Copyright © 2014 Rochester Institute of Technology
UNYCC
Information Security
Discussion
Facilitated by
Rochester Institute of Technology
February 24, 2014
Agenda
• Policy
• Jonathan Maurer, Information Security Officer
• Security Awareness
• Ben Woelk, Program Manager
• Penetration Testing
• Paul Lepkowski, Enterprise Information Security Lead Engineer
About RIT
• RIT Environment
– 18,000 students
– 3,500 faculty and staff
– International Locations
– ~40,000+ systems on the network at any given time
– Very skilled IT security students
• RIT ISO
– 4 full time
• Information Security Officer
• Program Manager
• Lead Security Engineer
• Sr. Forensics Investigator
– 4+ student employees
• Mix of co-op and part-time
Information Security Policy
Jonathan Maurer
Information Security Officer
RIT Information Security Office
February 24, 2014
Agenda
• Policy Introduction
• Architecture
• Types of Policies
• Example Components
• Policy Development
• Ingredients
• Processes
• Discussion
Policy Introduction
Policy Introduction
• Policy is the essential foundation of an effective information security program
• Policy objectives
– Reduced risk
– Compliance with laws and regulations
– Assurance of confidentiality, integrity and continuity of operations (availability)
• Policies are the least expensive means of control and often the most difficult to implement
Policy Considerations
• Basic rules for shaping a policy
– Policy should never conflict with law
– Policy must be able to stand up in court if challenged
– Policy must be properly administered
• Policies are important reference documents
– For internal audits
– For the resolution of legal disputes about management's due diligence
– Policy documents can act as a clear statement of management's intent
Policy Architecture
• Policies
– Enterprise information security program policy
– Issue-specific information security policies
• Standards
– A more detailed statement of what must be done to comply with policy
• Practices
– Procedures and guidelines explain how employees will comply with policy
Policies, Standards, & Practices
Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for organization’s security efforts
• Assigns responsibilities for various areas of information security
• Guides development, implementation, and management requirements of information security program
Example EISP Components
• Statement of purpose
– An overview of the organizational philosophy on security
• Information technology security elements
– Defines information security
• Need for information technology security
– Justifies importance of information security in the organization
• Information technology security responsibilities and roles
– Defines organizational structure
• Reference to other information technology standards and guidelines
Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
– Begins with introduction to fundamental technological philosophy of the organization
– Instructs the organization in secure use of technology systems
• Protects organization from inefficiency and ambiguity
– Documents how the technology-based system is controlled
– Identifies the processes and authorities that provide this control
• Indemnifies the organization against liability for an employee’s inappropriate or illegal system use
Example ISSP Components
• Statement of Purpose
– Scope and applicability
– Definition of technology addressed
– Responsibilities
• Authorized Access and Usage of Equipment
– User access
– Fair and responsible use
– Protection of privacy
• Prohibited Usage of Equipment
– Disruptive use or misuse
– Criminal use
– Offensive or harassing materials
– Copyrighted, licensed or other intellectual property
– Other restrictions
• Systems management
– Management of stored materials
– Employer monitoring
– Virus protection
– Physical security
– Encryption
• Violations of policy
– Procedures for reporting violations
– Penalties for violations
• Policy review and modification
– Scheduled review of policy and procedures for modification
• Limitations of liability
– Statements of liability or disclaimers
Standards
• A more detailed statement of what must be done to comply with policy
• Articulate requirements for Technology, People and Processes
Practices
• Procedures and guidelines explain how employees will comply with policy
• Reasons to separate out practices from standards:
– Needs to be known by a small population
– Requires more frequent change than review processes allow
– Provides the Information Security Office professional judgment and discretion
– Protects confidential details from unauthorized parties
Policy Development
Policy Ingredients
External
• Laws
• Security Standards
• Best Practices
• Benchmarks
Internal
• Governance
• Strategy
• Management
• Environment
• Culture
Policies, Standards and Practices
Planning
“Plans are meaningless,
Planning is everything.”
- Dwight Eisenhower

1 ORGANIZE → 2 DRAFT → 3 REVIEW → 4 COMMUNICATE → 5 IMPLEMENT → Maintain (repeat)
Process > Output
Key Activities
• Organize
– Develop governance process
– Clarify roles and responsibilities
– Fill roles with key stakeholders
• Draft
– Determine goals
– Consider ingredients
– Write policies
• Review
– Review as dictated by governance process
– Identify issues, gaps and implications
• Communicate
– Management support
– Distribution mechanisms
– Training & Awareness
• Implement
– Resource prioritization and allocation
– Impacted organizations implement policies
Key Deliverables
• Organize: Structure and team
• Draft: Draft policies
• Review: Revised policies
• Communicate: Educated community
• Implement: Compliance with policies
Maintain
3 Completely Different Processes
Key Learnings
RIT Key Learnings
• Key Learnings
– Author to Facilitator
• Role shift for ISO during processes
– Patience is a virtue
• Tortoise and the Hare
• More heterogeneous = more complicated governance process
– Short and Simple
• Plain language
• Object-oriented
– Communication is key
• Means disseminated, read, understood, agreed-to, and uniformly enforced. Understanding > Compliance
• Exception Process
Experiences of Other Universities and Colleges
Security Awareness and Training
Ben Woelk
Program Manager
RIT Information Security Office
February 24, 2014
Overview
• Basic Security Awareness Principles
• What we’re doing at RIT
• What other colleges and universities are doing
EDUCAUSE Resources
• EDUCAUSE HEISC A&T Working Group
• Cybersecurity Awareness Resource Library
– https://wiki.internet2.edu/confluence/display/itsg2/Cybersecurity+Awareness+Resource+Library
• Security Awareness Quick Start Guide
– https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Quick+Start+Guide
• Security Awareness Detailed Instruction Manual
– https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Detailed+Instruction+Manual
HEISC Quick Start Guide Overview
1. Establish an Information Security Program
2. Develop a Security Awareness Plan
3. Adopt and Modify “Key Messages”
4. Establish a Security Awareness Website
5. Use HEISC Awareness Posters and Videos
Quick Start Guide
6. Present “Key Messages” and Campus Resources in Existing Training Venues
7. Publish Original or Republish HEISC Articles (or Ads) in Existing Campus Publications
8. Participate in National Cyber Security Awareness Month (NCSAM)
9. Measure the Effectiveness of Your Program Annually
10. Automate Services (Feeds, etc.)
Establish an Information Security Program
• Information Security Guide: Effective Practices and Solutions for Higher Education
– https://wiki.internet2.edu/confluence/display/itsg2/Home
Develop a Security Awareness Plan
• Components
– Audience analysis
– Key messages
– Communications channels
– Calendar of promotions
– Develop relationships
Audience Analysis
• Who are your audiences?
• How do they communicate now?
Key Messages
• Short and Simple
Communications Channels
Calendar of Promotions
Education, Training & Awareness
• Awareness
– ISO Website: comprehensive information on RIT Information Security
– Social Media: 6100 Facebook fans (320 posts); 1400 Twitter followers (270 tweets)
– Phishing and Poster Campaigns
– Alerts / Advisories: approx. 20 annually
• Training
– New Student Orientation: all incoming students
– Digital Self Defense Training: hundreds of employees trained since inception
– McAfee Training: 10 IT staff trained
– Incident Handling and DR Training
• Education
– GCCIS Courses: Enterprise Security; Cyber Self Defense
– FBI Infragard Meetings
– Rochester Security Summit
RIT Infosec Website
RIT Social Media
Posters
Alerts and Advisories
Lightning Talks
Experiences of Other Universities and Colleges
Penetration Testing
Paul Lepkowski
CISM, CISSP, GIAC-GPEN
Enterprise Information Security Lead Engineer
RIT Information Security Office
February 24, 2014
Introduction
• More focus on concepts and not as much on tools
• Why Pen Test?
– Deeper than vulnerability scans
– Actually confirm if systems may be penetrable
– Verify vulnerabilities
– Determine what data an attack might expose
Available Certifications
• GIAC-GPEN
• CEH
Pen Tests At RIT
• Done on an arranged basis
• Typically internal
• Security reviews
• Scheduled audits
• Automated and manual methods
• Using several methods and tools
– Metasploit Pro
– Core Impact – we discontinued this – cost
– Kali Linux
Internal or External
• Internal
– Only if you have the skillset on staff
– Certified staff
– Done from the inside network
– Some or significant knowledge about network
– Minimal recon phases needed
• External
– Expensive
– May have more capabilities from off-campus
Pen Testing – Planning Areas
Pen Testing - Planning
• Determine scope
• Determine who
• Non-disclosure agreement
• Gather inventory
• Determine schedule
• Determine tools
• Determine whether security controls should be on or off during the test
• Decide whether systems are tested as is or patched first
Planning (con’t)
• Communication plan
• Boundaries if penetration happens
• Written permission
• Plan of attack
• System preparation
Implementation
• Follow your plan
• Be careful with improvising – legal and scope issues
• If security control changes are needed (e.g. firewall rule changes), contact the owners of those controls
• Fill out your checklist
• Monitor the tests
Implementation (con’t)
• Be ready for phone calls/emails if testing causes problems
• Need to be able to stop testing immediately if problems arise
• Try to multi-task without creating extra noise
• Exploitation?
• Remember to close any firewall rules that were opened for the testing window!
Reporting
• Who
– Customer
– ISO
– Audit?
• What
– Introduction
– Scope
– Tested systems / applications
– Results
Reporting (con’t)
• Risks
– Penetrations?
• How
• What data accessed
• Could data be viewed, modified, deleted, moved
• System integrity
• Listener?
• Payload (malware) install?
Reporting (con’t)
• Suggested remediations / prevention
– Patch
– Configuration
– Policies
– Additional security controls
• Timing
– Issue report right away, depending on severity of issues
Experiences of Other Universities and Colleges
 
ICS 2208 Lecture Slide Notes for Topic 6
ICS 2208 Lecture Slide Notes for Topic 6ICS 2208 Lecture Slide Notes for Topic 6
ICS 2208 Lecture Slide Notes for Topic 6
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHS
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
 
CHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptxCHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptx
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITW
 

UNYCC Information Security Discussion

1. UNYCC Information Security Discussion
Facilitated by Rochester Institute of Technology
February 24, 2014
Copyright © 2014 Rochester Institute of Technology

2. Agenda
• Policy – Jonathan Maurer, Information Security Officer
• Security Awareness – Ben Woelk, Program Manager
• Penetration Testing – Paul Lepkowski, Enterprise Information Security Lead Engineer

3. About RIT
• RIT Environment
– 18,000 students
– 3,500 faculty and staff
– International locations
– ~40,000+ systems on the network at any given time
– Very skilled IT security students
• RIT ISO
– 4 full time: Information Security Officer, Program Manager, Lead Security Engineer, Sr. Forensics Investigator
– 4+ student employees (mix of co-op and part-time)

4. Information Security Policy
Jonathan Maurer, Information Security Officer, RIT Information Security Office
February 24, 2014

5. Agenda
• Policy Introduction
– Architecture
– Types of Policies
– Example Components
• Policy Development
– Ingredients
– Processes
• Discussion

6. Policy Introduction

7. Policy Introduction
• Policy is the essential foundation of an effective information security program
• Policy objectives
– Reduced risk
– Compliance with laws and regulations
– Assurance of confidentiality, integrity and continuity of operations (availability)
• Policies are the least expensive means of control and often the most difficult to implement

8. Policy Considerations
• Basic rules for shaping a policy
– Policy should never conflict with law
– Policy must be able to stand up in court if challenged
– Policy must be properly supported and administered
• Policies are important reference documents
– For internal audits
– For the resolution of legal disputes about management's due diligence
– Policy documents can act as a clear statement of management's intent

9. Policy Architecture
• Policies
– Enterprise information security program policy
– Issue-specific information security policies
• Standards
– A more detailed statement of what must be done to comply with policy
• Practices
– Procedures and guidelines explain how employees will comply with policy

10. Policies, Standards, & Practices

11. Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for the organization's security efforts
• Assigns responsibilities for various areas of information security
• Guides development, implementation, and management requirements of the information security program

12. Example EISP Components
• Statement of purpose – An overview of the organizational philosophy on security
• Information technology security elements – Defines information security
• Need for information technology security – Justifies the importance of information security in the organization
• Information technology security responsibilities and roles – Defines organizational structure
• Reference to other information technology standards and guidelines

13. Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
– Begins with an introduction to the fundamental technological philosophy of the organization
– Instructs the organization in the secure use of technology systems
• Protects the organization from inefficiency and ambiguity
– Documents how the technology-based system is controlled
– Identifies the processes and authorities that provide this control
• Indemnifies the organization against liability for an employee's inappropriate or illegal system use

14. Example ISSP Components
• Statement of Purpose
– Scope and applicability
– Definition of technology addressed
– Responsibilities
• Authorized Access and Usage of Equipment
– User access
– Fair and responsible use
– Protection of privacy
• Prohibited Usage of Equipment
– Disruptive use or misuse
– Criminal use
– Offensive or harassing materials
– Copyrighted, licensed or other intellectual property
– Other restrictions
• Systems Management
– Management of stored materials
– Employer monitoring
– Virus protection
– Physical security
– Encryption
• Violations of Policy
– Procedures for reporting violations
– Penalties for violations
• Policy Review and Modification
– Scheduled review of policy and procedures for modification
• Limitations of Liability
– Statements of liability or disclaimers

15. Standards
• A more detailed statement of what must be done to comply with policy
• Articulate requirements for Technology, People and Processes

16. Practices
• Procedures and guidelines explain how employees will comply with policy
• Reasons to separate practices from standards:
– Needs to be known by a small population
– Requires more frequent change than review processes allow
– Gives the Information Security Office professional judgment and discretion
– Protects confidential details from unauthorized parties

17. Policy Development

18. Policy Ingredients
• External: Laws; Security Standards; Best Practices; Benchmarks
• Internal: Governance; Strategy; Management; Environment; Culture
• Output: Policies, Standards and Practices

19. Planning
"Plans are meaningless, Planning is everything." – Dwight Eisenhower

20. Policy Development Process (Process > Output)
Key activities and key deliverables for each step; the cycle repeats under "Maintain".
1 ORGANIZE
• Key activities: Develop governance process; Clarify roles and responsibilities; Fill roles with key stakeholders
• Key deliverable: Structure and team
2 DRAFT
• Key activities: Determine goals; Consider ingredients; Write policies
• Key deliverable: Draft policies
3 REVIEW
• Key activities: Review as dictated by governance process; Identify issues, gaps and implications; Management support
• Key deliverable: Revised policies
4 COMMUNICATE
• Key activities: Distribution mechanisms; Training & awareness
• Key deliverable: Educated community
5 IMPLEMENT
• Key activities: Resource prioritization and allocation; Impacted organizations implement policies
• Key deliverable: Compliance with policies

21. 3 Completely Different Processes

22. Key Learnings

23. RIT Key Learnings
• Key Learnings
– Author to Facilitator
• Role shift for the ISO during the process
– Patience is a virtue
• Tortoise and the Hare
• More heterogeneous = more complicated governance process
– Short and Simple
• Plain language
• Object-oriented
– Communication is key
• Means disseminated, read, understood, agreed-to, and uniformly enforced; Understanding > Compliance
• Exception process

24. Experiences of Other Universities and Colleges

25. Security Awareness and Training
Ben Woelk, Program Manager, RIT Information Security Office
February 24, 2014

26. Overview
• Basic security awareness principles
• What we're doing at RIT
• What other colleges and universities are doing

27. EDUCAUSE Resources
• EDUCAUSE HEISC A&T Working Group
• Cybersecurity Awareness Resource Library
– https://wiki.internet2.edu/confluence/display/itsg2/Cybersecurity+Awareness+Resource+Library
• Security Awareness Quick Start Guide
– https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Quick+Start+Guide
• Security Awareness Detailed Instruction Manual
– https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Detailed+Instruction+Manual

28. HEISC Quick Start Guide Overview
1. Establish an Information Security Program
2. Develop a Security Awareness Plan
3. Adopt and Modify "Key Messages"
4. Establish a Security Awareness Website
5. Use HEISC Awareness Posters and Videos

29. Quick Start Guide
6. Present "Key Messages" and Campus Resources in Existing Training Venues
7. Publish Original or Republish HEISC Articles (or Ads) in Existing Campus Publications
8. Participate in National Cyber Security Awareness Month (NCSAM)
9. Measure the Effectiveness of Your Program Annually
10. Automate Services (Feeds, etc.)

30. Establish an Information Security Program
• Information Security Guide: Effective Practices and Solutions for Higher Education
– https://wiki.internet2.edu/confluence/display/itsg2/Home

31. Develop a Security Awareness Plan
• Components
– Audience analysis
– Key messages
– Communications channels
– Calendar of promotions
– Develop relationships

32. Audience Analysis
• Who are your audiences?
• How do they communicate now?

33. Key Messages
• Short and simple

34. Communications Channels

35. Calendar of Promotions

36. Education, Training & Awareness (three tiers: Awareness, Training, Education)
• ISO Website – Comprehensive information on RIT information security
• New Student Orientation – All incoming students
• GCCIS Courses – Enterprise Security; Cyber Self Defense
• Social Media – 6100 Facebook fans (320 posts); 1400 Twitter followers (270 tweets)
• Digital Self Defense Training – Hundreds of employees trained since inception
• FBI InfraGard Meetings
• Phishing and Poster Campaigns
• McAfee Training – 10 IT staff trained
• Rochester Security Summit
• Alerts / Advisories – Approx. 20 annually
• Incident Handling and DR Training

37. RIT Infosec Website

38. RIT Social Media

39. Posters

40. Alerts and Advisories

41. Lightning Talks

42. Experiences of Other Universities and Colleges

43. Penetration Testing
Paul Lepkowski, CISM, CISSP, GIAC-GPEN, Enterprise Information Security Lead Engineer, RIT Information Security Office
February 24, 2014

44. Introduction
• More focus on concepts and not as much on tools
• Why pen test?
– Goes deeper than vulnerability scans
– Actually confirms whether systems may be penetrable
– Verifies vulnerabilities
– Determines what data an attack might expose

45. Available Certifications
• GIAC-GPEN
• CEH

46. Pen Tests at RIT
• Done on an arranged basis
• Typically internal
• Security reviews
• Scheduled audits
• Automated and manual methods
• Using several methods and tools
– Metasploit Pro
– Core Impact (discontinued because of cost)
– Kali Linux

47. Internal or External
• Internal
– Only if you have the skill set on staff
– Certified staff
– Done from the inside network
– Some or significant knowledge about the network
– Minimal recon phases needed
• External
– Expensive
– May have more capabilities from off-campus

48. Pen Testing – Planning Areas

49. Pen Testing – Planning
• Determine scope
• Determine who
• Non-disclosure agreement
• Gather inventory
• Determine schedule
• Determine tools
• Decide whether security controls should be on or off
• Decide whether systems are tested as-is or patched first

50. Planning (con't)
• Communication plan
• Boundaries if penetration happens
• Written permission
• Plan of attack
• System preparation

51. Implementation
• Follow your plan
• Be careful with improvising – legal and scope issues
• If security control changes are needed (e.g. firewall rule changes), contact the responsible team
• Fill out your checklist
• Monitor the tests

52. Implementation (con't)
• Be ready for phone calls/emails if testing causes problems
• Be able to stop testing immediately if problems arise
• Try to multi-task without creating extra noise
• Exploitation?
• Remember to close any firewall rules that were opened for the testing window!
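The planning and implementation points above (written scope, agreed test window, temporary firewall rule changes, monitoring the tests and closing the rules afterwards) as an added Python example; this is not code from the RIT presentation, and the Engagement class, the sample networks, timestamps and rule identifiers are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class Engagement:
    """Written scope, test window and temporary firewall rules (constructed)."""
    scope: list                       # in-scope networks as CIDR strings
    start: datetime
    end: datetime
    temp_rules: dict = field(default_factory=dict)   # rule id -> still open?

    def in_scope(self, host: str) -> bool:
        addr = ip_address(host)
        return any(addr in ip_network(net) for net in self.scope)

    def in_window(self, when: datetime) -> bool:
        return self.start <= when <= self.end

    def may_test(self, host: str, when: datetime) -> bool:
        """Implementation: test only agreed systems, only during the agreed window."""
        return self.in_scope(host) and self.in_window(when)

    def open_rule(self, rule_id: str) -> None:
        """Record a firewall rule opened for the testing window."""
        self.temp_rules[rule_id] = True

    def close_rule(self, rule_id: str) -> None:
        self.temp_rules[rule_id] = False

    def rules_left_open(self, now: datetime) -> list:
        """After the window closes, every temporary rule must be closed again."""
        if now <= self.end:
            return []
        return sorted(r for r, is_open in self.temp_rules.items() if is_open)

def audit_activity(eng: Engagement, events: list) -> list:
    """Monitor the tests: flag each (timestamp, target) outside scope or window."""
    problems = []
    for when, host in events:
        if not eng.in_scope(host):
            problems.append(f"{when.isoformat()} {host}: outside written scope")
        elif not eng.in_window(when):
            problems.append(f"{when.isoformat()} {host}: outside test window")
    return problems

# Constructed sample engagement and activity log (not real RIT systems).
SAMPLE = Engagement(
    scope=["10.20.0.0/24", "10.20.5.0/24"],
    start=datetime(2014, 2, 24, 18, 0),
    end=datetime(2014, 2, 24, 23, 0),
)
SAMPLE.open_rule("fw-allow-scanner-to-10.20.0.0/24")
SAMPLE.open_rule("fw-allow-scanner-to-10.20.5.0/24")
SAMPLE.close_rule("fw-allow-scanner-to-10.20.0.0/24")
SAMPLE_EVENTS = [
    (datetime(2014, 2, 24, 18, 30), "10.20.0.15"),  # in scope, in window
    (datetime(2014, 2, 24, 19, 0), "10.20.9.7"),    # never in the written scope
    (datetime(2014, 2, 24, 23, 30), "10.20.5.2"),   # after the window closed
]

if __name__ == "__main__":
    print(*audit_activity(SAMPLE, SAMPLE_EVENTS), sep="\n")
    print("rules still open:", SAMPLE.rules_left_open(SAMPLE_EVENTS[-1][0]))
```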
53. Reporting
• Who
– Customer
– ISO
– Audit?
• What
– Introduction
– Scope
– Tested systems / applications
– Results

54. Reporting (con't)
• Risks
– Penetrations?
• How
• What data was accessed
• Could data be viewed, modified, deleted, moved?
• System integrity
• Listener?
• Payload (malware) install?

55. Reporting (con't)
• Suggested remediations / prevention
– Patch
– Configuration
– Policies
– Additional security controls
• Timing
– Issue the report right away, depending on the severity of the issues

56. Experiences of Other Universities and Colleges