8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 1/41
Patty Patria, CIO Becker College
Wednesday April 1,
Risk Management through Security P
David Sherry, CISO Brown
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 2/41
About the presenters (and their scho
David Sherry
Chief Information Security Office
Brown University
Private, Tier 1 Research Instituti
6,200 undergrad students
8,600 total students
736 faculty
3,227 staff
Patty Patria
Chief Information Officer
Becker College
Small Private University
2,000 undergrad students
1 new graduate program
445 total employees
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 3/41
The state of security 2014
Let’s set some context………………
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 4/41
2014 Threat Landscape
Source: www.ponemon.org and www.verizonbusiness.com
Verizon 2014 Breach Report
•63,000+ reported incidents
•1,367 confirmed breaches
Ponemon Data Breac•Average cost of breach is
•More than $136 per compro
•Cost of detection, response, n
lost business
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 5/41
2014 Heavy Hitters and Human Erro
Source: www.ponemon.org and www.verizonbusiness.com
2014 Heavy Hitters
MichaelsMalware; 3 millioncredit/debit cards
stolen
Home DepotMalware; 56 millioncredit cards stolen
TargetCompromised
service provider; 70million stolen cards
JP Morgan83 million peo
compromise
Sony
$100
million
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 6/41
2014 Threat Landscape
• Hacking, Malware a
Social Attacks are o
rise
• POS and web
application attacks
top threats
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 7/41
2014 Threat Landscape
Everything Else
GenericHacking
Browser
malware
Phishing
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 8/41
Source: http://blog.networkboxusa.com/2015/01/26/infographic-higher-education-data-breaches/
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 9/41
The attacks are continuous (map.ipviking.com)
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 10/41
Recent Threats Affecting Becker and
We have a feeling that you’ve seen some of these as w
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 11/41
Recent Threats Affecting Becker
Repeated responses to email Phishing several times this year.
◦ Employees respond to illegitimate email messages.
◦ Hijackers take over your email, send spam and Becker gets blacklisted, causing email toexternal recipients to be blocked.
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 12/41
Recent Threats Affecting Becker
Ransom Ware incident on L Drive and Vet network share.
◦ Employee clicked a link in personal email (from Becker computer) and it encrypted allfiles on their personal computer, Vet share and L drive.
◦ Files were encrypted and could not be opened. Encryption processran for 36 hours beforedetected.
◦ We had to restorefrom backups 2 daysprior to get all files
back.
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 13/41
Recent Threats Affecting BrownGetting attention via “salary update” phishing scam
o Widespread attack on 7/30/14
o Appeared to have come from HR
o Had the Brown logo (though skewed)
o Had “sincerity”
---------- Forwarded message ----------
From: BU-HR <[email protected]>
Date: Fri, Jul 25, 2014 at 4:21 PM
Subject: Important Salary Update
Hello,
The University is having a salary increment program again this
The Human Resources department evaluated you for a raise o
Click below to confirm and access your salary revision docume
Click Here to access the documents
Sincerely,
Human Resources
Brown University
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 14/41
Recent Threats Affecting Brown
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 15/41
Recent Threats Affecting Brown
This one really hit home!o A very common phishing scam
o With an uncommon subject line
o Proof that the scammers were inanother box when we contacted them
From: Brown University Mail <[email protected]>
Date: Wed, Aug 6, 2014 at 4:22 PM
Subject: Message from Brown Information Security: Your e
compromised
MAINTENANCE CENTER.
Dear Brown User,
Attention you have almost exceeded your account mailbox
To update or upgrade this process click the link below. Ple
Webmaster Support
**************************
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 16/41
Recent Threats Affecting Brown
Some recent stats:
o Brown has had constant phishing attacksthis academic year
o September was intense, & it became awar between the two parties
o 41 compromised accounts in a 7-dayperiod
o Data indicates undergrads are the mostnumerous victim
Compromised Accounts Since 7/1/14
undergrad grad / med facutly staff other
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 17/41
The Bottom Lineo Higher Education is a target
o It will continue to be a target
o It doesn’t matter what your Carnegie designation is
o It’s all about risk
o We must be prepared
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 18/41
Key take-away
You can reduce risk through security planning
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 19/41
Security planning to address risko Ensure executive level buy-in
o Form an Information Security Advisory Committee
o Get plugged in
o Review and develop polices
o Strategic use of audits
o Implement technology
o Train and educate users
o Purchasing and contract reviews
o Insurance and breach retainers
o Incident response
o Oh, and by the way……
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 20/41
Ensure Executive-Level Buy-Ino Leverage statistics on cost and impact of security threats and breaches to gain get
from your President or Chief Administrative Officer.
