How Do You Create A Successful Information Security Program Hire A Great Iso!!
Start With A Great Information Security Plan!
1. Start With A Great Information Security Plan! Tammy L. Clark, CISO, Georgia State University William Monahan, Lead Information Security Administrator, Georgia State University
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
Editor's Notes
ISO/IEC 17799 is an information security standard published and most recently revised in 2005 by the International Organization for Standardization and the International Electrotechnical Commission. It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version published in 2000, which was itself a word-for-word copy of the British Standard BS 7799-1:1999.
Examples: State of Security: Adoption of Risk Assessment Policy in November 2005; Information security risk assessments performed using the methodology outlined in National Institute of Science and Technology (NIST) SP 800-30 Risk Management Guide for Information Technology Systems, and incorporate relevant university policies and procedures. Proposed Action Items: Develop standard criteria that departments can use in conducting preliminary analysis of potential IT system candidates; Develop supporting documentation and procedures to support the risk assessment policy and for periodic reassessments of systems and data Impact: The Risk Assessment policy adopted in November 2005 has led to approximately 50 risk assessments being conducted in 2006 so far, that led to mandatory information security controls, policies, procedures and guidelines being put in place to protect the university’s information technology infrastructure.
State of Security: The Statutes of Georgia State University provide for the internal governance of this University Proposed Action Items: Establish a schedule and process for periodic review; modify security awareness course to include domain on security policies, Adopt a policy mandating all students and staff complete security awareness course; Coordinate with internal audit to focus attention on areas of concern in regards to policy compliance Impact: Conducting risk assessments of university business and IT initiatives has led to the revision or institution of new information security policies that better define the responsibilities of those who manage information technology assets and information, as well as numerous procedures and guidelines that specify what needs to be done to safeguard it from unauthorized access and usage
State of security: 2000—Information Security department created and a number of initiatives developed to provide the campus with enhanced resources, knowledge, and leadership Proposed Action Plan Items: Reassess current information security needs of university; Investigate training and procedures to allow assumption of routine tasks by other elements of central IT org; Develop procedures for operation of CSIRT; Develop and maintain security architecture; develop and implement criteria and processes for eval of risks associated with third party access Impact: Management commitment is critical in order to acquire funding and staffing resources. A CISO and dedicated, highly trained information security resources are necessary to manage and maintain a successful information security program.
State of security: Property Control Policy; Data Stewardship and Access Policy Proposed Action Items: Implement asset tracking for critical information technology equipment that falls outside span of control of Property Control Policy; Review procedures and policies governing control of access to sensitive information and review/approval of continuing access Impact: In order to get your arms around what needs to be protected, this is a critical step!
State of Security: Credit checks, criminal background investigations, defining information security related job duties in position descriptions, security awareness training requirements, identity management initiatives Proposed Action Plan items: Incorporate information security duties into job descriptions; mandated security awareness training; utilize IDM to assure appropriate access and authorization to university information and IT resources Impact: Implementing an identity management system to provision and deprovision id’s in a timely manner; online class has made it easy and convenient to administer security awareness training, which is critical for the campus user population
State of security: Restrict physical entry into the Data Operations Center; prevent loss, damage or compromise of information technology assets; minimize exposure to flooding unauthorized access, fire, corrosive agents, and potential hazards Proposed Action items: Approve Network Operation Center Access Policy and Telecomm Room Access and Key Policy; install monitoring and recording equipment for tracking environmental changes; Implement necessary changes to mechanical systems within the NOC Impact: Part of the process of analyzing this particular domain area is assessing power and A/C in the network operations center—the ISO 17799 standard really leads to you taking an indepth view of the controls in each domain area
State of security: Knowledgebase in the NOC and HelpCenter; Central database repository for disparate data sources to dynamically record all devices; CSIRT mobilization; performance of risk assessments; devising acceptance criteria for new centrally managed information systems, et al; implement controls to prevent and detect unauthorized or malicious software (defense in depth); Adequate back-up plans and facilities; security management controls—centralized and distributed; Secure Disposal or Re-Use of Information Systems Equipment; Email System Acceptable Use and Security Policy; Compliance with PCI and CISP; continuous, dynamic network monitoring from a central location Proposed Action Items: Consolidated knowledge Base; Critical Outage procedures; Standards and procedures for implementing third party service delivery solutions; develop and implement IT Infrastructure Master Plan and IT Project Portfolio review; select and deploy additional security technologies to bolster internal defenses; conduct reviews of back-up strategies on system by system basis; review through data steward structure the procedures for approving and protecting exchange of sensitive university data between systems and to individual end users; develop standard methodology for processing credit card transactions; examine feasibility of single monitoring application or appliance Impact: Codify all your IT and information security procedures—an area where ITIL and COBIT can be integrated effectively
State of security: In accordance with existing policy, all university information is used with appropriate access levels and sufficient assurance of integrity, confidentiality, and compliance with laws and statutes; IDM, Minimum Information Security Environment Policy and Information Systems Ethics Policy; Password complexity controls that adhere to Sensitive Information Protection Policy and supporting procedures; Remote Access Policymandating use of VPN and approved methods; procedures for restricting access to production environments based on business requirements of functional customer and control by security administrators; Wireless Access Policy mandating use of VPN Proposed action items: IDM implementation; mandated password complexity in sensitive areas assured by technical controls; network access authentication requirements assured by technical controls Impact: Tightening up the controls on accessing information on your network—including third parties doing business with the university and remote users
State of security: Information Risk Assessment policy approved in Nov 2005; Data Stewardship and Access Policy; Remote Access policy; institution of standard cryptographic controls; acquisition of multiple vulnerability assessment technologies used to scan devices in support of university policies and information security initiatives Proposed Action items: Continued research of vulnerability assessment technologies that can be integrated with various security monitoring systems Impact: Support the risk assessment process in which you analyze information technology projects and business processes in seeking to implement consistent, effective controls
State of security: Incident Response Policy and associated procedures; modification of technical controls routinely to mitigate threats. Proposed action items: Continued development of CSIRT procedures as needed; Training and simulation of events conducted with CSIRT members Impact: Face it—criminal activities using computers are on the upswing and the CSIRT, effective policies and procedures, as well as trained staff members with forensics knowledge, are all critical in order to properly handle forensics and evidence seizures from a legal standpoint
State of security: Development of a comprehensive Disaster Recovery/Business Continuity plan State of security: Funded and staffed commitment to Business Continuity plan and associated Disaster Recovery Plan Impact: Having a business continuity plan is critical
State of security: Secure Computing Initiative that mandates specified levels of protection to systems and assets that fall under compliance requirements; risk assessments to identify areas of the campus that fall under specific regulations/statutes; vulnerability assessments and limited penetration testing; security reviews and audits; qualified CISA’s in information security and/or internal audit departments Proposed Action Plan items: Conduct periodic information technology reviews and audits; HIPAA Sanction Policy; provide procedures and training to Internal Audit personnel; Mandate completion of advanced information security awareness course for IT personnel that support/manage areas which are subject to compliance or to be audited Impact: Assessing what resources, funding and controls are necessary to comply with university policies and federal statutes is a big benefit of the plan. This information can be used to appeal to higher ups at your university in terms they understand.