Balancing Agility, Openness, and Security
University of Northern Colorado & University of Colorado Boulder
About the presenters
Matt Langford, Chief Information Security Officer, UNC
• (ISC)² CISSP-ISSMP, PCIP (previously QSA and PA-QSA)
Background
• Auditor/Penetration Tester for Payment Applications
• Auditor for Data Security Standards
• Anti-Malware Architect for IBM
About the presenters
Dan Jones, Chief Information Security Officer and Chief Digital Accessibility Officer
Background
• 20 years of professional experience with IT in support of higher education and K-12
• Developing the security program at CU since 2001
• Master of Science degree in Software Engineering from Regis University, and now also affiliate faculty
Agenda
• Briefly define the subjects:
  – Agility
  – Openness
  – Security
• Securely facilitating agility and openness
Agility
What does it mean to be agile in information technology at an educational institution?
• Easy to access
• Easy to use
• Quick turnaround
Openness
What does it mean to be open in information technology in an educational institution?
• Sharing of ideas
• Using information freely
• Few barriers to exchanging information
Security
What does it mean to be secure in information technology in an educational institution?
• Data is described and classified
• Data is secure
• Appropriate access
Facilitating Agility and Openness
• Education
• Reasonable Policies
• Risk Management Approach
• Data Classification
Facilitating Agility and Openness
• Access
• Authentication
• Encryption
Facilitating Agility and Openness
• Permissions
• Malware
• System Management
Education
• End user security education
• Need-to-know presentations
• Staff and faculty awareness
Reasonable Policies
• Acceptable use
• Individual and departmental responsibilities
• Expectation of policy literacy
rea·son·a·ble (rēˈzə-nə-bəl) adj. Governed by or being in accordance with reason or sound thinking: a reasonable solution to the problem.
Path to Reasonableness
• Realize we have a problem, understand the scope of the problem, and understand our sphere of influence
• Negotiate the vision of what CU looks like if the problem is solved
• Craft the principles required to address the problem
• Establish the vision as an institutional priority and identify the roles and responsibilities required to achieve it (aka Policy)
• Build a roadmap with measurable objectives
Risk Management vs. Compliance
• Compliance is important
• Purely compliance-based programs are problematic
  – Do not motivate change
  – Do not address root cause
  – Force problems into the shadows
• Understanding and managing risk is more important
Prioritizing Risk Over Compliance
• Forces you to understand business needs
• Provides a more complete understanding of options, including non-IT options
• Less likely to miss potential issues
  – The vast majority of risk in IT environments is not missing controls, but rather controls that are not deployed correctly and thus provide a false sense of security.
• Provides critical information to leadership, who can then enable and guide management to meet policies and standards and to comply with federal and state laws and regulations
• Places responsibility for accepting risk with leadership
Example from HIPAA
• Significant financial impact for compliance failures
• The regulatory framework provides flexibility to “reasonably and appropriately” implement the regulations.
  – In deciding which security measures to use, a covered entity must take into account the following factors:
    • The size, complexity, and capabilities of the business unit.
    • The covered entity’s technical infrastructure, hardware, and software security capabilities.
    • The costs of security measures.
    • The probability and criticality of potential risks to electronic protected health information.
• We created one private data security standard to address HIPAA, PCI DSS, PII, etc. (note: assumes data classification!)
Data Classification
Knowing what data you are working with.
• Is it Personally Identifiable Information (PII)?
• Is it health information?
• Is it financial information?
• Is it sensitive information?
• Is it private information?
• Is the information governed by internal or external policies, guidelines, compliance, or regulation?
Access
One of the most effective and least resource-intensive tools.
• Principle of least privilege
• Using role-based permissions
• Auditing permissions
• Reviewing the access log
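As an added example (not part of the slide deck), a small least-privilege audit that ties the bullets above together: it compares each account's granted permissions against a role baseline, flags grants that were never exercised in the access log, and flags log activity with no matching grant. The role baseline, accounts and log lines are all constructed for illustration.

```python
"""Least-privilege audit over constructed sample data (added example; the
slide deck contains no code). Roles, accounts and log lines are constructed."""
from collections import defaultdict

# Constructed role baseline: the permissions each role is expected to hold.
ROLE_BASELINE = {
    "registrar": {"student.read", "student.write"},
    "advisor": {"student.read"},
    "dba": {"student.read", "student.write", "db.admin"},
}

# Constructed accounts: assigned role and the permissions actually granted.
ACCOUNTS = {
    "alice": ("advisor", {"student.read", "student.write"}),  # exceeds role
    "bob": ("registrar", {"student.read", "student.write"}),
    "carol": ("dba", {"student.read", "db.admin"}),
}

# Constructed access-log lines: "<timestamp> <user> <permission> <result>".
ACCESS_LOG = """\
2024-03-01T09:00:00Z alice student.read ALLOW
2024-03-01T09:05:00Z bob student.write ALLOW
2024-03-01T09:10:00Z bob student.read ALLOW
2024-03-01T10:00:00Z carol db.admin ALLOW
2024-03-01T10:02:00Z dave student.read ALLOW
2024-03-01T10:05:00Z carol student.write ALLOW
"""

def parse_log(text):
    """Return {user: set(permissions exercised)} from the log text."""
    used = defaultdict(set)
    for line in text.splitlines():
        _ts, user, perm, _result = line.split()
        used[user].add(perm)
    return used

def audit(accounts, baseline, log_text):
    """Return (user, finding, permission) tuples for review."""
    used = parse_log(log_text)
    findings = []
    for user, (role, granted) in accounts.items():
        for perm in sorted(granted - baseline[role]):
            findings.append((user, "excess", perm))         # beyond the role
        for perm in sorted(granted - used[user]):
            findings.append((user, "dormant", perm))        # never exercised
        for perm in sorted(used[user] - granted):
            findings.append((user, "ungranted-use", perm))  # used without grant
    for user in sorted(set(used) - set(accounts)):
        findings.append((user, "unknown-account", ""))      # no account record
    return findings
```

Each "excess" and "dormant" finding is a candidate for removing a grant; "ungranted-use" and "unknown-account" findings point at a gap between the permission records and what the system actually enforces.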
Authentication
What you know, what you have, what you are.
• Sufficient complexity
• Multiple-factor authentication
• Passphrase policy
• Reporting
Encryption
Protecting your data at rest and in transit.
• Database
• Application
• Web
• Transmission
• Key management
• System
Permissions
Industry standards that can easily transition to education.
• How to talk about permission controls
• Implementing reasonable controls
• Managing controls
• Exception process
Malware
Our networks will become infected with malware, but we should take all reasonable measures to protect ourselves.
• Reasonable anti-malware strategy
• Protect connected resources/users
• Managing controls
• Exception process
System Management
Making sure our networks are healthy and safe.
• Patch management
• 3rd-party updates
• OS rules and policies
• Vulnerability management program
Discussion
What challenges do you face?
• Trouble implementing access controls
• Resource management between security & operations
• Managing and implementing encryption
• Working through what protections are reasonable
• Risk management
Contact Information
Dan Jones, CISO, CDAO at CU Boulder
dan.jones@colorado.edu
Phone: 303-735-6637
Matt Langford, CISO at UNC
matthew.langford@unco.edu
Phone: 970-351-1420