
DLCs and departments or whatnot. But how does MIT understand its role in the supply chain? Both as far as who your third parties are, and does anyone consider you critical to their supply chain?

This is just with respect to IT services, or...

Yeah, so generally to IT services, as far as within your world, because I think we'll be talking to some of the other DLCs, and so we'll ask that question pointed to them. But, yeah, as far as what you guys can speak to.

So we do have a Strategic Procurement Office, which is centralized for the most part, so I know all of our contracts and agreements with any vendors need to go through there. I'm just not sure if there's a minimum level or dollar amount that needs to go through them, because I know there are plenty of other small applications or things that probably don't go to them, that DLCs are kind of doing by themselves.

Yeah, I want to double check what their current policies are, because I feel like they change a lot, but I think how it works, especially for software and services, is you're required to go through them. But I think there is a dollar amount threshold for going through their really formal RFI/RFP process, if they're still doing it, I don't know. I feel like with COVID everything was like, let's do a map. And

Yeah, well, we kind of went through that with insurance for a software solution that we were looking at, and so I think it was pretty much the same. Depending on what kind of service or solution it is, you need at least two to three RFPs, and then they go through that entire process. But we do have the procurement folks in VPF; that's where they are organizationally located, within our business and finance organization.

And part of their process is they will ask, I'm not sure the specific wording, but they'll ask about the data sensitivity that's involved. If they feel like I should look at something, they'll ask, and then I'll get, I'm not really staffed for this, but, you know, get SOC 2 reports or ask for a HECVAT and that kind of thing. So that does happen.

And so for any of these solutions or services, either ones that you're procuring or ones that are existing, have you identified any of them as critical to the functioning of MIT or its IT?

Not... I mean, from a CRM perspective, we have not done a risk assessment of applications. I think that's something that I wonder if audit may have done. I mean, they do a risk-based annual assessment of what the areas or some of the applications are that they want to audit. So it may be worth asking them; they may have some, but I don't know if they even rate it based on how critical it is to the organization.

Yeah, I know. I don't think it's very formal, but within the IS&T department, the operations team definitely has their list of things that they think are critical. I mean, I guess it depends on how you want to look at it; if email goes down, it's kind of a big deal. That kind of stuff.

Yeah. So even though it's not formalized, you probably have a good sense of what... Yeah, and typically, from at least a procurement supply chain perspective, I view critical as, hey, if they go down, we go down, we go down with the ship. So, from that perspective, any solutions, not formally but informally, you mentioned email, any third parties where, hey, if they go down, we go down. So,

Jessica, maybe I'm wrong here, but wouldn't that be in the BIA and the BCP and DRP type of documentation? Because I remember the BIA, the business impact analysis, that MIT... I mean, you guys had, I mean, Kerberos and all these sorts of things are important. So maybe it's already documented. What is documented somewhere else is not basically managed by the security group, as Samir makes mention. I don't know, I'm just putting this out there. I think I remember from our previous engagement that I saw a list of criticality per application, and I remember seeing, and maybe I'm wrong, but I mean,

That's what I mean. It's not us, it's the operations team that has this list of applications. So yeah, if Kerberos went down, we're heavily into AWS and VMware and Bichat or whatever it is; if that went down, we're in trouble.

Okay, so it's more infrastructure than application, is that what you're saying?

I mean, I'm trying to think if there's a, sorry, central MIT-wide application. Otherwise, the BIAs and any kind of business continuity plan are done by DLCs at that level, and so there may be different applications at each, but I think MIT-wide it's like Jessica said, it's probably Kerberos and email, SAP maybe from a financial standpoint, that's used. Okay.

So I think, you know, IS&T has the things that they manage. The murky... something that Susan's thought about,

Suzanne? Yeah. So I think they have done... I know that they've done some business continuity planning on the administration side, but not as much on the academic side. That was something that was in the plan before the pandemic, but then, I feel like because of the pandemic, there were a lot of people that did their own BCPs, but I don't know that it's centralized anywhere.

Yeah. And I don't know if anybody really realizes we do.

We're part of consortiums, aren't we? So we supply network access to some schools. I think I can get you more information about that. I don't know if we are really considered critical for anybody else. Yeah.

I mean, apart from our students, that

Like, if we go down and the government can't get the research that they paid for, I don't know if it's... I don't know if it's critical to them that they don't

I mean, I'm wondering... Lincoln Lab is the only thing that comes to mind that may be critical, but

Yeah, we're not... they're not... Yeah, yeah.

