
Office of Campus Information Security

Office of Campus Information Security. Stefan Wahe (smwahe@wisc.edu), Sr. Information Security Analyst. Driving a Security Architecture by Assessing Risk. Realizing our principles: answering the question, “Why?”, so that there is a common understanding of how to build a secure architecture.


Presentation Transcript


  1. Office of Campus Information Security
     Stefan Wahe (smwahe@wisc.edu), Sr. Information Security Analyst
     Driving a Security Architecture by Assessing Risk

  2. Realizing our Principles
     • Answering the question, “Why?”
     • To have a common understanding of building a secure architecture.
     • Developed based on NIST 800-27, ISO 20071, CIC schools, and other publications.

  3. OCIS IT Security Principles: Security is Everyone’s Responsibility
     • Security is Part of the Development Life Cycle
       • Information Privacy and Assurance; Usability; and Defense in Depth.
     • Security is Asset Management
       • Classify Information; Least Privilege; and Separation of Duties.
     • Security is a Common Understanding
       • Due Diligence; Manage Threats, Risks, and Costs; and Incident Management.

  4. Risk Assessment Process
     Step 1: Letter of Engagement
     Step 2: Conduct the Assessment
     Step 3: Draft Report on Findings
     Step 4: Communicate Findings
     Step 5: Re-Assess

  5. Building a Common Understanding: Managing Risk
     [Diagram; labels recovered from the slide: Impact, Likelihood, Risk, Mitigation Controls, $ Care $ $]
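The slide's model treats a finding's risk as Impact × Likelihood and weighs mitigation controls against what they cost. The following is an added worked example, not code from the OCIS deck: it scores constructed findings on that model and ranks candidate controls by risk removed per $1,000 spent, which is how an assessor would decide where a limited budget buys the most. The 1 to 5 scales, the findings, the control costs and the residual likelihoods are all assumptions made for illustration.

```python
"""Added worked example (not from the OCIS deck): express a finding's risk as
Impact x Likelihood, as the slide does, and rank candidate mitigation controls
by how much risk they remove per dollar. Scales, findings and costs are
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    impact: int      # 1 = negligible .. 5 = severe (constructed scale)
    likelihood: int  # 1 = rare .. 5 = almost certain (constructed scale)

    @property
    def risk(self) -> int:
        """Risk score used by the deck's model: Impact x Likelihood."""
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Control:
    name: str
    finding: str              # name of the Finding this control mitigates
    cost: float               # one-time cost in dollars (constructed)
    residual_likelihood: int  # likelihood that remains once the control is in place


def risk_reduction(finding: Finding, control: Control) -> int:
    """Risk removed by a control; impact is unchanged, only likelihood drops."""
    return finding.risk - finding.impact * control.residual_likelihood


def prioritize(findings, controls):
    """Return (control name, risk reduction, cost, reduction per $1,000),
    best value first, so a limited budget goes to the most effective controls."""
    by_name = {f.name: f for f in findings}
    rows = []
    for c in controls:
        f = by_name[c.finding]
        reduction = risk_reduction(f, c)
        rows.append((c.name, reduction, c.cost, reduction / (c.cost / 1000)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample data, loosely mirroring the deck's "common gaps" slide.
FINDINGS = [
    Finding("flat network, no segmentation", impact=4, likelihood=4),
    Finding("backups stored unencrypted", impact=5, likelihood=2),
    Finding("no alerting on security logs", impact=3, likelihood=5),
]
CONTROLS = [
    Control("segment network behind firewall", "flat network, no segmentation", 40_000, 1),
    Control("encrypt backups with managed keys", "backups stored unencrypted", 8_000, 1),
    Control("central log management with alerts", "no alerting on security logs", 15_000, 2),
]

if __name__ == "__main__":
    for name, reduction, cost, per_k in prioritize(FINDINGS, CONTROLS):
        print(f"{name:38s} -{reduction:2d} risk  ${cost:>8,.0f}  {per_k:.3f} per $1k")
```

Note that the highest raw risk (the flat network, scored 16) is not the best first purchase under this model: the cheaper backup encryption removes less risk but far more risk per dollar. That trade-off is the "$ Care $" tension on the slide, and it is why the deck pairs risk scores with control costs rather than ranking findings by severity alone.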

  6. Example Question
     • Does the system maintain a Configuration Management methodology that includes:
       • A documented process for reviewing, approving and implementing changes
       • Version control for software system components
       • Timely identification and installation of all applicable patches for any software used in the provisioning of the CS.

  7. Common Gaps
     • Common Security Gaps (examples)
       • The system infrastructure needs to be segmented with robust firewall controls.
       • Encryption controls and key management procedures should be implemented for data at rest.
       • Restricted data needs to be sanitized in non-production environments.
       • Intrusion detection, prevention and log management devices should be installed and maintained with appropriate alerting processes.
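The third gap on this slide, restricted data reaching non-production environments, is one of the easiest to close with tooling. The following is an added example, not code from the OCIS deck or the university: it replaces restricted fields with keyed pseudonyms before a dataset is copied to a test or development environment, and then verifies that no restricted source value survives in the copy. The field list, the records and the key are all constructed for illustration; a real refresh job would take the field list from the data classification and the key from production secret storage.

```python
"""Added worked example (not from the OCIS deck): sanitize restricted fields
before a dataset is copied into a non-production environment. Field names,
records and the key are constructed for illustration."""
import hashlib
import hmac

# Fields treated as restricted in this example (constructed list).
RESTRICTED_FIELDS = {"name", "ssn", "dob", "email"}


def pseudonymize(value: str, field: str, key: bytes) -> str:
    """Keyed hash of the value: stable within one refresh (so joins across tables
    still line up) but not reversible without the key, which stays in production."""
    msg = f"{field}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def sanitize_record(record: dict, key: bytes) -> dict:
    """Replace each restricted field; keep non-restricted fields as-is."""
    out = {}
    for field, value in record.items():
        if field not in RESTRICTED_FIELDS:
            out[field] = value
        elif field == "email":
            # Keep the e-mail shape so code that parses addresses still works,
            # but use a reserved domain so test mail can never reach a real person.
            out[field] = pseudonymize(value, field, key) + "@example.invalid"
        else:
            out[field] = pseudonymize(str(value), field, key)
    return out


def sanitize_dataset(records, key: bytes):
    return [sanitize_record(r, key) for r in records]


def verify_sanitized(source_records, sanitized_records) -> bool:
    """Release gate: no restricted value from the source may survive anywhere in
    the sanitized copy, including in a field it did not originally occupy."""
    restricted_values = {
        str(r[f]) for r in source_records for f in RESTRICTED_FIELDS if f in r
    }
    return not any(
        str(v) in restricted_values for r in sanitized_records for v in r.values()
    )


# Constructed source records; every value is fictitious.
SOURCE = [
    {"id": 1, "name": "Pat Example", "ssn": "123-45-6789",
     "dob": "1990-01-01", "email": "pat@example.edu", "dept": "Registrar"},
    {"id": 2, "name": "Pat Example", "ssn": "123-45-6789",
     "dob": "1990-01-01", "email": "pat.alt@example.edu", "dept": "Bursar"},
]

if __name__ == "__main__":
    key = b"constructed-refresh-key"
    clean = sanitize_dataset(SOURCE, key)
    for row in clean:
        print(row)
    print("sanitized:", verify_sanitized(SOURCE, clean))
```

The keyed hash rather than a plain hash matters: a plain SHA-256 of a nine-digit SSN can be reversed by enumerating the whole space, while an HMAC under a key that never leaves production cannot. The verification step is what turns the slide's "should be sanitized" into something an assessor can check on the next re-assessment.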

  8. Integrating a Security Culture
     • Awareness and Training
       • SANS Secure Web Development
     • Policy Development and Best Practices
       • Restricted Information Management Practices
       • Desktop Encryption Policy
     • Centralized Resources
       • Security Event Management
       • Network Management
       • Desktop Tools
       • PKI

  9. Questions
     • How can we help you?
