
NETWORK PLANNING TASK FORCE

This session will discuss the security strategy for the next three years, including defense in depth, prevention, risk assessment updates, and increasing efficiency. The goal is to minimize risk, reduce vulnerabilities, and lower the overall cost of security.


Presentation Transcript


  1. NETWORK PLANNING TASK FORCE STRATEGY SESSION September 15, 2008 3-year Security discussion

  2. NPTF Meeting dates • February 18 - Operational review (Completed) • April 21 - Security strategy session (Completed) • July 21 - Updates & planning discussions (Completed) • August 11 - Strategy discussions (Completed) • September 15 - Security strategy discussion • October 6 - Strategy discussions/preliminary rates (ADDED) • October 20 - Strategy discussion • November 3 - FY’10 Finalize rate setting

  3. Today’s Agenda • Security Strategy Discussions • Security Planning Today • Defense in Depth • Prevention • Risk Assessment Update • Increase Efficiency • Proposed 3 Year Plan

  4. Security Planning Today • Continue to evolve a security strategy and plan • Goal: Find ways to say “yes” while minimizing risk, reducing vulnerabilities, and lowering the overall cost of security

  5. Security Planning Today • Rolling 3 year plan • Defense in depth • Prevention • Update Risk Assessment • Increase Efficiency

  6. Defense in Depth • Continue to expand layers of defense • Maintain and enhance a robust security infrastructure • Strengthening PennKey Project • Central Authorization • Supplement strong authentication with logging and anomaly detection

  7. Prevention • Continue to increase user awareness • Leverage Learning Management System to deliver security awareness and training to broad community • Focus awareness on phishing in FY09 • Policies and controls • SSN policy • SPIA • Infrastructure and tools • Strengthening PennKey Project • Central authorization • Laptop encryption

  8. Risk Assessment Update • College Opportunity and Affordability Act of 2008 • Phishing • Lost and stolen devices

  9. Increase Efficiency • Reduce costs to affiliate with third party systems • Shibboleth • Central authorization - centrally managed groups • Replace GRADI with RT-IR

  10. Proposed 3 Year Plan Firm Evolving

  11. Proposed 3 Year Plan FY ’09 • SPIA Cohort 3 • Phishing awareness • Tips, articles, warnings • Online Privacy and Security Training • Staff & Faculty, followed by LSPs • Central Authorization Service (PennGroups) • Fall 08 general availability • Hard Drive Encryption • PGP selected, Volume license agreement • Shibboleth • Q4 FY09 • Streamlining PennKey

  12. Proposed 3 Year Plan FY ’09 • RT-IR • New tracking system for ISC Information Security Team • Strengthening PennKey • Cosign replacing websec • Passphrases replacing passwords • SecureShare • Secure web based file sharing tool • Scanning • Considering Rapid7 NeXpose to replace ISS • Security Liaisons • SSN Compliance

  13. Proposed 3 Year Plan FY ’10 • SPIA • 2 Factor Authentication • Authentication Logging • Hard Drive Encryption for Laptops • Strongly encouraged for all laptops • Evaluate DKIM (Domain Keys Identified Mail) to mitigate spam & phishing • Strengthen 3rd party email phishing filtering and broaden adoption • Explore technical measures to combat illegal file sharing

  14. Proposed 3 Year Plan FY ’11 • SPIA • Anomaly Detection • Policy governing storage of, and access to, University Data from machines not owned by Penn

  15. Discussion
