threats.]

Information Security and Privacy Landscape

Developing and implementing a successful plan to address security and privacy challenges, assess risks, and protect UW information involves contending with the diverse elements of a changing landscape, including:
- Rollout of innovative technology across the UW with less time and resources to understand and address institutional risk.
- Reliance on Web-based technology, such as mobile technology, that is increasingly challenging to identify and secure.
- Increasing threats that target UW confidential information and intellectual property.
- Inconclusive forensic evidence for new technology solutions, which may result in the need for the UW to issue data breach notifications. This may cause unnecessary financial harm to the individuals the UW serves and unnecessary financial, operational, compliance, and reputational harm to the UW.
- Resource constraints that make UW institutional information, information systems, computerized devices and technology infrastructure more vulnerable.

2011 INFORMATION SECURITY AND PRIVACY ANNUAL REPORT UW OFFICE OF THE CISO 1

Security by the Numbers
In 2011, on average:
- 7,000 emails per month received by security@uw.edu / abuse@uw.edu
- 200 trouble tickets per month handled by Information Security Engineers
- 50,000 intrusion attempts per day blocked by the intrusion prevention service

2011 Seminars
The Office of the CISO staff led Information Assurance Seminars and information sessions on the following topics:
- Children, Information, and the UW
- Personally Identifiable Information (PII) and Social Media
- PII and the Underground Economy
- Best Practices for Securing UW Confidential Information
- Information Security Threat Landscape
- Information Security and Privacy Risk Management
- Privacy and Incident Management Policies

2011 Accomplishments

Risk Management and Intelligence
- Published operational activity and trend reports.
- Initiated development of risk assessment tools to help departments and business units assess risks and make calculated decisions about information security and privacy.
- Developed initial concept for the Information Assurance Atlas.

Policy
- Finalized policies for information security and privacy roles and responsibilities, incident management, and privacy.
- Published UW standard Online Privacy Statement and Web Site Terms and Conditions of Use.

Audit & Compliance
- Strengthened UW's due care position by creating an authoritative list of information security and privacy laws applicable to UW.
- Established ongoing collaboration meetings with UW Internal Audit, UW Medicine IT Services, UW Medicine Compliance, and School of Medicine.

Privacy
- Developed a foundation for a comprehensive privacy program that respects personally identifiable information and helps UW address privacy obligations and risks.

Operational Management
- Enhanced security services and vulnerability assessment consulting services for departments and business units.
- Upgraded intrusion prevention systems to expand capabilities and performance.

Organization & Authority
- Expanded the Privacy Assurance and Systems Security (PASS) Council membership to include additional representation from the School of Medicine and the Office of Research.
- In addition to the CISO chairing the PASS Council, members of the Office of the CISO participated in the following committees and councils: Data Management Committee; Information Technology Risk Council; Cloud Computing Compliance Committee; UW Medicine Security Program Executive Committee; UW Computing Directors; Digital Millennium Copyright Act Committee; Husky Card Advisory Committee; Emergency Management Planning Committee; Compliance Operations and Financial Council Steering Committee; UW Healthcare Component Compliance Group; Patient Privacy Advisory Committee.

Education
- Expanded the CISO website to include risk advisories and best practices for phishing, multifunction devices, and social media.
- Began publishing quarterly newsletters.
- Supported curriculum development or guest lectures for the Information School, Mathematics, and UW Bothell.
- Reviewed research proposals for Applied Physics Laboratory and the Information School.
- Supported rollout review for the Center for Commercialization's security industry-related product.
- Provided information security and privacy seminars for the UW community.

Consulting

In 2011, we collaborated on specific topics, provided in-depth vulnerability assessments for departments and units, or supported projects in the following areas. (The original table marks each unit's engagement as Security, Privacy, or Outreach; those marks are not preserved here.)

Business units, departments, colleges, and schools:
- Applied Physics Lab
- Arts & Sciences Dean's Office
- Attorney General's Office, UW Division
- Center for Commercialization (C4C)
- Computer Science & Engineering
- Educational Outreach
- Foster School of Business
- Information School
- Intercollegiate Athletics (ICA)
- Library Systems
- School of Law
- School of Medicine
- School of Nursing
- The Graduate School
- The UW President's Office
- UW Bothell IT
- UW Tacoma IT

External Affairs: Government Relations; Media Relations and Communications; Office of Public Records and Open Meetings; News and Information; UW Marketing

Finance & Facilities (F2): Financial Management; Records Management; Procurement Services; Student Fiscal Services; Internal Audit; Treasury; Investment Management; Risk Management; Facilities Services; Transportation Services; Campus Engineering and Operations; Emergency Management; Finance and Business Services

Human Resources: HR Campus Operations; HR Information Systems

Office of Planning and Budgeting: Strategic Capital Resource Planning; Information & Data Management

Office of Research: Office of Sponsored Programs; Office of Research Information Systems; Human Subjects Division

Student Life: Housing and Food Services; Office of the Registrar; Campus Life; Student Financial Aid & Scholarships; UW Police Department

Undergraduate Academic Affairs: Dream Project; First Year Programs

University Advancement: Advancement Services; Alumni Relations

UW Information Technology: Information Management; Networks, Data Centers & Telecommunications; Technology Management

UW Medicine: Compliance; ITS Security

Affiliate Institutions: Seattle Children's; Fred Hutchinson Cancer Research Center; Northwest Hospital

Threat Report: 99% of What Happens Is Not in the News

News stories in 2011 were replete with phishing scams, point-of-sale system hacks, and website compromises that released the information of thousands, even hundreds of thousands, of users: email addresses, passwords, credit card information, and other personal details. While it is important to be aware of the latest threats facing the UW in the ever-growing online world, it should not be forgotten that old players don't always leave the field.

In 2011, approximately 14 million events were stopped at the network border by the UW TippingPoint Intrusion Prevention System (IPS). Over 10 million of those blocks were for the single signature MS-RPC: Microsoft Server Service Buffer Overflow (see Table 1 below and Table 2 on the next page). This signature and the other RPC and SMB signatures in Table 1 are the traffic of long-running worms such as Sasser, released in 2004, Spybot, also released in 2004, and Conficker, released in late 2008. The Windows vulnerabilities these worms exploit were patched years ago (the Server Service hole Conficker uses was closed by MS08-067 in October 2008, before the worm appeared). These worms may no longer be in the news, but they are still very much alive, infecting unpatched systems, causing headaches around the world, and threatening the UW network.

News reports lead the public to believe that most attacks originate abroad, in places such as China, the Russian Federation, or Romania, but the source addresses of the traffic the IPS blocks tell a different story: more blocked events came from networks in the United States than from any other single country (see Table 3 on the next page). Note that this location is derived from the Autonomous System of the source address, so it places the host that sent the packet, usually an infected machine, rather than the author or operator of the malware. The importance of patching systems and updating antivirus software is not always taken seriously, and neither are other common security practices. Because the United States has one of the world's largest populations of personal computer users, it also has the potential to have one of the world's largest populations of infected and insecure computers. To help mitigate the risk of infected machines at UW, individuals should routinely check for and apply software patches and ensure that their antivirus is up to date.

Department IT staff play a vital role by routinely communicating about and assisting users with patches and updates, and the Office of the CISO strives to keep departments and users informed about the information security threat landscape. Safeguarding personal data, computers, systems, and UW institutional information means striking a balance between staying informed of new threats and remaining aware of threats that no longer make the news.

Table 1: A count of activities blocked by the UW TippingPoint Intrusion Prevention System (IPS) by type of activity.

Signature                                                  Blocks
MS-RPC: Microsoft Server Service Buffer Overflow       10,604,682
Invalid TCP Traffic: Possible Recon Scan (SYN FIN)        612,096
MS-RPC: LSASS Active Directory Interface Overflow         349,922
SMB: ASN.1 Bitstring Processing Heap Overflow             294,903
HTTP: PHP Code Injection                                  226,936
MS-RPC: DCOM ISystemActivator Overflow                    184,198
MS-SQL: Slammer-Sapphire Worm                             180,919
DNS: Version Request (UDP)                                163,060
Stacheldraht: Agent-to-Master Ping (General)              124,647
Invalid TCP Traffic: Possible nmap Scan (No Flags)        119,221

Table 2: A count of activities blocked by the IPS on various ports. The most common blocks are for Windows File Sharing (445) and HTTP (80).

Port (Description)                 Blocks
445 (SMB)                      11,163,834
80 (HTTP)                         771,429
61947 (Unknown*)                  279,748
41997 (Unknown*)                  249,262
1434 (Microsoft SQL)              181,199
135 (Remote Procedure Call)       180,914
443 (HTTPS)                       176,406
53 (DNS)                          163,907
139 (NetBIOS)                     136,278
23630 (Unknown*)                   75,595

* Blocks on unknown ports are likely related to botnets or peer-to-peer (P2P) activities.

Table 3: Number of activities blocked by UW's TippingPoint devices by geographical location, as determined by Autonomous System Number (ASN) of the source address.

Location               Blocks
United States       2,483,001
Russian Federation  1,500,344
Taiwan              1,143,323
Brazil              1,053,704
China                 471,587
South Korea           446,868
Romania               411,666
Japan                 395,765
Poland                382,825
Hungary               351,953
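Tables 1 to 3 are simple aggregations of IPS block records by signature, destination port, and source network. The following Python is an added example, not code from the UW Office of the CISO or from TippingPoint, showing how those three views are produced from an export and how the share of blocks attributable to long-patched exploits can be measured. The record layout, every record in SAMPLE_LOG, and the ASN_COUNTRY lookup are constructed for illustration, and the signature-to-bulletin mapping in LEGACY_PATCH is an assumption that follows the report's attribution of the Server Service filter to Conficker.

```python
"""Aggregate IPS block records into the three views used in Tables 1-3.

Added example, not code from the UW Office of the CISO or TippingPoint.
The record layout, every record in SAMPLE_LOG, and ASN_COUNTRY are
constructed for illustration; a real export has different fields and a
real ASN-to-country table comes from a GeoIP or routing-registry feed.
"""
from collections import Counter

# Constructed records: time action src_ip src_asn dst_port signature
SAMPLE_LOG = """\
2011-03-02T10:14:01Z BLOCK 198.51.100.7 AS64500 445 MS-RPC: Microsoft Server Service Buffer Overflow
2011-03-02T10:14:03Z BLOCK 203.0.113.9 AS64501 445 MS-RPC: Microsoft Server Service Buffer Overflow
2011-03-02T10:14:05Z BLOCK 198.51.100.7 AS64500 445 MS-RPC: LSASS Active Directory Interface Overflow
2011-03-02T10:14:09Z BLOCK 192.0.2.44 AS64502 1434 MS-SQL: Slammer-Sapphire Worm
2011-03-02T10:14:11Z BLOCK 192.0.2.44 AS64502 80 HTTP: PHP Code Injection
2011-03-02T10:14:12Z PERMIT 192.0.2.50 AS64502 80 HTTP: Normal request
2011-03-02T10:14:20Z BLOCK 203.0.113.9 AS64501 445 MS-RPC: Microsoft Server Service Buffer Overflow
"""

# Hypothetical ASN -> country table (private-use ASNs, made up for the sample).
ASN_COUNTRY = {
    "AS64500": "United States",
    "AS64501": "Russian Federation",
    "AS64502": "United States",
}

# Signature -> Microsoft bulletin that closed the hole. Assumed mapping; the
# Server Service entry follows the report's attribution of that filter to
# Conficker (MS08-067).
LEGACY_PATCH = {
    "MS-RPC: Microsoft Server Service Buffer Overflow": "MS08-067 (Oct 2008)",
    "MS-RPC: LSASS Active Directory Interface Overflow": "MS04-011 (Apr 2004)",
    "MS-RPC: DCOM ISystemActivator Overflow": "MS03-026 (Jul 2003)",
    "SMB: ASN.1 Bitstring Processing Heap Overflow": "MS04-007 (Feb 2004)",
    "MS-SQL: Slammer-Sapphire Worm": "MS02-039 (Jul 2002)",
}


def parse_blocks(log_text):
    """Yield (src_ip, asn, dst_port, signature) for BLOCK records only."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, action, src_ip, asn, port, signature = line.split(maxsplit=5)
        if action != "BLOCK":
            continue
        yield src_ip, asn, int(port), signature


def summarize(log_text):
    """Return the three Counters behind Tables 1-3 plus the legacy-exploit share."""
    by_signature, by_port, by_country = Counter(), Counter(), Counter()
    for _src, asn, port, sig in parse_blocks(log_text):
        by_signature[sig] += 1
        by_port[port] += 1
        # ASN geolocation places the sending host, usually an infected
        # machine, not whoever wrote or operates the malware.
        by_country[ASN_COUNTRY.get(asn, "Unknown")] += 1
    total = sum(by_signature.values())
    legacy = sum(n for sig, n in by_signature.items() if sig in LEGACY_PATCH)
    return {
        "by_signature": by_signature,
        "by_port": by_port,
        "by_country": by_country,
        "legacy_share": legacy / total if total else 0.0,
    }


def report(summary, top=10):
    """Render the three counts, highest first, flagging signatures whose
    vulnerability was patched long ago."""
    lines = []
    for title, counter in (("Signature", summary["by_signature"]),
                           ("Port", summary["by_port"]),
                           ("Country", summary["by_country"])):
        lines.append(f"== Blocks by {title} ==")
        for key, n in counter.most_common(top):
            patch = LEGACY_PATCH.get(key)
            note = f"  [patched: {patch}]" if patch else ""
            lines.append(f"{n:>12,}  {key}{note}")
    lines.append("Share of blocks from long-patched exploits: "
                 f"{summary['legacy_share']:.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Run it directly to print the three views for the sample. The country view is keyed on the Autonomous System of the source address, so, exactly as with Table 3, it locates the host that sent the packet and says nothing about where the malware was written; the legacy share is the figure to watch when arguing for patch discipline, since every block it counts is an attempt against a hole for which a fix has existed for years.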

Visualizing Information Security and Privacy

With competing priorities and resource constraints, how do we as the UW community identify and protect our most important assets? How do we show due care? What can we do to protect our information and systems in an effective and efficient manner? The UW Information Assurance Atlas Program will help address these and other challenging questions. By aggregating existing and new data sources, the Atlas will provide important views of assets, threats, and risks.

Information Assurance Atlas

An information assurance atlas program with tools and services designed to support transparency, facilitate collaboration, and inform decision making around data, security, privacy, and risk. In fall 2011, the Office of the CISO developed the initial Atlas concept. Program planning and development will begin in 2012. If you are interested in following the Atlas progress, please contact ciso@uw.edu.

[Figure: Atlas concept diagram. Outputs: Executive Summaries, CISO Analysis, Management Decisions, Department/Unit Overview, and Communication, Information, Sharing, and Education. Maps: Risk, Data Use, Resources, Policy and Best Practices. Sources: Existing Data Sources, Data Provided by the Office of the CISO, Data Provided by Department/Unit.]

Privacy Program Updates

The Privacy Program made notable advancements in 2011. The Office of the CISO published a list of the privacy and information security laws that impart a duty upon the University to protect information. Our website summarizes the laws by subject area (Financial, Health Care, Research, etc.) and identifies the UW Subject Matter Expert (SME) and resources. We hosted the First Annual SME Symposium in December, where the SMEs were able to share their experiences and learn of legislative and enforcement developments in each area. We will continue to monitor legislative developments, provide updates, and confer with SMEs as necessary.

2011 was a key year for federal legislative initiatives in the field of data privacy. As of this writing, several items of legislation are again circulating through Congress. The Obama Administration has devoted resources and made several statements regarding the importance placed on data privacy. A key battleground concerns the enforcement of eventual policies, and whether this will lie with the Federal Communications Commission or the Federal Trade Commission.

Data Security Agreement

Other privacy projects included the revision of the Data Security Agreement (DSA) used in contract negotiations, as well as the addition of several interpretive documents to aid campus in the understanding and use of the DSA. A workshop was held in June with campus leaders to explain the revised DSA and accompanying materials, as well as to support the use and understanding of those materials. Acceptance of the documents by our key collaborators on campus has been widespread. Increased use of the documents has been seen at earlier and more critical stages of procurement and contract negotiations, reducing the University's risk and preserving the integrity of confidential information.

Cloud Services Initiative

As part of the University's efforts to contract with cloud service providers, the Office of the CISO provided support by investigating and reviewing providers' security strategies and operational practices. This included assessing risks and understanding answers to key questions for each provider:
- Does the provider have strong security controls?
- Does the provider have a qualified and experienced security team?
- What are the provider's policies related to security and privacy concerns?
- Where will the University users' data reside and, if not inside the USA, what does that mean?
- If the service is compromised, what is the provider's capability for responding to and recovering from the incident?
- Can the University's security professionals have access to the provider's investigation reports?
- What priority will University users have in that recovery process?

Incident Management Update

Improvements to the incident response process at the University made great progress in 2011. Many of these improvements are due to the final approval of Administrative Policy Statement (APS) 2.5, Information Security and Privacy Incident Management Policy. This policy improves the incident response process in a number of key ways. Potential information security events are now investigated based on data type instead of physical location. This gives Subject Matter Experts direct oversight of incidents.

Per APS 2.5, the designated officials listed below are responsible for responding to and managing information security and privacy incidents at the University. As needed, those designated officials assemble an incident management team with the appropriate Subject Matter Experts; the team provides advice on how business processes, laws, compliance obligations, and risks may impact the University.

Designated Official: Type of Information; Organizational Area
- University Facility Security Officer, or his or her designee: national security information or national security systems; all areas of the University.
- Chief Privacy Officer for the non-UW Medicine components of the hybrid entity, or his or her designee: protected health information; non-UW Medicine healthcare components of the University.
- Chief Privacy Officer for UW Medicine, or his or her designee: protected health information; UW Medicine.
- University Chief Information Security Officer, or his or her designee: all information unrelated to national security information, national security systems, or protected health information; all areas of the University.

APS 2.5 also clearly states that University employees should report any potential incident, and it gives the investigative team the ability to garner resources to perform the investigations in a timely manner. In addition to the high-level policy approvals, the Office of the CISO continued developing internal procedures. The creation of an internal incident response plan has already led to faster response time and better cooperation with departments and business units when investigating potential incidents.

10 Things to Do to Secure Data
1. Do know your data: what you have, how much, and where.
2. Do think before sharing information on social networks.
3. Do audit data access permissions regularly.
4. Do use different passwords for different applications and systems.
5. Do update software regularly.
6. Do assess risks to your critical assets regularly.
7. Do assume that your data or systems could be compromised.
8. Do configure auditing, logging, and alerting on critical systems.
9. Do use the Data Security Agreement when sharing confidential data with vendors.
10. Do segment critical systems and sensitive data.

And 5 Do Nots
1. Do not open email attachments or click on links in unexpected or suspicious email.
2. Do not assume vendors are doing what you think they are doing.
3. Do not retain unnecessary stores of confidential data.
4. Do not assume that cloud solutions are secure and robust.
5. Do not keep records past their retention period.

2012 Goals

Risk Management and Intelligence
- Complete development of risk assessment tools to help departments and business units assess risks and make calculated decisions about information security and privacy.
- Plan and develop the first phase of the Information Assurance Atlas.
- Streamline threat analysis to provide timely information to departments and business units.

Policy
- Revise Administrative Policy Statement (APS) 2.1, Information Systems Security, and APS 2.10, Minimum Data Security Standards.
- Publish University-wide Social Media and Networking Guidelines.

Audit & Compliance
- Map the common requirements in the information security and privacy laws that are applicable to the University.

Privacy
- Develop guidance and tools to help departments implement key concepts in APS 2.2, University Privacy Policy.
- Establish institutional resources for department and business unit risk assessment and consulting.

Education
- Publish online information security and privacy training.
- Continue to provide quarterly information security and privacy seminars for the University community.

2012 Seminars
In 2012, the Office of the CISO will hold quarterly Information Assurance Seminars with a roundtable format. Each quarter there will be a topic relating to information security and privacy best practices and risk management strategies. We will also provide the latest updates on continuously evolving subjects, such as the threat landscape, privacy laws and regulations, and mobile device security. More info: ciso.washington.edu/events/

ciso.uw.edu