ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Similar documents
Manchester Metropolitan University Information Security Strategy

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Information Technology General Control Review

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

Effective: 12/31/17 Last Revised: 8/28/17. Responsible University Administrator: Vice Chancellor for Information Services & CIO

Position Description IT Auditor

Healthcare Security Success Story

Certified Information Security Manager (CISM) Course Overview

Objectives of the Security Policy Project for the University of Cyprus

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Information Technology Branch Organization of Cyber Security Technical Standard

The Common Controls Framework BY ADOBE

ISE Canada Executive Forum and Awards

INTELLIGENCE DRIVEN GRC FOR SECURITY

College of Agricultural Sciences UNIT STRATEGIC PLANNING UPDATES MARCH 2, Information Technologies

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

IT MANAGER PERMANENT SALARY SCALE: P07 (R ) Ref:AgriS042/2019 Information Technology Manager. Reporting to. Information Technology (IT)

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

EUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Security Management Models And Practices Feb 5, 2008

Cyber Security Standards Drafting Team Update

Certified Cyber Security Specialist

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

TEL2813/IS2820 Security Management

Subject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Subject: University Information Technology Resource Security Policy: OUTDATED

The CISO is the owner of the vulnerability management process. This person designs the process and ensures is implemented as designed.

NEN The Education Network

Achieving effective risk management and continuous compliance with Deloitte and SAP

Cyber Security Program

locuz.com SOC Services

Implementing Cyber-Security Standards

THE ISACA CURACAO CHAPTER IS ORGANIZING FOLLOWING INFORMATION SECURITY AND TECHNOLOGY SESSIONS ON MAY 15-MAY :

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

STRATEGIC PLAN

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Information Technology Procedure IT 3.4 IT Configuration Management

Session ID: CISO-W22 Session Classification: General Interest

Les joies et les peines de la transformation numérique

SFC strengthens internet trading regulatory controls

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

John Snare Chair Standards Australia Committee IT/12/4

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

How to Derive Value from Business Continuity Planning

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

External Supplier Control Obligations. Cyber Security

Defensible Security DefSec 101

San Francisco Department of Public Health. IT and Epic Project Update

e-sens Nordic & Baltic Area Meeting Stockholm April 23rd 2013

CCISO Blueprint v1. EC-Council

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

BHConsulting. Your trusted cybersecurity partner

ROLE DESCRIPTION IT SPECIALIST

AUTHORITY FOR ELECTRICITY REGULATION

Information Security Controls Policy

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

Business continuity management and cyber resiliency

IT People has been offering end-to-end IT outsourcing & staffing solutions to companies since two decades.

IT123: SABSA Foundation Training

Data Sheet The PCI DSS

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

ITSM20F_Umang. Number: ITSM20F Passing Score: 800 Time Limit: 120 min File Version: 4.0. Exin ITSM20F

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Canada Green Building Council - Greater Toronto Chapter 3-Year Strategic Plan, BUILDING MOMENTUM 3-YEAR STRATEGIC PLAN ( )

STRATEGIC PLAN. USF Emergency Management

The University of Queensland

Protecting your data. EY s approach to data privacy and information security

INFORMATION SECURITY GOVERNANCE, RISK & COMPLIANCE CLOUD CONSULTING SERVICES CIO & CISO SERVICES. forebrook

Department of Management Services REQUEST FOR INFORMATION

Dan Lobb CRISC Lisa Gable CISM Katie Friebus

Global Statement of Business Continuity

How to get the Enterprise to Understand the Value of Security

Green Governance Growth

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

Accelerate Your Enterprise Private Cloud Initiative

Security and Privacy Governance Program Guidelines

CISM Certified Information Security Manager

Think Like an Attacker

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Avanade s Approach to Client Data Protection

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases. Gen Fields Senior Solution Consultant, Federal Government ServiceNow

Sirius Security Overview

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

A company built on security

Strength Rating. Resource & Knowledge. Leadership Support. User Knowledge. Strength Rating

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

Designing and Building a Cybersecurity Program

KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)

Subject: Audit Report 16-50, IT Disaster Recovery, California State University, Fresno

Transcription:

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation

Initiative and Project Orientation

Project Purpose ISO Standard Implementation and Technology Consolidation Develop a mature, effective, high-performance Information Technology division ITS will be guided by industry best practices and the requirements of the ISO 27002 information security standard Ensure all IT environments are ISO 27002 compliant and prepared for compliance audit. 3

ISO 27002 ISO/IEC 27002:2013 Part of a family of standards for information security management designed to help organizations in protecting the confidentiality, integrity, and availability of university information and technology assets Used extensively at higher education institutions All Chancellors in UNC system agreed (2012) to use the ISO 27002 as the framework for information security policies 4

Vantage Technology Consulting Group role Cathy Bates, Senior Consultant Provide higher education specific expertise and experience» 30 years experience in higher education» Former CISO and CIO Collaborative leadership with state and national organizations» UNC Information Technology Security Council» Higher Education Information Security Council (EDUCAUSE)» GRC Board, Conference Committees 5

Vantage Technology Consulting Group role Jon Young, Senior Consultant Provide higher education specific expertise and experience» 22 years experience leading IT departments through change» Consulting services with many higher education clients Technical depth and leadership in national organizations» SANS Global Information Assurance Certification in Security Leadership» SANS GIAC Advisory Board Member» INFRAGARD 6

Vantage Technology Consulting Group role Technology Consulting for Colleges and Universities Purpose Driven Technology Thinking Independent Technology Consulting firm Higher education, healthcare, public, corporate and commercial sectors Formed in 2001 Offices in Los Angeles, Boston, San Francisco and New York 7

