23 March, 2009

Information Security from the Ground Up

  • David Seidl, Information Security Professional, University of Notre Dame
In 2005 the University of Notre Dame suffered a serious incident that brought information security into the campus spotlight. In response, they partnered with a Big Four consulting firm to conduct a comprehensive IT risk assessment. Three years later, they're almost done with a four-year risk management program.

Small department consisted of 5 FTE by 2006.  PCI credit card compliance was a driver for security - but then a breach that exposed donor information changed the game.  Spent about 6 months recovering from that, then were awarded a budget.  Not an ideal way to get funded.  University leadership requested a campus-wide IT risk assessment which came to be called CITRA, or Campus IT Risk Assessment.  Partnered with a Big Four consulting firm (Ernst & Young).  Network assessment, interviews, really dug in to everything.  Was very helpful to have consultants helping.

The result was 68 findings covering 10 key areas.

Planning workshop consisted of a cross-functional team.  Analyzed CITRA results and created project specifications designed to remediate findings rated medium or higher.  Discussed objectives with resource managers.  Working with resource managers has helped him to not go over budget in several years.

Outcome is projects sequenced to prioritize high-risk findings and balance resource consumption.  Overall costs $4.6 million over 4 years.

Objectives: Information Security typically looks at confidentiality, integrity of data, and availability.  Establish and implement controls to fill critical gaps (determined by risk tolerance).  Awareness of security and proper data handling practices.  Establish and communicate security-related procedures and standards to regular users.

Added two new FTE (Operations & Engineering and Networking positions).  Additional contract staff added in project management.  Some load absorbed internally (5 FTE total).  They have a 4-year rolling plan now (living document).  Dedicated project management software has been a huge help so that projects and details don't get lost in email.  Project reports periodically to senior management.

Student awareness is an important factor, especially in terms of preventing the import of viruses.  Incoming students are shown a video, and progress is happening incrementally.  Data stewards (one owner for a particular data set) are critical.

Web development has been a problem because code is often thrown together with an eye on functionality (not security).  They are also frustrated because they have not found instructors for OS X security.

Awareness metrics look at users who saw security training materials at least 2 times per year, and actually remember seeing them.

Using the Tripwire tool to detect changes on servers.  Lots of political struggles around getting individual server admins to update (per unfunded mandate).  Zoned network and wireless security, segmenting faculty/staff, from students, from servers.  Much more locked down.  Recurring security reviews.
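To show what the Tripwire-style change detection mentioned above actually does, here is an added example (not Tripwire's code and not from the talk): it takes a baseline of file hashes, sizes and permission bits under a directory, then diffs a later snapshot to report added, removed and modified files; the directory and files are whatever the caller constructs.

```python
import hashlib
import stat
from pathlib import Path

# Added illustration of file-integrity monitoring, not Tripwire's own code.
# A baseline is taken on a known-good host and stored off-box; later
# snapshots are compared against it to flag unexpected changes.

def snapshot(root):
    """Return {relative_path: (sha256, size, mode)} for every regular file under root."""
    root = Path(root)
    state = {}
    files = sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink())
    for path in files:
        st = path.lstat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        state[str(path.relative_to(root))] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return state

def compare(baseline, current):
    """Diff two snapshots; for changed files, list which attributes differ."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            old, new = baseline[rel], current[rel]
            names = ("content", "size", "mode")
            # A content change with the same size is still caught by the hash.
            report["changed"][rel] = [n for n, o, c in zip(names, old, new) if o != c]
    return report

if __name__ == "__main__":
    import sys
    # usage: python fim.py /path/to/watch  (prints a baseline of the tree)
    for rel, (digest, size, mode) in snapshot(sys.argv[1]).items():
        print(f"{digest}  {size:>8}  {mode:o}  {rel}")
```

In practice the baseline must be stored somewhere the monitored host cannot modify, otherwise an intruder who gains root can simply re-baseline.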

Seems to be less of a balance between usability and security, and heavily tilted toward security.  Probably a result of the power given to security by the compromise event.  Lots of accountability metrics available now.  From what he's seen, there has been no loss in functionality among end-users either, so he's comfortable with a 0 net gain.
