Information Security Principles October 2021 PRESENTED BY NICOLAS BUACHE, CISO


Page 1: Information Security Principles

Page 2: Information Security Principles

UGH… SECURITY

• Blocks me

• Prevents me from working

• Delays projects

“The security team is here, HIDE!”

Page 3: Information Security Principles

YASSS… SECURITY!

• New habits

• Learn new skills

• Protects my work

“Security team, can you help me?”

Page 4: Information Security Principles

INFORMATION SECURITY = PROTECTION

Personal protection

• Credit card

• Bank account

• CRA / ARC

• SIN / NAS

Protect home & family

Page 5: Information Security Principles

INFORMATION SECURITY AT uOTTAWA

• Protect students’ information

• Protect employees’ information

• Protect intellectual property

• Preserve uOttawa’s reputation

What we protect: personal information, health information, studies and research, grades and diplomas

Page 6: Information Security Principles

Image: GOOD SECURITY vs BAD SECURITY (protection in both cases). Source: HighTouch Technologies

Page 7: Information Security Principles

WHAT IS GOOD SECURITY?

• Balanced security that supports the business (Transformation 2030 and the Digital Campus Transformation Plan)

• Multiple layers of protection

• A consistent level of security: the overall security level is only as strong as the weakest point!

• Look for opportunities to improve the end-user experience

People, Process, Technology

Security is everyone’s responsibility!

Page 8: Information Security Principles

WHAT IS LAYERED SECURITY?

Discourage burglars, or catch them before they can steal!

Page 9: Information Security Principles

MAIN INFORMATION SECURITY CHALLENGES

Mobility & Collaboration

• Access information from anywhere, on any device

• Share information with third parties

Cloud Solutions

• Multiple cloud solutions, accessible from everywhere

• Sensitive data stored without adequate security controls

Security Risks Evolve

• New vulnerabilities are identified every day

• Cookbooks and hacking tools are available to everyone

Page 10: Information Security Principles

MAIN uOTTAWA SECURITY CHALLENGES

Unmanaged devices connecting to the network

• Students, professors, partners, and personal devices

• Windows, macOS, Linux, iOS, Android

Research, Labs, Professors, Students

• Specific equipment or solutions

• Research data or intellectual property

Higher education is a big target

Unstandardized IT

Training and awareness

My security senses are tingling!

Page 11: Information Security Principles

2021 CYBERTHREATS AT uOTTAWA

• 20,000+ reported phishing emails

• 4,500+ security-related service desk requests (last 12 months)

• 200+ compromised accounts (last 12 months)

Page 12: Information Security Principles

EASY ENTRY POINTS: USERS

• Sharing a password or writing it down

• Reusing a password

• Opening a malicious link

• Sharing information

Page 13: Information Security Principles

EASY ENTRY POINTS: DEVICES

Is anyone guarding the coffee machine?

• Missing updates

• Weak or default passwords

• Insecure applications

• Unmanaged systems

Page 14: Information Security Principles

HOW YOU CAN HELP!

• Question yourself before acting

• Apply simple security measures

• Ask for help if you are not sure

• Report suspicious activities: what you observed, what you did

Don’t be afraid to report security concerns to the Service Desk

Security is here to PROTECT and SUPPORT you!

Page 15: Information Security Principles

Key Principles

You are the University’s first line of defence

Always be yourself. Unless you can be Batman, then always be Batman.

Page 16: Information Security Principles

SECURING YOUR IDENTITY IS KEY

01 Easy targets

• Phishing/vishing attacks

• Social engineering

02 Common methods

• Creating a sense of urgency

• Taking advantage of compassion and empathy

03 Impact

• Attacker gets the same access as the user

• Uses that access to prepare the next attack

Page 17: Information Security Principles

AUTHENTICATION & AUTHORIZATION

Password

• Strong: more than 8 characters, with a mix of uppercase and lowercase letters, numbers, and special characters

• Unique per account, stored in a secure vault

• Activate Multi-Factor Authentication (MFA)

• Personal; must not be shared

Yah… I’m the REAL SUPERMAN

Permissions

• Verify that the person needs, and is authorized, to access the information

• Regularly review who can access information

Page 18: Information Security Principles

ZERO TRUST PRINCIPLE

Never trust, always verify!

Can I authenticate the third party?

• Validate the identity of the person: ask for Multi-Factor Authentication; call the person on the number you already know

• Validate website authenticity: verify the URL or use your bookmarks; research the company on the Internet

Is it authorized?

• Is the person eligible to access the information?

• Is the solution suited to sharing the information?

Is it safe to connect?

• Do I put myself at risk? Do I put the organization at risk?

• Ensure the device is up to date and protected

• Verify that the network connection is secure
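“Verify the URL or use your bookmarks” is the step people skip, because a link that contains a familiar name looks safe. The following is an added example, not code from the slides or from uOttawa: a small Python check that compares the host a browser would actually connect to against an allowlist standing in for your bookmarks. The allowlist (only uottawa.ca) and the sample links are constructed for illustration. It covers the tricks phishing links rely on: a trusted name used as a subdomain of the attacker’s domain, a trusted name placed before an @ sign, look-alike (internationalized) letters, and a backslash that browsers and URL parsers read differently.

```python
"""Classify where a link really goes before trusting it.

Added example for the zero-trust slide; not the University's own tooling.
Python's urllib is used to parse the link the way a browser mostly does.
"""
from typing import Iterable, Tuple
from urllib.parse import urlsplit

# Constructed allowlist standing in for "use your bookmarks" (assumption:
# this is not an official uOttawa list).
TRUSTED_DOMAINS = frozenset({"uottawa.ca"})


def _under_trusted(host: str, trusted: Iterable[str]) -> bool:
    """True only for the domain itself or a real subdomain of it.

    The leading dot in the endswith check is the whole point: without it,
    "notuottawa.ca" would pass as "uottawa.ca".
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(url: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> Tuple[str, str]:
    """Return (verdict, detail): trusted / untrusted / suspicious / reject."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ("reject", "unparseable URL")

    if "\\" in parts.netloc:
        # urllib keeps the backslash inside the authority part, but browsers
        # treat "\" like "/", so the two disagree on which host is meant.
        # Do not trust a parse that a browser would not repeat.
        return ("suspicious", "backslash in authority part")

    if parts.scheme.lower() not in ("http", "https"):
        # javascript:, data:, file: or a bare string are never "the site".
        return ("reject", f"scheme {parts.scheme or '(none)'!r} is not http(s)")

    host = parts.hostname  # lowercased; drops user:pass@ and :port
    if not host:
        return ("reject", "no host in URL")
    host = host.rstrip(".")

    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        # Internationalized labels can be visually identical to Latin ones
        # (a Cyrillic "a" in uottawa.ca); flag them for a human look.
        return ("suspicious", f"internationalized host {host}: check for look-alike letters")

    if _under_trusted(host, trusted):
        return ("trusted", host)
    return ("untrusted", host)


if __name__ == "__main__":
    # Constructed sample links covering each trick.
    samples = [
        "https://www.uottawa.ca/en",
        "https://uottawa.ca.evil.example/login",
        "https://uottawa.ca@evil.example/",
        r"https://evil.example\@uottawa.ca/",
        "https://uott\u0430wa.ca/",
        "javascript:alert(1)",
    ]
    for link in samples:
        print(f"{link!r:48} -> {check_link(link)}")
```

Note that the trusted branch only says the link points at the expected domain; it says nothing about whether the page there is legitimate, which is why the slide also asks for MFA and a call-back on a known number.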

Page 19: Information Security Principles

HARDWARE & SOFTWARE BASICS

• Change default passwords

• Rename or disable default usernames

• Inventory all assets

• Apply updates (firmware, OS, apps) and restart the device

• Isolate non-compliant devices (limit internal communication; no Internet connection)

Page 20: Information Security Principles

SECURE DEVICES

Foundations

• Encrypt all drives

• Password-protect your devices and lock them when not in use

• Keep the operating system and applications updated

• Keep security protections healthy and updated

Applications

• Install only approved applications

• Verify the application

Immediately report theft or loss!

Page 21: Information Security Principles

REPORT PHISHING / SECURITY INCIDENTS

See a ‘phishy’ message?

• In Outlook: use the Report Message button in the upper-right corner of the Home ribbon

• In Outlook on the Web: open the email options (the three horizontal dots to the right of the email subject) and click the Report message option

• On your mobile device: forward the email to [email protected]

Clicked a phishing link or opened an attachment?

• Open a Service Centre ticket

Page 22: Information Security Principles

RESPECT UNIVERSITY POLICIES AND PROCEDURES

Guidelines for protecting uOttawa

• Policy 117 – Information Classification and Handling: Public, Internal, Confidential, Restricted

• Schedule D – Password Protection: passwords should not be shared or written down

• Schedule I – Virus Protection: users must ensure anti-virus is running on their device

• Schedule L – Privileged Account Usage on End-User Devices: the University follows the principle of least privilege

• Schedule S – Security Awareness and Training: all employees must complete the training

• Schedule U – Software Installation: only authorized software can be installed

https://uozone2.uottawa.ca/standard/schedule/all

Page 23: Information Security Principles

WITH GREAT POWER COMES GREAT RESPONSIBILITY