So yeah, that would be more of a DLC; they might be critical to some other function, but that's out of the purview of IT's responsibilities.

Well, also, Lincoln Lab is a whole different organization, really. Their network is completely... I mean, they, you know, yeah, they're not in scope for this assessment, for sure. They're doing their own thing.

That makes my job that much easier. All right. So speaking of critical infrastructure, we talked about your supply chain, and I mentioned it to you, I looked at the Cybersecurity and Infrastructure Security Agency. Does MIT fall under any of the critical infrastructure sectors that you're aware of? We have renewable power.

I think... I mean, if there's anything from a research perspective, if there's critical research that's going on in the labs, that's the only thing that I could think of.

Okay, so yeah, again, this is kind of a DLC-specific type question. Completely reasonable. A couple of weeks ago, we talked at a high level about risk management and some of the security initiatives and risk initiatives put forth by MIT. To kind of refresh my memory, how are those initiatives communicated through to the various departments? I don't have the list of risks in front of me, but they have physical security. How is that, as a security objective, communicated out?

From a risk perspective, we have a stakeholder group that is basically people from across the Institute that we meet with, or that they reach out to, if there's anything that we need to communicate. But our work in the risk management area is more risk identification and then assessing the specific risks that have been identified. So if physical security was one of our top risks, then we would be reaching out to people and figuring out how that has been mitigated. But in terms of physical security, honestly, training-wise, we probably did not have a lot of physical security before the pandemic. Now, access, I think, just over the pandemic, access is all basically tied into your ID card. And so I don't know that there's a lot of communication. I think the now.mit.edu website has had a lot of communication that goes out to the entire population in terms of changing policies. That's happened over the pandemic, so that's been new. And then if there are policy changes that are specific to an area, so for example the research area has some policy changes, Maria, who's the VP of Research, would send out communication to all the research folks. So it kind of goes by organization as well. Okay.

And the Atlas website that you just showed us, that would be one avenue to communicate the changes.

Yeah, and trainings as well; those are in the Learning Center. If there are any, that's where they are.

Okay. Um, I don't see that my notes are readily available now, but does MIT have a university-wide information security policy?

So we have the Infoprotect website, which I think I might have signed up... so that's our written information security program. It's not really a policy. We do have policies that refer to this. But basically, it has data risk classifications, low, medium, high, and then tasks or controls for each level. So at this point it's more guidance.

But, you know, how often is this particular, for lack of a better term right now, policy, how often is that reviewed? Is there a particular cadence to update that?

There probably shouldn't be. I think we committed to... we haven't changed much since we made it. It was kind of new, actually. We're still in the rolling-it-out phase, which got a little bit sidetracked by the pandemic. But this website, and the WISP, has been around for a long time to fulfill the Massachusetts law, but we added, I guess, gosh, it's been like three to four, I don't know, maybe more years ago than that, we added the classifications and the actual guidance about what to do to it. But yeah.

So yeah, I think the next step, like Jessica mentioned, we're trying to roll it out by putting a training together that's specific to MIT, so it'll be an in-house training that gets rolled out, and basically just raise awareness around the site and the tasks and drive people to actually do these things. So

Yeah, I mean, and now our goal has shifted to NIST 800-171 compliance for the Institute. And maybe you all can help us with this; that would be the goal: figuring out how we go from this to that, and what that roadmap looks like, and what are we going to do with this? How will this have to change to meet those requirements?

All right, so my next question was, what is this policy based on? What framework is it based off? Sounds like the future state you want is 800-171; as it currently is, was it based off that Michigan statute requiring the WISP?

Massachusetts, as it was sort of started off there. There weren't a lot of requirements that that statute had, as I recall; there was some talk of encryption. But so this was based... well, it was really based on whatever Stanford did, to be honest. But there's a lot of overlap here between all of those frameworks, like the CIS Top 20. But it was closely aligned with what our peers are doing. Okay. Fair

enough. And yeah, definitely. Why rewrite the wheel. I don't think, you know, the plagiarism thing when it comes to policies works. Um, so I noticed you're looking at the website; there's a policy page. I took a quick peek at that. So when we talk about your policies: we have policies, we have standards, and we have procedures. Standards and procedures help implement policies; procedures are step-by-step instructions to help carry out some policies. Do you have any attendant standards and procedures that relate to these policies?

