Fy 08 NETWORK PLANNING TASK FORCE

1
Fy 08 NETWORK PLANNING TASK FORCE

• Information Security Looking Forward

10.29.07
2
NPTF Meetings FY 08

• 130-300pm in 337A Conference Room, 3rd floor
  of 3401 Walnut Street
• Process
• Intake and Current Status Review July 16
• Agenda Setting Discussion September 17
• Strategy Discussions October 1
• Security Strategy Discussions October 29
• Security Other Strategy Discussions November
  5
• Prioritization FY09 Rate Setting November 19

3
NPTF Meetings FY 09

• February 18-Operational review
• April 21- Planning discussions
• June 2- Security strategy session
• July 21-Strategy discussions
• August 4- Strategy discussions
• September 15- Preliminary rates/security
• October 6- Strategy discussion
• November 3- FY10 Rate setting

4
Todays Agenda

• Security Strategy Discussions
• Security Planning Today
• Prevention
• Defense in Depth
• Increase Efficiency
• Proposed 3 Year Plan

5
Security Planning Today

• Have a security strategy and plan
• Rolling 3 year plan
• Focus on prevention (not reactive)
• Defense in depth
• Goal Find ways to say yes while minimizing
  risk, reducing vulnerabilities, and the overall
  cost of security

6
Prevention

• Continue to increase user awareness
• Leverage Learning Management System to deliver
  security awareness and training to broad
  community
• 75 of data breaches are caused by user error1
• Policies and controls
• SPIA
• Infrastructure and tools
• Next generation PennKey
• Central authorization
• Laptop encryption

1. "Taking Action to Protect Sensitive Data", IT
Policy Compliance Group, Feb, 2007
7
Defense in Depth

• Continue to Expand Layers of defense
• Build and maintain a robust security
  infrastructure
• Next generation PennKey
• Central Authorization
• Supplement strong authentication with logging
• Security Event Management in place at 45.8 of
  peer institutions1
• Consider building upon logging initiative with
  fraud detection

1. "Taking Action to Protect Sensitive Data", IT
Policy Compliance Group, Feb, 2007
8
Increase Efficiency

• Reduce costs to affiliate with third party
  systems
• Shibboleth
• Central authorization - centrally managed groups

9
Security Approaches Implemented by
Doctoral/Research (DR) Institutions1
1. Safeguarding the Tower IT Security in Higher
Education 2006 EDUCAUSE Center for Applied
Research
10
Proposed 3 Year Plan FY 08

• SPIA
• LSP Training
• SSN Policy
• New Employee Awareness
• Central Authorization Service (PennAccess)
• Hard Drive Encryption
• PennNet Gateway Pilot
• File Sharing Policy
• Shibboleth
• GRADI / Remedy integration

11
Proposed 3 Year Plan FY 09

• SPIA
• System Administrator Awareness
• Annual Security Awareness strongly encouraged for
  all staff
• Next Generation PennKey
• Desktop Server HIPS
• Logging Service
• Intrusion Detection (local)
• Local systems begin to utilize central
  authorization
• Plan database encryption and logging
• Investigate central SSN vaulting

12
Proposed 3 Year Plan FY 10

• SPIA
• Annual Security Awareness for all faculty
• Database Encryption Policy
• Central SSN Vaulting Service
• Recommended Application Security Testing Tools
• Always-on Critical Host Scanning
• Database Logging
• Logging Service
• Fraud detection

13
Discussion