systemic barriers to it security findings within the university of texas system clair goldsmith,...
TRANSCRIPT
Systemic Barriers to IT SecurityFindings within The University of Texas System
Clair Goldsmith, Ph.D.,
Associate Vice Chancellor and CIO
Lewis Watkins, CISSP
Director of Information Resources
The University of Texas System
Nine Academic InstitutionsSix Health Institutions~ 175,000 Students~ 16,000 Faculty~ 72,000 Non-Faculty Staff
The Attention Grabber!
►Security breach resulting in the unauthorized collection of 50,000+ social security numbers raises awareness of risks to our systems.
►Chancellor writes letter to all Presidents asking them to conduct a security inventory.
The Process
►IT System Application Vulnerability Assessment
►Operational Review of IT Security
Information System Application Vulnerability Inventory
Phase 1: Mission Critical and Centrally Managed Systems
• Inventory• Action Plan• Assurance Report
Phase 2:Departmental Systems
• Inventory• Action Plan• Assurance Report
Security Vulnerability Findings
Phase 2 Vulnerability Inventory Findings. (Some Specific Measures)
0
10
20
30
40
50
60
70
80
90
Authentication Backups Intrusion Detection Firewalls
Protected
Unprotected
9
Some Observations & Questions
• Many departments failed to respond to the inventory or to specific questions.
• What do we conclude from items not reported?
►Vulnerabilities don’t exist?►Cover-up?►Ignorance?►Survey instrument or procedure weakness?►All of the above?
10
Some Observations & Questions
• Maturity levels in terms of security awareness varies greatly among institutions and sub-units.
• Addressing all risks is a massive undertaking.
• To what degree does the culture need to change? How do we change it?
10
12
System-wide Operational Review
Center for Infrastructure Assurance and Security (CIAS)
The CIAS is designed to leverage San Antonio's Infrastructure Assurance and Security (IAS) strengths as part of the solution to the nation's Homeland Defense needs and deficit of IAS talent and resources.
System-wide Operational Review
Phase 1: Organization and Development
►Develop comprehensive schedule.
►Develop list of interest items, data points, and metrics.
►Develop survey forms and questionnaires.
Phase 2: Information Gathering
►Questionnaires to points of contact.
►Visited to UT institutions.
►During campus visits conducted interviews and manual inspections.
System-wide Operational Review
Phase 3: Analysis and Reporting►Identify risks, problems, best practices, and
barriers to remediation.
►Verify risk assessments.
►Develop metrics to allow measure risks and effectiveness of remediation efforts.
►Deliver report providing recommendations to address risks, barriers, and future security needs.
14
System-wide Operational Review
Findings
205 specific recommendations across thefollowing subject areas:
• Budget• Personnel• Network Perimeter• Software Patches• Physical Security• Anti-virus• Telecommunications
• Backups• Data Mgt. & Destruction• Internal System Security• Incident Response• Policies and Procedures• Lab Environments• Wireless
Findings
• Executive Metrics – Reported to UT System.
• Operational Metrics – Tracked locally at the institution.
• Temporary Metrics – Used to track progress towards specific project goals until complete.
26 proposed metrics to measure securityprogram activity and effectiveness.
Top Three Systemic Barriers
1. Resource Allocation: Institutions feel their security programs are under funded and do not have adequate staff to properly secure their information systems
Security Budget
0
2
4
6
8
10
12
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Pe
rce
nt
of
IT B
ud
ge
t
Top Three Systemic Barriers
2. Decentralized IT: Independent and open nature of institutions creates pool of systems that are not under centralized control, are managed and maintained at different levels, and introduce significant security risks.
0
10
20
30
40
50
60
70
80
90
Authentication Backups Intrusion Detection Firewalls
Protected
Unprotected
Top Three Systemic Barriers
3. Decentralized Accountability: The academic enterprise is an open and shared environment with little to no accountability for information security. This ingrained culture is counter to
efforts to maintain IT security.
Next Steps
►Identify funding mechanism to support System-wide support for Information Security efforts.
►Develop and deploy a certification process to be required of all distributed Server Administrators.
►Deploy a pilot of Secure Watch software for later expansion system-wide.
Questions?
11
Clair Goldsmith, Ph.D.,
Associate Vice Chancellor and [email protected]
Lewis Watkins, CISSP
Director of Information [email protected]