Information Security Update CTC 18 March 2015 Julianne Tolson.

Posted on 16-Jan-2016



Slide 1: Information Security Update

CTC, 18 March 2015

Julianne Tolson

Slide 2: What is Information Security?

"Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)."

Wikipedia: http://en.wikipedia.org/wiki/Information_security

Slide 3: CSU Information Security Policy

It is the collective responsibility of all users to ensure:

• Confidentiality of information which the CSU must protect from unauthorized access

• Integrity and availability of information stored on or processed by CSU information systems

• Compliance with applicable laws, regulations, and CSU/campus policies governing information security and privacy protection

ICSUAM: http://www.calstate.edu/icsuam/sections/8000/index.shtml

Slide 4: Information Security Standards

• ISO 27000, 27001, 27002, 27003: http://en.wikipedia.org/wiki/ISO/IEC_27000

• NIST Cyber Security Framework (NIST CSF): http://www.nist.gov/cyberframework/

Slide 5: How is Information Security Achieved?

A strategic partnership between stakeholders that includes:

• Risk management

• Controls

• Access control

Slide 6: Risk Management / Assessment

• Establish context

• Risk assessment

  • Physical / logical threats

  • Vulnerabilities

• Risk mitigation

  • Reduce, retain, avoid, transfer

• Monitor and control

Slide 7: Risk Management examples

• Business continuity planning

• Offsite back-ups

• Patching and updates

• Qualys

  • Vulnerability scans

  • Web application scans

  • Browsercheck (Bus. Ed.)

Slide 8: Qualys Browsercheck Business Ed. Demo

1. Sign-up

2. Configure

3. Distribute link: https://browsercheck.qualys.com/?uid=e60a1eceb95f467c8d725858c5595b88

4. Monitor: users will be prompted to take action when vulnerabilities are detected

https://www.qualys.com/forms/browsercheck-business-edition/

Slide 9: Controls

• Administrative: policies and procedures, background checks, FERPA, PCI, HIPAA

• Logical: intrusion detection, firewalls, encryption, principle of least privilege

• Physical: environment, separation of duties

Slide 10: Controls examples

• Responsible use policy

• Identity Finder

• Intrusion detection: PAN and FireEye

• Information Security Awareness

Discussion topic: How to get the word out?

Slide 11: Access control

• Identification Assurance

• Authorization

  • Mandatory Access Control

  • Discretionary Access Control

• Authentication

  • Multi-factor authentication

Slide 12: Access control example

• Multi-factor authentication: DuoSecurity pilot

Action Item: Review any discretionary access control you have granted
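The two authorization models named on slide 11, and the review the action item asks for, are easier to reason about with a small model in hand. The following Python is an added example for this transcript, not code from the CTC deck or from the CSU: it contrasts discretionary access control (the resource owner delegates rights) with mandatory access control (a system-wide label policy that an owner cannot override), and includes a helper that lists every right an owner has delegated so those grants can be reviewed. All users, labels, resources and grants are constructed; the MAC rule is a simplified Bell-LaPadula policy chosen for illustration.

```python
"""Added example, not from the CTC slides: a toy model contrasting discretionary
access control (DAC), where a resource's owner hands out rights, with mandatory
access control (MAC), where a system-wide label policy decides and the owner
cannot override it. Every user, label and grant below is constructed."""

from dataclasses import dataclass, field

# MAC sensitivity labels, ordered low to high (constructed for the example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Resource:
    name: str
    owner: str
    label: str                                      # MAC classification
    dac_grants: dict = field(default_factory=dict)  # user -> set of rights granted by owner


def dac_grant(res, grantor, user, right):
    """DAC: only the owner may delegate rights on the resource."""
    if grantor != res.owner:
        raise PermissionError(f"{grantor} does not own {res.name}")
    res.dac_grants.setdefault(user, set()).add(right)


def dac_allows(res, user, right):
    """DAC decision: owners hold all rights; others need an explicit grant."""
    return user == res.owner or right in res.dac_grants.get(user, set())


def mac_allows(clearances, res, user, right):
    """MAC decision, simplified Bell-LaPadula: no read up, no write down.
    Unknown users default to the lowest clearance."""
    clearance = LEVELS[clearances.get(user, "public")]
    label = LEVELS[res.label]
    if right == "read":
        return clearance >= label
    if right == "write":
        return clearance <= label
    return False


def authorize(clearances, res, user, right):
    """Combined check: MAC is evaluated first, and a DAC grant can never
    override a MAC denial. Returns (allowed, reason)."""
    if not mac_allows(clearances, res, user, right):
        return False, "mac"
    if not dac_allows(res, user, right):
        return False, "dac"
    return True, "ok"


def review_discretionary_grants(resources, owner):
    """Supports the slide's action item: list every right this owner has
    delegated, so stale or over-broad grants can be spotted and revoked."""
    found = []
    for res in resources.values():
        if res.owner != owner:
            continue
        for user, rights in res.dac_grants.items():
            for right in sorted(rights):
                found.append((res.name, user, right))
    return found


def build_sample():
    """Constructed users and resources used by the demonstration below."""
    clearances = {"alice": "confidential", "bob": "internal", "carol": "public"}
    resources = {
        "grades.csv": Resource("grades.csv", owner="alice", label="confidential"),
        "memo.txt": Resource("memo.txt", owner="bob", label="internal"),
    }
    # Owners delegate rights at their discretion (DAC).
    dac_grant(resources["grades.csv"], "alice", "bob", "read")
    dac_grant(resources["memo.txt"], "bob", "carol", "read")
    return clearances, resources


if __name__ == "__main__":
    clearances, resources = build_sample()
    checks = [("bob", "grades.csv", "read"),    # DAC grant exists, but MAC forbids read up
              ("carol", "memo.txt", "read"),    # same: public clearance cannot read internal
              ("bob", "memo.txt", "read"),      # owner
              ("alice", "memo.txt", "read"),    # MAC ok, but no DAC grant
              ("alice", "memo.txt", "write")]   # MAC forbids write down
    for user, name, right in checks:
        print(user, right, name, authorize(clearances, resources[name], user, right))
    print("alice's discretionary grants:", review_discretionary_grants(resources, "alice"))
```

The point the model makes concrete: a DAC grant only widens access within what the mandatory policy already permits (bob's grant on grades.csv is never honoured because his clearance is below the label), while DAC grants are what accumulate silently over time, which is why the action item asks owners to enumerate and review them.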

Slide 13: Security Incident Response

• Assessing current process

  • Incident categorization

• Response by incident category

  • Server, account, endpoint

• Forensic tools

• Event logs & analysis

Slide 14: Questions?