Risk Management Through Security Planning
DESCRIPTION
This presentation will show how two very different colleges have reduced risk through comprehensive security planning. Both schools will discuss security threats affecting higher education, explain how security planning can reduce risk, explain how to achieve buy-in, and review the necessary policies, processes, and technologies to achieve these goals.
Outcomes:
* Learn how to build or augment a security program at your institution
* Acquire new strategies for addressing security issues and implementing solutions for reducing risk
http://www.educause.edu/annual-conference/2015/risk-management-through-security-planning
TRANSCRIPT
Risk Management Through Security Planning
David Sherry, CISO, Brown University
Patty Patria, CIO, Becker College
About the presenters (and their schools)
David Sherry
Chief Information Security Officer
Brown University
Private, Tier 1 Research Institution
6,264 undergrad students
8,848 total students
718 faculty
3,835 staff
Patty Patria
Chief Information Officer
Becker College
Small Private University
2,000 undergrad students
1 new graduate program
445 total employees
The state of security 2015
Let’s set some context…
2014-15 Threat Landscape
Source: www.ponemon.org and www.verizonbusiness.com
Verizon 2014 Breach Report
• 63,000+ reported incidents
• 1,367 confirmed breaches
• 110 million consumers in the Target breach alone
Ponemon Data Breach Costs
• Average cost of breach is $5.4 million
• More than $136 per compromised record
• Cost of detection, response, notification and lost business
2014 Threat Landscape
• Hacking, Malware and Social Attacks are on the rise
• POS and web application attacks top threats
2014 Threat Landscape
(Chart of incident categories: Everything Else, Generic Hacking, Browser malware, Phishing)
2014-15 has certainly been fun…
I don’t foresee this graphic ever becoming irrelevant
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
The attacks are continuous (map.ipviking.com)
Now, on to our campuses…
Recent Threats Affecting Becker and Brown
We have a feeling that you’ve seen some of these as well…
Recent Threats Affecting Becker
Repeated responses to email phishing several times this year.
◦ Employees respond to illegitimate email messages.
◦ Hijackers take over your email, send spam and Becker gets blacklisted, causing email to external recipients to be blocked.
Since moving to Office 365, we have experienced significantly fewer phishing emails and zero employees responding to phishing.
Recent Threats Affecting Becker
Ransomware incident on L Drive and Vet network share.
◦ Employee clicked a link in personal email (from a Becker computer) and it encrypted all files on their personal computer, the Vet share and the L drive.
◦ Files were encrypted and could not be opened. The encryption process ran for 36 hours before it was detected.
◦ We had to restore from backups taken 2 days prior to get all files back.
Recent Threats Affecting Becker
DDoS
◦ In the past month, we have experienced 3 Denial of Service attacks on our public web server.
◦ Not all hosted systems include DoS coverage; plan carefully when moving your web server to the cloud.
Recent Threats Affecting Brown
Getting attention via “salary update” phishing scam
o Widespread attack as the FY turns
o Appeared to have come from HR
o Had the Brown logo (though skewed)
o Had “sincerity”
---------- Forwarded message ----------
From: BU-HR <[email protected]>
Date: Wed, Jul 29, 2015 at 4:21 PM
Subject: Important Salary Update
Hello,
The University is having a salary increment program again this year with an average of 2.5%
The Human Resources department evaluated you for a raise on your next paycheck.
Click below to confirm and access your salary revision documents:
Click Here to access the documents
Sincerely,
Human Resources
Brown University
Recent Threats Affecting Brown
From: ”Brown Address” <[email protected]>
Date: Tue, Sep 29, 2015 at 12:56 PM
Subject: pls read (don’t ignore)
To: Sherry, David
Ow.ly/SNVuJ
Kindley view the document i attach to you via Dropbox.
Login with your email and password
Thank you © 2015 Dropbox
Recent Threats Affecting Brown
From: Admin@Brown <actual Brown email address>
Date: Tue, September 29, 2015 at 9:29 AM
Subject: important notice
To: Sherry, David
Hello,
Please note the following students are recommended to come to admin office to update there record. Kindly go through list and check if your name is listed.
N/B. I uplaoded using dropped box, hit on View /Download to view copy.
Thanks.
Admin
students copy.pdf View | Download
Recent Threats Affecting Brown
Some recent stats:
o Brown has had constant phishing attacks this academic year
o September was intense, & it became a war between the two parties
o 41 compromised accounts in a 7-day period
o Data indicates undergrads are the most numerous victim
Compromised Accounts Since 7/1/15 (chart by category: undergrad, grad/med, faculty, staff, other)
277 total compromised accounts
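The three lures quoted above share signals a mail gateway or helpdesk triage script can look for: an institutional display name on an external sender, a link shortener, a credential or urgency phrase, and a shared-document pretext. The following is an added example, not code from the presentation or from either school; the domain, the sample messages and the alert threshold are constructed placeholders. The third sample deliberately comes from a compromised internal account, showing why the sender check alone is not enough.

```python
import re

# Added example (not from the presentation or either school); all names, domains,
# sample messages and the threshold below are constructed placeholders.
TRUSTED_DOMAIN = "brown.example"                  # placeholder institutional domain
SHORTENERS = {"ow.ly", "bit.ly", "tinyurl.com"}   # ow.ly appears in the quoted lure
CRED_PHRASES = ("login with your email and password", "click here",
                "confirm and access")
FILE_SHARE_LURES = ("dropbox", "view /download", "view | download")
ALERT_THRESHOLD = 2                               # constructed; tune on real mail


def score_message(msg: dict) -> tuple[int, list[str]]:
    """Score one parsed message (keys: from_name, from_addr, body).
    Each independent signal adds one point; reasons explain the score."""
    reasons = []
    name = msg["from_name"].lower()
    domain = msg["from_addr"].lower().rsplit("@", 1)[-1]
    body = msg["body"].lower()
    # Display name borrows an office or the school's name while the sender domain is external
    looks_internal = any(k in name for k in ("hr", "admin", TRUSTED_DOMAIN.split(".")[0]))
    if looks_internal and domain != TRUSTED_DOMAIN:
        reasons.append("display-name spoof with external sender")
    # Link shorteners hide the real destination from the reader
    for host in re.findall(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})/\S+", body):
        if host in SHORTENERS:
            reasons.append(f"shortened link via {host}")
    for phrase in CRED_PHRASES:
        if phrase in body:
            reasons.append(f"credential/urgency phrase: {phrase!r}")
    if any(lure in body for lure in FILE_SHARE_LURES):
        reasons.append("shared-document lure")
    return len(reasons), reasons


def triage(messages: list[dict]) -> list[str]:
    """Return ids of messages that reach the alert threshold."""
    return [m["id"] for m in messages if score_message(m)[0] >= ALERT_THRESHOLD]


# Constructed samples paraphrasing the three slide lures; addresses are placeholders
SAMPLES = [
    {"id": "salary", "from_name": "BU-HR", "from_addr": "hr-notice@mail.example.net",
     "body": "The University is having a salary increment program again this year. "
             "Click below to confirm and access your salary revision documents: Click Here"},
    {"id": "dropbox", "from_name": "Brown Address", "from_addr": "user@ext.example.org",
     "body": "ow.ly/XXXXXX Kindly view the document I attach via Dropbox. "
             "Login with your email and password"},
    # Sent from a real (compromised) internal account, so the sender check stays silent
    {"id": "admin", "from_name": "Admin@Brown", "from_addr": "student@brown.example",
     "body": "Kindly go through list and check if your name is listed. "
             "I uploaded using Dropbox, hit on View /Download to view copy."},
]
```

Running `triage(SAMPLES)` flags the first two lures but not the third, which scores only on its content: once an internal account is compromised, account-level controls (the 2-step authentication and compromised-account monitoring discussed later) have to carry the load.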
The Bottom Line
o Higher Education is a target
o It will continue to be a target
o It doesn’t matter what your Carnegie designation is
o It’s all about risk
o We must be prepared
Key take-away
You can reduce risk through security planning
Security planning to address risk
o Ensure executive level buy-in
o Form an Information Security Advisory Committee
o Get plugged in
o Review and develop policies
o Strategic use of audits
o Implement technology
o Train and educate users
o Purchasing and contract reviews
o Insurance and breach retainers
o Incident response
o Oh, and by the way…
Ensure Executive-Level Buy-In
o Leverage statistics on the cost and impact of security threats and breaches to gain support from your President or Chief Administrative Officer.
o Ensure that they know that you will never be 100% secure
o “When”, not “if”
o Always use the term “incident”, and only use “breach” when speaking of actual events
o Get time in front of the Board/Cabinet/Trustees/etc, and not just for bad news
o Be prompt in informing them of the security posture relative to the breaches and findings of other schools
o Speak in terms of dollars and reputation, and less about fear, uncertainty and doubt
o IMPACT ON RISK: knowledge of security concerns and areas to focus on at the highest levels can lead to resources, support, and prioritization; this aids in reducing risk probability
Source: http://www.huffingtonpost.com/kyle-mccarthy/five-colleges-with-data-b_b_6474800.html
2014 Landscape: Colleges With Breaches Larger Than Sony's
Form an Information Security Advisory Committee
o Ideally have director level (or above) participation from all key departments on campus, especially those that process or store PII.
o Committee should not be chaired by IT (although IT can run it). It needs to be chaired by Cabinet level folks with the influence to address security policy, process and technology.
o Use the committee to aid in policy review, setting priorities, getting buy-in, and as early adopters
o IMPACT ON RISK: using a broad spectrum of constituents in your vetting process, and receiving approval and input for policy and projects, provides a broader view of the organization and a deeper penetration of the security mission, reducing risk in areas that may have been hard to identify
Vet Policy Through a Committee
(Diagram of committee participants: CFO, Financial Aid, CIO, Provost, HR, Alumni, Registrar, Student Affairs, Finance, UG Admissions, Marketing, President’s Office)
Enlist Committee’s Support in Establishing a Risk Management Framework
Minimize collection of sensitive data
Minimize # of people with access
Protect sensitive data in our custody; train employees
Set usage and retention timeframes and securely destroy sensitive data
(Framework diagram axes: POLICY, ROLES, BUSINESS PROCESSES, RESPONSIBILITY AND TECHNOLOGY)
Brown’s expanded committee and mission
Membership:
SVP of Corporation Affairs and Governance
Vice President of Research
University Librarian
Assistant to the President
Director, Human Resources Services
Chief General Counsel
Chief University Auditor
University Controller
University Registrar
AVP, Research Administration
AVP Financial & Administrative Services
Chief Information Security Officer (CHAIR)
University Archivist
University Records Manager
Director of International Research Administration
Director of Research Integrity
Director of Environmental Health and Safety
Associate Director of Web and Information Services
Data, Privacy, Compliance and Records Management Executive Committee (“DPCRM”)
Get plugged in
o Get a seat on the University Risk Committee (and get a standing agenda item)
o Get a seat on the University Change Control Committee
o Get a seat on the University Commerce Committee
o Get in the approval line in the IT Project Management process
o Get a seat on the IRB, OSP and HPC committees
o Get a seat on your Hospital/University HIPAA Committee
o Become the signatory of all Data Use Agreements
o Make sure your institution knows who your senior security person is!
o IMPACT ON RISK: not only will the security team become aware of many hidden risks, awareness of the security mission will increase, and risk will be reduced by having security’s expertise be included in all areas of the organization
Review and Develop Policies
o A strong (and up to date!) policy set lowers risk
o Perform regular gap analysis for emerging areas (times change!)
o Ensure that all policies are current
o Maintain a regular schedule of review, and document for auditors
o Utilize the partnership with Internal Audit to keep current with the landscape of policies
o IMPACT ON RISK: By monitoring current phishing policies and then making updates to those policies by requiring special training for phishers, Becker has been able to reduce the number of successful phishing attempts which reduces the threat to institutional data (and workload for IT folks dealing with phishing).
Key Information Security Policies
Acceptable use Policy
Confidentiality Agreements & Acceptable Use Policy
Retention and Destruction Policy
Mobile Device Policy
Clean Desk Policy
Digital Millennium Copyright Policy
FERPA & HIPAA Policies
PCI Policy & Red Flags
Gramm-Leach-Bliley Policy
Third Party Assurance Policy
Breach or Incident Response Policy
Address State Data Privacy laws. In MA, a Written Information Security Plan is also required.
http://www.becker.edu/about/information-privacy/policies/
Emerging Policies, and the Use of Position Papers at Brown
o Attribute Release Policy
o Position Papers:
o Web Click-Through Agreements
o Multi-Function Network Devices
o 2-Step Authentication
o DNS Policy
o Use of TOR
Strategic Use of Audits
o Some are mandatory (credit cards, social security numbers)
o Data use / records management audits
o Visits, surveys, data element inventories…use them all
o Use audits in order to become an ally
o Partner with Internal Audit for targeted areas of security and risk, and use the audit results to drive the security mission and reduce overall university risk
o IMPACT ON RISK: If you don’t work with key areas that handle data in both electronic and paper form to properly secure that data both at rest and in transit, the chance of having a breach will be significantly higher. Through strategic auditing, Becker was able to completely eliminate PII from systems that no longer needed it.
Implement Technology
o Firewalls / DMZs
o Intrusion Detection/Prevention Systems
o Patch Management
o Database Activity Monitoring
o Employ DLP to find and monitor PII
o Endpoint encryption
o 2-Factor authentication
o Cloud Application Security Brokers (“CASB”)
o Hard drive crusher
o IMPACT ON RISK: Having a strong defense in depth and secure architecture, along with supporting and tangential solutions, enables data to be protected (and destroyed), reducing risk
Train and Educate End Users
o Mandatory for all employees (including student work-study staff)
o Evolution of security threats
o State & Federal regulations affecting security
o Data classifications
o Secure computing practices (Phishing)
o Fines and reputational impact of breaches
o IMPACT ON RISK: Approximately 70% of breaches in higher education have some type of human component involved. Uneducated employees are a huge risk.
Provide Online User Resources
http://www.becker.edu/about/information-privacy/awareness-training/faqs-and-newsletters-2/
• Send out routine newsletters to faculty and staff on pertinent security topics.
• Special email to report phishing scams.
• Created targeted training sessions on special topics like phishing for high risk groups such as Adjunct Faculty.
Brown’s User Awareness Resources
o Morning Mail
o Brown Bag sessions (focus on “personal” use cases)
o Campus streaming services (Powerpoint, message boards, etc)
o “Securing the Human”
o Movie nights (free popcorn!)
Brown’s Latest Resource: the “Phish Bowl”
Purchasing and contract reviews
o Establishing a strong and personal relationship with purchasing provides a lens into the entire campus
o Contracts now include language for security and privacy
o Security can set the standards necessary for such areas as network copiers, shredding companies, click-through agreements, document management outsourcing, and others
o As stated before, you should be reading items that pass through the IRB, the OSP, and the HPC
o IMPACT ON RISK: If you don’t have provisions in place, and you are subject to MA data breach laws, you are not legally doing your due diligence.
Insurance and breach retainers
o Cyber Insurance is a risk management tool, via risk transference
o Be certain that you are agreeing to the right areas
o Many companies will now provide breach retainers with no money up front
o Be certain to agree on the pricing for individual areas
o Understand the response time
o Sign off on what determines when an incident becomes a breach
o IMPACT ON RISK: If you have a breach, you will have the coverage you need to address it.
Incident response
o A foundational process for security management
o But also a key aid in risk management
o Make sure your process is documented
o Set “levels”, that determine what level of university involvement is needed
o Get inserted into the emergency management testing
o Have an annual update/refresher for those who were not affected in the previous 12 months
o Join REN-ISAC and make them part of your response process
o IMPACT ON RISK: When and if a breach occurs, having a good Incident Response plan will make the process go more smoothly.
Oh, and by the way…
We could have talked about:
o Business Continuity Planning
o Disaster Recovery
o Records Management / Retention
o Project Management Life Cycle
o and many, many more…
Concluding thoughts and recommendations
o Security Management is Risk Management
o Our roles are less and less bits and bytes, and more and more policy, compliance and risk
o Sound security strategies help in reducing risk to our institutions
o Size, location, public/private, or Carnegie designation doesn’t matter
o Each of us has to find ways for the security mission to be part of all areas and every level of our organizations
o The recommendations we’ve suggested are actionable, and have proven results
o Each one, while a security measure, is also a risk management measure
PATTY PATRIA
CIO
BECKER COLLEGE
DAVID SHERRY
CISO
BROWN UNIVERSITY
[email protected]
Thank you for choosing our session!
Thank you for participating in today’s session.
We’re very interested in your feedback. Please take a minute to fill out the session evaluation found within the conference mobile app, or the online agenda.