Page 1: Nominee Showcase Presentation

ISE® North America Leadership Summit and Awards 2013 (#ISEna)
November 6-7, 2013

Presentation Title: Embracing Cyber Security for Top-to-Bottom Results
Presenter: Larry Wilson
Presenter Title: Chief Information Security Officer
Company Name: University of Massachusetts

Page 2: University of Massachusetts

• Providing High Quality Education for 140 Years
• 2013 World University Ratings: 42nd of Top 100 Universities
• 5 Campuses + Systems Office
• 72,000 Students
• 17,500 Faculty & Staff
• UMass Online - 120 Degree & Certificate Programs

Page 3: Embracing Cyber-security for Top-to-Bottom Results

• What’s at Stake
• UMASS Security Program Goals
  – UMASS Security Program Design
  – Building a Controls Wall
• Top 20 CyberSecurity Controls
  – CyberSecurity Technology Architecture
  – CyberSecurity Software Design
  – CyberSecurity Controls Mapping
• UMASS Security Program Operations Center
• CyberSecurity Controls Implementation
• Lessons Learned / Best Practices

Page 4: What’s at Stake?

Risk of a data breach
• Security Risk: Based on likelihood and impact of the university experiencing an adverse event such as a data breach.

Contributing to Risk
• Threats: Ever-changing threat landscape consisting of internal and external threats.
• Vulnerabilities: Decentralized administrative and academic computing environment across the university.
• High Value Assets: Intellectual property, research data, student and employee records, health records, credit cards, etc.

Risk Mitigation
• Controls: Design, build, operate a comprehensive set of security controls that safeguard computing and information assets.

[Figure: three asset tiers, labelled High Value Assets, Managed Assets, Unmanaged Assets]

Page 5: UMASS Security Program Goals

1. Develop university-wide security framework and strategic programs.

2. Invest in security controls to protect critical university assets (Critical Asset Groups):
   CAG-01: People, Identities, Access
   CAG-02: Endpoint Devices
   CAG-03: Business Applications
   CAG-04: Network Security
   CAG-05: Data Center Systems
   CAG-06: University Databases
   CAG-07: University Data

3. Align security controls with industry best practices [ISO 27002, Top 20 Critical Security Controls]:
   MGT: Information Security Management and Communications (People Focus)
   CSC: CyberSecurity Controls (Technology Focus)
   GCC: General Computer Controls (Process Focus)

4. Invest in resources (staffing, training) to implement and manage security controls.

5. Develop an implementation roadmap inclusive of all campuses and departments.

6. Establish a comprehensive communication program to increase stakeholder awareness.

Page 6: UMASS Security Program Design

[Figure: the UMass Information Security Program, built on an ISO 27002 Foundation and the CSCS 20 Critical Security Controls, within a Policy, Legal, and Regulatory Framework (UMass Security Policy, WISP, Mass Privacy, PCI, SOX, HIPAA, FERPA, …). Three control families:]

• Management & Communications (MGT), People Focus: Risk Management; Policy / Program; Marketing & Communications; Awareness Training
• Cyber-security Controls (CSC), Technology Focus: Top 20 Critical Security Controls
• General Computer Controls (GCC), Process Focus: Secure Applications; IT Operations; Access Controls; Records Retention

Page 7: Building a Controls Wall

Access to University Data: Allow or Deny Access?

[Figure: a wall of control "bricks" standing between CAG-01 (People, Identity, Access) and CAG-07 (University Data), row by row:]

MGT-01 MGT-02 MGT-03 CSC-01 CSC-02 MGT-04 MGT-05 MGT-06
MGT-07 CSC-03 CSC-04 GCC-01 GCC-02 CSC-05 CSC-06 MGT-08
MGT-09 CSC-07 GCC-03 GCC-04 GCC-05 GCC-06 CSC-08 MGT-10
CSC-09 GCC-07 GCC-08 GCC-09 GCC-10 CSC-10
CSC-11 GCC-11 GCC-12 GCC-13 GCC-14 CSC-12
MGT-11 CSC-13 GCC-15 GCC-16 GCC-17 GCC-18 CSC-14 MGT-12
MGT-13 CSC-15 CSC-16 GCC-19 GCC-20 CSC-17 CSC-18 MGT-14
MGT-15 MGT-16 MGT-17 CSC-19 CSC-20 MGT-18 MGT-19 MGT-20

Legend:
MGT: Security Management Controls (ISO 27002)
CSC: CyberSecurity Controls (CSCS CSCs)
GCC: General Computer Controls (ISO 27002)

Page 8: Top 20 Critical Security Controls

CSC-01 IT Asset Management
CSC-02 Software Asset Management
CSC-03 System Configuration
CSC-04 Vulnerability Management
CSC-05 Malware Defenses
CSC-06 Application Security
CSC-07 Wireless Devices
CSC-08 Data Recovery
CSC-09 Security Training
CSC-10 Network Configuration
CSC-11 Ports, Protocols, Services
CSC-12 Administrative Privileges
CSC-13 Boundary Defenses
CSC-14 Audit Logs
CSC-15 Controlled Access
CSC-16 Account Monitoring
CSC-17 Data Loss Prevention
CSC-18 Incident Response
CSC-19 Secure Network Engineering
CSC-20 Penetration Testing

Page 9: CyberSecurity Technology Architecture

[Figure: Cyber-Security Technology and Critical Asset Groups. A CSCS Critical Controls Database feeds three engines, each driven by its own rule set, and each engine returns an "Update" to the database:]

• Scan Engine (Scan Rules)
• Monitor Engine (Monitor Rules)
• Filter Engine (Filter Rules)
• Alerting & Reporting Console

The engines operate over Managed & Unmanaged Assets in the Critical Asset Groups:
CAG-01: Identity, Access, Entitlements
CAG-02: Endpoint Devices
CAG-03: Business Applications
CAG-04: Network Security
CAG-05: Data Center Systems
CAG-06: Databases
CAG-07: University Data

Page 10: CyberSecurity Software Design

START

Control Requirements (Asset Management): Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the organization network, including servers, workstations, laptops, and remote devices.

Design Requirements:
1. Establish authoritative system of record (controls database)
2. Update with known “managed” assets (GCC Process)
3. Scan rules for unknown “unmanaged” assets (active discovery)
4. Monitor rules for unknown “unmanaged” assets (passive discovery)
5. Filter rules for unknown “unmanaged” assets (access control)
6. Generate Real-time Alerts and Management Reports (Alerting and Reporting Console)
7. Update authoritative system of record (controls database)

Compliance Assessment (Asset Management): Implement, operate, alert and report using processes and tools to track/control/prevent/correct network access by devices (computers, network components, printers, anything with IP addresses) based on an asset inventory of which devices are allowed to connect to the network.

END

[Figure side labels: Security Assessment; Compliance Assessment]
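The seven design steps above, worked through as an added Python example (not UMass code and not any product shown on the slide): a controls database seeded with managed assets is reconciled against constructed active-scan output and passive DHCP log lines, a filter rule denies unknown devices on a hypothetical restricted segment, and alerts plus report counts are produced for the console. The MAC addresses, IP ranges and log format are all constructed.

```python
import ipaddress

# Step 1: the authoritative system of record (controls database), keyed by MAC.
# Step 2: seeded with known "managed" assets from the GCC process (constructed records).
MANAGED = {
    "aa:bb:cc:00:00:01": {"host": "lib-ws-01", "ip": "10.2.0.11", "status": "managed"},
    "aa:bb:cc:00:00:02": {"host": "hr-db-01", "ip": "10.1.0.20", "status": "managed"},
}
# Step 3: active discovery, as (mac, ip) pairs a scan engine would return (constructed).
SCAN = [("aa:bb:cc:00:00:01", "10.2.0.11"), ("de:ad:be:ef:00:01", "10.1.0.77")]
# Step 4: passive discovery from DHCP server log lines (constructed).
DHCP_LOG = [
    "DHCPACK on 10.2.0.11 to aa:bb:cc:00:00:01",
    "DHCPACK on 10.2.0.150 to de:ad:be:ef:00:02",
]
# Step 5: filter rule. Unknown devices on this hypothetical data-centre segment are
# denied; elsewhere they are only monitored.
RESTRICTED = ipaddress.ip_network("10.1.0.0/24")

def parse_dhcp(lines):
    """Monitor rule: pull (mac, ip) out of DHCPACK lines and ignore everything else."""
    pairs = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "DHCPACK":
            pairs.append((parts[4], parts[2]))
    return pairs

def reconcile(db, discovered):
    """Steps 3-7: flag devices missing from the record, pick the filter action,
    queue an alert for the console and write the unmanaged record back (step 7)."""
    alerts = []
    for mac, ip in discovered:
        if mac in db:
            continue  # already on record: managed, or unmanaged and already alerted
        action = "deny" if ipaddress.ip_address(ip) in RESTRICTED else "monitor"
        alerts.append({"mac": mac, "ip": ip, "action": action})
        db[mac] = {"host": None, "ip": ip, "status": "unmanaged", "action": action}
    return alerts

def management_report(db):
    """Step 6: the counts a monthly compliance report would carry."""
    managed = sum(1 for a in db.values() if a["status"] == "managed")
    return {"total": len(db), "managed": managed, "unmanaged": len(db) - managed}

def run():
    db = {mac: dict(rec) for mac, rec in MANAGED.items()}  # copy the seed records
    alerts = reconcile(db, SCAN + parse_dhcp(DHCP_LOG))
    return db, alerts, management_report(db)
```

The managed workstation is seen by both the scan and the DHCP log and produces no alert; the two unknown devices each produce exactly one alert, with the one on the restricted segment marked for denial.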

Page 11: CyberSecurity Controls Mapping

Table: Security Control | Control Description | CAG-01 People, Identity, Access | CAG-02 Endpoint Devices | CAG-03 Business Applications | CAG-04 University Networks | CAG-05 Data Center Systems | CAG-06 Databases | CAG-07 University Data

CSC-01 Inventory of Authorized and Unauthorized Devices
CSC-02 Inventory of Authorized and Unauthorized Software
CSC-03 System Configuration (servers, laptops, mobile devices)
CSC-04 Continuous Vulnerability Assessment and Remediation
CSC-05 Malware Defenses
CSC-06 Application Software Security
CSC-07 Wireless Device Control
CSC-08 Data Recovery
CSC-09 Security Skills Assessment and Training
CSC-10 Network Configuration (switches, routers, firewalls)
CSC-11 Control of Ports, Protocols, and Services
CSC-12 Control of Administrative Privileges
CSC-13 Boundary Defenses
CSC-14 Maintenance, Monitoring of Audit Logs
CSC-15 Controlled Access based on Need to Know
CSC-16 Account Monitoring
CSC-17 Data Loss Prevention
CSC-18 Incident Response (marked "Process" in all seven CAG columns)
CSC-19 Secure Network Engineering
CSC-20 Penetration Testing & Red Team Exercises (marked "Assessment" in all seven CAG columns)

The per-CAG cells for the other controls did not survive extraction.

Page 12: CyberSecurity Controls Implementation (Example)

Asset Group Action Plan to Comply with University Standards based on Top 20 Critical Security Controls (items are laid out across Phase 1, Phase 2 and Phase 3 columns on the slide; the phase assignment did not survive extraction)

CAG-01 People, Identities, Access
1. USecure Program – Continue to implement the USecure program based on CSCS STH
2. Develop University-wide RFP for EndPoint Management Solution
3. SecAdmin Process – University-wide process for managing access to Psoft applications

CAG-02 Endpoint Devices
4. Determine best campus / department for MDM pilot (mobile devices)
5. NAC – Implement NAC to control unmanaged endpoints and servers
6. Establish endpoint security standard (Anti-Virus, file/folder encryption, USB drive encryption)

CAG-03 Business Applications
7. BSIMM – Establish best practices for Software Security
8. WAF – Evaluate Web Application Firewall technologies

CAG-04 Network Security
9. Establish standards for Wireless Networks
10. Next-Gen Firewall – Determine best alternative for Next-Gen Firewall
11. Two Factor AuthN – Two factor authentication (RSA Tokens)

CAG-05 Data Center Systems
12. Vulnerability & Patch Management
13. SIEM – Determine best alternative for SIEM or managed service
14. Central authentication – evaluate technology solutions for central authentication of Linux systems

CAG-06 Databases
15. Database Security – Determine database security strategy & technology

CAG-07 University Data
16. Implement technology to identify, inventory and manage sensitive data
17. Records Administration – establish process for deleting sensitive data via records retention standards

Page 13: UMASS Security Program Operations Center

[Figure: Information Security Operations Center (ISOC), labelled "Build, Buy, Outsource, Cloud", running the 20 CSCs and a CSIRT, with Input and Output flows.]

Teams around the ISOC: Help Desk; IT Operations; Incident Response Team; Management Team

Flows shown: Intelligence Feeds (Zero-day Threats, Zero-day Vulnerabilities); Work Requests, Tickets, Audit Findings; Advisories & Incidents; Data Breaches; Alerts, Metrics & Reports

Page 14: Lessons Learned / Best Practices

• Start with the Design: Get management buy-in including budget, resources and timelines.
• Implement in Phases: Quick wins, maximum impact – need success stories!
• Communicate Often: Monthly implementation and compliance reports.
• Work with Partners: Including Council on Cybersecurity, vendors / service providers to improve technology and service offerings.