Property of the University of Notre Dame

Building a Risk-Based
Information Security Program
Mike Chapple
University of Notre Dame

May 5, 2008
Obligatory Notice
Copyright Michael J. Chapple, 2008. This work is the
intellectual property of the author. Permission is
granted for this material to be shared for non-
commercial, educational purposes, provided that this
copyright statement appears on the reproduced
materials and notice is given that the copying is by
permission of the author. To disseminate otherwise
or to republish requires written permission from the
author.

Overview
Background
Campus IT Risk Assessment (CITRA)
Digesting the Results
Implementing the Security Program
Preliminary Results

Notre Dame
Private, coeducational Catholic research university located in Northern Indiana
Population of 10,000 students, 1,200 faculty and 5,300 staff
Defining characteristics:
Long tradition of undergraduate excellence
Dedicated to residential life (81% undergrads on campus)
Rapidly expanding research community and graduate programs; over the past decade:
35% increase in PhDs awarded
225% increase in sponsored research

IT at Notre Dame
OIT is a centralized IT organization
Supports enterprise systems
Provides end user support for about 1/3 of campus
Some colleges and business units have their own IT support groups
Varying levels of custom infrastructure
Several have their own networks
Up until 2006, Information Security was a combination of implementing internal controls and external consulting
One Day Everything Changed
Historical Context
Timeline: Information Security at Notre Dame, 2005-2006
2002: Information Security Office established
2003: Data Oversight Committee established; Data Center Firewall implemented; Data Access Policy approved
2005: Strong Password Initiative
Jul-05 to Jul-06 (monthly timeline, several items dated Jan-06 - Apr-06): Incident; CITRA; Incident Response; Initial PCI DSS Discussions; PCI DSS Assessment; CCSP Planning; Credit Card Network Inventory
CITRA Overview
At the request of University Leadership, we commissioned a campus-wide IT risk assessment
Partnered with Big Four consulting firm
Scope included all uses of sensitive University data, in any form
Tools used:
Network Scanning
Surveys and Interviews
Site visits
Assessment Process
Surveys
19 pages, 74 questions (mixture of multiple choice and open-ended)
Pilot deployment with our own OIT business office, followed by a select handful of friends
Full deployment included business managers from all academic and administrative units
Accompanied by cover letter from Executive Vice President and Provost
Achieved 100% response rate (after quite a few follow-up calls!)

Selected Questions
What type(s) of sensitive data does your department store/process?
What groups/roles have access to that data?
Where do you store that data (physical and/or electronic)?
Do you use encryption to protect stored information?
How do you transmit sensitive data? How do you receive it?
Do you use any web-based applications to collect data?
How long do you retain sensitive information? How do you dispose of it?
Do you share sensitive information with third parties?

Survey Results
Together with the consultants, we surveyed respondents from 53 campus departments on data handling practices.
Attribute                                                Percentage
Use Social Security Numbers                              88%
Share Passwords                                          81%
Store Sensitive Data Locally                             77%
Transmit Sensitive Data Externally Without Encryption    68%
Not Aware of Security Policies                           65%
Retain Sensitive Data Indefinitely                       63%

Business Unit Interviews
53 departments selected for individual or group interviews based upon survey responses
Combination of academic and administrative units
Intended to serve as a one-hour deep dive into survey responses
Conducted by a team consisting of representatives from Information Security, University Archives and the consultant
Discussion Guide
Walk through survey responses
Types of sensitive data within the department
Applications used to process data
Electronic and paper-based data flow walkthrough
Physical security of departmental spaces

CITRA Findings
End result was 68 findings covering 10 key areas:
Information Security Framework
Data Classification and Handling
Access Control
Encryption Strategy
Configuration Standards
Physical Security
Technical Security Architecture
Disaster Recovery
Compliance
Information Security Awareness
For example:

CITRA Findings
Planning Workshop
Cross-functional team
Analyzed CITRA results and created project specifications designed to remediate all medium/high risk findings
Produced comprehensive project plan with resource estimates and sequencing
Resource Planning
Discussed project objectives with resource managers
Simple approach to resource ($$$ and staff) estimation:
Determine best case and worst case time and cost estimates
Average those endpoints
Surprisingly accurate!
Ranking System
Each project ranked on costs (financial and
staff), importance and urgency
Outcome
Projects sequenced to prioritize high-risk findings and balance resource consumption

Overall costs: $4.6M one-time, $630K recurring

Presented to University leadership and funded in full
Program Mission
Identify confidentiality, integrity and availability risks to sensitive University information, and mitigate those risks to acceptable levels.
Program Objectives
The objectives of the program are to:
Evaluate risks to the confidentiality, integrity and availability of sensitive information
Establish and implement controls to fill critical gaps, as determined by institutional risk tolerance
Create awareness of information security and proper data handling practices
Establish and communicate security-related policies, procedures and standards
Program Plan
Policy
It all begins with policy... really!

1.1 Security Policies and Standards (FY 2007)
Establish University-wide Information Security policies and handling standards based on ISO 17799

1.3 Configuration Standards (FY 2007)
Develop configuration standards for applications and mobile systems

1.5 Software Development Lifecycle (FY 2010)
Select and implement a SDLC model for use with OIT systems

Awareness, Training and Education
2.1 Employee Awareness (FY 2007-2008)
Provide security awareness, communication and training for faculty & staff

2.3 Student Awareness (FY 2008)
Provide security awareness, communication and training for students

2.2 Classification Workshops (FY 2008)
Conduct workshops to aid Data Stewards in classifying their data

2.4 Sensitive Data Handler Training (FY 2008)
Provide specialized training for those who work with sensitive University Data

2.5 Technical Security Training (FY 2009)
Provide specialized technical security training for IT Professionals

Workstation Security
6.1 Initial Desktop Remediation (FY 2007)
Apply a basic set of security controls to University workstations

6.2 Malware Management (FY 2008)
Provide a solution for management and monitoring of antivirus and anti-spyware software on University systems

6.3 File Security (FY 2009)
Conduct a vulnerability assessment and apply security controls to NetFile

6.4 Messaging Security (FY 2009-2010)
Apply security controls to electronic mail and instant messaging

Server Security
7.1 Data Center Architecture Enhancements (FY 2008)
Enhance security controls on the OIT Data Center front end

7.2 Server Integrity Monitoring (FY 2008)
Formalize OIT server integrity monitoring infrastructure and processes

7.3 Database Security (FY 2008)
Conduct a vulnerability assessment of University databases and implement appropriate controls

7.4 Departmental Server Consulting (FY 2008-2009)
Conduct a security assessment of each departmental server and provide recommendations on alternative technologies and/or appropriate controls.

7.5 OIT Server Management (FY 2008-2009)
Implement security management practices for OIT servers with separation of duties and data segregation, where appropriate

Network Security
5.1 Border Security (FY 2007)
Implement campus network border firewall to block unsolicited inbound connections

5.2 Network Device Management (FY 2007-2008)
Implement security standards on campus network devices

5.3 Zoned Network and Wireless Security (FY 2008-2009)
Design and implement a zoned network architecture with appropriate security controls on the wired and wireless networks

5.4 Intrusion Prevention (FY 2009)
Replace the University's existing intrusion detection system with a comprehensive intrusion prevention system

5.5 Network Admission Control (FY 2010)
Implement controls to ensure that network-connected systems meet security standards

Security Infrastructure
4.1 Vulnerability Scanning (FY 2007)
Create a scanning facility to proactively detect technical vulnerabilities in University systems

4.2 Security Review Process (FY 2007)
Create a process for consistently conducting information security reviews

4.3 Sensitive Data Scanning (FY 2008)
Create a scanning facility to proactively detect CC/SSNs stored in institutional file systems
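The sensitive data scanning project above calls for a facility that finds credit card numbers and Social Security numbers at rest. The Python example below is added here for illustration; it is not part of the original presentation and not a Notre Dame tool. It shows the two checks a practitioner builds into such a scanner to keep false positives manageable: a Luhn checksum on card-number candidates and structural rules on SSN candidates. The regular expressions, the masking format and the sample file contents are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Candidate card number: 13 to 19 digits, optionally separated by single
# spaces or hyphens, not embedded in a longer digit run (constructed pattern).
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate SSN in the AAA-GG-SSSS layout, hyphen or space separated.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9
    when the result exceeds 9) and the total must be divisible by 10."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if position % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the Social Security Administration never issues:
    area 000, 666 or 900-999, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so the report does not replicate the data."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    kind: str      # "card" or "ssn"
    masked: str    # masked value, e.g. ************1111
    line_no: int   # 1-based line within the scanned text


def scan_text(text: str) -> List[Finding]:
    """Return validated card-number and SSN findings in a block of text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CARD_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding("card", mask(digits), line_no))
        for m in SSN_CANDIDATE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding("ssn", mask("".join(m.groups())), line_no))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, the figure a scanning report leads with."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample file contents for this example (not real data).
SAMPLE_FILE = """\
Expense report (constructed sample data)
Card on file: 4111 1111 1111 1111
Mistyped card, fails Luhn: 4111 1111 1111 1112
Employee SSN: 078-05-1120
Not an SSN, area 000: 000-12-3456
Order number: 2008-05-05-1234
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_FILE)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    print(summarize(results))
```

Only the masked value and location are recorded, so the scanner's own output does not become one more copy of the sensitive data; the file owner then handles remediation from the report. The order number and the mistyped card on the sample lines show why the checksum and structural rules matter: a digit-pattern match alone would flag both.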

Security Infrastructure (cont'd)
4.4 Application Logging (FY 2009)
Capture enterprise application events in the OIT central log repository

4.7 Network Logging (FY 2009)
Capture records of off-campus connections involving University systems

4.5 Security Log Analysis (FY 2009)
Create a security log analysis capability for use with the central log repository

4.6 Firewall Management (FY 2009)
Audit existing firewall rulebase and implement standard management practices

4.8 Rogue Wireless AP Detection (FY 2010)
Provide the ability to identify unauthorized wireless access points on the University network

Credit Card Security
3.1 CCSP Infrastructure (FY 2007)
Create the infrastructure required to migrate card processing applications to the OIT data center

3.2 CCSP Application Migration (FY 2007-2008)
Move card processing servers to the payment card environment located in the OIT data center

3.3 CCSP Monitoring (FY 2008)
Implement ongoing technical monitoring of the payment card environment

3.4 CCSP Physical Security (FY 2008-2009)
Upgrade data center physical security to meet PCI DSS requirements

Incident Handling
8.1 Incident Response Procedures (FY 2010)
Create technical procedures for responding to information security incidents to supplement the existing Incident Response Plan

8.2 Forensics (FY 2010)
Identify forensic resources for use in information security incident response.

8.3 Incident Tracking System (FY 2010)
Provide an information security incident tracking system

Sustaining Activities
9.1 Security Operations Center (FY 2008-2009)
Create an operations center to monitor and provide initial response to security events

9.2 Recurring Risk Assessments (FY 2010)
Establish a process for recurring, periodic risk assessments to measure risk to University data assets

9.3 Program Monitoring (FY 2010)
Assess the ongoing effectiveness of the information security program
Current Status
Program Highlights
For the most part, on-time completion under budget

Some in-flight changes to the plan to:
Reprioritize project sequencing
Address new risks (e.g. Web application security)
Balance resource utilization with other initiatives
Policy and Standards
Policy complete and awaiting Officer approval
Operating system standards in place
Application standards complete and published

Policy Usage (Spring 2007 to Fall 2007), share of respondents
                       Faculty                   Staff
                       Spring 2007  Fall 2007    Spring 2007  Fall 2007
Use it regularly            2%         10%            7%        13%
Have read it               44%         59%           55%        66%
Aware it exists            35%         21%           28%        12%
Not aware it exists        20%         10%           10%         9%

Vulnerability Scanning
Awareness
Goal: Engage 85% of the faculty and staff at least twice annually
[Chart: share of faculty and staff with no contact, one touch or two touches from the awareness program, Spring 2007 and Fall 2007]

Questions