Building an Information Security Practice: Northeastern's Experience

Glenn C. Hill, CISSP, Manager of IT Security, Northeastern University, Boston, MA (2003)


Page 1: Building an Information Security Practice

Northeastern's Experience

Copyright Glenn C. Hill, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Glenn C. Hill, CISSP
Manager of IT Security
Northeastern University
Boston, MA

Page 2: "The beginning is the most important part of the work." (Plato)

Page 3: Compelling Issues

Vast amounts of information.
Open environment.
Decentralized functions.
Customer expectations.
Institutional responsibility.
Financial, operational & reputational risks.
Increasing threat profile.

Page 4: Imperatives for Understanding

Technology service model.
• Increasing deployment of electronic self-service experiences.

Technology landscape.
• New technologies, exploits and vulnerabilities.

Threats and vulnerabilities.
• Increasing each day.

Page 5: Imperatives for Understanding

Customer and community expectations.
• Safe and secure computing experiences.
• Protection of privacy.
• Open access.
• Freedom from interference with learning and business processes.

Regulatory compliance requirements.

Page 6: "If Columbus had an advisory committee, he would probably still be at the dock." (Justice Arthur Goldberg, 1908-1990)

Page 7: Options for Action

Hire a consultant…they'll tell us what to do.
• Expensive.
• Not all security concepts are portable from one industry to another… "We're not a bank."
• All engagements end someday.
• Security requires continuous investment.

Page 8: Options for Action

Outsource
• We don't know what we don't know.
• Insufficient decision support data.
• Traditional pitfalls…
  • Truly understand the "edu" environment?
  • Understand and actualize the culture?
  • Real cost of outsourcing
  • Contractual issues

Page 9: Options for Action

Create a security practice.
• Flexibility.
• Control of costs.
• Enables building to meet needs.
• Integrates security function into environment from the inside out.
• Ongoing engagement…the gift that keeps on giving.

Page 10: "Education is learning what you didn't even know you didn't know." (Daniel J. Boorstin, Librarian of Congress Emeritus)

Page 11: Getting started: What we didn't know

What should an Information Security program look like?
What resources are required?
What will it cost?
What are the key relationships?
What type of person is best suited for the role?

Page 12: Getting started: What we didn't know

What experience should we look for?
What should we expect from the role?

Page 13: The "Project": Build an IT security practice.

Create a position: IT Security Manager.
CIO and Executive Director of IS articulated the initial charge:
• Identify and establish key relationships.
• Recommend security goals and architecture.
• Figure out what needs to be done.
• Prioritize.
• Seek low-hanging opportunities.
• Demonstrate value-add.

Page 14: Candidate Selection: Key attributes

Appropriate background experiences
• Business
• Technology
• Policy, legal and regulatory awareness
• Cross-functional awareness
• Influence skills
• Investigation skills

Page 15: Candidate Selection: Key attributes

Familiarity with information assets of the "edu" environment.
• Student, faculty and staff personal information
• Institutional data (financial, strategic)
• Student record information (FERPA protected)
• Intellectual property

Page 16: Candidate Selection: Key attributes

Appreciation of constituencies and what's important to each:
• Students (access, privacy)
• Faculty (access, academic freedom)
• Staff (access, privacy, security)

Self-directed, quick start.

Page 17: Candidate Selection: Key attributes

Diplomatic skills
• Ability to engage others in difficult discussions without provoking undue alarm, fear or ineffective behaviors.

Brokerage skills
• Ability to bring people together in discussion.

Page 18: Candidate Selection: Key attributes

Influence and change agency skills.
• Sensitivity to legacy interests.
• Recognition of change opportunities in people and process.
• Recognition of values and currencies across interests.

Catalyst.
• Facilitate and speed interaction and cooperation between individuals & groups.

Page 19: Expectations of the Position

Understand the imperatives.
Identify key relationships.
Create shared values and trust.
Develop security framework.
Figure out what needs to be done.
Articulate essential processes and procedures.

Page 20: Expectations of the Position

Exploit low-hanging opportunities.
Take baby steps.
Prove value.
Be effective.
Avoid getting in the way.

Page 21: Key Challenges in the Position

No reporting relationships.
No "instruction book" for implementing security in the academic environment.
Prescription may be good for security, but doesn't always translate well into the EDU environment.
Pull works better than push.
No staff adds during first year.

Page 22: The Core Skill: Seek to balance controls and access

[Diagram: a balance between Controls and Access]

Customers can access what is required, and no more.
Appropriate controls are in place.
Risk is effectively managed.

Page 23: Expanded Core Skill: Seek to balance all interests

[Diagram: interests to be balanced, labelled Controls, Risk, Need for open access, Privacy & security, Student interests, Faculty interests, Staff interests, Regulatory]

Page 24: Analysis and Problem-Solving

Page 25: Analysis and Problem-Solving: What we looked at

People
Business
Security model
Costing, measuring, evaluating

Page 26: People

Identify key relationships.
Establish rapport with students, faculty and staff.
Become visible and available.
Develop security awareness program.
Be the person who is there to help.

Page 27: Business

Understand…
• businesses and customer expectations.
• relationships between businesses and customers.
• key information assets, owners and custodians.

Perform data classification
• (identify the information, its value, and cost of compromise)

Page 28: Security Model

Application of security model to problems
• Where does the model make sense?
• What needs to be done? Priorities?

Costing, Measuring and Evaluating
• What does security cost?
• What do we measure and how?
• How to evaluate effectiveness/efficiency?

Page 29: Security Model

Analysis and understanding of traditional security model in business
• "We're not a bank."
• What parts of the model make sense for us?

Apply appropriate parts of the model.
• Can't lock down everything.
• Selective/judicious application of controls.

Page 30: Applying Security Practices to Problems

Risk analysis
• (cost of consequence v. cost of protection)

Recommend and cost appropriate administrative, physical and logical controls to protect information.

Help business unit leaders and IT managers weigh costs v. benefits.

Page 31: Costing, Measuring and Evaluating

Quantify cost of security.

What we measure.
• Types of activities (AUP, Security, and Risk)
• Hours invested, costs avoided.

How we measure it.
• Incident tracking system.

Page 32: Costing, Measuring and Evaluating

Look at risks mitigated, costs avoided.
Create and share metrics across key relationships and constituencies.

Page 33: Outcomes/Achievements

Page 34: Outcomes/Achievements

Formed key administrative relationships:
• Office of University Counsel
• Internal Audit
• Human Resources
• External Affairs
• Public Safety, Student Affairs
• Office of the President, Office of Provost

Page 35: Outcomes/Achievements

Formed key business relationships:
• Office of the Registrar (FERPA)
• Enrollment Management
• Customer Service Center (for students)
• Office of the Controller (GLB)
• Faculty representation (faculty senate)
• Division of Research (ethics)
• Residential Life (ResNet network)
• HIPAA covered entities

Page 36: Outcomes/Achievements

Formed key community relationships:
• Students
• Student representation (RSA)
• Student media leadership
• Student advisory groups

Page 37: Outcomes/Achievements

Formed individual relationships:
• Faculty
• Students with specific questions/needs
• External media

Page 38: Outcomes/Achievements

Updated Appropriate Use Policy (AUP).
• The foundation for policy enforcement and assertion of everyone's rights and interests.

Instituted annual review/update cycle.

Page 39: Outcomes/Achievements

Created Appropriate Use incident management process.
• Case intake and documentation
• Investigation
• Developmental discussion
• Identification of sanctioning bodies
• Development of sanction recommendations
• Case escalation and referral procedure

Page 40: Outcomes/Achievements

Made change in Appropriate Use incident management process:
• OLD: direct referral to disciplinary process
• NEW: developmental discussion first, then referral to disciplinary process if necessary

Page 41: Outcomes/Achievements

Developed Security Awareness Training Program for students, faculty and staff
• Information Security and YOU…Partners in Protection
• One hour presentation
• "My security self-assessment" instrument
• Introduction to assets, value and cost of consequence
• Self-help recommendations

Page 42: Outcomes/Achievements

Developed targeted Security Awareness Training Program for students
• Delivered in ResNet "town meeting" forums.
• Topics: Appropriate Use, Computer security, Copyright compliance, Spam

Page 43: Outcomes/Achievements

Using AUP incident response process as a model, created incident response outline for Security and Risk Management activities.

Page 44: Outcomes/Achievements

Security incidents:
• Loss of confidentiality
• Physical loss of information assets
• System intrusion attempts

Risk incidents:
• Electronic threats to persons and property
• System vulnerabilities
• Business and operational risks

Page 45: Outcomes/Achievements

Identified additional opportunities for security contribution:
• University Crisis Team
• Business Continuity and Disaster Recovery
• Academic Honesty and Integrity Team
• HIPAA Compliance Team
• GLBA Compliance Team
• Guest lecture services for faculty

Page 46: Outcomes/Achievements

Integrated security reviews into new product development efforts.

Began collecting & sharing monthly metrics.
• How many incidents of each type (AUP, Security, Risk)
• Time investment per incident
• Outcomes and trending
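As an added example that is not part of the deck or Northeastern's tooling: a small Python script that computes the monthly metrics the slides describe (incident counts per activity type, hours invested per incident, costs avoided, month-over-month trending) from an incident-tracking export, using the Security/Risk categories listed on the "Security incidents" and "Risk incidents" slide. The tab-separated column layout, the category-to-type mapping, the treatment of unmapped categories as AUP, and the sample cases are all assumptions of this example, constructed for illustration.

```python
"""Monthly incident metrics: counts per activity type (AUP, Security, Risk),
hours invested, cost avoided, and trending. Record layout, category mapping
and sample data are assumptions constructed for this example."""
from collections import defaultdict
from statistics import mean

# Sub-categories taken from the deck's "Security incidents" and "Risk
# incidents" slide, mapped to its three activity types. Anything not
# listed here is treated as an Appropriate Use (AUP) case (an assumption).
CATEGORY_TYPE = {
    "loss of confidentiality": "Security",
    "physical loss of information assets": "Security",
    "system intrusion attempts": "Security",
    "electronic threats to persons and property": "Risk",
    "system vulnerabilities": "Risk",
    "business and operational risks": "Risk",
}
ACTIVITY_TYPES = ("AUP", "Security", "Risk")


def activity_type(category):
    """Map a tracked category (case-insensitive) to one of the three types."""
    return CATEGORY_TYPE.get(category.strip().lower(), "AUP")


# Constructed incident-tracking export, one tab-separated line per case.
# Columns: case id, date opened (YYYY-MM-DD), category, hours invested,
# estimated cost avoided (USD), outcome.
INCIDENT_LOG = """\
C-001\t2003-09-03\tcopyright complaint\t1.5\t0\tdevelopmental discussion
C-002\t2003-09-10\tsystem intrusion attempts\t6.0\t4000\tcontained
C-003\t2003-09-18\tsystem vulnerabilities\t3.0\t2500\tpatched
C-004\t2003-09-25\tspam relay\t0.5\t0\tdevelopmental discussion
C-005\t2003-10-02\tloss of confidentiality\t8.0\t12000\tcontained
C-006\t2003-10-07\tcopyright complaint\t1.0\t0\treferred
C-007\t2003-10-15\tbusiness and operational risks\t4.0\t3000\tmitigated
C-008\t2003-10-21\tsystem intrusion attempts\t5.5\t4000\tcontained
C-009\t2003-10-28\tsystem vulnerabilities\t2.0\t2500\tpatched
"""


def parse_incidents(text):
    """Parse the export into dicts; malformed lines are skipped, not fatal."""
    incidents = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        case_id, opened, category, hours, avoided, outcome = parts
        incidents.append({
            "id": case_id,
            "month": opened[:7],            # YYYY-MM is the reporting period
            "type": activity_type(category),
            "category": category,
            "hours": float(hours),
            "avoided": float(avoided),
            "outcome": outcome,
        })
    return incidents


def monthly_metrics(incidents):
    """Return {month: {type: {count, hours, mean_hours, cost_avoided}}}."""
    buckets = defaultdict(lambda: defaultdict(list))
    for inc in incidents:
        buckets[inc["month"]][inc["type"]].append(inc)
    report = {}
    for month in sorted(buckets):
        report[month] = {}
        for atype in ACTIVITY_TYPES:
            rows = buckets[month].get(atype, [])
            hours = [r["hours"] for r in rows]
            report[month][atype] = {
                "count": len(rows),
                "hours": sum(hours),
                "mean_hours": round(mean(hours), 2) if hours else 0.0,
                "cost_avoided": sum(r["avoided"] for r in rows),
            }
    return report


def trend(report, atype):
    """Month-over-month change in incident count for one activity type,
    as (month, count, delta_vs_previous) tuples; first delta is None."""
    out, prev = [], None
    for month in sorted(report):
        count = report[month][atype]["count"]
        out.append((month, count, None if prev is None else count - prev))
        prev = count
    return out


if __name__ == "__main__":
    rep = monthly_metrics(parse_incidents(INCIDENT_LOG))
    for month, by_type in rep.items():
        for atype, m in by_type.items():
            print(month, atype, m)
    print(trend(rep, "Security"))
```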

Page 47: Before and After

Page 48: Security Questions & Problems

Before:
• Customers didn't know where to go for help with security questions and problems.

Effects:
• Delayed answers/resolutions.
• Unnecessary risks.

After:
• There is a person to speak to, and a procedure for each problem.

Appropriate Use Policy

Before:
• Appropriate Use Policy was weak and hard-to-find.

Effects:
• Difficult for readers to understand how to comply.
• Hard to enforce the AUP.

After:
• AUP more clear, concise and easy-to-find.
• Forms an improved foundation for protecting the rights of all individuals.
Security Awareness Training

Before:
• No Security Awareness Training Program in place.

Effects:
• Out of sight = out of mind.
• Customers had no foundation to understand security in the context of their work.

After:
• Foundation for understanding established.
• Customers better able to apply concepts to their work.
Perceived value of security

Before:
• Security seen as an inconvenient obstacle.

Effects:
• No rationale for individual investment.

After:
• People now ask about security.
• Risks are being proactively addressed and reduced.
Stewardship in projects

Before:
• Security didn’t have stewardship in University projects.

Effects:
• Unnecessary risk exposure.
• Re-work to shore up security.

After:
• Security now an integral part of many projects.
• Much of security work gets done up front.
Developmental process

Before:
• AUP violators didn’t have an opportunity for developmental discussions.

Effects:
• No basis for understanding real risks of ineffective/risky behaviors.

After:
• 99% of all cases resolve at the developmental discussion phase, as opposed to sanction phase.
Successes

Created the key relationships.

Created security awareness.

Illustrated relevance of security to all roles.

Turned the tide from security being an inconvenience, to becoming an enabler.

Achieved risk reductions across multiple exposures.
Failures

We didn’t catch all the risks.

Didn’t create awareness deep into faculty constituency.

Some discussions/interactions were strained. Relationships required repair.

Ineffective at gaining full implementation of recommended technical controls.
Lessons Learned (Top Ten)

Lessons Learned: 1

The security leadership position is not a technical role.

Rather, it is a program manager role.

The role must be comfortable as a program manager, and must be able to know when to put on the technical hat.

Lessons Learned: 2

Security awareness is not a natural thought process for everyone.

Sometimes you don’t know what you don’t know.

The role must plant/grow the seeds of awareness, and illustrate the relevance of security to all roles.
Lessons Learned: 3

A commitment to security implies investment primarily in a security leadership position itself.

The investment needn’t involve spending money on technology.

Invest in the human resource first.

Lessons Learned: 4

While security and privacy are important to most people, we tend to be uncomfortable talking about security weaknesses.

The role must de-mystify security and steward creation of appropriate settings and processes to discuss security issues.

Lessons Learned: 5

Security is on everyone’s mind, but not everyone understands how to apply security in the context of their work.

Ability to articulate and quantify risk and cost of consequence is an essential element of gaining a motivated audience.
Lessons Learned: 6

The “starter” key relationships are:
• Office of University Counsel
• Internal Audit
• Human Resources
• External Affairs
• Public Safety, Student Affairs
• Office of the President, Office of Provost

Lessons Learned: 7

Over-prescription creates little gain in security at the expense of willingness and cooperation from customers.

Security is a “living thing”, not a one-time project.

Find ways to attract and retain customers in security discussions and activities.
Page 67: Building An Information Security Practice 1 Building an Information Security Practice Northeastern’s Experience Copyright Glenn C. Hill, 2003 This work

Building An Information Security PracticeBuilding An Information Security Practice 6767

Lessons Learned: 8Lessons Learned: 8 Few security answers are binary.Few security answers are binary.

The vast majority of answers are analog.The vast majority of answers are analog.

The ability to discriminate which The ability to discriminate which situations require a binary answer, and situations require a binary answer, and which require more a more introspective which require more a more introspective analog answer, is essential.analog answer, is essential.

Page 68: Building An Information Security Practice 1 Building an Information Security Practice Northeastern’s Experience Copyright Glenn C. Hill, 2003 This work

Building An Information Security PracticeBuilding An Information Security Practice 6868

Lessons Learned: 9Lessons Learned: 9 Measurement is essential to illustrate Measurement is essential to illustrate

value and costs, and to underwrite future value and costs, and to underwrite future success.success.• Keep track of what you do.Keep track of what you do.

• Tabulate.Tabulate.

• Quantify.Quantify.

• Report.Report.

• Share (with discretion)Share (with discretion)

Page 69: Building An Information Security Practice 1 Building an Information Security Practice Northeastern’s Experience Copyright Glenn C. Hill, 2003 This work

Building An Information Security PracticeBuilding An Information Security Practice 6969

Lessons Learned: 10Lessons Learned: 10

The beginning is the most importantThe beginning is the most important

part of the workpart of the work..

Contact Information

Glenn C. Hill, CISSP
Manager of IT Security
Northeastern University
403 Richards Hall
Boston, MA 02115
617.373.7718
[email protected]

Building an Information Security Practice
Northeastern’s Experience

Questions and Answers