SlideShare a Scribd company logo

Start With A Great Information Security Plan!

Tammy Clark, profile picture
Tammy Clark

The document discusses Georgia State University's information security plan, which was developed based on the ISO 17799 standard. It summarizes the 12 domains covered by the ISO standard and how the university assessed its current security state in each domain. The plan aims to provide comprehensive and prioritized security objectives and action plans to improve information security protections over multiple years.

1 of 28
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Start With A Great Information Security Plan! Tammy L. Clark, CISO, Georgia State University William Monahan, Lead Information Security Administrator, Georgia State University
Why ISO 17799? The ISO 17799:2005 standard lends itself well to developing and defining information security program initiatives in a higher education environment ISO/IEC 17799:2005 provides best practice recommendations (133 controls) on information security management for use by those who are responsible for initiating, implementing or maintaining information security management systems. Information security is defined within the standard as the preservation of: Confidentiality (ensuring that information is accessible only to those authorized to have access) Integrity (safeguarding the accuracy and completeness of information and processing methods) and Availability (ensuring that authorized users have access to information and associated assets when required).
Georgia State University’s Information Security Plan Two years ago, our CIO was tasked by the Board of Regents in Georgia to submit an information security plan. We elected to provide a plan that was both comprehensive and holistic, and we chose to frame it around the ISO 17799 standard, as it advocates a very strategic, risk management based approach Looking back, this was a very ambitious undertaking that first year, since we only have three dedicated information security staff resources, and examining all of the recommended controls in the ISO 17799 was a very time consuming and (at times) difficult process We then went a few steps further and made an assessment of the current state of security in each domain area and defined prioritized objectives to accomplish each year. Each year, we modify our plan to reflect changing priorities and demands We are currently in the planning stages of integrating ITIL (IT Infrastructure Library) and COBIT (Control Objectives for Information and related Technology)
12 Domains of ISO 17799:2005 Risk Assessments Security Policies Information Security Organization Asset Management Human Resources Physical and Environmental Security Communications and Operations Management Access Control Information Systems Acquisition, Development, and Maintenance Information Security Incident Management Business Continuity Management Compliance
Benefits of Using the ISO 17799 Framework It’s comprehensive and requires an in depth analysis of business and IT processes. A great deal of time and effort will go into this initially, but when all is said and done, you will have prioritized action plans you can use to make immediate improvements. You will have a great opportunity to bridge the communication gap that often exists between information technology and business/academia. You can begin to erase the perception that information security only affects information technology, as you integrate your information security initiatives into business and academic processes and initiatives. You can use this plan to clarify to upper management what measures need to be taken at your campus to comply with university policies and legislative requirements (HIPAA, GLBA, PCI, etc.) that often require a very complex information security infrastructure. You can effectively demonstrate to your university leadership constituency that instituting adequate preventative controls and measures is necessary in order to prevent data leakages and compromises of institutional assets.
Using ISO 17799:2005 to Develop an Information Security Plan Overview of domains and objectives Ideas on assessing the current state of security at your university Coming up with proposed action plan items Building out a comprehensive appendix with supporting documentation Integrating ITIL and COBIT objectives (optional)
Executive Summary State that senior level management support and validation of your information security program is critical to its success Amplify how accomplishing the roadmap objectives you’re outlining in this plan will directly impact and enable your university’s strategic goals—academic, business, and information technology. Stress that this plan clearly demonstrates the need to institute an evolving cycle of continuous improvements in areas such as regulatory compliance, preservation of the confidentiality and integrity of university data, and availability of the critical business and information technology infrastructure
Opening Sections of Your Plan Scope: Applicability (Staff, faculty, students, affiliates, third parties) Structure (ISO 17799:2005) Explanation of the format (14 domains) Annual validation process (continuous cycle of improvement, review, and acceptance/adoption) Terms and definitions
Risk Assessment and Treatment Two major areas: Assessing Security Risks and Treating Security Risks Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
Security Policy Information Security Policies Information Security policies provide direction and support for information security iaw university requirements and relevants laws and regulations Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
Organization of Information Security Two major areas: Internal organization and External parties A robust information security infrastructure must be developed that includes incident response activities, security awareness education, security policies, third party compliance with university policies and requirements, and the deployment of effective security solutions that deter the activities of unauthorized persons Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
Asset Management Two major areas: Responsibility for Assets and Classification Guidelines Inventories and classification of assets helps ensure that effective asset protection takes place, is an important aspect of risk management, and may also be required for other business purposes such as health, safety, and federal regulations. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
Human Resources Security Three major areas: Prior to employment, During employment, and Termination or change of employment Throughout the employment cycle (hiring, current status, and termination/changes) information security procedures must be implemented to reduce the risks of human error fraud, and misuse of university resources Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
Physical and Environmental Security Three major areas: Secure areas, Equipment security, General controls Important business information processing facilities should reside in secure areas with appropriate security barriers and entry controls, and the protection applied should be commensurate with risks Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
Communications and Operations Management 10 major areas: Operational procedures and responsibilities, Third party service delivery management, System planning and acceptance, Protection against malicious and mobile code, Back-up, Network security management, Media handling, Exchange of information, Electronic commerce services, Monitoring Policies for the management and operation of all university information processing facilities should be established, codified, and communicated to all employees and third parties doing business with the university in order to ensure correct and secure operation. Capacity planning and back-up strategies are important, as is proper handling of media disposal and storage. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