Does the knowledge base have steps, I guess, too? But it's more around tools and how to use those tools.

Yeah, I mean, I think it kind of depends on that. Yeah. If you're talking about these policies specifically, or their procedures with them, like some of them... so I, sorry, go ahead.

Oh, no, no, I was just gonna say, and we'll talk about this more later on, but when it comes to encryption, you probably have a policy that sensitive data may be encrypted depending on its data classification, something like that. But then you have a procedure for, hey, data that's classified as confidential must be encrypted using AES-256, and the encryption keys must be rotated every X amount, every couple of months or what have you. So the question is, do you have documents like that, that are security related?

So, okay, so not what you would probably think of as a policy, but, you know, you mentioned encryption, so we have some things here like enable whole disk encryption. For all these things, it'll link you to the knowledge base. I have to click on "Learn how" and it'll talk about what the options are at MIT for implementing that, what the recommendations are. They're not really what you would probably look for in a policy.

I mean, I guess, going back to the point, it's not really a formal policy. It's just guidance. There are no steps like, this is exactly what you do. It's more like, this is an array of options for how you can do this, and here's some help setting it up.

And then I think for some of these other things, like, I don't know where it went, but there might be, like, DHCP logs, the team that's actually running the DHCP, they probably have procedures and things. I mean, it wouldn't be a policy like what you're talking about, but they would probably have some standard operating procedures written down, like my team has stuff for our workflows for when we're responding to phishing or incident response and that kind of stuff, but it's not super formal.

I mean, the only thing that comes to mind, Jessica, is when we have to renew our certificates and when we are forced to change our passwords. That's probably one thing that we have. There are procedures on how to do that, and that kind of goes out every year, every 365 days, I think, or whatever the time period is. In terms of support, that's the only thing that I can think of on a cyclical procedural basis.

Yeah, and the procedures, yeah, you start getting into the weeds there, and it sounds like, depending on the process, there are documented procedures for certain areas. Okay, that makes sense. And, again, this whole WISP, you said it's not necessarily any sort of requirement, it's all guidance. So when we talk to the various DLCs, does this guidance apply to them as well, or are they responsible for coming up with their own?

Well, the idea was, and one of the reasons why it's presented as an array of options, is that we wanted it to be simple and something that they could customize themselves if they wanted to. So when we did this, we did a lot of pilot projects and focus groups with a lot of the DLCs, so they had a lot of feedback into it, helped us write it, got a chance to adapt it, and really know that it exists. That counts as sort of socializing it as well. So

Yeah, I mean, they're responsible for figuring out how they're going to implement this on their own, but

I guess they're not required to do this, but it is available to them, and a lot of them do; if they know about it, they use it.

Okay, and I don't mean to hang on this comment, but when you say "if they know about it", is there an effort to communicate, hey, this is available to you should you want to embark on your own journey to draft your policies?

Yeah, I mean, this is basically what our annual security email is about, for the other four. So we try to drive people to it. And anytime I talk about anything, I try to link it to Infoprotect, so that it's not this thing that's just kind of orphaned off on the side. But we had, like Sami was talking about, this training that we were working on to just drive awareness of this website and this plan and what it can do for you. That's something that we had been... we were planning this rollout campaign to get people to adopt this, and then the pandemic hit, so we kind of got pushed, but yes,

Definitely understand, different dynamic, definitely realigned priorities. So can't fault you there. Within this document, or anywhere else, really, have you documented or outlined roles and responsibilities vis-à-vis security?

So we have, I guess, a few things. We have this incident response tab that talks about the data incident response team and what that team is responsible for. We have, on the IS&T website, we also have a section for policies, sorry, workplaces, um, which I think some of these are linked on Infoprotect, but not all of them. But it has things like IT staff access to confidential data, and here's the MIT Athena rules of use, the MITnet rules of use. I'm not sure if it really is what you're looking for, but like defining roles... we also actually, to back up a little bit on the Infoprotect site, we have, within the tasks, I don't know if we defined these, I think we maybe did definitions, but we classified each of these tasks by what type of device it applies to, and then also what role, who is responsible for it. So there is the owner of the data, like the end user, the system, or an administrator. This is mainly a way to not overwhelm people when they're coming to this and they're like, I just have a laptop, what am I to do? So we do have that there. I guess we did define... I hope we defined it somewhere. Yeah. But defining who specifically is responsible for a certain set of data, that would be up to the departments to document.

