
Polling software guidance

1. See handout for instructions on enrolling and response choices
2. Only submit poll responses when that poll is active (displayed on the screen)
3. You can submit multiple responses separated by a space or comma. Upper and lower case accepted.

What Will You Wish for When the Genie Appears?
Also Known As The Lesson of the Golden Shovel
EDUCAUSE SPC 2015 - Panel Discussion
Wednesday, May 6th, 2015

Overview
Welcome and introductions
Panelist program overviews
Commonalities?
What comes next?
Open forum / Q&A
Closing thoughts

Welcome & Introductions

Schools Represented

Panelist Program Overviews

First up: Univ. of Maryland

Maryland Snapshot
People (Fall 2014)

Undergraduate: 27,056
Graduate: 10,554
Faculty: 4,467
Staff: 5,494

Financial (FY15)

Budget: $1.8B
Endowment: $408M

Colleges and Schools

Agriculture and Natural Resources
Architecture, Planning, and Preservation
Arts and Humanities
Behavioral and Social Sciences
Smith School of Business
Computer, Math, and Natural Sciences
Education
Clark School of Engineering
Merrill School of Journalism
Information Studies
Public Health
Public Policy

Autonomous Institution of the University System of Maryland
Health Care Related Professional Schools Affiliated with UM-Baltimore

IT Governance
VPIT/CIO leads the Division of Information Technology. Reports directly
to the President and is a member of the President's Cabinet.
IT Council
Appointed by Campus Senate, Sets Priorities, Guides Resource
Allocation Decisions (subcommittees: Infrastructure, Enterprise
Software, Research, Teaching & Learning, Usability)
University Technical Coordination Committee
Open Body Composed of Departmental IT Staff, Provides Feedback
on Technical Plans and Implementations

IT @ UMD
Division of Information Technology
Employees: 260 FT + 150 Students
Budget: $60M
Provider of Enterprise Services:
Critical Infrastructure (data centers, servers, networking, etc)
Core Business Applications (HR, Finance, SIS, Email, etc)
Central Authentication and Identity
Learning Management
User Support
HPC Resources

Distributed Support
IT Employees: a mystery
IT Budget: a bigger mystery
IT Support at different levels (School, Department, Research Lab)
Provider of Targeted Services:
Direct Desktop Support
In-room Networking
Focused Student Labs
Discipline Specific Solutions
Specialized Hardware (e.g. Electron Microscopes, Mass Spectrometers, MRI systems)
Other Functions as Directed by Unit Head

Information Security at UMD

DIT Security and Policy Office


Director/CISO: Gerry Sneeringer
Technical Services Manager: Kevin Shivers
Data Administration Manager: Erin Howard
Assurance Specialist: Steve Gunzburg
Security Engineer: Bertrand Sobesto
Project NEThics: Amy Ginther
SOC Team: Jonas Amoonarquah, Avery Greene, Lauren Winter
Data Admin Coordinator: Huifang Pan
Plus a Growing Army of Students
- Post Shovel

ITSPO: Our Portfolio

Incident Detection and Response
Assessment: Vulnerability, Risk, Compliance
Preservation and Forensics
Data Administration (Data Stewards, Data Dictionary, Data Quality, etc)
Project NEThics (Awareness and Enforcement)
Keeper of Logs (investigation and review)
SDLC Security Functions
Keepers of Sanity
Auditor Containment
Purveyors of Common Sense

Why I'm Here

The Credo of the Golden Shovel

Churchill didn't actually say this, but he probably should have.

Moving on: Univ. of Pennsylvania

Penn Facts
12 Schools
Annual Budget: $6.6 Billion
Current Endowment: $7.74B

Annenberg School for Communication
School of Arts and Sciences
School of Dental Medicine
Graduate School of Education
School of Engineering and Applied Science
School of Design
Law School
Perelman School of Medicine
School of Nursing
School of Social Policy & Practice
School of Veterinary Medicine
The Wharton School

In addition to Penn's 12 Schools, there are nearly 30 unique Centers that focus on a variety of tasks in support of Penn's mission of Teaching, Research and Service. Information Systems and Computing (ISC) is one of these Centers.

RCM & IT at Penn


Penn operates under a general budgeting theory called responsibility center management (RCM). All Schools and Responsibility Centers are responsible for managing their direct revenue and expense.

Consistent with RCM, the delivery of Information Technology (IT) is highly decentralized. Individual Schools and Centers make most of their own computer purchasing and support decisions.

IT directors and other technology managers from the Schools and Centers serve on IT Roundtable, an advisory and governance body that helps align IT.

More Penn IT
900 IT staff at Penn, 325 providing support

Estimated that 3% of the University's annual budget is spent on IT ($200M)

Local Support Providers (LSPs): a general term to represent IT staff who assist with IT in the Schools & Centers.

ISC & Central Computing


It makes sense to centralize some IT functions
Critical and/or second-tier client support
Core administrative systems (e.g., Payroll, Student Systems, etc.)
Networking, telecommunications and other foundational technology
services
Key academic and/or instructional technologies
Campus-wide IT-related strategy and initiatives
Campus wide policy and standards

Funding is a mixture of allocated, and charge-back


Currently 280 FTE in this organization
Undergoing re-definition under leadership of new CIO.

(Central) InfoSec at Penn

ISC Office of Information Security


Joshua Beeman, University Information Security Officer
Bob Desilets, Senior Information Security Specialist
David Earley, Senior Information Security Specialist
Samuel Jenkins, Senior Information Security Specialist
Melissa Muth, Senior Information Security Specialist
Sherry Weller, Senior Information Security Specialist

ISC InfoSec Key Services


Projects
Consultation & Awareness
Policy
Reporting
Incidents
Risk
POC

Some Key InfoSec Resources


Security Liaisons
Working groups (NSDR & CSAT)
Security and Privacy Impact Assessment (SPIA) Program
Critical Components database
Scanning and reporting
Senior Incident Response Team
Vendor assessment and contract initiatives
Community of Practice initiatives

Information Security at Penn


Preserving the confidentiality, integrity and availability of Penn data is a shared responsibility.

ISC Information Security Office's core mission is to develop tools, strategies and best practices to protect Penn's confidential and sensitive information assets.

We Are Partners
in Governance

Schools and Centers are responsible for assessing risk and implementing specific security controls locally.

Why I'm On the Panel

Enterprise Risk Management

(Timeline graphic on the original slide, running from July-December 2013 through January-December 2014; only the month labels survived extraction.)

Finally: Stanford University

Stanford University Snapshot


Students: 7K undergrad, 9K grad
Faculty: 2K
Staff: 11K
Budget: $5.1B
Endowment: $21.4B
Research: 5.3K sponsored projects ($1.3B)
700 Buildings
Network nodes: 250K

IT Resources are Decentralized

(Organizational chart on the original slide; the boxes read as follows.)
University: Board of Trustees; President, John Hennessy; Provost, John Etchemendy
SU Libraries, Mike Keller; Dean, School of ____ (School CIOs); VP ________ (Unit CIOs)
VP Business Affairs, Randy Livingston; Office of the CIO: IT Services, Bill Clebsch; Administrative Systems, Ganesh Karkala; Information Security, Michael Duff
SHC: Board of Directors; SHC President, Amir Dan Rubin; SHC CIO, Pravene Nath
LPCH: Board of Directors; LPCH President, Chris Dawes; LPCH CIO, Ed Kopetsky

Only 30% of University IT staff are in central units (excludes SLAC & Hospitals)

Total = 1,300
Central IT: 380 (30%)
Medicine: 270 (21%)
Libraries: 210 (16%)
Admin Units: 200 (16%)
Other Acad Units: 160 (12%)
GSB: 60 (5%)

Information Security at Stanford


CISO
Security Operations: 8
Consulting: 6
School of Medicine: 4

Information Security Goals


No incidents attributable to a lack of best practices
Automated standards enforcement wherever possible
Uniform solutions across the University, Hospitals and SLAC
Balance security with usability and personal privacy
Stanford as a recognized leader in information security

Why I'm On the Panel

July 2013:
Nation-State Sponsored Breach

Three Schools, Commonalities

Common Lessons
1. Community Buy-In is Crucial, Even if Under Duress.
Leadership and inclusiveness: University IT, CIO Council, OCIO, faculty committees
2. Other groups may be resentful. Everyone is FOR Security, but not always happy about losing funds when Security is getting funds.
3. Don't let perfect be the enemy of the good
4. Privacy, Transparency & Accountability

What did Year 1 look like?


What comes next for our panelists?

Stanford Information Security Projects

(Timeline graphic on the original slide, Sep 2013 through Aug 2015, FY2014 Q1 through FY2015 Q4; the placement of each project on the timeline did not survive extraction. Projects shown:)
Password resets
Password resets II
Centralized logging (Splunk): Phase 1
UIT Splunk Phase 2
Splunk as a Service
2-Step HW tokens
Win2003 elimination
Microsoft infrastructure
Vulnerability protection for Windows (EMET)
Password complexity
Email attachment filtering
Endpoint encryption mandates
PBHs
AirWatch MDM
Legacy MDM to Airwatch migration
Windows XP migration
Payee Portal
App specific passwords
Risk mitigation for remaining XP machines
App whitelisting (AppLocker)
Application whitelisting (Bit9)
Broad Bit9 deployment
Intrusion detection (OSSEC)
Vulnerability scanning service (Qualys)
Ongoing vulnerability detection and remediation
Endpoint Compliance Management System
Two-step auth
DLP (Code Green)
Enhanced two-step auth (Duo)
Isolated network segments for highly vulnerable devices
Establish security standards
Promulgate security standards
PCI DSS v2 environment
PCI DSS v3 environment
Merchant website hosting
Anti-spam (Proofpoint)
Tiered Password Policy

Two-Factor Authentication for All


Completed rollout to all 105K accounts in October, 2013
60K active two-factor users

Campus-Wide Endpoint Encryption

Stanford Minimum Security Standards: Endpoints

(Table on the original slide with High Risk / Moderate Risk / Low Risk columns and icons marking recurring tasks and services provided free of charge; which controls apply at which risk tier is not recoverable here.)

Patching: Apply security patches within 7 days of publish. BigFix recommended. Use a supported OS version.
Whole Disk Encryption: Enable FileVault 2 for Mac, BitLocker for Windows. SWDE recommended, option to use VLRE instead. Install MDM on mobile devices.
Malware Protection: Install antivirus (SCEP recommended). Install EMET on Windows.
Backups: Backup user data at least daily. University IT CrashPlan PROe recommended (option to set personal password). Encrypt backup data in transit and at rest.
Inventory: Review and update NetDB records quarterly. Maximum of one node per NetDB record.
Configuration Management: Install BigFix and SWDE.
Regulated Data Security Controls: Implement PCI DSS, HIPAA, or export controls as applicable.

Stanford Minimum Security Standards: Applications

(Table on the original slide with High Risk / Moderate Risk / Low Risk columns and icons marking recurring tasks and services provided free of charge; which controls apply at which risk tier is not recoverable here.)

Patching: Apply security patches within 7 days of publish. Use a supported version of the application.
Inventory: Maintain a list of applications, data classifications, and volume estimates. Review and update records quarterly.
Firewall: Permit minimum necessary services in network firewall.
Dedicated Admin Workstation: Access administrative accounts only via a certified Personal Bastion Host (PBH).
Two-Step Authentication: Require Duo two-step authentication for all interactive user and administrator logins.
Privacy, Security and Legal Review: Request a Data Governance Board review and implement recommendations before deployment.
Centralized Logging: Forward logs to a remote log server. University IT Splunk service recommended.
Vulnerability Management: Monthly Qualys app scan. Remediate severity 5 vulns within 7 days, severity 4 vulns within 14 days, and severity 3 vulns within 28 days of discovery.
Secure Software Development: Include security as a design requirement. Review all code and correct identified security flaws before deployment. Use of static code analysis tools recommended.
Credentials and Access Control: Review existing accounts and privileges quarterly. Enforce password complexity. Logins with SUNet credentials via WebAuth/SAML recommended.
Developer Training: Attend two days of Stanford Information Security Academy training annually.
Backups: Backup application data at least weekly. Encrypt backup data in transit and at rest.
Regulated Data Security Controls: Implement PCI DSS, HIPAA, or export controls as applicable.

Stanford Minimum Security Standards: Servers

(Table on the original slide with High Risk / Moderate Risk / Low Risk columns and icons marking recurring tasks and services provided free of charge; which controls apply at which risk tier is not recoverable here.)

Two-Step Authentication: Require Duo two-step authentication for all interactive user and administrator logins.
Patching: Apply security patches within 7 days of publish. Use a supported OS version.
Centralized Logging: Forward logs to a remote log server. University IT Splunk service recommended.
Dedicated Admin Workstation: Access administrative accounts only via a certified Personal Bastion Host (PBH).
Privacy, Security and Legal Review: Request a Data Governance Board review and implement recommendations before deployment.
Inventory: Review and update NetDB + SUSI records quarterly. Maximum of one node per NetDB record.
Malware Protection: Deploy Bit9 in high enforcement mode. Review alerts as they are received.
Firewall: Enable host-based firewall in default deny mode and permit minimum necessary services.
Intrusion Detection: Deploy Bit9 on supported platforms, otherwise use OSSEC. Review alerts as they are received.
Credentials and Access Control: Review existing accounts and privileges quarterly. Enforce password complexity. Logins with SUNet credentials via Kerberos recommended.
Vulnerability Management: Monthly Qualys scan. Remediate severity 5 vulns within 7 days, severity 4 vulns within 14 days, and severity 3 vulns within 28 days of discovery.
Sysadmin Training: Attend two days of Stanford Information Security Academy training annually.
Physical Protection: Place system hardware in a data center.
Regulated Data Security Controls: Implement PCI DSS, HIPAA, or export controls as applicable.

minsec.stanford.edu
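The Vulnerability Management rows of the Applications and Servers standards above set one remediation clock: severity 5 within 7 days, severity 4 within 14 days, severity 3 within 28 days of discovery. The script below is an added example, not Stanford's tooling and not part of the original slides, that applies that rule to a scan export and lists what is overdue. The CSV column names, hostnames, QIDs and finding titles are constructed for the example and do not reproduce a real Qualys report; "within N days" is read as a deadline of discovery date plus N days, with the following day counting as overdue, which is an assumption of the example.

```python
import csv
from dataclasses import dataclass
from datetime import date, timedelta
from io import StringIO

# Remediation windows from the standards, keyed by Qualys severity:
# severity 5 within 7 days, 4 within 14, 3 within 28 days of discovery.
# The slide sets no deadline for severities 1 and 2, so they are absent.
REMEDIATION_DAYS = {5: 7, 4: 14, 3: 28}

# Constructed sample scan export. Column names, hostnames, QIDs and
# titles are made up for this example, not a real Qualys report layout.
SAMPLE_CSV = """\
dns,qid,title,severity,first_detected,status
web01.example.edu,91045,Sample critical finding,5,2015-04-20,Active
web01.example.edu,38170,Sample medium finding,3,2015-03-01,Active
db01.example.edu,19456,Sample high finding,4,2015-04-25,Active
db01.example.edu,86002,Sample low finding,2,2015-01-05,Active
app02.example.edu,91045,Sample critical finding,5,2015-04-28,Fixed
"""


@dataclass(frozen=True)
class Finding:
    host: str
    qid: int
    title: str
    severity: int
    first_detected: date
    fixed: bool


def parse_findings(text):
    """Turn the CSV export into Finding records."""
    findings = []
    for row in csv.DictReader(StringIO(text)):
        findings.append(Finding(
            host=row["dns"],
            qid=int(row["qid"]),
            title=row["title"],
            severity=int(row["severity"]),
            first_detected=date.fromisoformat(row["first_detected"]),
            fixed=row["status"].strip().lower() == "fixed",
        ))
    return findings


def due_date(finding):
    """Deadline is discovery date plus the window; None when no window applies."""
    days = REMEDIATION_DAYS.get(finding.severity)
    return None if days is None else finding.first_detected + timedelta(days=days)


def sla_report(findings, today):
    """Bucket open findings: overdue (days late), due (days left), or no_sla.

    A finding is on time through its due date and overdue from the next day;
    that reading of "within N days" is an assumption of this example.
    """
    report = {"overdue": [], "due": [], "no_sla": []}
    for f in findings:
        if f.fixed:
            continue  # closed in the scanner; nothing left to track
        due = due_date(f)
        if due is None:
            report["no_sla"].append(f)
        elif today > due:
            report["overdue"].append((f, (today - due).days))
        else:
            report["due"].append((f, (due - today).days))
    # Worst first: highest severity, then most days late.
    report["overdue"].sort(key=lambda item: (-item[0].severity, -item[1]))
    # Soonest deadline first.
    report["due"].sort(key=lambda item: item[1])
    return report


def report_for(csv_text, today_iso):
    """Parse the export and report as of an ISO date string."""
    return sla_report(parse_findings(csv_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    rep = report_for(SAMPLE_CSV, "2015-05-06")  # date of the panel
    for f, late in rep["overdue"]:
        print(f"OVERDUE {late:3d}d  sev{f.severity}  {f.host}  QID {f.qid}  {f.title}")
    for f, left in rep["due"]:
        print(f"due in  {left:3d}d  sev{f.severity}  {f.host}  QID {f.qid}  {f.title}")
    for f in rep["no_sla"]:
        print(f"no SLA        sev{f.severity}  {f.host}  QID {f.qid}  {f.title}")
```

Run against the sample as of the panel date, the severity 5 finding on web01 is 9 days past its 7-day window, the severity 3 finding on the same host is 38 days late, the severity 4 finding on db01 has 3 days left, and the severity 2 finding is listed without a deadline because the standard sets none. Sorting overdue items by severity before age keeps the highest-severity open finding at the top even when an older low-severity one has been outstanding longer.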

Themes for the Year Ahead


Adoption, adoption, adoption
Good to Great
Advanced capabilities
Prototype, pilot, beta, fail fast, iterate

Additional Lessons Learned


Incidents expose technical debt
Be good stewards of funding
Relationships are key

Penn Proposals
Administrative/Policy
1. Formalize Charter & Governance
2. Establish (2) Governance committees
3. Package/Promote/Maintain Program
4. Training & Awareness Program improvements
5. Internal Audit evaluations
6. Develop key standards
7. Publish and/or update policy
8. Transparency and Accountability Program

Technical
1. Inline blocking
2. Improve attribution
3. Central logging
4. Advanced Network Analytics
5. Additional Segmentation (incl.
quarantine).
6. Credential analytics
7. Penetration Testing program
8. Password Manager
9. Threat monitoring
10."Compliance" network

Penn, Add'l Lessons

Hard to prioritize Technical with Administrative/Governance related items
Think long term (governance, charter, a seat at the table in the future), but be prepared that someday you'll be asking for money and they may only fund 1 thing
Peer data helps; where will you get it?

Our Project Guiderails:
1. Perfect is the enemy of good
2. Program maturity enables later operational success
3. G.S.D. Get Stuff Done

INVESTMENTS IN SECURITY

Proposals from President's IT Security Task Force
Security Governance
Enhance Awareness
Policy Development
More Technical Stds
Broad Risk Assessment
Update Retention Policy
Limit Use of Sensitive Data
Desktop PII Round-up
Multi-Factor Authentication
Enhance Security Infrastructure
New IdM Framework
Increase IT Security Staffing
Less open environment

YEAR 1 PROJECTS
Created IT Security Advisory Committee (hand picked
membership)
ITSAC Taking Lead on Risk Assessment and Policy Work
Expand Security Staff: Additional Engineer + 2
Assurance/Compliance, 9 Students
Quarterly Pen Test Engagements w/ Outside Firm
Campus-wide Identity Finder rollout
Duo Security: slowly expanding scope

YEAR 1 CONTINUED
Swap out HP/Tippingpoint for Palo Alto
Tufin Firewall Management
Rebirth of Data Policy Advisory Committee and Office of
Data Administration

Maryland, Add'l Lessons Learned

Very Easy to Spread the Talent Too Thinly, Project Thrashing
You quickly find out what doesn't scale when you go campus wide
You have NEVER found all of the PII; it seeks out cracks in which to hide
Don't Let Artificial Deadlines Become Commitments on Your President's Performance Review
Everything Else That You Are Supposed to Do Doesn't Go Away
You can play the Emergency card only so many times when dealing with State Procurement

Panel Discussion and Q&A


Open poll option provided for submitting free-form text (questions, comments, etc.) to be displayed on screen while the panel is taking place

Closing Thoughts
Penn
Stanford
Maryland
Brown

(minute to win it)

There is never enough time; thank you for some of yours.

Joshua Beeman, CISO, University of Pennsylvania
jbeeman@isc.upenn.edu
(215) 746-7077

Michael Duff, CISO, Stanford University
mjduff@stanford.edu
650-721-3111

Gerry Sneeringer, CISO, University of Maryland
sneeri@umd.edu
(301) 405-2996

David Sherry, CISO, Brown University
david_sherry@brown.edu
401-863-7266