Access Control Eight major sections: Business requirement for access control; User access management, User responsibilities, Network access control, Operating system access control, Application and information access control, Monitoring system access and use, Mobile computing and telecommuting Access to university information and business processes should be controlled on the basis of business and security requirements according to university policies and procedures. Users must be made aware of their responsibilities in this process and standard and procedures developed and implemented to assist in mitigation of risks. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
Information Systems Acquisition, Development and Maintenance Six major sections: Security requirements of information systems, Correct processing in applications, Cryptographic controls, Security of system files, Security in development and support processes, Technical vulnerability management Security reviews are necessary to ensure that controls and security requirements become a part of the overall design process. Cryptographic controls are necessary to assure confidentiality, authenticity, and integrity of sensitive information at risk. Technical vulnerability management systems should be implemented in an effective, systematic, and repeatable way with measurements taken to confirm effectiveness. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
Information Security Incident Management Two major sections: Reporting information security events and weaknesses and Management of information security incidents and improvements Formal event reporting and escalation procedures should be in place. All employees, contractors, third party users should be made aware of the procedures for reporting different types of events and weaknesses that might have an impact on the security of organizational assets to the designated POC. Responsibilities and procedures should be in place to handle information security events weaknesses effectively once reported. A process of continuous improvement should be instituted to monitor, respond, evaluate and manage information security incidents. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
Business Continuity Management Information security aspects of business continuity management In order to prevent disruption to business activities, as well as protect critical business processes from the effects of major failures or disasters, the development of a comprehensive University Disaster Recovery/Business Continuity Plan is necessary. The plan should call for risk analyses to determine the impact of business disruptions, identify priorities for testing, maintenance and activation, as well as outline specific processes to follow in the event of disruptions, including identification of the individuals or departments responsible for execution of each component of the plan. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
Compliance Three major areas: Compliance with legal requirements, Compliance with security policies and standards, and technical compliance, System audit consideration Universities are obligated to protect information types defined under FERPA, GLBA, HIPAA, Digital Millennium Act, CC 42CFR Part 73, ECPA and various other state and federal statutes or guidelines. It is also necessary to ensure compliance of information technology systems with university policies and standards. It is desirable to maximize the effectiveness of system audits and to minimize business disruptions due to vulnerability and/or penetration tests performed on university information technology resources. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
(Sample) Appendices Items Sensitive Services Information security documentation Information security technical control matrix Credit card merchants Examples of outsourced contracts to 3 rd parties HIPAA compliance Sample risk assessment report Email servers requiring periodic security reviews Proposed Action Item Matrix CSIRT membership
ITIL Integration Information security is an integral part of all business processes and serves as a support structure and success enabler of key business objectives ITIL and ISO 17799:2005 are compatible in that both seek to establish an effective risk management approach that promotes continuous information security planning, development of policies to support initiatives, risk analyses, controls and operational measures, compliance, metrics, and audits While ISO 17799:2005 identifies the best practices and elements that should be developed to manage an effective and robust information security program, ITIL devises formal processes that translate to customer requirements, business and IT processes, and thus provide a common ‘language’ between the business customer, the IT provider, and the Information Security program initiatives and controls,
ITIL Information Security Model Key components of the ITIL process-based Information Security approach are: Understanding of customer requirements and business needs—provide security awareness to customer Service level agreements--internal and external information security requirements Planning—Strategic, Tactical and Operational Controls—information security management framework Implementations—asset classification & control, security staffing requirements, physical security, secure computer & network management, systems access control and user access management Evaluations—information security risk analyses, reviews and audits Maintenance—continuous cycles of modifications and improvements Reporting—reports and metrics
COBIT Integration COBIT provides a framework for IT governance, providing management tools such as metrics and maturity modeling to complement a control framework COBIT can be integrated into ISO 17799:2005 to assist with communicating management aims and direction, compliance, refining information classification, access controls, information security program infrastructure, human resources (job definitions and staffing), operational procedures and responsibilities
COBIT Information Security Model Four broad areas that contain specific objectives overlay the processes and domains outlined in ISO 17799:2005 and ITIL: Plan and Organize Acquire and Implement Deliver and Support Monitor and Evaluate
Final Considerations The reason we chose to develop our campus information security plan under ISO 17799:2005 and are now in the planning stages of integrating ITIL and COBIT is because we believe that an effective information security program integrates business/academic processes and initiatives with IT and information security objectives The frameworks discussed allow your information security staffs to speak a ‘common’ language with the functional/business executives at your institution, which ultimately promotes a dialogue that leads to increased understanding and better definition of risks and vulnerabilities. While we advocate that ISO 17799:2005 strongly lends itself for adoption by higher education institutions in its comprehensive approach to designing a robust information security program, we advise “picking and choosing” from the ITIL and COBIT frameworks to enhance your understanding and fine tune specific areas of your plan, especially in developing continuous cycles of measurements and improvements. Developing a comprehensive plan, with actionable information security objectives that are tied and aligned with both technology and business goals and processes, can assist you in making the case for funding and staffing resources because information security will be seen as a critical success factor to your institution and it also provides a way for you to effectively communicate with your business and academic leaders and really get their attention!
Resources ISO 17799:2005: http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3 ISO/IEC 17799 – Wikipedia: http://en.wikipedia.org/wiki/ISO_17799 OGC-ITIL website: http://www.itil.co.uk/ ITIL – Wikipedia: http://en.wikipedia.org/wiki/ITIL ISACA – COBIT: http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981 COBIT – Wikipedia: http://en.wikipedia.org/wiki/COBIT Georgia State University Information Systems Use Policies: http://www2.gsu.edu/~wwwccs/doc/uccs/policy/pol/archpolicy.htm
Questions? Copyright Tammy L. Clark, October 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

