Title: FY 08 NETWORK PLANNING TASK FORCE
FY 08 NETWORK PLANNING TASK FORCE
- Information Security Looking Forward
10.29.07
NPTF Meetings FY 08
- 1:30-3:00pm in 337A Conference Room, 3rd floor of 3401 Walnut Street
- Process
- Intake and Current Status Review July 16
- Agenda Setting Discussion September 17
- Strategy Discussions October 1
- Security Strategy Discussions October 29
- Security Other Strategy Discussions November 5
- Prioritization FY09 Rate Setting November 19
NPTF Meetings FY 09
- February 18 - Operational review
- April 21 - Planning discussions
- June 2 - Security strategy session
- July 21 - Strategy discussions
- August 4 - Strategy discussions
- September 15 - Preliminary rates/security
- October 6 - Strategy discussion
- November 3 - FY10 Rate setting
Today's Agenda
- Security Strategy Discussions
- Security Planning Today
- Prevention
- Defense in Depth
- Increase Efficiency
- Proposed 3 Year Plan
Security Planning Today
- Have a security strategy and plan
- Rolling 3 year plan
- Focus on prevention (not reactive)
- Defense in depth
- Goal: Find ways to say yes while minimizing risk, reducing vulnerabilities, and the overall cost of security
Prevention
- Continue to increase user awareness
- Leverage Learning Management System to deliver security awareness and training to broad community
- 75% of data breaches are caused by user error [1]
- Policies and controls
- SPIA
- Infrastructure and tools
- Next generation PennKey
- Central authorization
- Laptop encryption
1. "Taking Action to Protect Sensitive Data", IT Policy Compliance Group, Feb, 2007
Defense in Depth
- Continue to Expand Layers of defense
- Build and maintain a robust security infrastructure
- Next generation PennKey
- Central Authorization
- Supplement strong authentication with logging
- Security Event Management in place at 45.8% of peer institutions [1]
- Consider building upon logging initiative with fraud detection
1. "Taking Action to Protect Sensitive Data", IT Policy Compliance Group, Feb, 2007
Increase Efficiency
- Reduce costs to affiliate with third party systems
- Shibboleth
- Central authorization - centrally managed groups
Security Approaches Implemented by Doctoral/Research (DR) Institutions [1]
1. "Safeguarding the Tower: IT Security in Higher Education 2006", EDUCAUSE Center for Applied Research
Proposed 3 Year Plan FY 08
- SPIA
- LSP Training
- SSN Policy
- New Employee Awareness
- Central Authorization Service (PennAccess)
- Hard Drive Encryption
- PennNet Gateway Pilot
- File Sharing Policy
- Shibboleth
- GRADI / Remedy integration
Proposed 3 Year Plan FY 09
- SPIA
- System Administrator Awareness
- Annual Security Awareness strongly encouraged for all staff
- Next Generation PennKey
- Desktop Server HIPS
- Logging Service
- Intrusion Detection (local)
- Local systems begin to utilize central authorization
- Plan database encryption and logging
- Investigate central SSN vaulting
Proposed 3 Year Plan FY 10
- SPIA
- Annual Security Awareness for all faculty
- Database Encryption Policy
- Central SSN Vaulting Service
- Recommended Application Security Testing Tools
- Always-on Critical Host Scanning
- Database Logging
- Logging Service
- Fraud detection
Discussion