Securing the Open University Network Environment IT Risk Assessment and Security Policy Compliance...
-
Upload
claribel-rodgers -
Category
Documents
-
view
214 -
download
0
Transcript of Securing the Open University Network Environment IT Risk Assessment and Security Policy Compliance...
Securing the Open University Securing the Open University Network Network EnvironmentEnvironmentIT Risk Assessment and Security Policy Compliance Measurement
Kent Knudsen, Texas A & M University
Security Professionals Security Professionals Workshop 2004Workshop 2004
May 18May 18
Copyright 2004 Kent Knudsen. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
© Copyright 2004 – Kent Knudsen, Texas A&M University© Copyright 2004 – Kent Knudsen, Texas A&M University
An Open Network is Like a An Open Network is Like a City . . .City . . . Network lines, like roadways, are open and designed to move trafficNetwork lines, like roadways, are open and designed to move traffic Security varies at the nodes or segmentsSecurity varies at the nodes or segments Secure nodes - Administrative computing requires stronger security, Secure nodes - Administrative computing requires stronger security,
like bankslike banks Minimal Security nodes - Student lab workstations have minimal securityMinimal Security nodes - Student lab workstations have minimal security
like retail storeslike retail stores Nodes with unknown security - Faculty and Student owned computers Nodes with unknown security - Faculty and Student owned computers
have unknown security, have unknown security,
like residential housinglike residential housing Not a perfect analogy, but it Not a perfect analogy, but it
illustrates that security tends illustrates that security tends
to be focused on the nodesto be focused on the nodes
The Result:The Result:
Decentralized SecurityDecentralized Security
© Copyright 2004 – Kent Knudsen, Texas A&M University© Copyright 2004 – Kent Knudsen, Texas A&M University
Challenges of Decentralized Challenges of Decentralized SecuritySecurity
Some departments have full-time, trained IT staff – while other Some departments have full-time, trained IT staff – while other departments rely on student workers (or worse, have no IT staff)departments rely on student workers (or worse, have no IT staff)
Diversity of operating systems (Apple/Mac, Linux, MVS, Novell, Unix, Diversity of operating systems (Apple/Mac, Linux, MVS, Novell, Unix, Windows, etc.) – difficult to be an expert on more than one platformWindows, etc.) – difficult to be an expert on more than one platform
Residential network allowing students to connect their PCs with little or Residential network allowing students to connect their PCs with little or no security protectionno security protection
Libraries must provide access to information resources to both the Libraries must provide access to information resources to both the University populous and the community at largeUniversity populous and the community at large
Research computers funded by grants that have little or no provision for Research computers funded by grants that have little or no provision for security measuressecurity measures
Need a forum to allow IT staff to share best practices and tips on Need a forum to allow IT staff to share best practices and tips on securing the various platformssecuring the various platforms
Who is keeping up with patches and security updates?Who is keeping up with patches and security updates?
© Copyright 2004 – Kent Knudsen, Texas A&M University
Which Security Standard?Which Security Standard?
First, you have to decide upon a security standard . . .
“If you aim at nothing, you’ll hit it every time.”
© Copyright 2004 – Kent Knudsen, Texas A&M University
Which Security Standard?Which Security Standard?
U.S. Standards:If your organization needs a benchmark based on industry best practices, there are some sources available:
State and Local Standards
Obviously, compliance with your state and local security standards should be measured. However, if your state and local standards are incomplete or lacking, there are other standards to consider.
NIST Computer Security Resource Center (csrc.nist.gov)
The NIST CSRC provides several publications (FIPS PUBS) and other documents to serve as standards.
© Copyright 2004 – Kent Knudsen, Texas A&M University
Which Security Standard?Which Security Standard?
U.S. Standards:Additional sources:
Office of Management and Budget (OMB) (www.whitehouse.gov/omb/circulars)
Provides some circulars pertaining to information security of federal systems (A-130 in particular).
DITSCAP – DoD IT Security Certification and Accreditation Process that includes standards (www.dtic.mil)
The Department of Defense provides the DITSCAP process that can serve as a resource for additional security measures.
© Copyright 2004 – Kent Knudsen, Texas A&M University
Which Security Standard?Which Security Standard?
U.S. Standards:
Several U.S. industry and governmental entities have produced guidelines and standards – visit the link below for a comprehensive list.
http://iase.disa.mil/policy.html#ditscap
© Copyright 2004 – Kent Knudsen, Texas A&M University
Which Security Standard?Which Security Standard?