More Related Content

PPTX
5 Step Data Security Plan for Small Businesses
Wilkins Consulting, LLC
 
DOC
Computer Security Policy
everestsky66
 
PPT
1. security management practices
7wounders
 
PPT
Information security management
UMaine
 
PPT
Computer Security Policy D
guest34b014
 
PDF
Physical Security Management System
Daniel Suchy, CPP, MSyI
 
PPTX
Information security management best practice
parves kamal
 
PPTX
Importance Of A Security Policy
charlesgarrett
 
5 Step Data Security Plan for Small Businesses
Wilkins Consulting, LLC
 
Computer Security Policy
everestsky66
 
1. security management practices
7wounders
 
Information security management
UMaine
 
Computer Security Policy D
guest34b014
 
Physical Security Management System
Daniel Suchy, CPP, MSyI
 
Information security management best practice
parves kamal
 
Importance Of A Security Policy
charlesgarrett
 

What's hot (20)

PPT
Information Security Background
Nicholas Davis
 
DOCX
Information security policy
BalachanderThilakar1
 
PPTX
code of conduct
David Waddell
 
PDF
Chapter 12 iso 27001 awareness
newbie2019
 
PPT
Integrating Physical And Logical Security
Jorge Sebastiao
 
PPT
Security & control in management information system
Online
 
PPT
Network security policies
Usman Mukhtar
 
PPTX
Information Security : Is it an Art or a Science
Pankaj Rane
 
PPTX
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
Biswajit Bhattacharjee
 
PDF
Information Security Management 101
Jerod Brennen
 
PPTX
Information Security Management
EC-Council
 
PPT
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
Tammy Clark
 
PPTX
17 info sec_ma_imt_27_2_2012
RECIPA
 
PPT
Developing an Information Security Program
Shauna_Cox
 
DOCX
Security Management Strategies and Defense and their uses.
Computer engineering company
 
PPTX
Security Management | System Administration
Lisa Dowdell, MSISTM
 
DOC
System Security Threats and Risks)
BPalmer13
 
PPTX
Physical Security Assessment
Faheem Ul Hasan
 
PDF
Understanding security operation.pptx
Piyush Jain
 
PPTX
It security controls, plans, and procedures
CAS
 
Information Security Background
Nicholas Davis
 
Information security policy
BalachanderThilakar1
 
code of conduct
David Waddell
 
Chapter 12 iso 27001 awareness
newbie2019
 
Integrating Physical And Logical Security
Jorge Sebastiao
 
Security & control in management information system
Online
 
Network security policies
Usman Mukhtar
 
Information Security : Is it an Art or a Science
Pankaj Rane
 
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
Biswajit Bhattacharjee
 
Information Security Management 101
Jerod Brennen
 
Information Security Management
EC-Council
 
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
Tammy Clark
 
17 info sec_ma_imt_27_2_2012
RECIPA
 
Developing an Information Security Program
Shauna_Cox
 
Security Management Strategies and Defense and their uses.
Computer engineering company
 