o Ensure that they know that you will never be 100% secure
o “When”, not “if”
o Always use the term “incident”, and only use “breach” when speaking of actual ev
o Get time in front of the Board/Cabinet/Trustees/etc, and not just for bad news
o Be prompt in informing them of the security posture relative to the breaches and other schools
o Speak in terms of dollars and reputation, and less about fear, uncertainty and dou
o IMPACT ON RISK: knowledge of security concerns and areas to focus at the highelead to resources, support, and prioritization; this aids is reducing risk probability
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 21/41
Form an Information Security AdvisoryCommittee
o Ideally have director level (or above) participation from all key departments on ca
especially those the process or store PII.
o Committee should not be chaired by IT (although IT can run it). Needs to be chairelevel folks with influence to address security policy, process and technology.
o Use the committee to aid in policy review, setting priorities, getting buy-in, and as adopters
o IMPACT ON RISK: using a broad spectrum of constituents in your vetting process
receiving approval and input for policy and projects, provides a more broad view organization, and a deeper penetration of the security mission, reducing risk in arhave been hard to identify
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 22/41
Vet Policy Through a Committee
CFO Financial
Aid
CIO
Provost
HR
Alumni
Registrar
Student
Affairs Finance
UG Admissions
Marketing
President’s
Office
Enlist Committee’s Support in Establishing a
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 23/41
Enlist Committee s Support in Establishing aRisk Management Framework
Minimize collection of sensitivedata
Minimize # of peoplewith access
Protect sensitive data in ourcustody; train employees
Set usages and retentiontimeframes and securely
destroy sensitive data
BUSINESS PROCESSES
RESPONSIBILITY ND TECHNOLOGY
P
O
L
I
C
Y
R
O
L
E
S
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 24/41
Brown’s expanded committee and missio
Membership:
SVP of Corporation Affairs and Governance
Vice President of Research
University Librarian
Assistant to the President
Director, Human Resources Services
Chief General Counsel
Chief University Auditor
University Controller
University Registrar
AVP, Research Administration
AVP Financial & Administrative Services
Chief Information Security Officer (CHAI
University Archivist
University Records Manager
Director of International Research Admi
Director of Environmental Health and Sa
Associate Director of Web and Informat
Data, Privacy, Compliance and Records Management Executive Committee
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 25/41
Get plugged ino Get a seat on the University Risk Committee (and get a standing agenda item)
o Get a seat on the University Change Control Committee
o Get in the approval line in the IT Project Management process
o Get a seat on the IRB, OSP and HPC committees
oGet a seat on your Hospital/University HIPAA Committee
oBecome the signatory of all Data use Agreements
o Make sure your institution knows who your senior security person is!
o IMPACT ON RISK: not only will the security team become aware of many hiddenawareness of the security mission will increase, and risk will be reduced by havingexpertise be included in all areas of the organization
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 26/41
Review and Develop Policieso A strong (and up to date!) policy set lowers risk
o Perform regular gap analysis for emerging areas (times change!)
o Ensure that all policies are current
o Maintain a regular schedule of review, and document for auditors
o Utilize the partnership with Internal Audit to keep current at the landscape of pol
o IMPACT ON RISK: By monitoring current phishing policies and then making updapolicies by requiring special training for phishers, Becker has been able to reduce of successful phishing attempts which reduces the threat to institutional data (andfor IT folks dealing with phishing).
Key Information Security Policies
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 27/41
Key Information Security Policies
Acceptable use Policy
Confidentiality Agreements & Acceptable Use Policy
Retention and Destruction Policy
Mobile Device Policy
Clean Desk Policy
Digital Millennium Copyright Policy
FERPA & HIPAA Policies
PCI Policy & Red Flags
Gramm-Leach-Bliley Policy
Third Party Assurance Policy
Breach or Incident Response Policy
Address State Data Privacy laws…
In MA, a Written Information SecuPlan is also required
http://www.becker.edu/abo
rmation-privacy/policie
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 28/41
Emerging Policies, and the Use ofPosition Papers at Browno Attribute Release Policy
o Web Click-Through Agreements
o Use of Skype
o Multi-Function Network Devices
o DNS Policy
o Use of TOR
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 29/41
Strategic Use of Auditso Some are mandatory (credit cards, social security numbers)
o Data use / records management audits
o Visits, surveys, data element inventories…use them all
o Partner with Internal Audit for targeted areas of security and risk, and use the auddrive the security mission and reduce overall university risk
o IMPACT ON RISK: If you don’t work with key areas that handle data in both elect
paper form to properly secure data (paper and electronic) at both rest and in-tranchange for having a breach will be significantly higher. Through strategic auditing,able to completely eliminate PII from systems that no longer needed it.
