• No results found

Information Technology Security Program

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Information Technology Security Program"

Copied!
16
0
0

Loading.... (view fulltext now)

Download now ( 16 Page )

Full text

(1)

Information Technology Security

Program

Office of the CIO

(2)

IT Security Program

AGENDA

ƒ

What is it?

ƒ

Why do we need it?

ƒ

An international Standard

ƒ

Program Components

ƒ

Current Status

(3)

IT Security Program

What is It?

ƒ

A Policy Framework

(an umbrella document)

ƒ An Information Security Policy Manual

ƒ aka Information Security Management System (ISMS)

ƒ See http://en.wikipedia.org/wiki/Information_security_management_system

ƒ

Documents management’s commitment to

information security

ƒ

A risk-based approach

ƒ

Recognizes information as an asset!

ƒ

Specifies ownership and responsibility

(4)

IT Security Program

Why Do We Need It?

ƒ

PWC (external auditors) recommendation

ƒ

Security consultants recommendation

ƒ

“Good practice”

(documented policy)

ƒ

Communicates expectations

ƒ

Educates campus on risk management

(5)

IT Security Program

An International Standard

ISO/IEC

ƒ International Organization for Standardization ƒ International Electrotechnical Commission

ƒ The recognized system for worldwide standardization ƒ Information Security standard originated in U.K.

ƒ BS 17799

ƒ Became ISO/IEC 17799 (in 2000)

ƒ ISO/IEC created an ISMS 27000 ‘family of standards’ ƒ ISO/IEC 27001 -- for recognized certification “must do’s” ƒ ISO/IEC 27002 – code of practice “should do’s”

(6)

IT Security Program

Information Security Definition and Focus

Information security is defined within the 27002

standard in the context of the

C-I-A triad

:

ƒ the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity

(safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).

ƒ “Information security is the protection of information from a wide range of threats to ensure business continuity, minimize

business risk, and maximize return on investments and

(7)

IT Security Program

Security Program Components

ƒ

Will map to and be compatible with the ISO/IEC 27002

Standard’s ‘code of practice’:

ƒ Based primarily on Risk Assessment/Risk Management; identification of critical business processes.

ƒ Security requirements also determined by regulatory and contractual provisions:

ƒ Data protection and privacy of personal information ƒ Intellectual property rights

ƒ N.B. Cost of implementing controls must be balanced against probability and impact of threats!

(8)

IT Security Program

Eleven ISO 27002 Clauses (39 control objectives)

ƒ 1. Security Policy

ƒ 2. Organization of Information Security ƒ 3. Asset Management

ƒ 4. Human Resources Security

ƒ 5. Physical & Environmental Security

ƒ 6. Communications/Operations Management ƒ 7. Access Control (incl. Networking)

ƒ 8. Systems Acquisition, Development & Maintenance ƒ 9. Security Incident Management

ƒ 10. Business Continuity Management ƒ 11. Compliance

(9)

IT Security Program

Risk Assessment

ƒ

The Standard’s Eleven Clauses provide an

organizational framework for the University’s IT

security policies (i.e. controls).

ƒ

No organization implements all of the Standard’s

100+ controls!

ƒ

Policies/controls are only implemented when they are

cost-effective and they reduce risk to an acceptable

level.

ƒ

The major IT risks identified by the ERM-SC were:

ƒ Continuity of information management and technology ƒ Management of Information and technology

(10)

IT Security Program

Current Status

ƒ

Where to start?

ƒ Determine where we are!

ƒ

Step One:

ƒ PMO prepared a “Report Card” for the CIO

ƒ Assessed progress on implementing recommendations from a 2005 external security audit mapped to ISO 27002. ƒ Grades:

ƒ A = Fully implemented; formally documented and approved

ƒ B+ = Implemented/operational; needs add’l. formalization

ƒ B = Substantially implemented; needs completed documentation and approval.

