New Jersey Association of School Business Officials Information Security K-12. June 5, 2014


Agenda
- Introduction
- K-12 Technology Trends
- Case Study (A Cautionary Tale)
- What Constitutes a Data Breach
- Data Breach Trends
- Types of Data Compromised
- Assessing Information Security and Technology Risk
- Additional Technical Security Testing
- Achieving and Maintaining an Information Security Function
- Protecting Student and Employee Data
- Procurement
- Questions and Answers

With You Today

Andrew Cannata, Partner, Sunera LLC. Andrew has overall responsibility for Sunera's Information Security Practice. He has more than twenty years of information technology and security experience, having worked at the senior management level within Big Four, defense and private sector organizations. Prior to Sunera, Andrew was a Senior Manager with KPMG's Information Risk Management practice. Prior to joining KPMG, Andrew led one of the largest Department of Defense Information Assurance Programs for the United States Special Operations Command (USSOCOM). Andrew is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM), and a Payment Card Industry Qualified Security Assessor (QSA).

David Gannon, Partner, Wiss and Company LLP. David has more than 16 years of experience serving the public and not-for-profit sectors. His experience includes providing accounting and auditing services to public school systems, municipalities, local authorities, state authorities, state departments, not-for-profit organizations, New York City agencies, and higher education. David has provided services to public sector entities with budgets of $1 million to $3 billion and with assets exceeding $7 billion.
Specialties:
- Public Sector and Not-for-Profit Accounting and Auditing
- Government Auditing Standards
- OMB Circular A-133
- NJ OMB Circular 04-04XXX

K-12 Technology Trends: What Do We See?
- Changing service models for infrastructure and applications
- Changing IT organizational structures
- IT governance
- Online, hybrid and collaborative learning
- Bring Your Own Device (BYOD)
- Personalized Learning Environments (PLEs)
- One-to-One (student-to-computer ratio)
- Digital curriculum
- Big data
- Cloud computing
- Game-based learning

K-12 Technology Trends: What Is Missing?
Information security is frequently overlooked and underfunded.
Some constraints:
- Lack of internal subject matter expertise
- Lean staffing
- Student population growth
- Conflicting priorities
- Great Recession and associated funding constraints
- Evolving technology trends
Key results:
- Many K-12 environments have not been designed to protect sensitive data
- Organizations have been breached but do not even realize it

A Cautionary Tale
Background:
- We were engaged by a K-12 school district to perform an external and internal vulnerability assessment.
What we found:
- Systems had been compromised by an Armenian hacker group.
- Mid-engagement, a second hacker group from Algeria took control of the same systems.
- The compromised systems permitted secondary access to student information systems.
What went wrong (i.e. root cause analysis)?
- Low maturity in terms of information security function and posture
- Due to lack of segmentation, student information systems were accessible externally (from the Internet)
- Lack of system patching; insecure system and firewall configurations
- Limited audit logging, monitoring, and incident response: no one knew they had been compromised, and if they had, they would not have been able to respond appropriately

A Cautionary Tale

What Constitutes a Data Breach?
As we just discussed, a malicious attacker compromising an organization's technical infrastructure. But what else?
- Lost or stolen hardware
- Backup tapes lost in transit
- Employees stealing information or allowing access to information
- Poor practices (e.g. mishandling of sensitive information)
- Careless disposal of information (that may be retrieved via dumpster diving)
- Malware

Data Breach Trends [1]
Who caused the breach?
- 92% resulted from external sources
- 19% tied to state-affiliated groups
- 14% caused by insiders
- 1% implicated business partners
Mechanism of the breach?
- 76% exploited weak or stolen credentials
- 52% due to hacking
- 40% incorporated malware
- 35% were via physical attacks
- 29% employed social tactics
- 13% involved misuse of privileged access
"All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity."
[1] Verizon, 2013 Data Breach Investigations Report

Data Breach Trends
(Chart slide: "Who caused the breach?" and "Mechanism of the breach?"; source: Verizon, 2014 Data Breach Investigations Report)

Types of Data Compromised [1]

Variety                                                 Breaches
Payment card numbers / data                             61%
Authentication credentials (usernames, pwds, etc.)      38%
Sensitive organizational data (reports, plans, etc.)    24%
System information (config, svcs, sw, etc.)             20%
Trade secrets                                           20%
Personal information (name, SSN, Addr., etc.)           10%
Bank account numbers/data                                6%
Unknown (specific type is not known)                     6%
Copyrighted / Trademark material                         1%
Classified information                                  <1%
Medical records                                         <1%

[1] Verizon, 2013 Data Breach Investigations Report

Assessing Information Security Risk - Program Level
Objective: To ensure that existing and emerging risks are appropriately addressed through a comprehensive information security program.
Considerations:
- Organizational structure responsible for information security management
- Skill set(s) utilized to manage and execute the program
- Current scope of the program and methods used to validate scope
- Processes for identifying emerging risks
- Techniques for assessing risk and remediation priorities
- Process for tracking required program updates from identification through resolution

Assessing Information Security Risk - Detailed Considerations
Objective: To ensure the operational effectiveness of the technical and procedural mechanisms in place to address IT security related risks to the District's environment.

Topic: Risk Management and Assessment Processes
- Frameworks used (e.g., ISO 27005, NIST SP 800-30, OCTAVE)
- Frequency of risk assessments
- Participants contributing to and approving the results
- Tracking and remediation of residual risk

Topic: Compliance Management
- Identification and tracking of compliance requirements and industry frameworks (i.e., PCI and ISO 27001)
- Involvement of key departments in compliance management (e.g., Legal and HR)

Topic: Vulnerability Management
- Types of technical security testing performed
- Frequency of technical security testing
- Tools and manual techniques utilized
- Tracking and remediation of issues

Topic: Data Loss Prevention
- Technology utilized
- Processes followed
- Review, tracking and remediation of issues

Assessing Information Security Risk - Detailed Considerations (Cont.)

Topic: Data Encryption
- Technology utilized
- Scope of data included
- Procedures for key management

Topic: Secure System Development, Developer Skill Sets and Training
- Audience included in training
- Frequency of training
- Quality and content of training
- Embedded security gates in the SDLC
- Integration with vulnerability management processes

Topic: Configuration Management
- Use of documented baselines
- Integration with change management

Topic: Anti-virus Management
- Technology utilized
- Frequency and nature of monitoring and/or reviews
- Configuration management
- Frequency of updates and scans

Topic: Patch Management
- Technology utilized
- Technology and procedures for logging and reporting
- Procedures for monitoring and resolution
- Risk-based threat assessment processes
- Frequency and timeliness of implementation

Assessing Information Security Risk - Detailed Considerations (Cont.)

Topic: Logical Access to Systems and Data, and Identity Management
- Authentication
- Authorization
- Policies and procedures for provisioning
- Policies and procedures for decommissioning

Topic: Audit Logging
- Technology utilized
- Completeness of scope
- Monitoring and review processes

Topic: Incident Identification and Response
- Methodology and framework
- Frequency of testing
- Training of participants

Topic: Security Awareness Training
- Scope and content
- Audience to receive training
- Delivery mechanism

Topic: Data Classification
- Methodology utilized
- Accuracy and completeness of scope
- Effectiveness of communication
- Completeness and effectiveness of implementation

Topic: Third Party Management and Due Diligence
- Procedures for compliance monitoring and resolution
- Evaluation framework
- Consistency and completeness of implementation

Additional Technical Security Testing
- Analyze local and wide area networks and infrastructure implementation for security and continuity considerations.
- External and internal penetration testing and/or vulnerability assessment:
  - Evaluate all internally and externally facing IP addresses.
  - Perform automated scans to identify poor or improper configurations, software flaws, or operational weaknesses.
  - Leverage manual and automated techniques to exploit vulnerabilities and provide a proof of concept regarding the risk of data exposure.
- Test wireless design, implementation and configuration.

Identification of Scope: Where Is Your Sensitive Data?
Critical to achieving and maintaining data security.
Manual methods (necessary):
- Interviews with business process owners and IT
- Identifies manual and automated business processes and systems that store, process or transmit sensitive data
- Questionnaires are a useful tool in this process
Automated methods (supplemental):
- Automated scanning of potential locations of sensitive data
- Identifies potential electronic storage locations of sensitive data
- Freeware and custom scripting are available options
Limitations:
- Some file types, such as images and PDF formats
- Binary files require more sophisticated techniques than regular textual pattern matching, such as Optical Character Recognition (OCR)
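The following Python script is an added example of the "automated methods" step described above; it is not code from the presentation or from Sunera or Wiss. It walks a directory tree, applies textual pattern matching for two of the data kinds the slides mention (SSNs and payment card numbers), validates card candidates with the Luhn checksum to reduce false positives, and, rather than silently skipping images and PDFs, records them as files that still need OCR or a format-aware parser. The patterns, file names and sample values are constructed assumptions for the example, not district data.

```python
"""Sensitive-data discovery scan: constructed example of the "automated
methods" step on the slide, not code from the presentation or its authors.

It walks a directory, applies textual pattern matching for SSNs and payment
card numbers, validates card candidates with the Luhn checksum, and records
image/PDF/other binary files as needing OCR or a format-aware parser instead
of silently skipping them (the "limitations" point on the slide).
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Patterns are assumptions for this example; tune them to the district's data.
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Formats that plain text matching cannot read.
BINARY_EXT = {".pdf", ".png", ".jpg", ".jpeg", ".gif", ".tif", ".tiff",
              ".zip", ".docx", ".xlsx"}


@dataclass
class Finding:
    path: str   # path relative to the scan root
    kind: str   # "ssn" or "card"
    count: int  # number of validated matches in the file


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_binary(path: str) -> bool:
    """Extension list plus a NUL-byte sniff on the first 8 KiB."""
    if os.path.splitext(path)[1].lower() in BINARY_EXT:
        return True
    with open(path, "rb") as fh:
        return b"\x00" in fh.read(8192)


def scan_file(path: str) -> list:
    """Textual pattern matching over one readable file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    ssn_count = len(SSN_RE.findall(text))
    if ssn_count:
        findings.append(Finding(path, "ssn", ssn_count))
    card_count = sum(1 for m in CARD_RE.finditer(text)
                     if luhn_ok(re.sub(r"\D", "", m.group())))
    if card_count:
        findings.append(Finding(path, "card", card_count))
    return findings


def scan_tree(root: str) -> dict:
    """Returns text-file findings plus the binary files that still need OCR."""
    findings, needs_ocr = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if is_binary(full):
                needs_ocr.append(rel)
                continue
            for f in scan_file(full):
                findings.append(Finding(rel, f.kind, f.count))
    findings.sort(key=lambda f: (f.path, f.kind))
    return {"findings": findings, "needs_ocr": sorted(needs_ocr)}


def build_sample_tree() -> str:
    """Constructed sample files with fabricated test values (not real records)."""
    root = tempfile.mkdtemp(prefix="scopescan_")
    samples = {
        "hr/payroll.csv": b"name,ssn\nA. Staff,123-45-6789\nB. Staff,321-54-9876\n"
                          b"invalid,000-12-3456\n",
        "finance/refunds.txt": b"card 4111 1111 1111 1111 refunded; "
                               b"card 4111111111111112 fails Luhn\n",
        "notes/readme.txt": b"Nothing sensitive here. Phone 555-0100.\n",
        "scans/enrollment.pdf": b"%PDF-1.4\n% image-only scan\n",
        "scans/id.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for f in result["findings"]:
        print(f"{f.path}: {f.count} {f.kind} match(es)")
    for p in result["needs_ocr"]:
        print(f"{p}: binary, needs OCR or a format-aware parser")
```

Run it as-is to scan the constructed sample tree, or call scan_tree() on a real share. The "needs_ocr" list is the important output for the scope exercise: every file on it is a location where sensitive data may exist but automated text matching has not looked, so it must be covered by the manual interviews or a follow-up OCR pass rather than treated as clean.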

Keys to Achieving and Maintaining an InfoSec Program
- Executive management support and prioritization
- Assignment of a program lead
  - Dedicated resource
  - May be within Information Security, Internal Audit or IT
- Clearly defined control owners with responsibility
  - Identify who performs the action and who is responsible for oversight, if applicable
- Administrative calendar
  - Periodic, recurring tasks, e.g. bi-annual firewall reviews, annual risk assessment, annual (internal and external) penetration testing, quarterly scans, quarterly wireless analysis
  - Many organizations use an existing help desk ticketing system
- Periodic controls monitoring
  - Identifies potential issues before they result in control failure

Protecting Your Student and Employee Data
- Third-party partners: are your partners secure?
- Data transmission processes (fax, mail, email, phone, etc.)
- Secure storage
- Network segmentation
- Identity and access management
- Data retention
- Encryption
- Mobile technologies
- Consistent social media policy

Procurement: IT Security Review
Overview of Local Public Contracts Law:
- Professional Service
- Extraordinary Unspecifiable Service
- Competitive Contracting

Professional Service: Professional services are services rendered or performed by a person authorized by law to practice a recognized profession, whose practice is regulated by law, and the performance of which services requires knowledge of an advanced type in a field of learning acquired by a prolonged formal course of specialized instruction and study, as distinguished from general academic instruction or apprenticeship and training.
Whether a contract could be awarded under this option depends on the company proposing to perform the engagement. Key question to ask: are they regulated by law?

Procurement: IT Security Review
Extraordinary Unspecifiable Service: Extraordinary unspecifiable services are services that are specialized and qualitative in nature, requiring expertise, extensive training and proven reputation in the field of endeavor.
Keys to awarding a contract under this provision:
- The need for expertise, extensive training and proven reputation in the field of endeavor must be critical and essential to the project, and not merely a desire to have a reliable job performed.
- The services must be of such a qualitative nature that the performance of the services cannot be reasonably described by written specifications.

Procurement: IT Security Review
Competitive Contracting: Competitive contracting means the method described in sections 1 through 5 of P.L.1999, c.440 (C.18A:18A-4.1 thru 18A:18A-4.5) of contracting for specialized goods and services in which formal proposals are solicited from vendors; formal proposals are evaluated by the purchasing agent or counsel or administrator; and the governing body awards a contract to a vendor or vendors from among the formal proposals received.
May be used under the following provisions:
- At the option of the governing body of the contracting unit, any good or service that is exempt from bidding pursuant to section 5 of P.L.1971, c.198 (C.18A:18A-5).
- The operation, management or administration of other services, with the approval of the Director of the Division of Local Government Services.

Questions?