MISSION:The mission of the information security office is to assist in building a security aware university culture through education and technical assistance to all university stakeholders and to promote the safe and secure use of information technology resources.
GOAL – CYBER RESILIENT UNIVERSITY
SIG – Information Risk Management
ISO – Broad Operational Security
COBIT – Governance
STIX – Threat Intelligence
NIST – Topical Standards Guidance
WHAT WE DO:
• Assist in the development of processes, procedures, and policies for the protection of confidential information, the protection of individuals' privacy, and the protection of university information resources
• Assist in the identification and mitigation of information security risks
• Assist with defining security requirements
• Assist university units in achieving their compliance requirements based on applicable laws, regulations, and best practices
• Provide assistance to users and departments regarding information security issues and the resolution of information security issues
• Improve campus awareness of information security through communication, open dialogue, and training activities
EVOLUTION OF INFORMATION SECURITY
IT Security (1990 - 1998)
Information Security (1999 - 2004)
IT Risk Management (2005 - 2014)
Information Risk Management (2015 - ????)
EDUCATIONAL INSTITUTIONS ARE AMONG THE MOST VULNERABLE BECAUSE THEY HOLD TREASURE TROVES OF PERSONAL INFORMATION
- San Francisco Business Times -
FORCES ON INFORMATION SECURITY
[Diagram: Resilient Information Security Strategy at the center, shaped by internal and external forces]
• Business Strategy
• IT Organization, Systems & Infrastructure
• Organizational Culture
• Adversaries & Threats
• Government & Industry Regulations
• Social & Political Forces
Internal / External
AWARENESS
• USL Program – Reboot
• Awareness & Training
INFORMATION SECURITY RISK MANAGEMENT PROGRAM:
• Enterprise Risk Assessment
• Threat Assessment
• Unit Based Risk Assessment
• Individual Project/Proposal Risk Assessment
• Risk & Threat Mitigation Strategies
• Coordination with Internal Audit
• Policies
• Procedures
• Guidelines & Standards
MASTER DATA ACCESS PLAN:
Master Data Access Plan
CYBER EVENT RESPONSE:
IT Cyber Event Response Plan
The University IT Cyber Event Response Plan (i.e., IT-CERT Plan) includes the following tasks:
I. Detection – Identification and Reporting
II. Containment
III. Eradication
IV. Recovery
V. Follow-up
EVENT CLASSIFICATIONS:
• Event (or Cyber Event)
• Potential Event
• Non-Event
• Response Event
• Incident
• Potential Breach
• Breach
THE SECURITY JOURNEY
Ad Hoc
Business Aligned
Risk Based
Intelligence Driven
Threat Based
Compliance Based
Infrastructure Based
FINAL THOUGHTS
• Many exciting things are happening
• We are always here to help
• We can’t do this alone; Information Security requires everyone
Contact Information:
Kevin Crouse: (309) [email protected]
QUESTIONS?