IT Security Today
and Tomorrow
John L. Baines, AD, IT Policy & Compliance, OIT Security & Compliance Unit
CSAM 2013 event - jlbaines@ncsu.edu - (919)513-7482
Date: Tuesday 10/22/2013
Time: 12 noon to 1 p.m.
Place: Avent Ferry Room 112
IT Security Requires:
Monitoring
Prevention
Boundaries
Controls & Standards
Cut expenses
Accountability for funding, rather than education
Achieve cost-efficiency
Generate more of own income
eDiscovery
Investigative project coordination (12, 38, 41, 42, 43)
Personally Identifiable Information (PII) and Privacy
Taxonomy
Supply Chain Security
ISO 27002:2013
Synchronized with ISO 27001:2013
To reflect current best practice, the updated ISO/IEC 27002:2013 is
the reference handbook for selecting controls for use within an
Information Security Management System (ISMS) based on ISO/IEC
27001. It can also be used as a guidance document for any
organization wishing to implement commonly accepted information
security controls.
Title: Code of practice for information security controls
Technically and structurally revised relative to ISO 27002:2005
Comparison            27002:2005    27002:2013
Clauses                       11            14
Objectives (X.Y)              39            35
Controls (X.Y.Z)             133           114 +++
+++ : the 2013 control set is more comprehensive
UNC Systems Security Framework ISO 27002 - UNC Cause 2012 (1)
Presenters:
Mardecia Bell NC State University
Paul Hudy General Administration
Margaret Umphrey East Carolina University
UNC Systems Security Framework ISO 27002 - UNC Cause 2012 (2)
Reported:
December 2011: The UNC-ITSC recommended the
adoption of ISO 27002 as common security framework
January 2012: UNC CIO Council accepted
recommendation
April 2012: Chancellors of all UNC system institutions
submitted letters to UNC-GA indicating adoption
July 2012: Each campus performed a gap analysis of
ISO 27002 framework and existing policies.
UNC Systems Security Framework ISO 27002 - UNC Cause 2012 (3)
Policies, gaps, priorities, status:
Crosswalk: notate existing policies -> identify gaps
Risk assessment:
Analyze gaps
Describe plans for compliance, mitigation, or
alternative controls
Setting prioritization
Establishing an implementation plan
Gross estimate of work required for compliance
ITSC collection & sharing of policies and best practices
Environment
Threats
Controls
Techniques
Questions?
http://shop.bsigroup.com/ProductDetail/?pid=000000000030186138
http://www.27000.org/iso-27002.htm
http://webstore.iec.ch/preview/info_isoiec27002%7Bed2.0%7Den.pdf
http://www.itgovernance.co.uk/shop/p-1463-an-introduction-to-isoiec-27001-2013.aspx#.Ul3ysVA_v-c
http://orangeparachute.com/services/iso-270012013-transition-services/?gclid=CO28hMmhmroCFYWe4AodtF4AmQ
http://cms_apps.ncat.edu/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=18&type=2
Legal evidence