A Ten Step Approach to Developing an Information Security Program
Bill Paraska
Director of University Computing & Communications Services
Georgia State University
“Just do it so I don’t have to hear about it again”
• This is a management issue
• IT staff can’t decide what’s important, who needs to protect it, what’s acceptable behavior from employees, or what the penalties are for non-compliance
• It’s not going to go away
• Putting up a firewall doesn’t make it go away – you need a plan that is maintained and evolves
• When you get hacked, it’s usually not IT they are after
Boy, are you going to be popular
• This stuff costs real dollars that were never budgeted
• You can’t show any positive impact on student retention or semester hours registered
• You say you can never really fix the entire problem
• You don’t know where the next attack is coming from
• One of your instructional departments may even be teaching the tools used to launch the attacks
A pair of students were blocked by a Georgia state court from presenting, at a security and hackers' conference, information on how to break into and modify a university electronic transactions system.
Plan, execute, evaluate, fine-tune, repeat
• The biggest long-term mistake you can make is quick fixes with unfounded expectations
• Do the homework and go after where it’s going to hurt the most
• User inconvenience should not be an evaluation criterion
• Don’t take it personally
Ten Step Approach
• Determine the "state of security"
• Write a DRAFT Information Security Strategic Plan
• Review existing policies and standards
• Get institution management buy-in
• Write the annual Information Security Plan
• Evaluate your security staff composition
• Engage the active involvement of campus departments and IT leaders
• Implement an incident response team
• Start a security awareness program
• Integrate security into the business and academic processes of the institution
Determine the “State of Security”
• Use automated tools to “discover” information about your campus network
• Use your own assessment plus contacts around campus to get a straw-man of what’s important, to whom and why
• Make a preliminary assessment of vulnerabilities
Develop a DRAFT Information Security Strategic Plan
• Your ideas of how to approach what you have just identified
• Link it to the Institution Strategic Plan or Master Plan – portray information security as a “key enabler”
• Let them shoot holes in it
• “No plan” means everything you bring to the table is “ad-hoc” and suspect
Review Existing Policies and Standards
• Policy (Principle)—What the expected end result is
• Standards (Rules)—What will be allowed to meet those end results
• Procedures (Process)—How to do what is allowed
• Assumes you have some already. If not, use what you can find that fits your institution’s goals, mission and management attitude
• These are essential to determining the appropriate tools to alleviate risks, threats and vulnerabilities
Characteristics of Good Policy
• Foundation in business practice, not technology
• Acts in the best interest of the institution
• Does not prevent the attainment of subordinate organization objectives and goals
• Has an element of compliance less costly than non-compliance
• Once it’s completed, it sounds like common sense
The Process of Policy
• Needs to be done at the top of the organization
• Define areas of common benefit
• Agree to architectural components of common benefit
• Agree to applications of common benefit
• Agree on policies
The Mechanics of Policy
• Simple, direct statements (principles)
• No more than one page per principle
• Not written by the security officer or CIO
• Not a set of technical rules (that comes later)
Examples
• Every manager is responsible for the accuracy, security and integrity of the information used by his/her organization
• All corporate information is an asset of the university and will be protected as such
Get Management Buy-in
• You did all the work before this step because you are the technical expert
• Sell it on their terms – not with IT techno-babble
• Get their validation of where the most pain would be, based on the threats you have outlined
Write the Information Security Annual Plan
• They told you what is important, so find the approach to protect it – throw their words back at them
• Establish the procedures, the goals and the measurements
• Show how it fits into your existing information technology environment
• Don’t hide the costs
Evaluate Your Security Staff Composition
• Minimum staffing—an Information Security Officer to develop and manage your security initiatives
• Utilize a cross-section of information technology staff members with backgrounds in networking, application and server management
• Ramp up to what makes sense for the Strategy
• Is outsourcing right for you?
Engage the Active Involvement of Campus Departments and IT Leaders
• Don’t dictate—Educate!
• It’s their problem too! Appeal to the diverse needs and requirements of students, faculty, department heads and information technology staff members
• Qualify and quantify risks where possible to provide a realistic assessment of what is at stake
Implement an Incident Response Program
• Refer back to the assessments you did at the beginning
• Define policy and procedures for incident handling
• Put together the response team
• Monitor your network and critical hosts for evidence of intrusions and compromises
• Detect, respond to, manage and mitigate incidents (and their damages)
• Roll what you learn back into the Annual Plans
Start a Security Awareness Program
• Teach, motivate, inspire…
• Use real-world examples to your benefit
• Variety is key—websites, newsletter articles, classes, posters, seminars
• Spread the word by personally visiting and engaging college staff and faculty
• Provide a service to your user community
Integrate Information Security into the Business and Academic Processes of the Institution
• Conduct information security audits of departments
• Be involved in system implementations, organizational changes and process re-engineering
• Use a strategic, layered approach to implement new security measures