Security Management | System Administration
Lisa Dowdell, MSISTM
 
System Security Threats and Risks)
BPalmer13
 
Physical Security Assessment
Faheem Ul Hasan
 
Understanding security operation.pptx
Piyush Jain
 
It security controls, plans, and procedures
CAS
 
Ad

Viewers also liked (14)

PDF
2012 global cloud_security_survey_executive_summary
Комсс Файквэе
 
PPTX
Creating a Security Plan for Your Agency - Laird Rixford
Insurance Technologies Corporation (ITC)
 
PPT
Security Measure
syafiqa
 
DOCX
Security Assessment Plan (Template)
GovCloud Network
 
PPT
develop security policy
Info-Tech Research Group
 
PPT
Information Security Awareness And Training Business Case For Web Based Solut...
Michael Kaishar, MSIA | CISSP
 
PPTX
Chapter 11: Information Security Incident Management
Nada G.Youssef
 
PPTX
Plan your security
Capt Rajeshwar singh
 
PPTX
Information security: importance of having defined policy & process
Information Technology Society Nepal
 
PPTX
Enterprise Architecture and Information Security
John Macasio
 
PDF
The Benefits of a Network Security Plan
SwiftTech Solutions, Inc.
 
PPTX
ANTIVIRUS AND VIRUS Powerpoint presentation
abhijit chintamani
 
PPS
SAP for Beginners
Jainul Musani
 
PDF
How to dimension user traffic in LTE
Althaf Hussain
 
2012 global cloud_security_survey_executive_summary
Комсс Файквэе
 
Creating a Security Plan for Your Agency - Laird Rixford
Insurance Technologies Corporation (ITC)
 
Security Measure
syafiqa
 
Security Assessment Plan (Template)
GovCloud Network
 
develop security policy
Info-Tech Research Group
 
Information Security Awareness And Training Business Case For Web Based Solut...
Michael Kaishar, MSIA | CISSP
 
Chapter 11: Information Security Incident Management
Nada G.Youssef
 
Plan your security
Capt Rajeshwar singh
 
Information security: importance of having defined policy & process
Information Technology Society Nepal
 
Enterprise Architecture and Information Security
John Macasio
 
The Benefits of a Network Security Plan
SwiftTech Solutions, Inc.
 
ANTIVIRUS AND VIRUS Powerpoint presentation
abhijit chintamani
 
SAP for Beginners
Jainul Musani
 
How to dimension user traffic in LTE
Althaf Hussain
 
Ad

Similar to Start With A Great Information Security Plan! (20)

PPT
Supplement To Student Guide Seminar 03 A 3 Nov09
Tammy Clark
 
PPTX
Information Security Blueprint
Zefren Edior
 
PDF
Chapter 7 Managing Secure System.pdf
AbuHanifah59
 
PPT
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Tammy Clark
 
PDF
Ch08 8 Information Security Process it-slideshares.blogspot.com
phanleson
 
PPTX
Security Foundation and Incident Mgmt and BCMS.pptx
MohsenMojabi1
 
PPTX
Introduction to Information security ppt
krishkiran2408
 
PPTX
Introduction to Information security ppt
krishkiran2408
 
PPT
How Do You Create A Successful Information Security Program Hire A Great Iso!!
Tammy Clark
 
PPTX
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
PPTX
Know more about exin unique information security program
Elke Couto Morgado
 
PPTX
Dancyrityshy 1foundatioieh
Anne Starr
 
PPT
Is awareness government
Hamisi Kibonde
 
PPTX
Business information security requirements
gurneyhal
 
PPTX
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
Tammy Clark
 
PPTX
Security Baselines and Risk Assessments
Priyank Hada
 
PPTX
Kick off Meeting Presentation to Framingham State Information Security Council
plaughran
 
PPT
Introduction to information security
Kumawat Dharmpal
 
PPT
01Introduction to Information Security.ppt
it160320737038
 
PDF
Security Level Analysis of Academic Information Systems Based on Standard ISO...
IJCSIS Research Publications
 
Supplement To Student Guide Seminar 03 A 3 Nov09
Tammy Clark
 
Information Security Blueprint
Zefren Edior
 
Chapter 7 Managing Secure System.pdf
AbuHanifah59
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Tammy Clark
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
phanleson
 
Security Foundation and Incident Mgmt and BCMS.pptx
MohsenMojabi1
 
Introduction to Information security ppt
krishkiran2408
 
Introduction to Information security ppt
krishkiran2408
 
How Do You Create A Successful Information Security Program Hire A Great Iso!!
Tammy Clark
 
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
Know more about exin unique information security program
Elke Couto Morgado
 
Dancyrityshy 1foundatioieh
Anne Starr
 
Is awareness government
Hamisi Kibonde
 
Business information security requirements
gurneyhal
 
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
Tammy Clark
 
Security Baselines and Risk Assessments
Priyank Hada
 
Kick off Meeting Presentation to Framingham State Information Security Council
plaughran
 
Introduction to information security
Kumawat Dharmpal
 
01Introduction to Information Security.ppt
it160320737038
 
Security Level Analysis of Academic Information Systems Based on Standard ISO...
IJCSIS Research Publications
 

Start With A Great Information Security Plan!

