Defining University

IT Security Today
and Tomorrow
John L. Baines, AD, IT Policy & Compliance, OIT Security & Compliance Unit
CSAM 2013 event - jlbaines@ncsu.edu - (919)513-7482
Date: Tuesday 10/22/2013
Time: 12 noon to 1 p.m.
Place: Avent Ferry Room 112

University IT Security is Difficult!

University Values:
Openness
Independance
Sharing
Variety

IT Security Requires:
Monitoring
Prevention
Boundaries
Controls & Standards

More of a perception than a reality...

Context of Government pressures

Government wants universities to operate more
like businesses:

Cut expenses
Accountability for funding, rather than education
Achieve cost-efficiency
Generate more of own income

Can be seen in part in emphasis on:

Foundation donations
Research grants

ISO 27XXX Timeline

27000 to 27005 - Basics

27000 - Overview & vocabulary
27001 - ISMS (How to? - formal specification)
27002 - Best practices (What to? - controls)
27003 - Implementation guidance for 27001
27004 - Infosec metrics
27005 - Infosec risk management

ISO 27XXX current status

22 standards published
34 standards being updated or in
preparation
5 new work items being considered

eDiscovery
Investigative project coordination (12, 38, 41, 42, 43)
Personally Identifiable Information (PII) and Privacy
Taxonomy
Supply Chain Security

Most ISO 27K publications expand on

27001/27002 in more detailed guidance, for
specific industries, or special IT disciplines

ISO 27000 Overview & Vocabulary

Initial version introduced 2009

Second edition 27000:2012 current
Overview - how to plan & implement ISO 27K
Introduction to information security, risk
management and management systems
ISM terms being transferred from existing
ISO27k standards as new versions published
Available as a FREE digital download
ISO/IEC & IEEE terms are searchable
online

ISO 27002:2013
Synchronized with ISO 27001:2013
To reflect current best practice, the updated ISO/IEC 27002:2013 is
the reference handbook for selecting controls for use within an
Information Security Management System (ISMS) based on ISO/IEC
27001. It can also be used as a guidance document for any
organization wishing to implement commonly accepted information
security controls.
Title Code of practice for information security controls
Technically and structurally revised over ISO 27002:2005
Comparison

27002:2005

27002:2013

11

14

Objectives X.Y

39

35

Controls X.Y.Z

133

114 +++

Clauses

ISO 27002 Structure

Clause - X (e.g. 13. Communications
Security)
Objective - X.Y (e.g. 13.2 Information
Transfer
Control - X.Y.Z (e.g. 13.2.1...)
Implementation Guidance where the rubber meets the road.
NCSU-SecurityFramework-DetailedAnalysis-withPrioritization-Revised

ISO 27002:13 Clauses & Objectives

- comprehensive

UNC ITSC Security Framework - Goals

1. Develop a common framework by which each UNC
campus can develop their campus IT Security Policies
2. Design a framework which is designed to meet the
broad and unique range of security requirements on
each campus:
Administrative Systems, Academic Systems,
Research Systems, Student/Faculty/Staff access
3. Provide guidelines, direction and best practice
examples to campuses as needed
4. Provide a uniform compliance environment for the NC
Office of the State Auditor and other Governmental
Agencies (e.g. DoD!)

The UNC System Security Framework

- UNC Cause 2011
Presenter(s): Chuck Curry,
Margaret Umphrey, Paul Hudy

The UNC CIOs charged the

UNC Security Council to come
up with
a security framework that
could be implemented on
each UNC campus and
provide a common
measurement baseline
The Security Council has put
forward the ISO 27002
framework

Each UNC-System campus

Evaluating current policies
and procedures against that
framework.
Establishing a current
baseline
Producing an internal gap analysis
Plan for moving toward and
maintaining compliance
This framework mapped to other
documents and standards
NIST
CoBIT,
NC Statewide Information
Security Manual,
etc.

UNC Systems Security Framework ISO 27002 - UNC Cause 2012 (1)
Presenters:
Mardecia Bell NC State University
Paul Hudy General Administration
Margaret Umphrey East Carolina University

UNC Systems Security Framework ISO 27002 - UNC Cause 2012 (2)
Reported:
December 2011: The UNC-ITSC recommended the
adoption of ISO 27002 as common security framework
January 2012: UNC CIO Council accepted
recommendation
April 2012: Chancellors of all UNC system institutions
submitted letters to UNC-GA indicating adoption
July 2012: Each campus performed a gap analysis of
ISO 27002 framework and existing policies.

UNC Systems Security Framework ISO 27002 - UNC Cause 2012 (3)
Policies, gaps, priorities, status:
Crosswalk Notate existing policies ->
Identify gaps
Risk assessment:
Analyze gaps
Describe plans for compliance, mitigation, or
alternative controls

Priorities and costs

Implement
Over 80% UNC System IT Security Units have completed
gap analysis & risk assessment - submitted to UNC-GA.

ISO 27002 Benefits

Stakeholder confidence increased

Technology independent
Strategic comprehensive baseline
Basis for assessing risk & cost trade-offs
More accurate & reliable security audits
More effective tactical security

Adoption of ISO 27002 - UNC System

Licensing:
UNC-GA purchased a system-wide license of ISO/IEC
27002 from the American National Standards Institute
Each campus makes the ISO 27002 standard available
as a read-only reference to all faculty, staff and students

Addressing Identified Gaps - Each Campus:

Setting prioritization
Establishing an implementation plan
Gross estimate of work required for compliance
ITSC collection & sharing of policies and best practices

Compliance versus Security

Compliance 27002
Sets a baseline
Gives a list of best practices that are accepted as
reasonably comprehensive
Does not guarantee security

Must go further than strict compliance

Must accommodate change:

Environment
Threats
Controls
Techniques

Compliance must not equal complacency!

Questions?

http://shop.bsigroup.com/ProductDetail/?pid=000000000030186138
http://www.27000.org/iso-27002.htm
http://webstore.iec.ch/preview/info_isoiec27002%7Bed2.0%7Den.pdf
http://www.itgovernance.co.uk/shop/p-1463-an-introduction-to-isoiec-27001-2013.aspx#.Ul3ysVA_v-c
http://orangeparachute.com/services/iso-270012013-transition-services/?gclid=CO28hMmhmroCFYWe4AodtF4AmQ
http://cms_apps.ncat.edu/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=18&type=2

Function specific guidelines

IT particular

Legal evidence

1.
2.
3.
4.

1.
2.

5.
6.
7.
8.
9.

27017/27018 will be cloud computing

27031:2011 is business continuity
27032:2012 covers cybersecurity
27033 is / will cover IT network
security
27034 is application security
27035:2011 on IS incident
management
27039 concerns IDS/IPS (Intrusion
Detection and Prevention Systems)
27040 guideline on storage security.
27044 guideline on SIEM (Security
Incident and Event Management)

3.

4.
5.

27037:2012 covers digital evidence.

27038 will be a specification for digital
redaction.
27041 guideline on assurance for
digital evidence investigation
methods.
27042 guideline on analysis and
interpretation of digital evidence.
27043 guideline on digital evidence
investigation principles and
processes.