ISE North America Leadership Summit and Awards


Transcription:

ISE North America Leadership Summit and Awards, November 6-7, 2013
Presentation Title: Embracing Cyber Security for Top-to-Bottom Results
Presenter: Larry Wilson
Presenter Title: Chief Information Security Officer
Company Name: University of Massachusetts
ISE North America Leadership Summit and Awards 2013 #ISEna

University of Massachusetts: Providing High Quality Education for 140 Years
- 2013 World University Ratings: 42nd of Top 100 Universities
- 5 Campuses + Systems Office
- 72,000 Students
- 17,500 Faculty & Staff
- UMass Online: 120 Degree & Certificate Programs

Embracing Cyber-security for Top-to-Bottom Results (Agenda)
- What's at Stake
- UMASS Security Program Goals
- UMASS Security Program Design
- Building a Controls Wall
- Top 20 CyberSecurity Controls
- CyberSecurity Technology Architecture
- CyberSecurity Software Design
- CyberSecurity Controls Mapping
- UMASS Security Program Operations Center
- CyberSecurity Controls Implementation
- Lessons Learned / Best Practices

What's at Stake? High value assets and the risk of a data breach.

Security Risk: Based on the likelihood and impact of the university experiencing an adverse event such as a data breach.

Contributing to Risk:
- Threats: Ever-changing threat landscape consisting of internal and external threats.
- Vulnerabilities: Decentralized administrative and academic computing environment across the university, comprising both managed and unmanaged assets.
- High Value Assets: Intellectual property, research data, student and employee records, health records, credit cards, etc.

Risk Mitigation:
- Controls: Design, build and operate a comprehensive set of security controls that safeguard computing and information assets.

UMASS Security Program Goals
1. Develop a university-wide security framework and strategic programs.
2. Invest in security controls to protect critical university assets (Critical Asset Groups):
   CAG-01: People, Identities, Access
   CAG-02: Endpoint Devices
   CAG-03: Business Applications
   CAG-04: Network Security
   CAG-05: Data Center Systems
   CAG-06: University Databases
   CAG-07: University Data
3. Align security controls with industry best practices [ISO 27002, Top 20 Critical Security Controls]:
   MGT: Information Security Management and Communications (People Focus)
   CSC: CyberSecurity Controls (Technology Focus)
   GCC: General Computer Controls (Process Focus)
4. Invest in resources (staffing, training) to implement and manage security controls.
5. Develop an implementation roadmap inclusive of all campuses and departments.
6. Establish a comprehensive communication program to increase stakeholder awareness.

UMASS Security Program Design: UMass Information Security Program

Management & Communications (MGT), People Focus: Risk Management; Policy / Program; Marketing & Communications; Awareness Training

General Computer Controls (GCC), Process Focus: Secure Applications; IT Operations; Access Controls; Records Retention

Cyber-security Controls (CSC), Technology Focus: Top 20 Critical Security Controls

Foundation: ISO 27002; CSCS 20 Critical Security Controls

Policy, Legal, and Regulatory Framework: UMass Security Policy, WISP, Mass Privacy, PCI, SOX, HIPAA, FERPA, ...

Building a Controls Wall: the wall of controls sits between CAG-01: People, Identity, Access (Allow or Deny Access?) and CAG-07: University Data, governing access to university data. It is built from three families of controls, each numbered 01 through 20:
- MGT-01 to MGT-20: Security Management Controls (ISO 27002)
- CSC-01 to CSC-20: CyberSecurity Controls (CSCS CSCs)
- GCC-01 to GCC-20: General Computer Controls (ISO 27002)

Top 20 Critical Security Controls
CSC-01 IT Asset Management
CSC-02 Software Asset Management
CSC-03 System Configuration
CSC-04 Vulnerability Management
CSC-05 Malware Defenses
CSC-06 Application Security
CSC-07 Wireless Devices
CSC-08 Data Recovery
CSC-09 Security Training
CSC-10 Network Configuration
CSC-11 Ports, Protocols, Services
CSC-12 Administrative Privileges
CSC-13 Boundary Defenses
CSC-14 Audit Logs
CSC-15 Controlled Access
CSC-16 Account Monitoring
CSC-17 Data Loss Prevention
CSC-18 Incident Response
CSC-19 Secure Network Engineering
CSC-20 Penetration Testing

CyberSecurity Technology Architecture (Cyber-Security Technology)
Components:
- Scan Engine, driven by Scan Rules (updated from the controls database)
- Monitor Engine, driven by Monitor Rules (updated from the controls database)
- Filter Engine, driven by Filter Rules (updated from the controls database)
- CSCS Critical Controls Database
- Alerting & Reporting Console
Critical Asset Groups (Managed & Unmanaged Assets):
- CAG-01: Identity, Access, Entitlements
- CAG-02: Endpoint Devices
- CAG-03: Business Applications
- CAG-04: Network Security
- CAG-05: Data Center Systems
- CAG-06: Databases
- CAG-07: University Data

CyberSecurity Software Design (flow: START, Control Requirements, Compliance Assessment / Security Assessment, Design Requirements, Compliance Assessment, END)

Control Requirements (Asset Management): Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the organization network, including servers, workstations, laptops, and remote devices.

Design Requirements:
1. Establish authoritative system of record (controls database)
2. Update with known managed assets (GCC Process)
3. Scan rules for unknown unmanaged assets (active discovery)
4. Monitor rules for unknown unmanaged assets (passive discovery)
5. Filter rules for unknown unmanaged assets (access control)
6. Generate real-time alerts and management reports (Alerting and Reporting Console)
7. Update authoritative system of record (controls database)

Compliance Assessment (Asset Management): Implement, operate, alert and report using processes and tools to track/control/prevent/correct network access by devices (computers, network components, printers, anything with IP addresses) based on an asset inventory of which devices are allowed to connect to the network.
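The seven design requirements above describe a reconciliation loop: an authoritative inventory is seeded from the managed-asset process, active and passive discovery feed observed devices into it, a filter rule decides whether each device may connect, and every previously unknown device produces an alert and a new unmanaged row in the system of record. The following is an added illustration of that loop, not code from the presentation or from UMass; the MAC addresses, hostnames, IPs and the "scan"/"monitor" source labels are constructed sample data, and the allow/quarantine rule is an assumed policy.

```python
"""Reconcile discovered devices against an authoritative asset inventory.

Added example for the seven design steps (controls database, managed-asset
load, active/passive discovery, filter rule, alerts, inventory update).
All asset records and observations below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Asset:
    """One row of the authoritative system of record (the controls database)."""
    mac: str
    hostname: str
    owner: str
    managed: bool = True                      # False: seen on the network, not under GCC control
    sources: set = field(default_factory=set)  # which discovery methods have observed it
    first_seen: str = ""


def build_system_of_record(managed_records):
    """Steps 1-2: create the controls database and load the managed assets that
    the GCC process (procurement, configuration management) already knows."""
    db = {}
    for mac, hostname, owner in managed_records:
        key = mac.lower()
        db[key] = Asset(key, hostname, owner, managed=True, sources={"gcc"})
    return db


def filter_decision(db, mac):
    """Step 5 (assumed policy): a device is allowed only if it is in the
    inventory *and* managed; anything else is quarantined pending review."""
    asset = db.get(mac.lower())
    return "allow" if asset and asset.managed else "quarantine"


def reconcile(db, observations, now=None):
    """Steps 3-4, 6-7: fold scan and monitor observations into the system of
    record, raise one alert per previously unknown device (even if several
    sources saw it), and return a management summary.

    observations: iterable of (mac, ip, source), source being "scan" or "monitor".
    """
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    alerts = []
    for mac, ip, source in observations:
        mac = mac.lower()
        asset = db.get(mac)
        if asset is None:
            # Step 7: the unknown device enters the system of record as unmanaged
            asset = Asset(mac, hostname=f"unknown-{ip}", owner="unassigned",
                          managed=False, first_seen=now)
            db[mac] = asset
            # Step 6: real-time alert carrying the access-control decision
            alerts.append({"mac": mac, "ip": ip, "source": source,
                           "action": filter_decision(db, mac), "ts": now})
        asset.sources.add(source)
    managed = sum(1 for a in db.values() if a.managed)
    unmanaged = len(db) - managed
    return {
        "alerts": alerts,
        "managed": managed,
        "unmanaged": unmanaged,
        # management-report metric: share of observed devices under control
        "coverage_pct": round(100 * managed / len(db), 1) if db else 100.0,
    }


# Constructed sample data: three managed assets from the GCC process
MANAGED_ASSETS = [
    ("AA:BB:CC:00:00:01", "hr-laptop-01", "HR"),
    ("AA:BB:CC:00:00:02", "reg-server-01", "Registrar"),
    ("AA:BB:CC:00:00:03", "lib-desktop-07", "Library"),
]
# Constructed discovery results; :04 is seen by both methods, :05 only passively
ACTIVE_SCAN = [
    ("aa:bb:cc:00:00:01", "10.1.0.11", "scan"),
    ("aa:bb:cc:00:00:02", "10.1.0.12", "scan"),
    ("aa:bb:cc:00:00:04", "10.1.0.40", "scan"),
]
PASSIVE_MONITOR = [
    ("aa:bb:cc:00:00:02", "10.1.0.12", "monitor"),
    ("aa:bb:cc:00:00:05", "10.1.0.50", "monitor"),
    ("aa:bb:cc:00:00:04", "10.1.0.40", "monitor"),
]

if __name__ == "__main__":
    db = build_system_of_record(MANAGED_ASSETS)
    summary = reconcile(db, ACTIVE_SCAN + PASSIVE_MONITOR)
    for alert in summary["alerts"]:
        print("ALERT unmanaged device", alert)
    print(f"managed={summary['managed']} unmanaged={summary['unmanaged']} "
          f"coverage={summary['coverage_pct']}%")
```

Keying the inventory on MAC rather than IP is a deliberate choice: DHCP leases change, so an IP-keyed inventory would raise duplicate alerts for the same unmanaged host. Deduplicating alerts per device while still recording every discovery source keeps the console quiet without losing the evidence that a device was visible to both the scanner and the passive monitor.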

CyberSecurity Controls Mapping (Security Control and Control Description, mapped against the Critical Asset Groups)

Columns (Critical Asset Groups): CAG-01 People, Identity, Access; CAG-02 Endpoint Devices; CAG-03 Business Applications; CAG-04 University Networks; CAG-05 Data Center Systems; CAG-06 Databases; CAG-07 University Data

Rows (Security Controls):
CSC-01 Inventory of Authorized and Unauthorized Devices
CSC-02 Inventory of Authorized and Unauthorized Software
CSC-03 System Configuration (servers, laptops, mobile devices)
CSC-04 Continuous Vulnerability Assessment and Remediation
CSC-05 Malware Defenses
CSC-06 Application Software Security
CSC-07 Wireless Device Control
CSC-08 Data Recovery
CSC-09 Security Skills Assessment and Training
CSC-10 Network Configuration (switches, routers, firewalls)
CSC-11 Control of Ports, Protocols, and Services
CSC-12 Control of Administrative Privileges
CSC-13 Boundary Defenses
CSC-14 Maintenance, Monitoring of Audit Logs
CSC-15 Controlled Access based on Need to Know
CSC-16 Account Monitoring
CSC-17 Data Loss Prevention
CSC-18 Incident Response: Process (applies to all seven asset groups)
CSC-19 Secure Network Engineering
CSC-20 Penetration Testing & Red Team Exercises: Assessment (applies to all seven asset groups)

CyberSecurity Controls Implementation (Example): Asset Group Action Plan to Comply with University Standards based on the Top 20 Critical Security Controls (Phase 1, Phase 2, Phase 3)

CAG-01 People, Identities, Access
1. USecure Program: Continue to implement the Usecure program based on CSCS STH
2. Develop University-wide RFP for EndPoint Management Solution
3. SecAdmin Process: University-wide process for managing access to Psoft applications

CAG-02 Endpoint Devices
4. Determine best campus / department for MDM pilot (mobile devices)
5. NAC: Implement NAC to control unmanaged endpoints and servers
6. Establish endpoint security standard (Anti-Virus, file/folder encryption, USB drive encryption)

CAG-03 Business Applications
7. BSIMM: Establish best practices for Software Security
8. WAF: Evaluate Web Application Firewall technologies

CAG-04 Network Security
9. Establish standards for Wireless Networks
10. Next-Gen Firewall: Determine best alternative for next-gen Firewall
11. Two Factor AuthN: Two factor authentication (RSA Tokens)

CAG-05 Data Center Systems
12. Vulnerability & Patch Management
13. SIEM: Determine best alternative for SIEM or managed service
14. Central authentication: evaluate technology solutions for central authentication of Linux systems

CAG-06 Databases
15. Database Security: Determine database security strategy & technology

CAG-07 University Data
16. Implement technology to identify, inventory and manage sensitive data
17. Records Administration: establish process for deleting sensitive data via records retention standards

UMASS Security Program Operations Center
Information Security Operations Center (ISOC), built, bought, outsourced or cloud-delivered, operating the 20 CSCs.
Inputs: Work Requests, Tickets, Audit Findings; Advisories & Incidents; Data Breaches; Intelligence Feeds (Zero-day Threats, Zero-day Vulnerabilities)
Teams: Incident Response Team / CSIRT; Help Desk; IT Operations; Management Team
Output: Alerts, Metrics & Reports

Lessons Learned / Best Practices
- Start with the Design: Get management buy-in including budget, resources and timelines.
- Implement in Phases: Quick wins, maximum impact; you need success stories!
- Communicate Often: Monthly implementation and compliance reports.
- Work with Partners: Including the Council on Cybersecurity and vendors / service providers, to improve technology and service offerings.