  • 1. Start With A Great Information Security Plan! Tammy L. Clark, CISO, Georgia State University William Monahan, Lead Information Security Administrator, Georgia State University
  • 2. Why ISO 17799? The ISO 17799:2005 standard lends itself well to developing and defining information security program initiatives in a higher education environment ISO/IEC 17799:2005 provides best practice recommendations (133 controls) on information security management for use by those who are responsible for initiating, implementing or maintaining information security management systems. Information security is defined within the standard as the preservation of: Confidentiality (ensuring that information is accessible only to those authorized to have access) Integrity (safeguarding the accuracy and completeness of information and processing methods) and Availability (ensuring that authorized users have access to information and associated assets when required).
  • 3. Georgia State University’s Information Security Plan Two years ago, our CIO was tasked by the Board of Regents in Georgia to submit an information security plan. We elected to provide a plan that was both comprehensive and holistic, and we chose to frame it around the ISO 17799 standard, as it advocates a very strategic, risk management based approach Looking back, this was a very ambitious undertaking that first year, since we only have three dedicated information security staff resources, and examining all of the recommended controls in the ISO 17799 was a very time consuming and (at times) difficult process We then went a few steps further and made an assessment of the current state of security in each domain area and defined prioritized objectives to accomplish each year. Each year, we modify our plan to reflect changing priorities and demands We are currently in the planning stages of integrating ITIL (IT Infrastructure Library) and COBIT (Control Objectives for Information and related Technology)
  • 4. 12 Domains of ISO 17799:2005 Risk Assessments Security Policies Information Security Organization Asset Management Human Resources Physical and Environmental Security Communications and Operations Management Access Control Information Systems Acquisition, Development, and Maintenance Information Security Incident Management Business Continuity Management Compliance
  • 5. Benefits of Using the ISO 17799 Framework It’s comprehensive and requires an in depth analysis of business and IT processes. A great deal of time and effort will go into this initially, but when all is said and done, you will have prioritized action plans you can use to make immediate improvements. You will have a great opportunity to bridge the communication gap that often exists between information technology and business/academia. You can begin to erase the perception that information security only affects information technology, as you integrate your information security initiatives into business and academic processes and initiatives. You can use this plan to clarify to upper management what measures need to be taken at your campus to comply with university policies and legislative requirements (HIPAA, GLBA, PCI, etc.) that often require a very complex information security infrastructure. You can effectively demonstrate to your university leadership constituency that instituting adequate preventative controls and measures is necessary in order to prevent data leakages and compromises of institutional assets.
  • 6. Using ISO 17799:2005 to Develop an Information Security Plan Overview of domains and objectives Ideas on assessing the current state of security at your university Coming up with proposed action plan items Building out a comprehensive appendix with supporting documentation Integrating ITIL and COBIT objectives (optional)
  • 7. Executive Summary State that senior level management support and validation of your information security program is critical to its success Amplify how accomplishing the roadmap objectives you’re outlining in this plan will directly impact and enable your university’s strategic goals—academic, business, and information technology. Stress that this plan clearly demonstrates the need to institute an evolving cycle of continuous improvements in areas such as regulatory compliance, preservation of the confidentiality and integrity of university data, and availability of the critical business and information technology infrastructure
  • 8. Opening Sections of Your Plan Scope: Applicability (Staff, faculty, students, affiliates, third parties) Structure (ISO 17799:2005) Explanation of the format (14 domains) Annual validation process (continuous cycle of improvement, review, and acceptance/adoption) Terms and definitions
  • 9. Risk Assessment and Treatment Two major areas: Assessing Security Risks and Treating Security Risks Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
  • 10. Security Policy Information Security Policies Information Security policies provide direction and support for information security iaw university requirements and relevants laws and regulations Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
  • 11. Organization of Information Security Two major areas: Internal organization and External parties A robust information security infrastructure must be developed that includes incident response activities, security awareness education, security policies, third party compliance with university policies and requirements, and the deployment of effective security solutions that deter the activities of unauthorized persons Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
  • 12. Asset Management Two major areas: Responsibility for Assets and Classification Guidelines Inventories and classification of assets helps ensure that effective asset protection takes place, is an important aspect of risk management, and may also be required for other business purposes such as health, safety, and federal regulations. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
  • 13. Human Resources Security Three major areas: Prior to employment, During employment, and Termination or change of employment Throughout the employment cycle (hiring, current status, and termination/changes) information security procedures must be implemented to reduce the risks of human error fraud, and misuse of university resources Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
  • 14. Physical and Environmental Security Three major areas: Secure areas, Equipment security, General controls Important business information processing facilities should reside in secure areas with appropriate security barriers and entry controls, and the protection applied should be commensurate with risks Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
  • 15. Communications and Operations Management 10 major areas: Operational procedures and responsibilities, Third party service delivery management, System planning and acceptance, Protection against malicious and mobile code, Back-up, Network security management, Media handling, Exchange of information, Electronic commerce services, Monitoring Policies for the management and operation of all university information processing facilities should be established, codified, and communicated to all employees and third parties doing business with the university in order to ensure correct and secure operation. Capacity planning and back-up strategies are important, as is proper handling of media disposal and storage. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
  • 16. Access Control Eight major sections: Business requirement for access control; User access management, User responsibilities, Network access control, Operating system access control, Application and information access control, Monitoring system access and use, Mobile computing and telecommuting Access to university information and business processes should be controlled on the basis of business and security requirements according to university policies and procedures. Users must be made aware of their responsibilities in this process and standard and procedures developed and implemented to assist in mitigation of risks. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