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 30/41
Implement Technologyo Firewalls
o DMZs
o Intrusion Detection/Prevention Systems
o Patch Management
o Database Activity Monitoring- This is moving cloud based
o Employ DLP to find and monitor PIIo Active DLP
o Passive DLP
o Endpoint & Network encryption
o Hard drive crusher
o IMPACT ON RISK: Having a strong defense in depth and secure architecture, along wand tangential solutions, enables data to be protected (and destroyed), reducing risk
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 31/41
Train and Educate End Userso Mandatory for all employees (including student work studies)
o Evolution of security threats
o State & Federal regulations affecting security
o Data classifications
o Secure computing practices (Phishing)
o Fines and reputational impact of breaches
o IMPACT ON RISK: Approximately 70% of breaches in higher education have somehuman component involved. Uneducated employees are a huge risk.
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 32/41
Provide Online User Resources
http://www.becker.edu/about/information-privacy/awareness-training/faqs-and-newsl
• Send out routine newsletters to fpertinent security topics.
• Special email to report phishing s
• Created targeted training session
phishing to high risk groups such
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 33/41
Brown’s User Awareness Resourceso Morning Mail
o Brown Bag session (focus on “personal” use cases)
o Campus streaming services (Powerpoint, message boards, etc)
o “Securing the Human”
o Movie nights (free popcorn!)
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 34/41
Brown’s Latest Resource: the “Phish
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 35/41
Purchasing and contract reviewso Establishing a strong and personal relationship with purchasing provides a lens in
campus
o Contracts now include language for security and privacy
o Security can set the standards necessary for such areas as network copiers, shredcompanies, click-through agreements, document management outsourcing, and ot
o As stated before, you should be reading items that pass through the IRB, the OSP,
o
IMPACT ON RISK: If you don’t have provisions in place, and you are subject to Mbreach laws, you are not legally doing your due diligence.
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 36/41
Insurance and breach retainerso Cyber Insurance is a risk management tool, via risk transference
o Be certain that you are agreeing to the right areas
o Many companies will now provide breach retainers with no money up front
o Be certain to agree on the pricing for individual areas
o Understand the response time
o Sign off on the what determines when an incident becomes a breach
o
IMPACT ON RISK: If you have a breach, you will have the coverage you need to a
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 37/41
Incident responseo A foundational process for security management
o But also a key aid in risk management
o Make sure your process is documented
o Test regularly!
o Set “levels”, that determine what level of university involvement is needed
o Get inserted into the emergency management testing
o Have an annual update/refresher for those who were not effected in the previous
o IMPACT ON RISK: When and if a breach occurs, having a good Incidence Responmake the process go more smoothly.
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 38/41
Oh, and by the way…..We could have talked about:
o Business Continuity Planning
o Disaster Recovery
o Records Management / Retention
o Project Management Life Cycle
o and many, many more…….
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 39/41
Concluding thoughts and recommendo Security Management is Risk Management
o Our roles are less and less bits and bytes, and more and more policy, compliance
o Sound security strategies help in reducing risk to our institutions
o Size, location, public/private, or Carnegie designation doesn’t matter
o Each of us has to find ways for the security mission to be part of all areas and eveorganizations
o The recommendations we’ve suggested are actionable, and have proven results
o Each one, while a security measure, is also a risk management measure
Questions?
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 40/41
Questions?
8/9/2019 Risk Management through Security Planning: A View from a CIO and a CISO (261562383)
http://slidepdf.com/reader/full/risk-management-through-security-planning-a-view-from-a-cio-and-a-ciso-261562383 41/41
PATTY PATRI A
CI O
BECKER COLLEGE
DAVID SHERRY
CI S O
BROWN UNIVERSI
DAVID_SHERRY@
Thank you for choosing our session!