PROJECT PHASES

Project Phases PHASE ISO Standard Information Security Management Compliance SCOPE Information security governance, policies, standards, and baseline procedures within ISO framework Implement standards and procedures within ISO framework: Infrastructure and network security enterprise-wide contingency plans security education program IT risk assessment network monitoring and vulnerability scanning program 9

Post Implementation Program Compliance ISO Standard Program Management 10

Overall Timeline and Effort 2018 and ongoing to meet growing audit and compliance concerns Major Impact: Technology teams across the University Periodic Impact: Administrators and Campus Users» Governance» Education and awareness» Business Processes 11

PHASE 1: ISO STANDARD

Information Security Governance Advisory Council Develop information security plan, including policies and standards, initiatives and services Evaluate and advise on risks Identify awareness and training needs 13

Information Security Governance Security Incident Response Team Central response and management of incidents Security advisory distribution and information sharing Technical consulting, operations, remediation 14

Policies, Standards, Baseline Procedures Policies Standards Why do I need to do this? Review 3-5 years What is required? Review 2-4 years Procedures How do I do it? Review 1-3 Years 15

ISO Standard Example Policies Asset Responsibility» Responsibility, inventory, ownership, acceptable use and return Information Classification» Classification, labeling, and handling Media Handling» Management, transfer and disposal User Access» Registration and de-registration, access provisioning, management of privileged access, review of access privileges 16

ISO Standard Example Operating Standards Application Administration Mobile Device Management Server Management Software Development Methodology 17

ISO Standard Example Procedures Application Administration Standard» Account Provisioning» Account Termination» Authentication» Access Approval» Access Privilege Assignment» Access Privilege Review» Access Privilege Change 18

ISO Standard Timeline Governance Jan-March Policies Jan-April Standards Feb-April Procedures May-August 19

PHASE 2: INFORMATION SECURITY MANAGEMENT

Information Security Management Vulnerability Scanning Inventory: Which systems, where are they, who owns them?» Registration and inventory management for critical devices Scanning: Scanning tool with templates to look for standard system and application vulnerabilities and security patches» Scanning Program for ISO, PCI, other compliance needs Remediation: Understanding and fixing vulnerabilities» Management of reports, remediation, clean scan, cycle of scans 21

Information Security Management Initial Projects, Remediation Projects, Strategic Projects Initial Remediation Known infrastructure issues such as upgrades, enterprise practices, security practices Issues documented during vulnerability scanning and information security assessments for all environments Strategic Projects to manage security objectives, shrink security footprint, address security architecture with IT infrastructure 22

Information Security Management Security Education Program Faculty, Staff, Student Technical Roles Specialized Users International Travel Phishing Alerts Identity Theft Wireless Security Online Reputation 23

Information Security Management Contingency Planning SCOPE WHO Campus-wide emergency response Disaster recovery plans Business continuity plans Business & Finance / ITS All IT environments All departments 24

Information Security Management IT Security Management Program Development A program is an organizational effort defined to meet an overarching goal. A program includes all the collective:» Vision, Goals, Strategy, Governance» Planning, Projects and» Daily Operations necessary to meet the program mission. 25

Information Security Management IT Security Management Program Strategy Makes sense of the competing compliance pressures Coordinates initiatives to highlight direction and vision Aligns overall costs and benefits against other institutional goals 26

Information Security Management Timeline Project Jan Feb Mar Apr May Jun Jul Aug Sep Vulnerability Scanning Initial and Remediation Projects Strategic Projects Security Education Contingency Planning Program Management 27

PHASE 3: COMPLIANCE

Compliance Information Security Assessment Complete an Information Security risk assessment» HEISC maturity assessment tool (based on ISO standard)» For every department managing IT services» All assessments require work plans could require lots of coordination» Performed annually» Results are prioritized by risk and become part of the IT Risk Assessment 29

Compliance Information Security Risk Assessment 30

Compliance IT Risk Assessment IT risk is the potential for an unplanned, negative outcome. IT risk is a business risk consisting of IT-related events that could affect an institution's ability to achieve its mission and key objectives. IT risk management refers to the process of identifying, assessing, prioritizing, and addressing the major IT risks associated with an institution's key objectives. https://er.educause.edu/articles/2015/2/understanding-itgrc-in-higher-education-it-risk 31

Compliance IT Risk Assessment IT Risk Assessment is a portion of university s Enterprise Risk Management program» Follow university risk management processes High level divisional review of mission and key objectives, identifying IT risks that could affect ability to achieve those objectives» Collaboration between IT, ERM program and business function owners» Utilize EDUCAUSE IT Risk Register with risk categories such as compliance, financial, IT lifecycle, operational, reputational and strategic risks 32

Compliance IT Risk Assessment Higher levels risks require action:» Reduce to acceptable level (mitigation)» Transfer the risk» Assume (accept) the risk Annual IT Risk Assessment (including Information Security Risk Assessment) due to UNC-GA annually 33

Information Security and IT Risk Assessment Timelines Policies Standards Feb-April Information Security Assessments April-TBD IT Risk Assessment TBD Jan-April 34

TECHNOLOGY CONSOLIDATION

Technology Consolidation Why Consolidate? Protect the University, improve security and reduce risk Ensure consistent compliance Limit redundant IT management, risk assessment and support efforts Leverage resources to meet demands for support and coordinate technology deployment Provide efficient, professional technology management 36

Technology Consolidation Next Steps Complete technology assets inventory Meet with units to review assets and discuss needs and opportunities Identify and implement consolidation projects» Complete prior to risk assessments and next audit 37

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback