Masters Project Presentation - PowerPoint PPT Presentation

About This Presentation
Title:

Masters Project Presentation

Slides: 21
Provided by: mckinleyb

Transcript and Presenter's Notes

Title: Masters Project Presentation


1
Masters Project Presentation
  • University Information Security Program
    Implementation
  • Presented by Masters Candidate Mckinley H.
    Burnette Jr.
  • Old Dominion University

2
Overview
  • This is a real-world project designed to
    establish a formal Information Technology
    Security Program within the Hampton University
    Center for Information Technology. Hampton
    University is a private university located in
    Hampton, VA. HU has approximately 6,000 students,
    with satellite campuses in Virginia Beach and
    Roanoke, VA.
  • The university has a DS3 connection to the
    internet. Campus connectivity is wired, utilizing
    fiber with Gigabit switches and 10 to 100 Mbps to
    the desktops.

3
Objective
  • To assure the availability, accuracy,
    authenticity and confidentiality of information
    on and/or leaving the University information
    technology infrastructure while maintaining
    compliance with state and federal regulations.

4
Applicable Regulations
  • Sarbanes-Oxley (SOX)
  • HIPAA
  • Gramm-Leach-Bliley Act of 1999
  • ISO 17799

5
Methodology
  • A top-down methodology was used in our design and
    implementation of this program, using the
    Security Systems Development Life Cycle and best
    practices from the ten Common Body of Knowledge
    domains of the CISSP and from the SANS Institute.

6
Initial Scope
  • During interviews with the CIO and the Systems
    Team manager, it was decided that the initial
    scope of the University Security Program should
    center on the Enterprise Services Group. The
    Enterprise Services Group oversees all hardware
    and software used for the business and
    administrative services of the University. The
    logic of this approach is to organize, standardize
    and mobilize the Information Technology (IT)
    Department. Once organization, standardization
    and mobilization have occurred, the scope of the
    program will increase to include additional
    business processes and departments.

7
Tasks
  • Conduct an IT Security Asset Inventory
  • Implement Change Management
  • Conduct a Risk Assessment

8
Deliverables
  • Written policies and procedures.
  • Clearly defined roles and responsibilities for
    each team.
  • Established (daily, weekly, monthly, annual) tasks
    for each team.

9
Goals
  • To foster synergy and coordinate the security
    efforts amongst HU Center for Information
    Technology Teams.
  • Network Team
  • Help Desk
  • Systems Team
  • Banner Team
  • Web Team
  • Media Productions
  • Data Conversion and Management Laboratory

10
Risk Assessment
  • The risk assessment is based on reviews of the
    asset inventory and interviews with team managers
    and team members.

11
Risk Assessment Components
  • Executive Summary
  • Introduction
  • Statement of Work
  • Analysis
  • Findings
  • Conclusions

12
Asset Classification
  • Hampton University IT assets were classified by
    their asset team owners into categories
    identifying their mission criticality. Assets
    were assigned to categories L1 through L4.
  • Level 1 / L1: Mission-critical services, e.g.
    TCP/IP, UDP
  • Level 2 / L2: Mission-critical applications, e.g.
    Banner
  • Level 3 / L3: Storage devices, non-mission-critical
  • Level 4 / L4: All other non-mission-critical
    applications

13
Phase I
  • Objective: To form a team that will coordinate
    the security efforts of the Network Team, Help
    Desk, Systems Team, Banner Team and Web Team.
  • Initial attendance: Representatives from the
    Network Team, Help Desk, Systems Team and Web
    Team.

14
Phase I Tasks
  • Clearly defined roles and responsibilities.
  • Establish tasks (daily, weekly, monthly, annual).
  • Security Inventory
  • Risk Assessment
  • Change Management
  • LOG Security Systems
  • Documentation Standards Track IT to include
    network Infrastructure, help desk tools and
    Systems teams items.
  • Patch Management Strategy
  • Security Audits
  • Incident handling.

15
Security Initiatives
  • Proofpoint Implementation
  • Veritas NetBackup 6.0
  • IT Security Web Page
  • Wireless Authentication (RADIUS)
  • Systems Management Server

16
Proofpoint Protection Server
  • The Proofpoint Protection Server is a powerful
    software application that integrates virus
    protection, spam detection, regulatory
    compliance, and digital asset protection
    technologies into an extensible message
    management platform.

17
Lessons Learned
  • A communication plan is critical.
  • Must receive the support and backing of the CIO.
  • Written policies must be in effect in order to
    enforce best practices and standards.
  • Send reminders leading up to deadlines.
  • Provide detailed instructions for task
    accomplishment.

18
Lessons Learned (Contd.)
  • Keep management informed.
  • Conduct interviews of department members outside
    the team.

19
Summary
  • The implementation of an IT Security Program has
    been accomplished using a top-down methodology.
    During Phase I, roles were established through the
    implementation of the IT Security Task Force. The
    task force provided a cross-functional
    perspective on the security concerns and policies
    that affect the University.

20
Summary (Contd.)
  • IT security is a continuous process. We must
    continue to progress through the Security
    Development Life Cycle.