cybersecurity - linda sharp

Post on 20-Nov-2014


SchoolDude University 2009

Cyber Security

Linda Sharp

CoSN Cyber Security Project Director

Understanding the Issues

Four Reasons to Pay Attention to K-12 Network Security

1. Protect data
2. Prevent misuse of resources
3. Prevent interruption of operations (Protecting the Core Mission: Learning)
4. Keep kids safe

Reliance on Technology

• For instructional activities
• For business operations
• For student data and recordkeeping
• For assessment and accountability
• For internal and external communication

Other areas of reliance in your schools?

The Evolution of Intent: From Hobbyists to Professionals

[Figure: threat severity plotted over time (1990, 1995, 2000, 2005, 2007, "What's next?"). Labels: "Financial: Theft & Damage"; "Fame: Viruses and Malware"; "Testing the Waters: Basic Intrusions and Viruses". Caption: Threats becoming increasingly difficult to detect and mitigate.]


Financial Impact

• 2004 – Cyber Attack impact in business was $226 billion

• 2008 – One of top 4 US priority security issues.

• Cyber Crime has overtaken drugs for financial impact.

Legal Impact

• FERPA
• CIPA
• HIPAA
• COPA
• FRCP 34

Legal Impact

• Data
  – Personal, Private, Sensitive Information
• Information Sharing
  – Internal
  – External
• Backup/Restore
  – Where and how

Legal Impact

• Acceptable Use Policies (AUP)
  – Who should sign AUP?
  – What should be included?
    • Internet usage
    • Data protection and privacy
    • Rules/regulations
    • Consequences


Safety vs. Security

• Safety: Individual behavior

• Security: An organizational responsibility

Five Guiding Questions

• What needs to be protected?
• What are our weaknesses?
• What are we protecting against?
• What happens if protection fails?
• What can we do to eliminate vulnerabilities and threats and reduce impacts?

Three Strategic Areas

People

Policy

Technology

Three Action Themes

Prevention

Monitoring

Maintenance

Questions to Ask

• Do we have a security plan?
• Do we have adequate security and privacy policies in place?
  – District Security Rules
  – Legal Review
  – External Controls
• Are our network security procedures and tools up to date?
  – Hardware
  – Software
  – Monitoring
• Is our network perimeter secured against intrusion?
  – Design
  – Laptops
  – Wireless Security
  – Passwords
• Is our network physically secure?
  – Environmental Hazards
  – Physical Security
• Have we made our users part of the solution?
  – Awareness
  – Training
  – Communications
• Are we prepared to survive a security crisis?
  – Backups
  – Redundant Systems
  – Communications Plan
  – Preparedness

Security Planning Protocol

Phase 1: Create Leadership Team & Set Security Goals
Outcome: Security Project Description (goals, processes, resources, decision-making standards)

Phase 2: Risk Analysis
Outcome: Prioritized Risk Assessment. A ranked list of vulnerabilities to guide the Risk Reduction Phase

Phase 3: Risk Reduction
Outcome: Implemented Security Plan. Risk Analysis and Risk Reduction processes must be regularly repeated to ensure effectiveness

Phase 4: Crisis Management
Outcome: Crisis Management Plan. A blueprint for organizational continuity

Leadership Team

• Create Leadership Team and Set Security Goals
• Purpose: Clarify IT’s role in district mission
• Scope: Set boundaries and budgets
• Values: Define internal expectations and external requirements for security

Leadership Team

Leadership Team Personnel

• IT Leadership
• Administrators – district and building
• Legal counsel
• Human resources
• Public relations representative
• Teachers


District Security Checklist

• Self Assessment Checklist

Risk Analysis

• What’s at risk?
• Vulnerabilities and Threats
  – Identify impacts to
    » System
    » People
    » IT organizational issues
    » Physical plant
• Stress Test

Security Planning Grid

| Security Area | Basic | Developing | Adequate | Advanced |
|---|---|---|---|---|
| Management: Leadership | Little participation in IT security | Aware but little support provided | Supports and funds security | Aligns security with organizational mission |
| Technology: Network design and IT operations | Broadly vulnerable | Security roll out is incomplete | Mostly secure | Seamless security |
| Environmental & Physical: Infrastructure | Not secure | Partially secure | Mostly secure | Secure |
| End Users: Stakeholders | Unaware of role in security | Limited awareness and training | Improved awareness, mostly trained | Proactive participants in security |


Security Planning Grid

• Provides benchmarks for assessing key security preparedness factors

• Uses the same topic areas for consistency

• Helps prioritize security improvement action steps


Planning Security Grid

• Prioritize solutions

• Action plan

• Revise SOP

Plan, Test, Plan, Test…

– Scenario: "Despite our best intentions..."

• Financial system backups stored within a vault below ground
• Vault walls are constructed of cinderblocks
• Fire destroys the building
• Very cool to the touch
  -- vault becomes sauna, backup tapes destroyed

Plan, Test, Plan, Test…

XXXXX School District

• Monday, February 11, 2008
• Break-In at XXX. in XXX, CA
• "Smash and Grab" -- 1 computer stolen
• One data file including personally identifiable information on approximately 3,500 school district employees and on the employees of 12 other school districts

Plan, Test, Plan, Test…

• Decision to notify and “how to respond?”

• Notification authority rests with the Superintendent

• Elected to follow aggressive path of notification and openness

• E-Mails, letters, contact person, Website (blog)


The worst case scenario . . .

NO PLAN!


Questions and Comments?


www.securedistrict.org

www.cosn.org


Thank you Sponsors

Linda Sharp

CoSN Project Manager

Cyber Security

IT Crisis Preparedness

linda@cosn.org
