
Page 1: What Every CBO Should Know About IT Security

What Every CBO Should Know About IT Security

Robert Clark, Director of Internal Auditing

Georgia Institute of Technology

Jack Suess, VP of Information Technology

University of Maryland, Baltimore County

Monday, July 10, 2006

Page 2: What Every CBO Should Know About IT Security

Overview

• Why IT Security should be everyone’s concern – not just the IT staff

• Plethora of legal compliance issues

• Potential risk factors facing organizations

• Case studies and high profile examples

• Fiduciary role of managers in safeguarding these assets

• Effective practices from which to leverage

• Resources and guidance available

Page 3: What Every CBO Should Know About IT Security

Introduction to the Security Task Force of EDUCAUSE

• Formed in July 2000

• Current Co-chairs:

  • Jack Suess, UMBC (2003-2006)

  • Joy Hughes, George Mason University (2004-2007)

• Executive Committee of CIOs, Security Professionals, and Professional Staff

• EDUCAUSE & Internet2 Staff Support

• Coordination with Higher Education IT Alliance

  • ACE, AAU, NASULGC, AASCU, NAICU, AACC, NACUBO

Page 4: What Every CBO Should Know About IT Security

Strategic Goals of the Security Task Force

Overarching Goals

• Education and Awareness across the campus and within our IT organizations

• Standards, Policies, and Procedures

• Security Architecture and Tools

• Organization, Information Sharing, and Incident Response

Focused Activities

• Data privacy and protection

• Incident detection and response

Page 5: What Every CBO Should Know About IT Security

Rapid increase in regulatory issues over data

• Gramm-Leach-Bliley Act

• FERPA

• HIPAA

• Sarbanes-Oxley (not “directly” applicable to higher ed, but indirectly)

• California SB 1386 and 23 other state data disclosure laws

• VISA/Mastercard PCI requirements

• OMB sets guidelines for Federal employee laptop security

Page 6: What Every CBO Should Know About IT Security

Imperative for Action

• Over fifty universities have had public data disclosures in the last 18 months

• Total number of individuals impacted is over 2.5 million

• At least a half-dozen incidents have had direct costs for remediation and notification exceeding one million dollars

Page 7: What Every CBO Should Know About IT Security

What Are The Causes of Personal Information Release?

• Most of these releases were in tertiary systems supporting a single department or were associated with an individual’s laptop or desktop computer

• The reasons for these releases run the gamut - stolen laptops, viruses and worms, unpatched software, programming errors, and human error

• CIFAC, an NSF-sponsored study of security incidents, found in reviewing incidents that the overwhelming cause was inadequate management oversight (insufficient procedures or processes) or inadequate training

Page 8: What Every CBO Should Know About IT Security

When Bad Stuff Happens…

• Ohio University – 5 intrusions resulting in compromise of personal data for 300,000 students and alumni

  • Will spend over $4M to upgrade IT security and policies

• GMU – compromise of personal data on campus card server for over 30,000

• UC Berkeley - stolen laptop with 1.4 million IDs resulted in largest higher-ed notification to date

• Georgia Tech – 57,000 credit card numbers accessed

Page 9: What Every CBO Should Know About IT Security

Whose Problem Is IT? GIT Example

• IT staff – (Examining systems; forensic analysis)

• Internal Auditing – (Investigating incident; examining controls; facilitating discussions with appropriate management; dealing with VISA; interacting with law enforcement)

• CBO – (Examining GIT policies; VISA threatened to pull the plug on ALL credit card processing at GIT; would have had significant impact on other areas of GIT operations)

• Legal Affairs – (Negotiations with VISA; dealing with Attorney General; FBI, GBI, Secret Service)

• Ferst Center for the Arts Management – (All ticketing operations suspended; major PR issues with customers; over 30,000 first class letters sent to customers affected; Help Line staffed)

• Auxiliary Services management; Institute Communications and Public Affairs (dealing with media); Chief of Police; Office of the President

Page 10: What Every CBO Should Know About IT Security

Lessons Learned

• Well designed process for responding to IT incidents provided clear guidance

  • http://www.audit.gatech.edu/IAcollabrative2.pdf

• Evident that this was an “Institute issue,” not just an “IT issue” (shared responsibility)

• Strong collaboration amongst management to ensure consistent action

• Costly – total “cost” in time for those involved over $100K

• Led to other initiatives to locate sensitive info across campus

• Led to committee to establish Data Access Policy

• Led to increased awareness of IT risk assessment

Page 11: What Every CBO Should Know About IT Security

What’s Keeping Us From Doing This Right?

