INFOSEC: information security news from the University System of Georgia, Oct. 2009

Information Security News from the University System of Georgia Vol. 01 No. 04 October 2009
NEW ISO SELECTED FOR SYSTEM OFFICE

ATLANTA, GEORGIA - The University System Office is pleased to announce the selection of Kevin L. Moore as the new Information Security Officer (ISO). The scope of responsibility for this position includes USO centrally hosted applications and systems that support over 30 universities or colleges as well as both the Atlanta and Athens System offices.
Kevin's extensive background and experience as a banking and finance industry ISO has given him a working knowledge of disaster recovery, project management, multiple hardware and software technologies, and exemplary customer service skills. Please extend your congratulations to Kevin and offer your support as he constructs and refines the System's security measures. He can be reached at kevin.moore@usg.edu.

CHANCELLOR SIGNS FIRST INFOSEC PROCLAMATION

ATHENS, GEORGIA - On September 30th, 2009, University System of Georgia (USG) Chancellor Erroll B. Davis signed USG NCSAM-2009, a proclamation declaring October 2009 Cyber Security Awareness Month at a special event at the Office of Information and Instructional Technology.
"Undoubtedly this is one of the most significant information security events to date," said Stanton Gatewood, Chief Information Security Officer for the University System. "The USG is also formalizing an enterprise risk management initiative that ties directly into this. This event not only raises the awareness within the university system but it also demonstrates the support for information security at the senior leadership levels here at the USG."
An excerpt from the text of the proclamation reads as follows: "Whereas, critical sectors are increasingly reliant on information systems to support financial services, energy, telecommunications, transportation, health care, and emergency response systems....I, Erroll B. Davis, Jr, Chancellor of the University System of Georgia, do hereby proclaim the month of October as Cyber Security Awareness Month at the University System of Georgia, its institutions and libraries and encourage all the students, employees and contractors in this System to learn about cyber security and put that knowledge into practice in their homes, institutions, libraries, teaching and research."

LATEST INFOSEC PODCAST
To hear the latest USG Infosec podcast, "National Cyber Security Awareness Month," visit http://itunes.usg.edu/

"Beyond declaring October National Cyber Security Awareness Month, it challenges everyone throughout the year to remain vigilant and diligent both at work and at home," Gatewood continued. "The key issues are that InfoSec is not just IT's responsibility or a once-a-year activity...it's everyone's responsibility 24/7, 365 days a year. The USG InfoSec team is not asking everyone to figure out something over the next 31 days. We are offering employees and citizens resources such as security and privacy tools, checklists, procedures, guidelines, awareness training, and demonstrations. The USG/National Cyber Security Awareness Month 2009 theme is: 'building a culture of awareness and preparedness...'" Join us by visiting http://www.usg.edu/infosec/ncsa

National Cyber Security Awareness Month
National Cyber Security Awareness Month is a national campaign designed to increase the public's awareness of cyber security and crime issues so that users can take precautions to avoid these threats on the Internet. Throughout October 2009, public relations activities, educational programs, events, and initiatives will target home users, small businesses, education audiences (K-12 and higher education), and child safety online.

In 2004, the National Cyber Security Alliance (NCSA), an information technology trade group, launched the inaugural National Cyber Security Awareness Month (NCSAM). The aim of the program was to raise the awareness of computer users in the US, to better alert them to potential threats, and to improve their preparedness for cyber security incidents. In 2006, the Department of Homeland Security adopted the program, and the US House of Representatives adopted a resolution in support of it. So far, more than 40 states have either adopted a resolution in support of the program or otherwise participate in it. The Multi-State Information Sharing and Analysis Center (MS-ISAC), a national collaborative organization for states' information security emergency response, helps coordinate the NCSAM across the US. Today all major software and Internet vendors have signed on to the program under the aegis of the NCSA, whose website is www.staysafeonline.info. Public and private sector enterprises now observe the program by organizing and supporting events as well as providing resources that help raise national awareness.

NCSAM at the USG - In 2009, the University System of Georgia will observe its first, month-long event and will provide various awareness resources to the University System and Georgia Public Libraries. This year, the System is moving forward and plans to organize events around a central theme of "building a culture of awareness and preparedness".

The USG InfoSec website and Twitter stream are being updated to support this year's theme, and additional content will be provided throughout and beyond the month of October in observance of the NCSAM. Our goal is to keep you informed year-round about cyber risks and threats as well as what you can do to mitigate them. We invite everyone to take note of the posters, calendars, fliers and handouts that will be available throughout the month of October in observance of the NCSAM. We also encourage frequent visits to the USG InfoSec website, located at http://www.usg.edu/infosec, now and in the future to learn more about information security, electronic privacy and related issues.
NCSAM EVENTS THROUGHOUT OCTOBER

19-Oct  Continuity of Operations Workshop (Intro to GTA-LDRPS)
20-Oct  Vista Learning and Security Courses
21-Oct  HITECH Act and State Breach Laws - The Financial Nightmare
21-Oct  WEBCAST - Automated Malware Threat Analysis: Getting actionable intelligence on attacks effectively and efficiently
22-Oct  Proactive Application Security
23-Oct  IronKey, The World's most Secure Flash Drive with Identity Protection Services
26-Oct  Payment Card Industry Data Security Standard (PCI-DSS) and Payment Applications Data Security Standard (PA-DSS)
27-Oct  Emergency Operations Planning
28-Oct  USG IT/IS Risk Management Workshop
29-Oct  SANS - Top Cyber Security Risks-Special Report
30-Oct  Information Security Program Reporting (Governor's Executive Order)

CISO TIP: "Most organizations have no way of managing computers once they leave the network. Greater security awareness adds a critical layer of defense in protecting IT assets."

SHIFTING SECURITY PERSPECTIVE

Most leaders answer the daily challenge of new security issues surfacing with more hardware or software or applications, thinking: "I bought a firewall for the enterprise and now we are safe!" Stop! We have for years and years solved our information security problems with IT. Wrong! Here are four things that are certain when it comes to information security:

1. Cost and complexity will increase.
2. The more aware and prepared we are, the more options we will have to protect and defend our assets.
3. System entropy and time are enemies of security.
4. Awareness and preparedness are the answers to a successful security program.

We must shift the security perspective from being just an IT issue by making the following changes:

PERSPECTIVE: FROM -> TO

Scope: Technical problem -> Business problem
Ownership: IT -> Business/Enterprise
Costs: Expense -> Investment
Execution: Intermittent/Reactive -> Integrative/Proactive/Continuous
Approach: Practice-based -> Process-based
Objective: Risk Management -> Continuity of Operations/Resilient

NOW YOU CAN FOLLOW US ON TWITTER: http://twitter.com/usginfosec/

MORE INFORMATION...
USG Office of Information Security
www.usg.edu/infosec

Stanton S. Gatewood, Chief of Information Security, 706-583-2001 or 888-875-3697