  • 17. Information Systems Acquisition, Development and Maintenance Six major sections: Security requirements of information systems, Correct processing in applications, Cryptographic controls, Security of system files, Security in development and support processes, Technical vulnerability management Security reviews are necessary to ensure that controls and security requirements become a part of the overall design process. Cryptographic controls are necessary to assure confidentiality, authenticity, and integrity of sensitive information at risk. Technical vulnerability management systems should be implemented in an effective, systematic, and repeatable way with measurements taken to confirm effectiveness. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
  • 18. Information Security Incident Management Two major sections: Reporting information security events and weaknesses and Management of information security incidents and improvements Formal event reporting and escalation procedures should be in place. All employees, contractors, third party users should be made aware of the procedures for reporting different types of events and weaknesses that might have an impact on the security of organizational assets to the designated POC. Responsibilities and procedures should be in place to handle information security events weaknesses effectively once reported. A process of continuous improvement should be instituted to monitor, respond, evaluate and manage information security incidents. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
  • 19. Business Continuity Management Information security aspects of business continuity management In order to prevent disruption to business activities, as well as protect critical business processes from the effects of major failures or disasters, the development of a comprehensive University Disaster Recovery/Business Continuity Plan is necessary. The plan should call for risk analyses to determine the impact of business disruptions, identify priorities for testing, maintenance and activation, as well as outline specific processes to follow in the event of disruptions, including identification of the individuals or departments responsible for execution of each component of the plan. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
  • 20. Compliance Three major areas: Compliance with legal requirements, Compliance with security policies and standards, and technical compliance, System audit consideration Universities are obligated to protect information types defined under FERPA, GLBA, HIPAA, Digital Millennium Act, CC 42CFR Part 73, ECPA and various other state and federal statutes or guidelines. It is also necessary to ensure compliance of information technology systems with university policies and standards. It is desirable to maximize the effectiveness of system audits and to minimize business disruptions due to vulnerability and/or penetration tests performed on university information technology resources. Assess the state of security by addressing competencies or deficiencies Come up with proposed action items—policies, procedures, initiatives to improve upon current state of security Provide any references used to determine above
  • 21. (Sample) Appendices Items Sensitive Services Information security documentation Information security technical control matrix Credit card merchants Examples of outsourced contracts to 3 rd parties HIPAA compliance Sample risk assessment report Email servers requiring periodic security reviews Proposed Action Item Matrix CSIRT membership
  • 22. ITIL Integration Information security is an integral part of all business processes and serves as a support structure and success enabler of key business objectives ITIL and ISO 17799:2005 are compatible in that both seek to establish an effective risk management approach that promotes continuous information security planning, development of policies to support initiatives, risk analyses, controls and operational measures, compliance, metrics, and audits While ISO 17799:2005 identifies the best practices and elements that should be developed to manage an effective and robust information security program, ITIL devises formal processes that translate to customer requirements, business and IT processes, and thus provide a common ‘language’ between the business customer, the IT provider, and the Information Security program initiatives and controls,
  • 23. ITIL Information Security Model Key components of the ITIL process-based Information Security approach are: Understanding of customer requirements and business needs—provide security awareness to customer Service level agreements--internal and external information security requirements Planning—Strategic, Tactical and Operational Controls—information security management framework Implementations—asset classification & control, security staffing requirements, physical security, secure computer & network management, systems access control and user access management Evaluations—information security risk analyses, reviews and audits Maintenance—continuous cycles of modifications and improvements Reporting—reports and metrics
  • 24. COBIT Integration COBIT provides a framework for IT governance, providing management tools such as metrics and maturity modeling to complement a control framework COBIT can be integrated into ISO 17799:2005 to assist with communicating management aims and direction, compliance, refining information classification, access controls, information security program infrastructure, human resources (job definitions and staffing), operational procedures and responsibilities
  • 25. COBIT Information Security Model Four broad areas that contain specific objectives overlay the processes and domains outlined in ISO 17799:2005 and ITIL: Plan and Organize Acquire and Implement Deliver and Support Monitor and Evaluate
  • 26. Final Considerations The reason we chose to develop our campus information security plan under ISO 17799:2005 and are now in the planning stages of integrating ITIL and COBIT is because we believe that an effective information security program integrates business/academic processes and initiatives with IT and information security objectives The frameworks discussed allow your information security staffs to speak a ‘common’ language with the functional/business executives at your institution, which ultimately promotes a dialogue that leads to increased understanding and better definition of risks and vulnerabilities. While we advocate that ISO 17799:2005 strongly lends itself for adoption by higher education institutions in its comprehensive approach to designing a robust information security program, we advise “picking and choosing” from the ITIL and COBIT frameworks to enhance your understanding and fine tune specific areas of your plan, especially in developing continuous cycles of measurements and improvements. Developing a comprehensive plan, with actionable information security objectives that are tied and aligned with both technology and business goals and processes, can assist you in making the case for funding and staffing resources because information security will be seen as a critical success factor to your institution and it also provides a way for you to effectively communicate with your business and academic leaders and really get their attention!
  • 27. Resources ISO 17799:2005: http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3 ISO/IEC 17799 – Wikipedia: http://en.wikipedia.org/wiki/ISO_17799 OGC-ITIL website: http://www.itil.co.uk/ ITIL – Wikipedia: http://en.wikipedia.org/wiki/ITIL ISACA – COBIT: http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981 COBIT – Wikipedia: http://en.wikipedia.org/wiki/COBIT Georgia State University Information Systems Use Policies: http://www2.gsu.edu/~wwwccs/doc/uccs/policy/pol/archpolicy.htm
  • 28. Questions? Copyright Tammy L. Clark, October 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Editor's Notes

