Systemic Barriers to IT Security Findings within The University of Texas System Clair Goldsmith, Ph.D., Associate Vice Chancellor and CIO Lewis Watkins, CISSP Director of Information Resources

Post on 22-Dec-2015

Page 1: Systemic Barriers to IT Security Findings within The University of Texas System Clair Goldsmith, Ph.D., Associate Vice Chancellor and CIO Lewis Watkins,

Systemic Barriers to IT Security
Findings within The University of Texas System

Clair Goldsmith, Ph.D.,

Associate Vice Chancellor and CIO

Lewis Watkins, CISSP

Director of Information Resources

Page 2:

The University of Texas System

• Nine Academic Institutions
• Six Health Institutions
• ~ 175,000 Students
• ~ 16,000 Faculty
• ~ 72,000 Non-Faculty Staff

Page 3:

The Attention Grabber!

►Security breach resulting in the unauthorized collection of 50,000+ social security numbers raises awareness of risks to our systems.

►Chancellor writes letter to all Presidents asking them to conduct a security inventory.

Page 4:

The Process

►IT System Application Vulnerability Assessment

►Operational Review of IT Security

Page 5:

Information System Application Vulnerability Inventory

Phase 1: Mission Critical and Centrally Managed Systems

• Inventory
• Action Plan
• Assurance Report

Phase 2: Departmental Systems

• Inventory
• Action Plan
• Assurance Report

Page 6:

Security Vulnerability Findings

Page 7:

Phase 2 Vulnerability Inventory Findings (Some Specific Measures)

[Chart: departmental systems by control, y-axis 0 to 90; categories Authentication, Backups, Intrusion Detection, Firewalls; series Protected vs. Unprotected]

Page 8:

Some Observations & Questions

• Many departments failed to respond to the inventory or to specific questions.

• What do we conclude from items not reported?

►Vulnerabilities don’t exist?
►Cover-up?
►Ignorance?
►Survey instrument or procedure weakness?
►All of the above?

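The slide leaves open what a non-response means. One practical answer, which is an added illustration and not part of the UT System presentation, is to never let the aggregation collapse "did not answer" into either "protected" or "unprotected": count it as its own outcome per control, report the protected rate as a range (every unreported system treated as unprotected at one end, as protected at the other), and publish the department response rate beside it. The four control names come from the slide's chart; the department names, system names, survey format and response values below are constructed sample data.

```python
"""Aggregate a security-control inventory without hiding non-response.

Added illustration, not part of the UT System presentation. The survey
format, department names and responses below are constructed sample data.
"""

# Controls the Phase 2 inventory asked about (taken from the slide's chart).
CONTROLS = ("Authentication", "Backups", "Intrusion Detection", "Firewalls")

# Constructed sample responses: one dict per departmental system.
# A missing key, or a None value, means the department did not answer
# that question; a department absent from the list did not respond at all.
SAMPLE_RESPONSES = [
    {"dept": "Chemistry", "system": "lab-fileserver",
     "Authentication": True, "Backups": True,
     "Intrusion Detection": False, "Firewalls": True},
    {"dept": "History", "system": "dept-web",
     "Authentication": True, "Backups": None, "Firewalls": False},
    {"dept": "Athletics", "system": "ticketing-db",
     "Authentication": False, "Backups": True,
     "Intrusion Detection": False},
    {"dept": "Physics", "system": "cluster-head",
     "Authentication": True, "Backups": True,
     "Intrusion Detection": True, "Firewalls": True},
]
# Constructed: every department the survey was sent to, for coverage.
SURVEYED_DEPARTMENTS = {"Chemistry", "History", "Athletics", "Physics", "Music", "Law"}


def tally(responses, controls=CONTROLS):
    """Count protected / unprotected / unreported systems per control.

    Returns {control: {"protected": n, "unprotected": n, "unreported": n}}.
    'unreported' is a first-class outcome, never folded into either bucket.
    """
    counts = {c: {"protected": 0, "unprotected": 0, "unreported": 0} for c in controls}
    for rec in responses:
        for c in controls:
            value = rec.get(c)          # None covers both "missing" and "blank"
            if value is True:
                counts[c]["protected"] += 1
            elif value is False:
                counts[c]["unprotected"] += 1
            else:
                counts[c]["unreported"] += 1
    return counts


def protection_bounds(tally_for_control):
    """Return (pessimistic, optimistic) protected rate in percent.

    Pessimistic treats every unreported system as unprotected; optimistic
    treats it as protected. A wide gap says the survey, not the control,
    is the first thing to fix.
    """
    p = tally_for_control.get("protected", 0)
    u = tally_for_control.get("unprotected", 0)
    n = tally_for_control.get("unreported", 0)
    total = p + u + n
    if total == 0:
        return (0.0, 0.0)
    return (round(100.0 * p / total, 1), round(100.0 * (p + n) / total, 1))


def response_rate(responses, surveyed):
    """Percent of surveyed departments that returned at least one record."""
    responded = {r["dept"] for r in responses} & set(surveyed)
    return round(100.0 * len(responded) / len(surveyed), 1) if surveyed else 0.0


def report(responses=SAMPLE_RESPONSES, surveyed=SURVEYED_DEPARTMENTS):
    """Per-control counts plus the protected-rate range and response rate."""
    t = tally(responses)
    summary = {"response_rate_pct": response_rate(responses, surveyed), "controls": {}}
    for c in CONTROLS:
        low, high = protection_bounds(t[c])
        summary["controls"][c] = {**t[c], "protected_pct_low": low, "protected_pct_high": high}
    return summary


if __name__ == "__main__":
    s = report()
    print(f"Department response rate: {s['response_rate_pct']}%")
    for c, row in s["controls"].items():
        print(f"{c:20s} protected={row['protected']} unprotected={row['unprotected']} "
              f"unreported={row['unreported']}  rate {row['protected_pct_low']}%"
              f" to {row['protected_pct_high']}%")
```

With the constructed data, Intrusion Detection reads as 25% to 50% protected and the response rate is 66.7%, which is the honest statement: the institution does not know whether half of its departmental systems have detection, and a third of departments said nothing at all. A single "protected" percentage would have hidden both facts.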

Page 9:

Some Observations & Questions

• Maturity levels in terms of security awareness vary greatly among institutions and sub-units.

• Addressing all risks is a massive undertaking.

• To what degree does the culture need to change? How do we change it?


Page 10:

System-wide Operational Review

Center for Infrastructure Assurance and Security (CIAS)

The CIAS is designed to leverage San Antonio's Infrastructure Assurance and Security (IAS) strengths as part of the solution to the nation's Homeland Defense needs and deficit of IAS talent and resources.

Page 11:

System-wide Operational Review

Phase 1: Organization and Development

►Develop comprehensive schedule.

►Develop list of interest items, data points, and metrics.

►Develop survey forms and questionnaires.

Page 12:

System-wide Operational Review

Phase 2: Information Gathering

►Questionnaires to points of contact.

►Visits to UT institutions.

►During campus visits, conducted interviews and manual inspections.

Page 13:

System-wide Operational Review

Phase 3: Analysis and Reporting

►Identify risks, problems, best practices, and barriers to remediation.

►Verify risk assessments.

►Develop metrics to measure risks and the effectiveness of remediation efforts.

►Deliver report providing recommendations to address risks, barriers, and future security needs.

Page 14:

Findings

205 specific recommendations across the following subject areas:

• Budget
• Personnel
• Network Perimeter
• Software Patches
• Physical Security
• Anti-virus
• Telecommunications
• Backups
• Data Mgt. & Destruction
• Internal System Security
• Incident Response
• Policies and Procedures
• Lab Environments
• Wireless

Page 15:

Findings

26 proposed metrics to measure security program activity and effectiveness:

• Executive Metrics – Reported to UT System.

• Operational Metrics – Tracked locally at the institution.

• Temporary Metrics – Used to track progress towards specific project goals until complete.

Page 16:

Top Three Systemic Barriers

1. Resource Allocation: Institutions feel their security programs are underfunded and do not have adequate staff to properly secure their information systems.

[Chart: Security Budget, y-axis Percent of IT Budget (0 to 12), x-axis 1 to 16 (unlabeled)]

Page 17:

Top Three Systemic Barriers

2. Decentralized IT: The independent and open nature of the institutions creates a pool of systems that are not under centralized control, are managed and maintained at different levels, and introduce significant security risks.

[Chart: departmental systems by control, y-axis 0 to 90; categories Authentication, Backups, Intrusion Detection, Firewalls; series Protected vs. Unprotected]

Page 18:

Top Three Systemic Barriers

3. Decentralized Accountability: The academic enterprise is an open and shared environment with little to no accountability for information security. This ingrained culture is counter to efforts to maintain IT security.

Page 19:

Next Steps

►Identify a funding mechanism for System-wide support of Information Security efforts.

►Develop and deploy a certification process to be required of all distributed Server Administrators.

►Deploy a pilot of Secure Watch software for later expansion system-wide.

Page 20:

Questions?

Clair Goldsmith, Ph.D.,

Associate Vice Chancellor and CIO

Lewis Watkins, CISSP

Director of Information Resources