International Standards:
The ISO17799 Standard (www.iso17799-web.com)The ISO17799 Standard is a set of security standards (based on the British Standards Institution - BS 7799) adopted and approved by the ISO, IEC and JTC1 (International Electrotechnical Commission, International Organization for Standardization and Joint Technical Committee) and is available for a fee.
The Common Criteria (www.commoncriteria.org)The Common Criteria project was started in 1993 in order to bring together various standards (TCSEC, ITSEC, etc.) into a single international standard for IT security evaluation.
Centralized Information Security Centralized Information Security ProgramProgram
IT Risk Assessment and Security Policy Compliance Measurement
© Copyright 2004 – Kent Knudsen, Texas A&M University
Texas A&M’s Answer . . .Texas A&M’s Answer . . .
© Copyright 2004 – Kent Knudsen, Texas A&M University© Copyright 2004 – Kent Knudsen, Texas A&M University
“Information Security Program in a box”
ISAAC –
Information
Security
Awareness,
Assessment, and
Compliance
What is ISAAC?What is ISAAC?
© Copyright 2004 – Kent Knudsen, Texas A&M University© Copyright 2004 – Kent Knudsen, Texas A&M University
Centralized Information Security Centralized Information Security ProgramProgram
Assesses the security posture of diverse information systems
Measures compliance with Information Security standards
Security awareness training (focused on various audiences)
Monthly Information Security Forum and e-mail discussion List
Mechanism for reporting security incidents
Guides for creating Business Continuity / Disaster Recovery plans
A checklist for annual inspections of the physical security
ISAACISAAC - a web-based “information security
program in a box”. Thinking inside the box…
© Copyright 2004 – Kent Knudsen, Texas A&M University© Copyright 2004 – Kent Knudsen, Texas A&M University
A Web-based Solution Providing . . .A Web-based Solution Providing . . .
Automated Risk Assessment (standardized)
Security Awareness Training (including validation)
Business Continuity / Disaster Recovery Planning guide
Security Incident Reporting System (web)
Physical Security check list
Security Forms and Templates
What is ISAAC?What is ISAAC?
Non-invasive, platform independent system to inform and assist departmental IT personnel with InfoSec program:
© Copyright 2004 – Kent Knudsen, Texas A&M University© Copyright 2004 – Kent Knudsen, Texas A&M University
Consistent, repeatable baseline assessment
Covers both operational and technical requirements
Most admins can complete an assessment < 2 hrs
Results are combined into an overall assessment
Risk report has a consistent format to assist our “team members”, the auditors
What is ISAAC?What is ISAAC?
A standardized risk assessment process
© Copyright 2004 – Kent Knudsen, Texas A&M University© Copyright 2004 – Kent Knudsen, Texas A&M University
Departmental registration of system types and quantities (useful for sending targeted security alerts, among other things)
What is ISAAC?What is ISAAC?
Centralized databases for collecting required departmental data. The databases provide:
Registration of mission critical information resource owners, custodians, and users (state of Texas requirement)
© Copyright 2004 – Kent Knudsen, Texas A&M University© Copyright 2004 – Kent Knudsen, Texas A&M University
Centralized databases provide (con’t):
The Risk Assessment data is used to produce a composite report for the entire university, including overall percentage of compliance for each policy item on a university-wide basis
What is ISAAC?What is ISAAC?
The Security Awareness Training data is used to generate “certificates” of completion, and can be analyzed to determine the effectiveness of the training program
© Copyright 2004 – Kent Knudsen, Texas A&M University© Copyright 2004 – Kent Knudsen, Texas A&M University
Business Continuity Module:
The Business Continuity / Disaster Recovery Module contains a full-blown guideline for those departments maintaining server/client systems, and a simpler, basic plan for the desktop (peer-to-peer) environment
What is ISAAC?What is ISAAC?
© Copyright 2004 – Kent Knudsen, Texas A&M University© Copyright 2004 – Kent Knudsen, Texas A&M University
The State of Texas requires that once a month, a summary report be filed detailing the month’s security incidents
What is ISAAC?What is ISAAC?
Security Incident Reporting System:
A web-based form for reporting various kinds of security incidents, such as: malicious code attacks, unauthorized access and use, disruption or denial of service, hoaxes, etc.
The SIRS database can be analyzed for trends and to measure effectiveness of various countermeasures
© Copyright 2004 – Kent Knudsen, Texas A&M University© Copyright 2004 – Kent Knudsen, Texas A&M University
What is ISAAC?What is ISAAC?
Physical Security Module:
This module contains a checklist which can be printed and used as a guide for making a visual inspection of the facilities. For example:
Are doors solid, fireproof, and lockable?
