Information Security Update
CTC
18 March 2015
Julianne Tolson
What is Information Security?
“Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).”
Wikipedia: http://en.wikipedia.org/wiki/Information_security
CSU Information Security Policy
It is the collective responsibility of all users to ensure:
• Confidentiality of information which the CSU must protect from unauthorized access
• Integrity and availability of information stored on or processed by CSU information systems
• Compliance with applicable laws, regulations, and CSU/campus policies governing information security and privacy protection
ICSUAM http://www.calstate.edu/icsuam/sections/8000/index.shtml
Information Security Standards
ISO 27000, 27001, 27002, 27003: http://en.wikipedia.org/wiki/ISO/IEC_27000
NIST Cyber Security Framework (NIST CSF): http://www.nist.gov/cyberframework/
How is Information Security Achieved?
A strategic partnership between stakeholders that includes:
• Risk management
• Controls
• Access control
Risk Management / Assessment
• Establish context
• Risk assessment
  • Physical / logical threats
  • Vulnerabilities
• Risk mitigation
  • Reduce, retain, avoid, transfer
• Monitor and control
Risk Management examples
• Business continuity planning
• Offsite back-ups
• Patching and updates
• Qualys
  • Vulnerability scans
  • Web application scans
  • Browsercheck (Bus. Ed.)
Qualys Browsercheck Business Ed. Demo
1. Sign-up
2. Configure
3. Distribute link
https://browsercheck.qualys.com/?uid=e60a1eceb95f467c8d725858c5595b88
4. Monitor
Users will be prompted to take action when vulnerabilities are detected
https://www.qualys.com/forms/browsercheck-business-edition/
Controls
• Administrative: policies and procedures, background checks, FERPA, PCI, HIPAA
• Logical: intrusion detection, firewalls, encryption, principle of least privilege
• Physical: environment, separation of duties
Controls examples
• Responsible use policy
• Identity Finder
• Intrusion detection: PAN and FireEye
• Information Security Awareness
Discussion topic: How to get the word out?
Access control
• Identification Assurance
• Authorization
  • Mandatory Access Control
  • Discretionary Access Control
• Authentication
  • Multi-factor authentication
Access control example
• Multi-factor authentication
  • DuoSecurity pilot
Action Item: Review any discretionary access control you have granted
Security Incident Response
• Assessing current process
  • Incident categorization
• Response by incident category
  • Server, Account, Endpoint
• Forensic tools
• Event logs & analysis
Questions?