Making the Case for Security: An Application of the NIST Security Assessment Framework to GW
January 17, 2003
David Swartz, Chief Information Officer
Guy Jones, Chief Technology Officer
Krizi Trivisani, Chief Security Officer
Copyright Krizi Trivisani 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Agenda
• Starting a Security Program
• The Security Landscape – The Violation Situation
• Security Implementation Reliance
• Benefits of Using the NIST Framework
• Security Projects to Achieve NIST Level 3
• Cultural Impacts of Security Programs
• Information Resources
Starting a Security Program
• What are you trying to protect?
• What will be your security philosophy? Need to know? Need to protect?
• What level of security do you want vs. need to achieve?
• What industry guidelines will you use to determine if your program is on track? NIST?
• What is your risk vs. benefit, including cost and compliance analysis?
The Security Landscape – The Violation Situation 2001
Total violations went from 354 to 5,526, roughly 15.6 times the starting figure (an increase of about 1,460%)
[Chart: Security Metrics Comparison 2001 – Total Minor Violations, Total Severe Violations and Total Violations by Month, January through December 2001; y-axis Number of Violations, 0 to 10,000]
The Security Landscape – The Violation Situation 2002
[Chart: Security Metrics Comparison 2002 – Total Minor Violations, Total Severe Violations and Total Violations by Month, November 2001 through November 2002; y-axis Number of Violations, 0 to 8,000]
Average number of violations per month in 2002 is 7,197
The Violation Situation Continued – Email Viruses Filtered
[Chart: Trend Virus Filter Monthly Comparison – email viruses filtered per month, December 2001 through November 2002; y-axis Number of Viruses, 0 to 200,000]
Email viruses filtered rose from 22,271 in December 2001 to 150,936 in November 2002
Security Implementation Relies On:
• People – people must understand their responsibilities regarding policy
• Process – processes must be developed that show how policies will be implemented
• Technology – systems must be built to technically adhere to policy
• Policy – policies must be developed, communicated, maintained and enforced
What is security awareness?
Security awareness is knowledge of potential threats. It is the advantage of knowing what types of security issues and incidents members of our organization may face in the day-to-day routine of their University functions.
Technology alone cannot provide adequate information security. People, awareness and personal responsibility are critical to the success of any information security program.
Poor awareness exposed…
“It’s a frightening fact, but nine out of ten employees would unwittingly open or execute a dangerous virus-carrying email attachment”
“Two-thirds of security managers felt that the overall level of security awareness is either inadequate or dangerously inadequate”
“Six out of ten employees revealed an inadequate level of security awareness”
These things don’t happen as a result of malicious intent, but rather a lack of awareness of security risks.
Benefits of Using the NIST Framework
• Considered an industry best practice
• Shows standard of due care
• Allows risk assessment to determine program elements
• Flexibility in application
• Can be used for assessment criteria
• Aligns with proposed HIPAA security regulations
• Can reduce risk while balancing academic freedom
NIST – National Institute of Standards and Technology
Security Assessment Framework:
Level 1 – Documented Policy
Level 2 – Documented Procedures
Level 3 – Implemented Procedures and Controls (universities expected to operate at this level)
Level 4 – Measured Program
Level 5 – Pervasive Program
GW Security Timeline
• Level 0 – Some security in place but does not meet Level 1 criteria: GW, most universities
• Level 1 – Formally documented and disseminated policy; responsibilities assigned; compliance identified: GW – achieved
• Level 2 – Documented procedures for implementing security controls identified in policies: GW – Jan 03
• Level 3 – Security procedures and controls are implemented: GW – Dec 04
NIST: Security Assessment Framework – Security Projects to Achieve NIST Level 3
• Host/router Security
• Password Management
• Central Security Office
• Compliance Office
• Policy Manager
• Virus Filters
• Incident Response
• Data Center Firewalls
• Security Architecture
• 3rd Party Assessment
• Disaster Recovery
• Change Control
• Assignment of Duties
• Awareness & Training
• Personal Firewalls
• Scanning Lab
• Monitoring
• Strong Authentication
• Remote Access – VPN
• Intrusion Detection
• Enterprise Firewall
Culture Analogy - Seatbelts
“It should be noted that it took many years to get the seatbelt usage up to its present level, and it takes a heavy hand from the police to persuade the stupid to do the obvious.” — Peter N. Wadham
"Out at sea it takes 30 miles for an oil tanker to reverse its direction. It takes time and commitment to change, based on foundational values, principles and quality relationships to positively affect your company's culture -- its way of doing things." — The Freeman Institute, Changing the Culture of Your Organization
"Culture does not change because we desire to change it. Culture changes when the organization is transformed; the culture reflects the realities of people working together every day." — Frances Hesselbein, Key to Cultural Transformation
Questions and Presentation Wrap-up
• Recommended information sources
• http://nist.gov/
• http://cs-www.ncsl.nist.gov/
• http://www.educause.edu/security/
• http://www.humanfirewall.org/
• http://www.nipc.gov/
• http://www.cio.gov/documents/info_security_assessment_framework_Sept_2000.html
• http://www.hipaadvisory.com
• http://www.pwchealth.com/hipaa.html