Are cabling, plugs, and other wires secured?
Do secure areas have full height walls?
© Copyright 2004 – Kent Knudsen, Texas A&M University© Copyright 2004 – Kent Knudsen, Texas A&M University
What is ISAAC?What is ISAAC?
Security Forms and Templates Module:
This module contains several items. For example:
Promotes participation in the monthly Information Security Forum meetings and email discussion list
Non-Disclosure Agreement template
Computing Ethics / Acceptable Use template for staff
Sample Security Manual
Incident Handling Guide
Recommended security related email lists
© Copyright 2004 – Kent Knudsen, Texas A&M University
ISAAC Because . . . It WorksISAAC Because . . . It Works
First Year of Implementation:
• Achieved 100% participation from all 214 departments represented by 164 system administrators involving 17,000 systems (servers and desktops).
• Produced first ever, composite risk assessment report for the University IT infrastructure.
© Copyright 2004 – Kent Knudsen, Texas A&M University
ISAAC Because . . . Scalable ISAAC Because . . . Scalable SolutionSolution
Large, Decentralized University
Over 44,000 Students
Over 10,000 Faculty
and Staff Over 60,000 nodes
© Copyright 2004 – Kent Knudsen, Texas A&M University
ISAAC Because… Security Best ISAAC Because… Security Best PracticesPractices
The approach of beginning each risk assessment from scratch with a group of people was not practical for our diverse environment – so we reviewed a multitude of assessment methodologies to produce a “best of breed” product
Also, a large number of threats are already known, and security standards have been established, therefore we chose to design a tool that establishes a good security baseline
© Copyright 2004 – Kent Knudsen, Texas A&M University
ISAAC Because . . . Best of Breed ISAAC Because . . . Best of Breed RARA
Assessment based on established NIH risk methodology
Modified to include components of the NIST Special Publication 800-26 and the IAM methodology from NSA
Mainly a qualitative risk assessment with a quantitative risk rating (for prioritizing risk management decisions)
© Copyright 2004 – Kent Knudsen, Texas A&M University
ISAAC Because . . . Part of ISAAC Because . . . Part of Security PolicySecurity Policy
PolicyOnly authorized
personnel allowed toaccess the systems
Standard
All authorized user accounts willbe protected by a password
Procedure, Guideline, Practice
Passwords will be eight characters long, include 1non-alpha character and not be a dictionary word
ISAAC ISAAC
© Copyright 2004 – Kent Knudsen, Texas A&M University
ISAAC Because . . . Assessment ISAAC Because . . . Assessment FlexibilityFlexibility
An annual process that yields an
institutional wide assessment as well as individual assessments that each department can use to evaluate their risks and make risk management decisions.
Three risk assessment types:– “Departmental” (for the servers and clients)– “Desktop” (for peer-to-peer setup)– “Good Net Neighbor” – (for public access or lab
computers)
© Copyright 2004 – Kent Knudsen, Texas A&M University
ISAAC Because . . . Department ISAAC Because . . . Department FlexibilityFlexibility
Assessment report includes a “corrective action” plan that gives the departmental IT staff an opportunity to recommend solutions to management for their consideration
Management has the flexibility to make risk management decisions for implementing the recommendations based on cost-benefit analysis
© Copyright 2004 – Kent Knudsen, Texas A&M University
ISAAC Benefits . . . Easy to ISAAC Benefits . . . Easy to ImplementImplement
The Departmental IT Staff (System Admins) already feel harried and were not sitting idle looking for something to do – so, in consideration of their time, an effective and efficient assessment was key to implementation
We also wanted this new initiative to be palatable, and to garner “buy in” from the departmental managers
We held informational forums, and offered an on-site assistance option via online calendar. (However, ISAAC was so well received, not much assistance was requested)
All this and more done to ease burden, facilitate departmental use, and to smooth implementation
© Copyright 2004 – Kent Knudsen, Texas A&M University
ISAAC Benefits . . . Easily ISAAC Benefits . . . Easily AdaptedAdapted
“Raising the Bar” on security -
Each year ISAAC is evaluated against the current IT environment (new threats, legal and/or regulatory issues, etc.) and modified as necessary.
In addition, any new assessment methodologies are considered for enhancement to ISAAC.
© Copyright 2004 – Kent Knudsen, Texas A&M University
Any Any Questions?Questions?
Contact Information:E-mail: [email protected]
Postal: Computing & Information Services Texas A&M University College Station, TX 77843-3142
Centralized Information Security Centralized Information Security ProgramProgram