
UMASS Written Information Security Plan (WISP)

UMASS Information Security Council, 11/16/2010, Version 4.0





Presentation Transcript


  1. UMASS Written Information Security Plan (WISP)
  UMASS Information Security Council, 11/16/2010, Version 4.0
  UMASS Information Security Program Final 1

  2. Information Security Program
  • Background & Introduction
  • The Security Problem: External & Internal Threats
  • The Security Solution: Defense in Depth
  • Key Goals and Objectives
  • The UMASS WISP
  • The WISP Framework & Controls
  • UMASS Security Programs
  • UMASS Security Governance
  • UMASS Security Metrics
  • The UMASS Security Lifecycle
  • ITLC (Information Technology Leadership Council) Review and Approval
  • Information Security Council (ISC) Charter
  • UMASS Security Policy Statement
  • UMASS Written Information Security Plan (WISP)

  3. Background & Introduction
  • The Problem: External & Internal Threats
    • Primary methods involve privilege misuse, hacking and malware
    • Increase in sophistication (multi-threaded attacks)
    • Most breaches are avoidable through simple or intermediate controls
    • Data in motion (Excel, email, etc.)
  • The Solution: Defense in Depth
    • Establish the UMASS security framework & programs
    • Apply controls to each program
    • Measure effectiveness through metrics & reports
  • Key Goals & Objectives
    • Develop and communicate comprehensive UMASS security programs under the WISP framework
    • Align with industry best practices (ISO 27002)
    • Manage security throughout its lifecycle
    • Integrate security controls into "normal" UMASS operations
    • Identify and assign / acquire resources (staffing, automated tools, etc.) to implement and maintain the security programs
    • Develop, communicate and receive ITLC approval for the WISP implementation roadmap
    • Develop and implement a communications plan to increase general awareness and educate stakeholders on key WISP components and deliverables

  4. The WISP Framework & Controls
  WISP Framework
  • UMASS Security Programs
    • PRG-01: Governance, Risk & Compliance
    • PRG-02: Identity & Access Management
    • PRG-03: Privacy & Data Protection
    • PRG-04: Application Integrity & Security
    • PRG-05: Threat & Vulnerability Management
    • PRG-06: Infrastructure & Operations Security
  • ISO 27002 Security Controls
    • 12 Control Areas
    • 41 Control Objectives
    • 135 Security Controls
  • Key Considerations
    • The WISP covers all University computing resources and information assets, including those managed by campus and President's Office IT staff, decentralized departments, 3rd-party managed services, etc.
    • The WISP framework and security programs apply to all University locations, including main campus locations, branch locations, 3rd-party managed facilities, etc.
  [Framework diagram: the six security programs (1. Governance, Risk & Compliance; 2. Identity & Access Management; 3. Privacy & Data Protection; 4. Application Integrity & Security; 5. Threat & Vulnerability Management; 6. Infrastructure & Operations Security) arranged around the ISO 27002 controls]

  5. UMASS Security Programs

  6. UMASS Security Governance
  • UMASS Information Security Governance
    • Information Technology Leadership Council (ITLC)
    • Information Security Council (ISC)
    • Controls Review Committee (CRC)
    • Security Program Teams (SPTs)
  • Information Security Council (ISC) Charter
    • Advise the ITLC of security risks to the University's information assets and technology resources
    • Collaborate across campuses and the system office to ensure a consistent approach to managing risks
    • Lead the development of programs, policies, standards, procedures and controls
    • Respond to ITLC requests to investigate technologies and process controls, mitigate newly identified risks, etc.
  [Governance diagram: ITLC provides security oversight; ISC provides controls oversight; the CRC and the SPTs provide program oversight over the controls and programs (University and local campus teams); legend: Local Administration / Education / Implementation / Management]

  7. UMASS Security Metrics
  • Operational Metrics
    • Effective security metrics are a challenge to develop
    • Goal is to build a baseline model that will evolve over time
    • Allows managers to measure the effectiveness of the security program
  • Compliance Metrics
    • Control Environment: Policies, procedures, practices and organizational structures that provide reasonable assurance that business objectives are achieved and undesired events are prevented, or detected and corrected.
    • Control Objective: Description of what we are trying to achieve.
    • Control: A statement that describes how UMASS will attain the control objective.
    • Control Documentation: The control design and implementation details.
    • Control Evidence: Proof that the control exists.
    • Control Testing: Assessment of the control's effectiveness in mitigating risk.

  8. UMASS Security Program Lifecycle
  [Lifecycle diagram: the UMASS Security Framework & Programs (the six programs and the ISO 27002 controls) run through a PLAN / DO / CHECK / ACT cycle. CHECK draws on operational and compliance metrics and evaluates Risk = f(Impact & Exposure); a High Risk / Low Risk decision point routes high-risk findings to gap remediation or risk acceptance in ACT.]
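The slides above define the chain Control → Documentation → Evidence → Testing (slide 7) and the CHECK/ACT step where Risk = f(Impact & Exposure) decides between gap remediation and risk acceptance (slide 8), but do not show how that is computed. The following Python sketch is an added illustration of one way to do it; it is not part of the UMASS WISP and not UMASS code. The control identifiers and register entries are constructed, the 1..5 impact and exposure scales, the product risk formula and the threshold of 12 are assumptions, and the six program codes (PRG-01 .. PRG-06) are the only names taken from the slides.

```python
"""Compliance metrics and risk-based gap triage over a control register.

Added example, not part of the UMASS WISP. Control identifiers, the 1..5
impact/exposure scales, the product risk formula and the threshold are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Control:
    control_id: str   # hypothetical identifier; not a real WISP/ISO control number
    program: str      # one of the six WISP programs, e.g. "PRG-02"
    objective: str    # the control objective the control serves
    documented: bool  # control design and implementation are written down
    evidence: bool    # proof the control exists (configs, tickets, reports)
    tested: bool      # effectiveness has been assessed
    effective: bool   # outcome of that assessment; only meaningful if tested
    impact: int       # 1 (low) .. 5 (high): consequence if the control fails
    exposure: int     # 1 (low) .. 5 (high): how exposed the asset is to the gap


# Constructed sample register (not real UMASS data).
SAMPLE_CONTROLS: List[Control] = [
    Control("PRG-02-01", "PRG-02", "Unique user IDs for all accounts", True, True, True, True, 4, 2),
    Control("PRG-02-02", "PRG-02", "Quarterly privileged-access review", True, False, False, False, 5, 4),
    Control("PRG-03-01", "PRG-03", "PII encrypted in transit", True, True, True, False, 5, 3),
    Control("PRG-05-01", "PRG-05", "Monthly vulnerability scans", False, True, False, False, 3, 2),
    Control("PRG-06-01", "PRG-06", "Backup restore tests", True, True, True, True, 3, 3),
]


def risk_score(control: Control) -> int:
    """Risk = f(Impact & Exposure). Assumed here: the product, on a 1..25 scale."""
    return control.impact * control.exposure


def is_gap(control: Control) -> bool:
    """A gap is a control with no evidence, no test, or a failed test."""
    return not control.evidence or not control.tested or not control.effective


def compliance_metrics(controls: List[Control]) -> Dict[str, Dict[str, float]]:
    """Per-program share of controls that are documented, evidenced, tested and effective."""
    by_program: Dict[str, List[Control]] = {}
    for c in controls:
        by_program.setdefault(c.program, []).append(c)
    metrics: Dict[str, Dict[str, float]] = {}
    for program, items in sorted(by_program.items()):
        n = len(items)
        metrics[program] = {
            "controls": n,
            "documented": sum(c.documented for c in items) / n,
            "evidenced": sum(c.evidence for c in items) / n,
            "tested": sum(c.tested for c in items) / n,
            # an untested control cannot count as effective, whatever the flag says
            "effective": sum(c.tested and c.effective for c in items) / n,
        }
    return metrics


def triage_gaps(controls: List[Control], threshold: int = 12) -> Dict[str, List[str]]:
    """CHECK -> ACT: route high-risk gaps to remediation, low-risk gaps to risk acceptance.

    The threshold (12 on the assumed 1..25 scale) is an illustrative policy choice.
    Remediation candidates are ordered by descending risk so the worst gap is worked first.
    """
    gaps = [c for c in controls if is_gap(c)]
    remediate = sorted((c for c in gaps if risk_score(c) >= threshold),
                       key=risk_score, reverse=True)
    accept = [c for c in gaps if risk_score(c) < threshold]
    return {
        "remediate": [c.control_id for c in remediate],
        "accept": [c.control_id for c in accept],
    }


if __name__ == "__main__":
    for program, m in compliance_metrics(SAMPLE_CONTROLS).items():
        print(f"{program}: {m}")
    print(triage_gaps(SAMPLE_CONTROLS))
```

Two design points worth keeping when adapting this: a control that has never been tested is treated as a gap rather than as effective, so the "effective" metric can only be raised by actually running the test (slide 7's Control Testing), and accepted low-risk gaps are returned explicitly so the acceptance can be recorded and revisited on the next PLAN cycle instead of silently disappearing.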

  9. ITLC Review and Approval
  • Information Security Council (ISC) Charter
    • Advise the ITLC of security risks to the University's information assets and technology resources
    • Collaborate across campuses and the system office to ensure a consistent approach to managing risks
    • Lead the development of programs, policies, standards, procedures and controls
    • Respond to ITLC requests to investigate technologies and process controls, mitigate newly identified risks, etc.
    • Upon approval from the ITLC, the ISC Charter will be published on the Massachusetts.edu website
  • UMASS Security Policy Statement
    • High-level statement established to protect the assets and interests of the University
    • Increases security awareness and compliance across the University
    • Establishes a coordinated approach for implementing, managing & maintaining the control environment
    • Upon approval from the ITLC, the Policy will be submitted to the Board of Trustees for ratification
  • UMASS Written Information Security Plan (WISP)
    • UMASS Security Framework, Programs, Controls and Metrics
    • Upon approval from the ITLC, the WISP will be published on the Massachusetts.edu website
  • For future consideration
    • Developing / defining a UMASS Controls Review Committee (CRC) that would interpret the ISO controls and determine how best to implement them across the University
