OSHEAN eCurrent - Page 34

Q: How has the proliferation of mobile devices impacted security measures? tion and provide authority to implement proce- A layered approach is essential not only for At CCRI, the college has adopted a security perimeter security at the network and indi- awareness program to both educate and justify vidual workstation level as well. The use of actions to the user community. network access controls, data loss prevention Q: There is a renewed push for companies to weaken encryption methodologies so governments can more easily access data during investigations, what impact would such policies have on your organization / constituents? technologies and advanced persistent threat monitoring are essential so that all activities flowing through the network are being evaluated for potential malware or leaks of infor- dures such as frequency of password changes. mation. Stringent policies, with buy-in from There may be privacy concerns with faculty, executive leadership, outlining what behaviors staff and students. The college’s practice and are acceptable and which behaviors won’t be policies has always been to practice due dili- tolerated must be created. Employees need to gence in terms of security while at the same know of, and understand, the potential dangers time imposing constraints that will protect if their system or the network is compromised. the exposure of personal identity information. End users are on the front lines of keeping data While this is not a big problem for the college secure. it will provide a new “backdoor” to the college network. As such it is critical that the governBRUCE BARRETT ment access be totally secure terms in terms Director of Networking and Telecommunications for Information Technology, Community College of RI of people, process and technology to prevent exploitation by hackers. The college recognizes this as authorized access supported by writ- What’s the value of your information worth on the black market? I N FO R MATI O N VA L UE ME T H OD 1,000 Stolen Email Addresses $0.50 — $10 Spam, Phishing Credit Card Details $0.50 — $20 Fraudulent Purchases Scans of Real Passports $1 — $2 Identity Theft Stolen Gaming Accounts $10 — $15 Attaining Valuable Virtual Items Custom Malware $12 — $3,500 Payment Diversions, Bitcoin Stealing 1,000 Social Network Followers $2 — $12 Generating Viewer Interest Stolen Cloud Accounts $7 — $8 Hosting a Command-and-Control (C&C) Server 1 Million Verified Email Spam Mail-outs $70 — $150 Spam, Phishing Registered and Activated Russian Mobile Phone SIM Card $100 Fraud ten legal authority from the government (i.e., Q: In such complex IT environments, how do you balance security & usability? In general, access management technology limits the user access to only resources that he or she has been previously approved to access (as is required to perform their job function). analogous to a search warrant). Due diligence is always the practice in terms of compliance requirements (which is taking an increasing amount of time and resources) and to follow pre-established best practices and controls as already defined in the NIST Framework. Such framework controls are also the justifica- 34 | CURRENT 2015-2016 Stronger Together | 35