• Organizational challenges for IT security

• The tension between the academy and the enterprise

• Lack of adequate knowledge about the nature of IT issues

• Over-reliance on techno-centric solutions

• IT security not recognized as a shared responsibility

• Security viewed as counter to organizational productivity

• Reactive responses vs. a systemic framework for sustainable solutions

• No budgets established and resources allocated to conduct IT risk assessments

• Unclear on guidance to adopt and effective practices to follow

Page 12: What Every CBO Should Know About IT Security

Review of Industry Frameworks

• COSO (Committee of Sponsoring Organizations of the Treadway Commission) 1987-1992

• COBIT (Control Objectives for Information and related Technology) 1996-2000

• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) 2001

• ISO 17799 (International Organization for Standardization – Information Technology: Code of Practice for Information Security) 2000

Page 13: What Every CBO Should Know About IT Security

New (2004) ERM COSO Framework

Org. structure (e.g., Board, policies, mgmt’s risk appetite)

Objectives in Strategy, Operations, Reporting, Compliance

What can go wrong?

Likelihood and impact of risks

How to manage risks? (Share, avoid, reduce, accept?)

Procedures to ensure risk mitigation is effective

Education & awareness of policies, effective practices

Mgmt reviews & Auditors assess

Page 14: What Every CBO Should Know About IT Security

COBIT: Evaluation of Three Key Areas

• Information Criteria

  • Quality (Cost, delivery)

  • Fiduciary responsibility (Reliability, compliance, Efficiency and effectiveness)

  • Security (confidentiality, integrity, availability)

• IT resources (Data, Application systems, Technology, Facilities, People)

• IT Processes (Domain, Processes, Tasks/Activities)

Page 15: What Every CBO Should Know About IT Security

OCTAVE

• Phase I: Build asset-based threat profiles

  • What’s important to the org; how are assets protected?

• Phase II: Identify infrastructure vulnerabilities

  • IDing classes of IT components related to each critical asset; how resistant to network attacks?

• Phase III: Develop security strategy and plans

  • ID risks to org’s critical assets; what is being done to protect them?

Page 17: What Every CBO Should Know About IT Security

ISO 17799: Defines Best Practice and Certification Process

Detailed security standard; organized into ten major sections:

1. Security policy

2. Security organization

3. Asset classification & control

4. Personnel security

5. Physical & environmental security

6. Communications & operations management

7. Access control

8. Systems development & maintenance

9. Business continuity management

10. Compliance

Page 18: What Every CBO Should Know About IT Security

Risk Assessment Models

• NIST – Security Self-Assessment Guide for Information Technology Systems

• NIPC (National Infrastructure Protection Center; part of Dept. of Homeland Security)

• NSA (National Security Agency)

• ISO 17799 (International Standards Organization, "a comprehensive set of controls comprising best practices in information security")

All solid guidance but none are higher-ed focused

Page 19: What Every CBO Should Know About IT Security

Higher-Ed focused risk assessment tools:

• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) - developed at the CERT Coordination Center at Carnegie Mellon University

• STAR (Security Targeting and Analysis of Risks) – developed and used at Virginia Tech

• Information Security Governance (ISG) Assessment Tool (http://www.educause.edu/ir/library/pdf/SEC0421.pdf)

• EDUCAUSE Effective Practices Guide: http://www.educause.edu/EffectivePracticesandSolutionsinSecurity/1246

• Risk Assessment Framework: http://www.educause.edu/LibraryDetailPage/666?ID=CSD4380

Page 20: What Every CBO Should Know About IT Security

Outline of Risk Assessment Framework

• Phase 0: Establish Risk Assessment Criteria for the Identification and Prioritization of Critical Assets (a one-time process)

  • 1: Establish Risk Assessment Criteria

  • 2: Apply the Critical Asset Criteria to Classify Data Collections and Related Resources

• Phase 1: Develop Initial Security Strategies

  • 1: Strategic Perspective – Senior Management

  • 2: Operational Perspective – Departmental Management

  • 3: Practice Perspective – Staff

  • 4: Consolidated View of Security Requirements

Page 21: What Every CBO Should Know About IT Security

Outline of Risk Assessment Framework (cont.)

• Phase 2: Technological View - Identify Infrastructure Vulnerabilities

  • 5: Key Technology Components

  • 6: Selected Technology Components Evaluation

• Phase 3: Risk Analysis - Develop Security Strategy and Plans

  • 7: Risk Assessment

  • 8: Protection Strategy and Mitigation Plans

Page 22: What Every CBO Should Know About IT Security

Recommendations for CBOs

• Data disclosures put your institution at great financial risk, and CBOs need to understand the risks and issues

• Foster collaborative relationships with the Provost, CIO, CFO, and Chief Auditor to make IT security a campus priority. Consider using the building organizational capacity model to analyze your approach to IT Security.

• Research has shown that policies, procedures, and management oversight are the critical factors for success. This is often a strength of CBOs that can be shared with IT.

• Partner with IT to integrate IT security throughout your own organization and promote the message that IT security is a “shared responsibility”