Information Security Program
March 22, 2017
Tom Ambrosi
Chief Information Security Officer
https://er.educause.edu/articles/2017/1/top-10-it-issues-2017-foundations-for-student-success
Penn State University President – Eric Barron
"We all will need to take additional steps to protect ourselves, our identities and our information from a new global wave of cybercrime and cyberespionage," Barron said in his statement. "Well-funded and highly skilled cyber criminals have become brazen in their attacks on a wide range of businesses and government agencies, likely in search of sensitive information and intellectual property."
"In this particular case we are dealing with the highest level of sophistication," Barron said. "Unfortunately, we now live in an environment where no computer network can ever be completely, 100 percent secure."

Mandiant
"Advanced cyberattacks like this -- sophisticated, difficult to detect and often linked to international threat actors -- are 'the new normal,'" said Nick Bennett, Mandiant's senior manager of professional services. "No company or organization is immune -- the world's leading banks, energy companies, retailers and educational institutions have all been and will be targets."
Program Requirements/Drivers
Required to comply with Federal, State & Industry Standards & Regulations
FERPA
HIPAA
PCI DSS v3.1 – 6.1, 10.6, 12.2
GLBA
Washington State OCIO Policy 141 – Securing Information Technology Assets
Requirements / Drivers
Program Governance Initiatives
Governance Structure
Information Security Program Strategy
Information Security Policies
University Security Policy
Update to University Data Policies
Security & Privacy Accountabilities, Roles & Responsibilities
Standards & Compliance Frameworks
PCI, HIPAA
Executive Perspectives on Top Risks for 2017
https://www.protiviti.com/US-en/insights/protiviti-top-risks-survey
Requirements / Drivers
Institutional Risk Areas For Public Research Institutions
Financial & Economic Conditions
Ability to Recruit Quality Students, Faculty & Staff
Business Continuity
Physical Infrastructure
WSU IT Infrastructure
Legal & Regulatory Compliance
Safety & Security
Research
Reputation & Brand
Requirements / Drivers
Information Security & Privacy Risk Areas
Cyber Attacks & Data Security
Advanced Threats to C-I-A
Data Privacy Breaches
Federal, State, Industry Regulations
Legal & Regulatory Compliance
Outsourcing & Cloud Computing
Mobile Devices
Incident Response
Identity & Access Mgmt
Education, Training & Awareness
Business Continuity & Disaster Recovery
Requirements / Drivers
Managing Security & Privacy Risk
Establish Risk Mgmt Framework
Consistent with Enterprise Risk Mgmt
Identify, Assess, Respond, Monitor
Risk Mgmt Objectives
Support Strategic Decision Making & Planning
Allocate Resources Effectively
Better able to meet Compliance Requirements
Provide Optimized set of Risk Mitigations
Enable University Mission & Business Objectives with acceptable level of risk
Security & Privacy Risks are Institutional Risks
Risk = Likelihood x Impact
Each Vulnerability/Threat Pair will be evaluated for
Likelihood of Occurrence
Impact Classification
Risk Level Assigned
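The slide above states the evaluation in three steps: rate each vulnerability/threat pair for likelihood, classify its impact, and assign a risk level from the product. The following is an added example, not code from the presentation or from WSU; the 1..5 qualitative scales, the risk-level bands, the escalation rule and the sample register are all assumptions constructed to illustrate the procedure, and it goes slightly beyond the slide by sorting the register and picking out the pairs that would be escalated.

```python
"""Qualitative risk scoring for vulnerability/threat pairs.

Added example; not code from the original presentation. The 1..5
likelihood and impact scales, the risk-level bands and the sample
register below are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Assumed 5-point qualitative scales (not the presenter's actual scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed bands over the 1..25 product, highest threshold first.
RISK_BANDS = [(15, "Critical"), (8, "High"), (4, "Medium"), (1, "Low")]


@dataclass(frozen=True)
class RiskItem:
    """One vulnerability/threat pair to be evaluated."""
    vulnerability: str
    threat: str
    likelihood: str   # key in LIKELIHOOD
    impact: str       # key in IMPACT


def risk_score(likelihood: str, impact: str) -> int:
    """Risk = Likelihood x Impact on the numeric scales (range 1..25)."""
    try:
        return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    except KeyError as exc:
        # Unknown ratings are rejected rather than silently scored as 0.
        raise ValueError(f"unknown rating: {exc.args[0]!r}") from None


def risk_level(score: int) -> str:
    """Map a score onto a risk level using RISK_BANDS."""
    if not 1 <= score <= 25:
        raise ValueError(f"score out of range: {score}")
    for threshold, level in RISK_BANDS:
        if score >= threshold:
            return level
    return "Low"  # unreachable with the bands above; keeps the function total


def assess(register):
    """Score every pair and return rows sorted by descending risk score."""
    rows = []
    for item in register:
        score = risk_score(item.likelihood, item.impact)
        rows.append({
            "vulnerability": item.vulnerability,
            "threat": item.threat,
            "score": score,
            "level": risk_level(score),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def needs_escalation(rows, level="Critical"):
    """Vulnerabilities at or above the level that goes to senior leadership."""
    order = [lvl for _, lvl in RISK_BANDS]  # Critical, High, Medium, Low
    cutoff = order.index(level)
    return [r["vulnerability"] for r in rows if order.index(r["level"]) <= cutoff]


# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    RiskItem("Unpatched web server", "Exploitation of known flaw", "likely", "major"),
    RiskItem("Shared admin password", "Credential misuse", "possible", "severe"),
    RiskItem("Unencrypted backup tapes", "Loss in transit", "unlikely", "moderate"),
    RiskItem("Outdated lobby kiosk", "Defacement", "rare", "negligible"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['score']:>2}  {row['level']:<8} {row['vulnerability']} / {row['threat']}")
    print("Escalate:", needs_escalation(assess(SAMPLE_REGISTER)))
```

The bands are deliberately a separate table so that a programme owner can tune them without touching the scoring logic; the escalation helper is what turns the assigned level into the "escalate critical risks to senior leadership" step that appears later in the deck.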
Responsibilities
Protecting Data Security & Privacy is a shared responsibility
Promote a Risk-Aware Culture
Understand risks to your business & potential impacts to the University
Be Proactive – Avoiding risk is Accepting risk
Escalate critical risks to Senior Leadership
Include risk assessment processes into business processes
Ensure all employees are aware of their responsibilities
Provide training for employees that is appropriate to their roles & responsibilities
Questions?