1 / 21

Systemic Barriers to IT Security Findings within The University of Texas System

Explore the operational review of IT security at the University of Texas System, including vulnerability assessments, findings, recommendations, and proposed metrics. Discover the top systemic barriers hindering IT security efforts and proposed solutions to address challenges effectively.

mathewt
Download Presentation

Systemic Barriers to IT Security Findings within The University of Texas System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Systemic Barriers to IT SecurityFindings within The University of Texas System Clair Goldsmith, Ph.D., Associate Vice Chancellor and CIO Lewis Watkins, CISSP Director of Information Resources

  2. The University of Texas System Nine Academic Institutions Six Health Institutions ~ 175,000 Students ~ 16,000 Faculty ~ 72,000 Non-Faculty Staff

  3. The Attention Grabber! • Security breach resulting in the unauthorized collection of 50,000+ social security numbers raises awareness of risks to our systems. • Chancellor writes letter to all Presidents asking them to conduct a security inventory.

  4. Operational Review of IT Security The Process • IT System Application Vulnerability Assessment

  5. Information System Application Vulnerability Inventory Phase 1: Mission Critical and Centrally Managed Systems • Inventory • Action Plan • Assurance Report Phase 2: Departmental Systems • Inventory • Action Plan • Assurance Report

  6. Security Vulnerability Findings

  7. Phase 2 Vulnerability Inventory Findings. (Some Specific Measures) 9

  8. Some Observations & Questions • Many departments failed to respond to the inventory or to specific questions. • What do we conclude from items not reported? • Vulnerabilities don’t exist? • Cover-up? • Ignorance? • Survey instrument or procedure weakness? • All of the above? 10

  9. Some Observations & Questions • Maturity levels in terms of security awareness varies greatly among institutions and sub-units. • Addressing all risks is a massive undertaking. • To what degree does the culture need to change? How do we change it? 10

  10. System-wide Operational Review Center for Infrastructure Assurance and Security (CIAS) The CIAS is designed to leverage San Antonio's Infrastructure Assurance and Security (IAS) strengths as part of the solution to the nation's Homeland Defense needs and deficit of IAS talent and resources. 12

  11. System-wide Operational Review Phase 1: Organization and Development • Develop comprehensive schedule. • Develop list of interest items, data points, and metrics. • Develop survey forms and questionnaires.

  12. System-wide Operational Review Phase 2: Information Gathering • Questionnaires to points of contact. • Visited to UT institutions. • During campus visits conducted interviews and manual inspections.

  13. System-wide Operational Review Phase 3: Analysis and Reporting • Identify risks, problems, best practices, and barriers to remediation. • Verify risk assessments. • Develop metrics to allow measure risks and effectiveness of remediation efforts. • Deliver report providing recommendations to address risks, barriers, and future security needs. 14

  14. Findings 205 specific recommendations across the following subject areas: • Budget • Personnel • Network Perimeter • Software Patches • Physical Security • Anti-virus • Telecommunications • Backups • Data Mgt. & Destruction • Internal System Security • Incident Response • Policies and Procedures • Lab Environments • Wireless

  15. Findings 26 proposed metrics to measure security program activity and effectiveness. • Executive Metrics – Reported to UT System. • Operational Metrics – Tracked locally at the • institution. • Temporary Metrics – Used to track progress • towards specific project goals until complete.

  16. Top Three Systemic Barriers • Resource Allocation: Institutions feel their security programs are under funded and do not have adequate staff to properly secure their information systems

  17. Top Three Systemic Barriers • Decentralized IT: Independent and open nature of institutions creates pool of systems that are not under centralized control, are managed and maintained at different levels, and introduce significant security risks.

  18. This ingrained culture is counter to efforts to maintain IT security. Top Three Systemic Barriers • Decentralized Accountability: The academic enterprise is an open and shared environment with little to no accountability for information security.

  19. Identify funding mechanism to support System-wide support for Information Security efforts. • Develop and deploy a certification process to be required of all distributed Server Administrators. • Deploy a pilot of Secure Watch software for later expansion system-wide. Next Steps

  20. Questions? Clair Goldsmith, Ph.D., Associate Vice Chancellor and CIO cgoldsmith@utsystem.edu Lewis Watkins, CISSP Director of Information Resources lwatkins@utsystem.edu 11

More Related