UMASS Written Information Security Plan (WISP)

UMASS Information Security Council
11/16/2010
Version 4.0


UMASS Information Security Program      Final                 1
Information Security Program

Background & Introduction
    The Security Problem: External & Internal Threats
    The Security Solution: Defense in Depth
    Key Goals and Objectives

The UMASS WISP
    The WISP Framework & Controls
    UMASS Security Programs
    UMASS Security Governance
    UMASS Security Metrics

The UMASS Security Lifecycle

ITLC (Information Technology Leadership Council) Review and Approval
    Information Security Council (ISC) Charter
    UMASS Security Policy Statement
    UMASS Written Information Security Plan (WISP)




Background & Introduction

The Problem: External & Internal Threats
    Primary methods involve privilege misuse, hacking, malware
    Increase in sophistication (multi-threaded attacks)
    Most breaches avoidable through simple or intermediate controls
    Data in Motion (Excel, Email, etc.)

The Solution: Defense in Depth
    Establish UMASS security framework & programs
    Apply controls to each program
    Measure effectiveness through metrics & reports

Key Goals & Objectives
    Develop and communicate comprehensive UMASS security programs under the WISP framework
    Align with industry best practices (ISO 27002)
    Manage security throughout its lifecycle
    Integrate security controls into "normal" UMASS operations
    Identify and assign / acquire resources (staffing, automated tools, etc.) to implement and maintain security programs
    Develop, communicate and receive ITLC approval for the WISP implementation roadmap
    Develop and implement a communications plan to increase general awareness and educate stakeholders on key WISP components and deliverables




The WISP Framework & Controls

UMASS Security Programs
    PRG-01: Governance, Risk & Compliance
    PRG-02: Identity & Access Management
    PRG-03: Privacy & Data Protection
    PRG-04: Application Integrity & Security
    PRG-05: Threat & Vulnerability Management
    PRG-06: Infrastructure & Operations Security

ISO 27002 Security Controls
    12 Control Areas
    41 Control Objectives
    135 Security Controls

[Figure: WISP Framework, layered as 1. Governance, Risk & Compliance over 2. Identity & Access Management, 3. Privacy & Data Protection, 4. Application Integrity & Security and 5. Threat & Vulnerability Management, over 6. Infrastructure & Operations Security, resting on the ISO 27002 Controls.]

Key Considerations
    The WISP covers all University computing resources and information assets, including those managed by campus and president's office IT staff, decentralized departments, 3rd party managed services, etc.
    The WISP framework and security programs apply to all University locations, including main campus locations, branch locations, 3rd party managed facilities, etc.




UMASS Security Programs

1. Governance, Risk Management & Compliance
  Managing the security programs
    Information Security Governance, ISC Charter
    Policy, Controls, Controls Review Committee (CRC)
    Security Framework, Programs, WISP
    Risk Assessment, Audit & Compliance

2. Identity & Access Management
  Securing the individuals, identities and entitlements
    HR Management: Before, During, Termination of Employment
    User Lifecycle: User -> Jobs; Jobs -> Roles; Roles -> Entitlements
    Identity Lifecycle: Provisioning, Recertification, De-provisioning
    Access Management: Authentication, Authorization, Accounting

3. Privacy & Data Protection
  Securing the information
    Data Lifecycle Mgmt: Create, Share, Use, Store, Archive, Destroy
    Structured Data Protection: Source Data
    Unstructured Data Protection: E-mails, File Shares, Hard Drives
    MA Privacy Controls: Program, Administrative, Technical, Physical

4. Application Integrity & Security
  Securing the applications
    Data Processing (input, processing, storage, output)
    Secure code development
    Application Vulnerabilities (OWASP top 10)
    Development, Test, Production Environments

5. Threat & Vulnerability Management
  Protecting against threats and weaknesses
    Internal & External Vulnerability Management
    Configuration & Patch Management
    Internal & External Threat Management
    Incident Response Procedure

6. Infrastructure & Operations Security
  Securing the infrastructure
    Documentation: Processes, SOPs, Network Diagrams
    Process Mgmt: Asset, Change, Configuration, Log, Alerting
    Component Security: Desktop, Network, Server, Database
    Remote Access & Mobile Computing




UMASS Security Governance

UMASS Information Security Governance
    Information Technology Leadership Council (ITLC)
    Information Security Council (ISC)
    Controls Review Committee (CRC)
    Security Program Teams (SPTs)

Information Security Council (ISC) Charter
    Advise ITLC of security risks to University's information assets and technology resources
    Collaborate across campuses and system's office to ensure consistent approach to managing risks
    Lead in the development of programs, policies, standards, procedures and controls
    Respond to ITLC requests to investigate technologies, process controls, mitigate newly identified risks, etc.

[Figure: UMASS Security Governance chart. The ITLC at the top exercises Security Oversight over the ISC; the ISC exercises Controls Oversight over the CRC (Controls) and Program Oversight over the SPTs (Programs: University and local campus teams). The chart is annotated with the layers Local Administration, Education, Implementation and Management.]

UMASS Security Metrics

Operational Metrics
   • Effective security metrics are a challenge to develop
   • Goal is to build a baseline model that will evolve over time
   • Allows managers to measure effectiveness of security program

Compliance Metrics
    Control Environment: Policies, procedures, practices and organizational structures that provide reasonable assurance business objectives are achieved and undesired events are prevented or detected and corrected.
    Control Objective: Description of what we are trying to achieve.
    Control: A statement that describes how UMASS will attain the control objective.
    Control Documentation: The control design and implementation details.
    Control Evidence: Proof that the control exists.
    Control Testing: Assessment of the control effectiveness in mitigating risk.

[Figure: Operational Metrics (shown as a placeholder "?") and Compliance Metrics (a cycle of Control Objective, Control, Control Documentation, Control Evidence and Control Testing).]




UMASS Security Program Lifecycle

[Figure: The UMASS Security Framework & Programs (1. Governance, Risk & Compliance over 2. Identity & Access Management, 3. Privacy & Data Protection, 4. Application Integrity & Security and 5. Threat & Vulnerability Management, over 6. Infrastructure & Operations Security) feed a PLAN / DO / CHECK / ACT cycle built on the ISO 27002 Controls. Gap Remediation or Risk Acceptance is driven by Risk = f (Impact & Exposure), plotted from Low Risk to High Risk on Impact (horizontal) and Exposure (vertical) axes. Operational & Compliance Metrics close the loop: Operational Metrics (placeholder "?") and Compliance Metrics (Control Objective, Control, Control Documentation, Control Evidence, Control Testing).]

ITLC Review and Approval

Information Security Council (ISC) Charter
    Advise ITLC of security risks to University's information assets and technology resources
    Collaborate across campuses and system's office to ensure consistent approach to managing risks
    Lead in the development of programs, policies, standards, procedures and controls
    Respond to ITLC requests to investigate technologies, process controls, mitigate newly identified risks, etc.
    Upon approval from the ITLC, the ISC Charter will be published on the Massachusetts.edu website

UMASS Security Policy Statement
    High level statement established to protect the assets and interests of the University
    Increase security awareness and compliance across the University
    Establishes a coordinated approach for implementing, managing & maintaining the control environment
    Upon approval from the ITLC, the Policy will be submitted to the Board of Trustees for ratification

UMASS Written Information Security Plan (WISP)
    UMASS Security Framework, Programs, Controls and Metrics
    Upon approval from the ITLC, the WISP will be published on the Massachusetts.edu website

For future consideration
    Developing / defining a UMASS Controls Review Committee (CRC) that would interpret the ISO controls and determine how best to implement them across the University