ƒ C = In-progress implementation; but not formalized

ƒ D = Only minimal reactive steps taken

(11)

IT Security Program

Current Status

ƒ

Report Card Summary:

ƒ Areas of Improvement (C’s and B’s) ƒ Physical Security

ƒ Risk Assessment

ƒ Security Responsibilities

ƒ Network and Operational Security ƒ Cryptographic Controls

ƒ Vulnerability Management

ƒ Systems Development/Change Management ƒ Incident Management

(12)

IT Security Program

Current Status

ƒ

Report Card Summary:

ƒ Areas Needing Attention! (D’s)

ƒ IT Asset Classification (and ownership)

ƒ Human Resource Security (before, during, after) ƒ Business Continuity (probability planning; testing) ƒ Step Two:

ƒ Get management’s attention!

ƒ Draft a Policy Framework (i.e. the Security Program).

ƒ Map existing approved and draft IT security policies to the Standard (and into the Program document).

(13)

IT Security Program

Next Steps

ƒ The 27002 standard provides guidance! ƒ Essential Controls:

ƒ Protection of privacy and organizational records ƒ Intellectual property rights

ƒ Common Best Practices:

ƒ Allocate responsibility for IT security

ƒ Develop an information security policy document ƒ Manage information security events/incidents ƒ Establish a vulnerability management process ƒ Provide security awareness training

(14)

IT Security Program

Next Steps

ƒ

Step Three:

ƒ

Introduce the Program!

ƒ

CCS Council, ITSC, ISC, ITSIG

ƒ

Solicit comment and feedback

ƒ

Approval in Principle (by ITSC)

(15)

IT Security Program

Next Steps

ƒ

Step Four:

ƒ

Short-term policy priorities

ƒ IT Security: Roles and Responsibility Policy ƒ IT Security Incident Management Policy ƒ IT Security Awareness campaign

ƒ Network Infrastructure and Access Policies ƒ Longer-term priorities:

ƒ Formalize business continuity planning ƒ Review information management practice

(16)

IT Security Program

ƒ

Contact:

ƒ

Email:

[email protected]

ƒ

Phone: Ext. 52830

ƒ

Websites:

ƒ

www.uoguelph.ca/pmo

ƒ

www.uoguelph.ca/itgov

ƒ

Thank you!

References

Download now ( PDF - 16 Page - 175.53 KB )

Related documents

MEDIA ACCREDITATION RULES FOR THE 2015 MELBOURNE CUP CARNIVAL

[r]

CITY OF PAWTUCKET REQUEST FOR PROPOSALS

CITY OF PAWTUCKET’S PURCHASING OFFICE GENERAL CONDITIONS OF PURCHASE All City of Pawtucket purchase orders, contracts, solicitations, delivery orders and service requests shall

Evaluating Motivational Factors Involved at Different Stages in an IS Outsourcing Decision Process

Request for information and invitation of tender Tender invitation Evaluation of tenders Due diligence and agreement proposals Negotiation Factors seen as motivational

A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes

While there is no statutory definition for “data brokers,” the Federal Trade Commission (FTC) has defined this term to include “companies that collect information, including personal

PISA Data Analysis leveraging R:

• You can use effective functions for calculating estimates taking into account the complex sample design and rotated test form of PISA data (using intsvy package). • A major

Organisational culture and its influence on physicians’ consultation style in Hong Kong

Therefore, this qualitative study explored GPs and primary care managers’ perceptions of organisational culture within public and private healthcare organisations in Hong

Lesson study library: A catalyst for incremental instructional improvement

27 In her doctoral dissertation, Gail Siragusa Yamnitzky (2010) studied the connection between lesson study and effective professional development practices, specifically looking

Do women prefer pink? The effect of a gender stereotypical stock portfolio on investing decisions

The purpose of this paper is to contribute to the understanding of the gender gap in investor behavior by taking a behavioral perspective and, specifically, resting on the concept of