Information Security Update CTC 18 March 2015 Julianne Tolson.
Information Security Update CTC
18 March 2015 Julianne Tolson
What is Information Security?
"Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)."
Wikipedia: http://en.wikipedia.org/wiki/Information_security
CSU Information Security Policy
It is the collective responsibility of all users to ensure:
• Confidentiality of information which the CSU must protect from unauthorized access
• Integrity and availability of information stored on or processed by CSU information systems
• Compliance with applicable laws, regulations, and CSU/campus policies governing information security and privacy protection
ICSUAM http://www.calstate.edu/icsuam/sections/8000/index.shtml
Information Security Standards
ISO 27000, 27001, 27002, 27003 http://en.wikipedia.org/wiki/ISO/IEC_27000
NIST Cyber Security Framework (NIST CSF) http://www.nist.gov/cyberframework/
How is Information Security Achieved?
A strategic partnership between stakeholders that includes:
• Risk management
• Controls
• Access control
Risk Management / Assessment
• Establish context
• Risk assessment
  • Physical / Logical Threats
  • Vulnerabilities
• Risk mitigation
  • Reduce, retain, avoid, transfer
• Monitor and control
Risk Management examples
• Business continuity planning
• Offsite back-ups
• Patching and updates
• Qualys
  • Vulnerability scans
  • Web application scans
  • Browsercheck (Bus. Ed.)
Qualys Browsercheck Business Ed. Demo
1. Sign-up
2. Configure
3. Distribute link
   https://browsercheck.qualys.com/?uid=e60a1eceb95f467c8d725858c5595b88
4. Monitor
Users will be prompted to take action when vulnerabilities are detected
https://www.qualys.com/forms/browsercheck-business-edition/
Controls
• Administrative: policies and procedures, background checks, FERPA, PCI, HIPAA
• Logical: intrusion detection, firewalls, encryption, principle of least privilege
• Physical: environment, separation of duties
Controls examples
• Responsible use policy
• Identity Finder
• Intrusion detection: PAN and FireEye
• Information Security Awareness
Discussion topic: How to get the word out?
Access control
• Identification Assurance
• Authorization
  • Mandatory Access Control
  • Discretionary Access Control
• Authentication
  • Multi-factor authentication
Access control example
• Multi-factor authentication
  • DuoSecurity pilot
Action Item: Review any discretionary access control you have granted
Security Incident Response
• Assessing current process
  • Incident categorization
• Response by incident category
  • Server, Account, Endpoint
• Forensic tools
• Event logs & analysis
Questions?