  • #3: ISO/IEC 17799 is an information security standard published and most recently revised in 2005 by the International Organization for Standardization and the International Electrotechnical Commission. It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version published in 2000, which was itself a word-for-word copy of the British Standard BS 7799-1:1999.
  • #10: Examples: State of Security: Adoption of Risk Assessment Policy in November 2005; Information security risk assessments performed using the methodology outlined in National Institute of Science and Technology (NIST) SP 800-30 Risk Management Guide for Information Technology Systems, and incorporate relevant university policies and procedures. Proposed Action Items: Develop standard criteria that departments can use in conducting preliminary analysis of potential IT system candidates; Develop supporting documentation and procedures to support the risk assessment policy and for periodic reassessments of systems and data Impact: The Risk Assessment policy adopted in November 2005 has led to approximately 50 risk assessments being conducted in 2006 so far, that led to mandatory information security controls, policies, procedures and guidelines being put in place to protect the university’s information technology infrastructure.
  • #11: State of Security: The Statutes of Georgia State University provide for the internal governance of this University Proposed Action Items: Establish a schedule and process for periodic review; modify security awareness course to include domain on security policies, Adopt a policy mandating all students and staff complete security awareness course; Coordinate with internal audit to focus attention on areas of concern in regards to policy compliance Impact: Conducting risk assessments of university business and IT initiatives has led to the revision or institution of new information security policies that better define the responsibilities of those who manage information technology assets and information, as well as numerous procedures and guidelines that specify what needs to be done to safeguard it from unauthorized access and usage
  • #12: State of security: 2000—Information Security department created and a number of initiatives developed to provide the campus with enhanced resources, knowledge, and leadership Proposed Action Plan Items: Reassess current information security needs of university; Investigate training and procedures to allow assumption of routine tasks by other elements of central IT org; Develop procedures for operation of CSIRT; Develop and maintain security architecture; develop and implement criteria and processes for eval of risks associated with third party access Impact: Management commitment is critical in order to acquire funding and staffing resources. A CISO and dedicated, highly trained information security resources are necessary to manage and maintain a successful information security program.
  • #13: State of security: Property Control Policy; Data Stewardship and Access Policy Proposed Action Items: Implement asset tracking for critical information technology equipment that falls outside span of control of Property Control Policy; Review procedures and policies governing control of access to sensitive information and review/approval of continuing access Impact: In order to get your arms around what needs to be protected, this is a critical step!
  • #14: State of Security: Credit checks, criminal background investigations, defining information security related job duties in position descriptions, security awareness training requirements, identity management initiatives Proposed Action Plan items: Incorporate information security duties into job descriptions; mandated security awareness training; utilize IDM to assure appropriate access and authorization to university information and IT resources Impact: Implementing an identity management system to provision and deprovision id’s in a timely manner; online class has made it easy and convenient to administer security awareness training, which is critical for the campus user population
  • #15: State of security: Restrict physical entry into the Data Operations Center; prevent loss, damage or compromise of information technology assets; minimize exposure to flooding unauthorized access, fire, corrosive agents, and potential hazards Proposed Action items: Approve Network Operation Center Access Policy and Telecomm Room Access and Key Policy; install monitoring and recording equipment for tracking environmental changes; Implement necessary changes to mechanical systems within the NOC Impact: Part of the process of analyzing this particular domain area is assessing power and A/C in the network operations center—the ISO 17799 standard really leads to you taking an indepth view of the controls in each domain area
