ITPG Meeting Notes January 12, 2009

Present: John Ajao, Kip Bates, David Bosso, Ted Cabeen, Michael Coles, Doug Drury, Kirk Grier, Karl Heins, Tom Marazita, Aaron Martin, Elise Meyer, Steve Miley, Alan Moses, Ben Price, Mark Probert, Tom Putnam, Fuzzy Rogers, Glenn Schiferl, Kevin Schmidt, Deborah Scott, Henry Shatavsky, Chris Sneathen, Heidi Straub, Paul Valenzuela.

Action Item: Email names of potential members for Information Security Working Group(s) to Karl at karl.heins@oist.ucsb.edu.

New CISO Introduced

Karl Heins, UCSB's new Chief Information Security Officer, was introduced. Karl gave a brief overview of his background:

• 2000 to 2009:  Director of IT audit for the UC system
• 2000 to 2000:  Chief Financial Officer for CyberBranch, a software company
• 1996 to 2000:  Special Projects Manager at Stanford University
• 1991 to 1996:  Management Services for Gallo Winery and
• 1981 to 1991:  Computer Assurance Manager at Deloitte & Touche

Karl wants to understand our information security challenges and our burdens.

• He’s concerned about what he doesn’t know.
• He wants to learn the bad news sooner rather than later.
• He wants to know where we need information security tools, skills, or other resources. Information security should be based on what is right for UCSB, not on a "best effort."

Karl recognized that substantial information security work is already being done.

Information Security at UCSB

Karl touched on some information security truths:

• Information security touches everyone and is everyone’s responsibility.
• The proper use of information with the required protections are important in operating a research university of the 21st century.
• Information theft is different than the theft of most assets. For example, when a car is stolen, you no longer have the car. When information is stolen, you can still have and be able to use your information.

For the CISO, information security training and awareness will be an area of focus. We will be looking for practical and creative ways of bringing information security awareness to students, faculty, and staff because of the following.

• New and changed threats. It seems the threats have changed from targeting operations and the network to attacking applications, e.g., SQL injection.
• Awareness that a problem may be more than the symptoms indicate. For example, when a computer "acts funny," has it been hacked?
• Information Security in policy, law, regulations and contractual responsibilities continues to change rapidly.
• Consideration should be given to training materials built by someone else. Creative things have been done elsewhere, such as the films in the Educause security film contest.

Information Security Groups

The plan is to reactivate the Security Working Group (SEC-WG). Consideration will be given to creating other Information Security groups that are beyond the scope of the SEC-WG.

• Current members of SEC-WG are volunteers who have an operational (systems or networking) security role.
• Need to establish the charter and mission of the SEC-WG.
• We need to include all of the IT domains that include security:
  • Network
  • IT & Systems security
  • Data Security
  • Identity Management
  • Application Development

Potential topics for consideration include:

• Remote access or the VPN?
• VPN access means valid username and password.
• Two-factor authentication.
• The VPN may allow people to drop into a non-common LAN. Accommodations have been made so that Pueblo Radiation can read Student Health X-rays, and there are point-to-point connections for certain contractors, e.g., BARC and contract processing.
• What can we block, detect, and deal with at the Network layer?
• What are the gaps and issues that people see?
• Self assessments – what resources are available?
• What tools are available and needed to check computers?
• Things have to be done at the individual and desktop level
• What information and controls do we have in the departments?
• Do we have procedures and policies in place that make sense?

Other questions for consideration include the following.

• How do we do a risk assessment, including identifying controls? For example, the risk of a stolen laptop may be to establish the use encryption.
• Should we develop more support for encryption? There is a need to understand when to use it. Should the support include central key management? What are the real needs?

Please email names of volunteers for security working groups to Karl at karl.heins@oist.ucsb.edu.

Comparing the CISO Role to Audit

• Audit is independent from the campus and reports to the Regents. The CISO is not independent, is part of the Campus, and reports to the Campus CIO.
• If there is a difference of opinion on an issue, Audit must escalate the issue to more senior management, potentially escalating the issue to the Regents. For security issues, the CISO may also escalate issues to campus management.
• Audit work is broad, based on annual risk assessment and the directions of the Regents, UCOP, and local management. The CISO’s work is limited to information security for the Campus.
• The CISO role is both as a colleague and supportive. Although the CISO shares responsibility for security with management, the owners have the ultimate responsibility. Audit can report issues to management, but it cannot share responsibility.
• The CISO provides direct support during a breach of security or incident. Audit may be part of the team and provide consultation, but should not directly participate in any key management decisions.
• The CISO helps enable improved security through training, policy development, new procedures, and sharing of best practices. Audit can make recommendations and suggestions, but must maintain their independence.
• Audit provides quarterly reporting to UCOP and the Regents regarding the status of audit findings. The CIO and CISO provide an annual IS-3 self-assessment to the UC CIO. The UC CIO may provide a summary of that information to the Regents.
• The CISO’s job description includes substantial responsibility for policy development. Audit should not be responsible for development of policy.

CISO Enforcement Authority

What is the CISO enforcement authority? The question arose in relation to the issue of SSNs being used as identifiers.

• Where there is policy, law, regulation or guidance, the CISO will help interpret the guidance and assist in establish acceptable procedures.
• The CISO will discusses your practices to protect the data including understanding barriers to better protection. If there are problems, then he will escalate the issue to senior management.

Other Issues

Other observations and issues were raised during the discussion. These are captured for consideration by security working groups.

• IT professionals need to be involved in many decisions. Often implementation of decisions requires involvement of the IT.
• A consistent risk assessment format and structure is needed.
• A standard, usable cost/benefit approach is needed for mitigations.
• Security breach still needs attention; there have been many breaches of security within the UC system. The most common involves stolen laptops.
• Security breaches at other locations within the last year have resulted from our vendors not adequately protecting our information.
• Security is a concern of granting agencies which could have an impact on research, e.g., with the VA and State Health administration. A VCR lost their job because the federal government pulled their contracts due to failing to comply with reporting requirements.
• Risk is of different types and occurs at different levels. Guidance is needed, for example, in the following areas.
  • Operational risks
  • Policy, risk assessment. Iit was noted there is a security steering group led by Betty Huff regarding health records, where the functional units have the responsibility for security.
  • The different requirements for different classes of data.
• Everyone should be included in policy development; policy needs to reflect a shared commitment.
• There is a need to identify all compliance risk areas – Conflict of Interest, Animal Subjects, Stem Cell Research.
• Risks need to be ranked to enable work now on the most important risks first.
• The ISA recruitment (NB: opened 1/19/09) will provide additional information security technical help. That position will evaluate tools, and develop documentation and training for technical staff.
• The vision for reaching out to researchers regarding security is needed.
• When researchers work cross-departmentally, giving guidance is often difficult.
• Researcher computers have breaches because their systems aren’t patched.
• Researchers are concerned about the security of their information.
• Currently there is a question on the proposal intake process ($5M/$194M is applicable.) They need to identify data, determine the vulnerability of the data storage, and assess the threats to the data.
• Is sufficient care taken when third parties handle UC data? There are risks that the third party could have a breach, or we could lose control of our data. In some cases UC is able to audit their controls. This is a management responsibility. Review purchasing appendix DS about controls.
• It isn’t right to expect the people who do computer support to carry the message of information security to the PI, Chair, or Deans.
• The campus role related to UC-wide security groups, such as UCITPSO (UC Information Technology Policy & Security Officers) should be established to benefit from work of others.
• Maybe the EISPG should be involved?