Centralizing IT Risk Assessment and Measuring Security Policy Compliance
Kent Knudsen and Jeff McCabe, Texas A&M University
EDUCAUSE 2004, Denver, CO, October 20
Copyright 2004 Kent Knudsen. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Challenges of Decentralized Security
• Some departments have full-time, trained IT staff, while other departments rely on student workers (or worse, have no IT staff)
• Diversity of operating systems (Apple/Mac, Linux, MVS, Novell, Unix, Windows, etc.); it is difficult to be an expert on more than one platform
• Libraries must provide access to information resources to both the University populace and the community at large
• Research computers are funded by grants that have little or no provision for security measures
• A forum is needed to allow IT staff to share best practices and tips on securing the various platforms
Which Security Standard? U.S. Standards
If your organization needs a benchmark based on industry best practices, there are several sources available:
State and Local Standards
Obviously, compliance with your state and local security standards should be measured. However, if your state and local standards are incomplete or lacking, there are other standards to consider.
NIST Computer Security Resource Center (csrc.nist.gov)
The NIST CSRC provides several publications (FIPS PUBS) and other documents that can serve as standards.
Which Security Standard? U.S. Standards, Additional Sources
Office of Management and Budget (OMB) (www.whitehouse.gov/omb/circulars)
Provides Circular A-130, pertaining to the information security of federal systems.
DITSCAP: DoD IT Security Certification and Accreditation Process (www.dtic.mil)
The Department of Defense provides the DITSCAP process, which includes standards and can serve as a resource for additional security measures.
Which Security Standard? International Standards
The ISO 17799 Standard (www.iso17799-web.com)
ISO 17799 is a set of security standards based on BS 7799 from the British Standards Institution. It was adopted and approved by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) through their Joint Technical Committee (JTC 1), and is available for a fee.
The Common Criteria (www.commoncriteria.org)
The Common Criteria project was started in 1993 in order to bring together various standards (TCSEC, ITSEC, etc.) into a single international standard for IT security evaluation.
Build an InfoSec Community
• Create an affiliation of campus IT personnel
• Create a monthly meeting to discuss information security issues (online for multi-campus participation)
• Provide a discussion list for sharing information between meetings, and for discussing issues in a timely manner
Towards Institutional Assessment and Compliance
The time expended by IT personnel should be a consideration and kept to an effective minimum.
In considering the various assessment methodologies and approaches, you want to avoid the situation where progress is dependent on numerous individuals and their schedules (avoid the "death by committee" scenario).
Security Best Practices . . . What We Know
The approach of beginning each risk assessment from scratch with a group of people was not practical for our diverse environment, so we reviewed a multitude of assessment methodologies to produce a "best of breed" product.
Also, a large number of threats are already known, and security standards have been established, therefore we chose to design a tool that establishes a good security baseline.
Centralized Information Security Program
IT Risk Assessment and Security Policy Compliance Measurement:
• Automated Risk Assessment (standardized)
• Security Awareness Training (including validation)
• Business Continuity / Disaster Recovery Planning Guide
• Security Incident Reporting System (web)
• Physical Security Check List
• Security Forms and Templates
What is ISAAC?
A non-invasive, platform-independent system to inform and assist departmental IT personnel with their InfoSec program:
• Consistent, repeatable baseline assessment
• Covers both operational and technical requirements
• Most admins can complete an assessment in under 2 hours
• Results are combined into an overall assessment
• Risk report has a consistent format to assist our
The Risk Assessment data is used to produce a composite report for the entire university, including the overall percentage of compliance for each policy item on a university-wide basis.
What is ISAAC? (continued)
The Security Awareness Training data can be analyzed to determine the effectiveness of the training program, and is used to record quiz scores for generating completion “certificates”
The Business Continuity / Disaster Recovery Module contains a full-blown guideline for those departments maintaining server/client systems, and a simpler, basic plan for the desktop (peer-to-peer) environment
The State of Texas requires that once a month, a summary report be filed detailing the month’s security incidents
What is ISAAC? (continued)
Security Incident Reporting System:
A web-based form for reporting various kinds of security incidents, such as: malicious code attacks, unauthorized access and use, disruption or denial of service, hoaxes, etc.
The SIRS database can be analyzed for trends and to measure effectiveness of various countermeasures
What is ISAAC? Physical Security Module
This module contains a checklist which can be printed and used as a guide for making a visual inspection of the facilities. Two examples:
Entrances to areas of the highest sensitivity or criticality should be monitored using closed circuit television or automated systems or should be protected by guards.
Visitors should be escorted to and from their destination by a facility employee.
What is ISAAC? Security Forms and Templates Module
This module contains several items. For example:
• Promotes participation in the monthly Information Security Forum meetings and email discussion list
• Non-Disclosure Agreement template
• Computing Ethics / Acceptable Use template for staff
• Sample Security Manual
• Incident Handling Guide
• Recommended security-related email lists
ISAAC Because . . . Assessment Flexibility
An annual process that yields an institution-wide assessment as well as individual assessments that each department can use to evaluate their risks and make risk management decisions.
Three risk assessment types:
• "Departmental" (for servers and clients)
• "Desktop" (for peer-to-peer setup)
• "Good Net Neighbor" (for public access or lab
ISAAC Because . . . Department Flexibility
The assessment report includes a "corrective action" plan that gives the departmental IT staff an opportunity to recommend solutions to management for their consideration.
Management has the flexibility to make risk management decisions for implementing the recommendations based on cost-benefit analysis
ISAAC Benefits . . . Easy to Implement
The Departmental IT Staff (System Admins) already feel harried and were not sitting idle looking for something to do – SO, in consideration of their time, an effective and efficient assessment was key to implementation
We also wanted this new initiative to be palatable, and able to garner “buy in” from the departmental managers
We held informational forums, and offered an on-site assistance option via online calendar. (However, ISAAC was so well received, not much assistance was requested)
All this and more was done to ease the burden, facilitate departmental use, and to smooth implementation
ISAAC Results
Individual Risk Reports for departments and a University-wide composite view of risks and security countermeasures.
Ability to track compliance with info security standards:
• 55 policy items (49 improved compliance over last year)
• Overall compliance improved to 85%
• Number of systems achieving 100% compliance increased to 24%
The Overall Risk Rating improved from the previous year with 90% of the systems earning an “acceptable” rating.
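The composite figures above (per-item compliance across the university, overall compliance, the share of systems at 100%, the count of items that improved over last year, and a per-department corrective-action list) follow mechanically from a set of per-system yes/no checklists. The block below is an added example, not ISAAC's own code, showing how such a composite report is rolled up. The policy items, system names and results are constructed sample data, and the 80% cut-off used for an "acceptable" risk rating is an assumption; the slides do not state how ISAAC scores that rating.

```python
"""Roll per-system policy checklists up into a university-wide composite report.

Added example (not ISAAC code). Each assessment is a mapping
policy item -> True/False recorded by departmental IT staff.
"""

# Assumed cut-off for an "acceptable" risk rating (not taken from the slides).
ACCEPTABLE_THRESHOLD = 0.80

# Constructed sample data: three policy items, four systems, two assessment years.
PREVIOUS_YEAR = {
    "lib-web01": {"patching": True, "backups": False, "antivirus": True},
    "chem-fs":   {"patching": False, "backups": False, "antivirus": True},
    "hist-desk": {"patching": True, "backups": True, "antivirus": False},
    "eng-lab":   {"patching": False, "backups": True, "antivirus": True},
}
CURRENT_YEAR = {
    "lib-web01": {"patching": True, "backups": True, "antivirus": True},
    "chem-fs":   {"patching": True, "backups": False, "antivirus": True},
    "hist-desk": {"patching": True, "backups": True, "antivirus": True},
    "eng-lab":   {"patching": False, "backups": True, "antivirus": True},
}


def per_item_compliance(assessments):
    """Fraction of systems compliant with each policy item (university-wide view)."""
    items = sorted({item for checks in assessments.values() for item in checks})
    n = len(assessments)
    return {item: sum(1 for c in assessments.values() if c.get(item, False)) / n
            for item in items}


def system_compliance(checks):
    """Fraction of policy items one system meets (departmental view)."""
    return sum(1 for ok in checks.values() if ok) / len(checks)


def overall_compliance(assessments):
    """Share of all (system, item) checks that are compliant."""
    total = sum(len(c) for c in assessments.values())
    met = sum(sum(1 for ok in c.values() if ok) for c in assessments.values())
    return met / total


def fully_compliant_share(assessments):
    """Share of systems meeting every policy item (the "100% compliance" figure)."""
    return sum(1 for c in assessments.values() if all(c.values())) / len(assessments)


def acceptable_share(assessments, threshold=ACCEPTABLE_THRESHOLD):
    """Share of systems whose own compliance reaches the assumed threshold."""
    return sum(1 for c in assessments.values()
               if system_compliance(c) >= threshold) / len(assessments)


def items_improved(previous, current):
    """Policy items whose university-wide compliance rose since the previous year."""
    prev, curr = per_item_compliance(previous), per_item_compliance(current)
    return sorted(item for item in curr if curr[item] > prev.get(item, 0.0))


def corrective_actions(assessments):
    """Per-system list of unmet items, the raw material for a corrective-action plan."""
    return {name: sorted(item for item, ok in checks.items() if not ok)
            for name, checks in assessments.items() if not all(checks.values())}


def composite_report(previous, current):
    """Assemble the figures a university-wide composite report would carry."""
    return {
        "per_item": per_item_compliance(current),
        "overall": overall_compliance(current),
        "fully_compliant_share": fully_compliant_share(current),
        "acceptable_share": acceptable_share(current),
        "items_improved": items_improved(previous, current),
        "corrective_actions": corrective_actions(current),
    }


if __name__ == "__main__":
    report = composite_report(PREVIOUS_YEAR, CURRENT_YEAR)
    for item, frac in report["per_item"].items():
        print(f"{item:12s} {frac:6.1%}")
    print(f"overall compliance      {report['overall']:6.1%}")
    print(f"systems at 100%         {report['fully_compliant_share']:6.1%}")
    print(f"systems rated acceptable{report['acceptable_share']:7.1%}")
    print("items improved:", ", ".join(report["items_improved"]))
    for system, missing in report["corrective_actions"].items():
        print(f"{system}: address {', '.join(missing)}")
```

Note that the overall figure weights every (system, item) pair equally, so a department with many systems dominates it; the per-item table is what lets the central office see which policy items lag university-wide, and the per-system corrective-action list is what each department acts on.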