Okay, perfect. Yeah. So I mean, what I had in my mind as far as the best practice goes is a little bit more thorough, or thorough is not the right word, but a little more built out, like you don't have a RACI chart or anything, talking about who's responsible for asset management, vulnerability management, incident response. You've outlined some responsibilities there, but just kind of a holistic view of all the security responsibilities.

Yeah, we have

Because that's gonna differ from DLC to DLC. It's kind of hard. I mean, the incident response team, that's kind of centralized, because we want to make sure that if there's an incident, because that can impact the Institute as a whole... but asset management and other things are all going to be very much localized.

I noticed on the website, on Infoprotect, or actually, this is a follow-up question: so Infoprotect, I have access to that. But the other website you just showed, that you linked to just a moment ago with all those other policies, is that also publicly available? Or is that something available only to internal users?

This should be available; it's just ist.mit.edu. So that's our department's, the IT department's, website. Okay. So yeah, you should be able to get to it. I don't think these policies are behind Touchstone. Yeah. And then we also have policies.mit.edu. So this is all of the policies, and some of them are linked to on Infoprotect and the IS&T website, but there are a couple on privacy and information technology in there.

Okay. Um, so yeah, that Infoprotect website, I noticed there was a section about regulations that MIT has to adhere to. So my follow-up question to that is, who's responsible for identifying those regulations? Do you have in-house counsel, or do you leverage an outside law firm to help you out with that?

We do have in-house counsel. We have, like Sami has, risk and compliance.

So we do have an institute compliance officer who kind of... she has a compliance council, and as part of that we have counsel who focuses on data privacy and other regulations that are related to data and information. And then our institute compliance officer, again, it's mostly a resource and facilitating. So for example, GDPR: she took the lead on bringing together everybody, educating them on what GDPR was, gathering all of that data, and then pushing policy or any practices that needed to be done from a reporting perspective that had to be marketed to everybody, or that everybody needed to be made aware of. So.

Okay, and it sounds like, is that a pretty proactive, not reactive, approach? It sounds like with GDPR you were ahead of the curve before implementation. Okay. Outside of specific compliance topics, GDPR, Gramm-Leach-Bliley, I'm very familiar with GLBA, any other big regulations? You mentioned the Massachusetts security statute. Any other major compliance requirements that IS&T has to be aware of and adhere to?

PIPL is the one coming up, which is China's kind of parallel to GDPR. Okay.

Yeah, we're not really sure how that impacts us.

But again, we're just trying to stay ahead of the curve in terms of educating ourselves. And then NIH, maybe, from a research data perspective; I know there's something that goes into effect next year as far as research data is concerned.

Yeah, I mean, I'm not sure again how much that really impacts IS&T specifically, but I think that's a lot to do with making your research datasets available, that open access kind of thing. But yeah, I think like the CMMC, the NSPM-33, which I don't know if you'd call regulations, but those kinds of requirements that are coming down will impact the whole Institute. I think it's kind of related to GLBA, but the Department of Education is saying they want everybody to be NIST 800-171 for financial aid data. Or they're using GLBA to do the work, anyway. But yeah, we've got those requirements coming too.

So I mean, you definitely have a lot that you have to be aware of. So how does IS&T and Risk and Compliance keep track of all the requirements and what particular controls might map to fulfilling those requirements?

We don't have a GRC tool for that kind of thing. But we talk a lot.

Are there weekly GDPR meetings or something like that, Jessica?

Yeah, biweekly or something, but yeah, we have the GDPR task force, or whatever we call ourselves, with Kate, who's the compliance officer, Jason, our OGC person who's always in the data security stuff, and myself. We meet pretty regularly, and then the other group that developed Infoprotect, which is basically that group plus Samia and our auditor, we still meet pretty much every two weeks. Yeah. And so as far as tracking things that are coming, we're all active in our peer groups with other institutions, you know, just what everybody's chattering about, because usually, I always felt like that's at least how I figure out what's going on.

Understandable, okay. So switching gears here a little bit, and actually I want to do a health check. I want to check on Thomas, David, and whomever: anything on any of the subjects we talked about, or anything really? We only have about 25 minutes left. Anything you wanted to touch upon before I jump into my next questions?

So one of the questions that I have on my side is, based on the guidance that you're providing, Jessica, or the policies that you have in place, how much of that translates to automation and technology that your group is implementing in MIT? