Designing Services for Security:
Information Security Management throughout the Service Lifecycle
Sarah Irwin & Craig Haynal
2015 Penn State Security Conference, October 14, 2015
Session Roadmap
• Security Landscape
• Current Challenges
• Service Management at Penn State
• Designing for Security
• Call to Action
Security Landscape
When I say “Sensitive Data”….
You probably think of:
Photo credit: frankleleon
Photo credit: NEC Corporation of America
Photo credit: Alan Levine
Photo credit: GotCredit
http://www.databreachtoday.com/experian-faces-congressional-scrutiny-over-breach-a-8580 / http://www.databreachtoday.com/etrade-dow-jones-issue-breach-alerts-a-8586
You probably also think of:
www.target.com
www.homedepot.com
http://www.engr.psu.edu/
http://www.la.psu.edu/
Traditionally…
• Sensitive data includes things like:
  • Personally identifiable information (PII)
  • Payment Card Industry (PCI) data
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Family Educational Rights and Privacy Act (FERPA)
But it’s more than just PII
• Research
  • Human subjects
  • Deductive disclosure risk
  • Contract data
  • Geographic IDs
• Student information
  • Transgender community
  • Confidentiality holds
  • Mental health counseling
• Administrative
  • HR records
  • Budget information
  • Salary and review information
• Laws and Regulations
  • Federal and state laws and regs
  • University policies
  • Third party contracts
It’s also becoming more prevalent
[Bar chart: Sensitive data contracts processed by the Office of Sponsored Programs per fiscal year, FY2010 through FY2014; data labels: 3, 20, 38, 39, 90]
Current Challenges
Our Data Security Environment
• Highly decentralized, disparate IT environments and support
• Inconsistent standards and policies
• Lack of awareness and understanding
Pain Points
IT
• Lack of communication or notice between IT and users
• IT is an afterthought, typically brought in after project starts
• Historic lack of trust that IT can provide what users need
Users
• Currently, few central IT services for restricted data
• Local IT staff assist in some colleges/departments
• Many users left to sort out IT needs on their own
Secure Technology + Safe People + Sound Process = Security
Reactive IT
Retrofitting
Service Management at Penn State
IT Services
People
Technology
Process
Services
• A means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks.
• Service ≠ Product
• Unlike products, services often have no intrinsic value.
Service Management at Penn State
• IT Transformation Program (ITX)
  • The program tasked with developing and implementing the Penn State Service Management Program.
• Penn State Service Management Program (PSSMP)
  • An accepted standard for University service models, processes, and tools that improves the consistency and efficiency of Penn State services.
  • By using a common language and set of procedures, Penn State units will unite in providing efficient, high-level customer service, while reducing service redundancy and cost across the University.
ITIL Framework
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement
ITX/PSSMP Processes
Current:
• Incident Management
• Change Management
• Service Catalog Management
• Request Fulfillment
Future:
• Service Portfolio Management
• Project Portfolio Management
• Resource Portfolio Management
• Knowledge Management
• Problem Management
• Project Management
• Service Asset and Configuration Management
ITX/PSSMP Processes – Greatest Security Impact
Current:
• Incident Management
• Change Management
• Service Catalog Management
• Request Fulfillment
Future:
• Service Portfolio Management
• Project Portfolio Management
• Resource Portfolio Management
• Knowledge Management
• Problem Management
• Project Management
• Service Asset and Configuration Management
People
Technology
Process
Designing for Security
Designing Services
[Diagram labels: Warranty (Availability, Capacity, Continuity, Security); Quality Service; Value; Utility, Warranty, Value]
Design Coordination
Overall service design process:
• Define & maintain policies and methods
• Plan design resources and capabilities
• Coordinate design activities
• Manage design risks & issues
• Improve service design
Per design process:
• Plan individual design
• Coordinate individual design
• Monitor individual design
• Review design and ensure handover of service design package
Service Design Package
Major components
• Requirements
• Service design
• Organizational readiness assessment
• Service lifecycle plan
Security checkpoints
• Gather security requirements
• Plan for security
• Ensure adequate security training
• Incorporate security checkpoints into the plan
Information Security Management System
Control
Plan
Implement
Evaluate
Maintain
Information Security Management
• Produce/maintain information security policy
• Assess/categorize risks and vulnerabilities
• Report security risks and threats
• Implement/review security controls and risk mitigation
• Monitor/manage security incidents
• Enforce security policy
• Review/report/reduce security incidents
Legend: Design focus, Operation focus
Security management information system (SMIS)
• Information security policy
• Security reports and information
• Security controls
• Security risks and responses
RESILIA™ Cyber Resilience Best Practice
• A practical framework for building and managing cyber resilience, reflecting the changing need not only to detect and protect against cyber-attacks but also to respond and recover from them.
• Provides security guidance aligned with the service lifecycle from the ITIL books:
  • Service strategy
  • Service design
  • Service transition
  • Service operation
  • Continual service improvement
Call to Action
Start Small: Learn
• Learn about Penn State’s policies that pertain to security, especially data categorization: http://guru.psu.edu/policies/AD71.html (and the related guideline: http://guru.psu.edu/policies/ADG07.html)
• Understand the minimum security baseline and be ready to incorporate it into your services: http://sos.its.psu.edu/minimum-security-baseline.html
Focus on People
• Have conversations about the types of data that will be handled by IT services up front
• You may have to educate your customers and users on data categorization in order to discover their information security needs
• Negotiate the right level of security before you plan, purchase, or build anything
• Always plan for user education, especially when it comes to securely using services
Design Better Services
• Plan your services; don’t just rush to solutions without fully understanding the problems, particularly when it comes to security
• Remember that good IT services focus on helping customers achieve outcomes and consider people and process in addition to technology
• Make sure your services not only have the needed features (utility) but also live up to their commitments (warranty)
• Taking the time to design services for security will be much less expensive than retrofitting or replacing them later
Any Questions?