Cybersecurity Strategy

… a first look

Brief to Information Technology Committee

Bob Turner UW-Madison CISO

April 17, 2015


What the Cybersecurity Strategic Plan provides…

• A road map to improved cybersecurity within RMF

• Enables complete understanding of the UW-Madison and UW System IT infrastructure that:

  • enables clear view of all routers, switches and hosts;

  • promotes cyber hygiene in connected or virtual environments;

  • facilitates helpful behaviors and drives staff to engineer appropriate defense measures, informed incident response; and

  • consolidates Incident Response capability for campus networks and systems and for UW Common Systems


Aligns to University Strategic Priorities and Initiatives

• Educational Experience: Improve access and affordability; Scale Wisconsin Experience; Improve learning outcomes; Ensure graduate student mentoring; Build innovative professional degrees and other lifelong learning experiences.

• Research and Scholarship: Nurture excellence in research, scholarship, and creative activity; Optimize the research and scholarship infrastructure; Strengthen our influence in national decision-making around research policy and funding; Engage our interdisciplinary strength; Support the continued high level integration of research and education.

• The Wisconsin Idea: Partner to bring value to Wisconsin citizens; Promote economic development through technology-transfer ecosystem; Extend our educational mission to Wisconsin and the world; Leverage our distinctive interdisciplinary strength to address complex problems

http://chancellor.wisc.edu/strategicplan2/images/Strategic%20Framework_15-19.pdf


Aligns to University Strategic Priorities and Initiatives (Cont’d)

• People: Ensure a highly talented, engaged, and diverse workforce; Enhance the strength of our campus through diversity and inclusion; Ensure our ability to attract and retain talent; Nurture growth of our people through professional development; Create the best possible environment for our people

• Resource Stewardship: Promote resource stewardship, improve service delivery and efficiency; Create a stable and sustainable financial structure; Identify and pursue new revenue sources aligned with mission and goals; Promote environmental sustainability; Transform library structures and technologies to best support research and learning; Sponsor a comprehensive campaign to invest in the future of the university and shape the future of Wisconsin and the world

http://chancellor.wisc.edu/strategicplan2/images/Strategic%20Framework_15-19.pdf


Links to Campus/UW System IT Strategy

A. Educational Experience
1. Provide career-oriented experiences for our students
2. Design, create, and support learning-centered ecosystem
3. Unify the student experience with access to data and information
4. Provide tech services and resources to enhance student success and digital literacy

B. Research and Scholarship
1. Provide and support robust and secure IT research and scholarship infrastructure
2. Collaboratively partner with researchers to explore, access and use technology
3. Encourage, recognize and support staff scholarship

C. Wisconsin Experience
1. Foster state-wide public and private IT relationships
2. Proactively share our IT expertise to solve complex problems
3. Extend the educational mission with next generation IT infrastructure

D. Our People
1. Provide career-pathing and prepare staff and managers for the future
2. Diversify the IT workforce
3. Recruit and retain talented and engaged staff

E. Stewards of Our Resources
1. Practice and promote IT effectiveness and efficiency
2. Ensure sustainable funding
3. Practice transparent financial management and reporting
4. Provide leadership for IT risk compliance and management
5. Support and enhance innovative business and administrative systems
6. Facilitate effective and secure sharing and use of data

“Look beyond the send button and shift your focus to the receiving end.”

- Anonymous


CISO’s Vision (Functional Capabilities)

• Governance: Risk Management Policy Development, Security working group leadership; Data Governance and Security; Security education, training, and awareness; Risk Management Framework implementation

• Cybersecurity Defense: Cyber Threat Intelligence and Reporting; Security Assessments; Forensics; Security Operations (ERP+)

• Compliance: Communications and Networking Security Engineering Assessment and Approval (RMF); PCI-DSS, PHI, HIPAA, FERPA, and other auditing activities; Security Metrics

• Faculty, Staff and Student Education: Executive Security Awareness; Shared Governance, Boards and Committees


Leadership and Business Considerations

• Challenging budget priorities

• Competition for resources

• Staff maintaining work-life balance

• Adapt to changing technology or revisions to best practices

• Shared Governance

• Visibility within DoIT

• External influences

“Security Teams must demonstrate the ability to view business problems from different or multiple perspectives.”

– Gus Agnos (VP Strategy & Operations at Synack)


Elements of the Cybersecurity Strategy

• Strategic Element 1: Complete Data Governance and Information Classification Plan

• Strategic Element 2: Establish the UW System Risk Management Framework to materially reduce cybersecurity risk

• Strategic Element 3: Build a community of experts and improve institutional user competence through Security Education, Training, and Awareness

• Strategic Element 4: Consolidate Security Operations and institute best practices for UW-Madison Campus Networks and UW System Common Services

“Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat.”

- Sun Tzu (Ancient Chinese Military Strategist)


Elements of the Cybersecurity Strategy (Cont’d)

• Strategic Element 5: Improve Cyber Threat Intelligence Analysis, Dissemination and Remediation

• Strategic Element 6: Optimize Services, Establish Security Metrics, Promote Compliance, Achieve Continuous Diagnostics and Mitigation

• Strategic Element 7: Establish Collaborative Partnerships to assure teaching and research computing resources and results are available to fulfill the Wisconsin Idea and return value to the state and its citizens


Enabling Objectives

• Objective 1: Consider retention of previous strategy’s actionable items (“find it”, “delete it”, and “protect it”).

• Objective 2: Create the “Culture of Compliance” for oversight of all campus data, networks and systems.

• Objective 3: Establish Restricted Data Environments based on the needs of Faculty, Researchers or IT project requirement documents.

• Objective 4: Centralize data collection and aggregation for analysis of security related events to promote unified measurement of cybersecurity attributes.

• Objective 5: Identify and stabilize sources of repeatable funding to enable accomplishment of technical or staffing related strategic goals.

“Real commitment means doing everything in your power to get things done.” - Jeroen De Flander


Enabling Objectives (Cont’d)

• Objective 6: Understand and map requirements imposed upon us (e.g., FERPA, HIPAA, PCI DSS, NIST, etc.) by other agencies (i.e., Department of Education, Office for Civil Rights, credit card companies, research grant authorities).

• Objective 7: Develop and refine procedures to ensure security operations and risk assessments are conducted in a sustainable and repeatable manner that ensures standards for timeliness and measurable response are achieved and maintained.

• Objective 8: Develop and implement marketing and communications plans.


The road ahead…

• Complete Draft for CIO Staff Review: Done

• CIO Staff Review: April 15 – 21

• DoIT Director Review: April 15 – 21 (Walk Around Tour)

• Campus Colleges and Departments CIO Review: Week of April 20

• Forward Draft for UW-MIST Review: April 22

• UW-MIST Review: April 23 – 29. Comments adjudicated by May 5 with discussion and concurrence during May MIST meeting (May 7)

• Final Draft for ITC: Brief at May 15th ITC

• Final Version for CIO: No later than 29 May

• Socialize with MTAG: Targeting June 16th meeting

• Socialize with TISC: Announce during Lockdown (July 15) and TISC Summer Meeting (July 16) with review based on responses


Questions?