  • #16: State of security: Knowledgebase in the NOC and HelpCenter; Central database repository for disparate data sources to dynamically record all devices; CSIRT mobilization; performance of risk assessments; devising acceptance criteria for new centrally managed information systems, et al; implement controls to prevent and detect unauthorized or malicious software (defense in depth); Adequate back-up plans and facilities; security management controls—centralized and distributed; Secure Disposal or Re-Use of Information Systems Equipment; Email System Acceptable Use and Security Policy; Compliance with PCI and CISP; continuous, dynamic network monitoring from a central location Proposed Action Items: Consolidated knowledge Base; Critical Outage procedures; Standards and procedures for implementing third party service delivery solutions; develop and implement IT Infrastructure Master Plan and IT Project Portfolio review; select and deploy additional security technologies to bolster internal defenses; conduct reviews of back-up strategies on system by system basis; review through data steward structure the procedures for approving and protecting exchange of sensitive university data between systems and to individual end users; develop standard methodology for processing credit card transactions; examine feasibility of single monitoring application or appliance Impact: Codify all your IT and information security procedures—an area where ITIL and COBIT can be integrated effectively
  • #17: State of security: In accordance with existing policy, all university information is used with appropriate access levels and sufficient assurance of integrity, confidentiality, and compliance with laws and statutes; IDM, Minimum Information Security Environment Policy and Information Systems Ethics Policy; Password complexity controls that adhere to Sensitive Information Protection Policy and supporting procedures; Remote Access Policymandating use of VPN and approved methods; procedures for restricting access to production environments based on business requirements of functional customer and control by security administrators; Wireless Access Policy mandating use of VPN Proposed action items: IDM implementation; mandated password complexity in sensitive areas assured by technical controls; network access authentication requirements assured by technical controls Impact: Tightening up the controls on accessing information on your network—including third parties doing business with the university and remote users
  • #18: State of security: Information Risk Assessment policy approved in Nov 2005; Data Stewardship and Access Policy; Remote Access policy; institution of standard cryptographic controls; acquisition of multiple vulnerability assessment technologies used to scan devices in support of university policies and information security initiatives Proposed Action items: Continued research of vulnerability assessment technologies that can be integrated with various security monitoring systems Impact: Support the risk assessment process in which you analyze information technology projects and business processes in seeking to implement consistent, effective controls
  • #19: State of security: Incident Response Policy and associated procedures; modification of technical controls routinely to mitigate threats. Proposed action items: Continued development of CSIRT procedures as needed; Training and simulation of events conducted with CSIRT members Impact: Face it—criminal activities using computers are on the upswing and the CSIRT, effective policies and procedures, as well as trained staff members with forensics knowledge, are all critical in order to properly handle forensics and evidence seizures from a legal standpoint
  • #20: State of security: Development of a comprehensive Disaster Recovery/Business Continuity plan State of security: Funded and staffed commitment to Business Continuity plan and associated Disaster Recovery Plan Impact: Having a business continuity plan is critical
  • #21: State of security: Secure Computing Initiative that mandates specified levels of protection to systems and assets that fall under compliance requirements; risk assessments to identify areas of the campus that fall under specific regulations/statutes; vulnerability assessments and limited penetration testing; security reviews and audits; qualified CISA’s in information security and/or internal audit departments Proposed Action Plan items: Conduct periodic information technology reviews and audits; HIPAA Sanction Policy; provide procedures and training to Internal Audit personnel; Mandate completion of advanced information security awareness course for IT personnel that support/manage areas which are subject to compliance or to be audited Impact: Assessing what resources, funding and controls are necessary to comply with university policies and federal statutes is a big benefit of the plan. This information can be used to appeal to higher ups at your university in terms they understand.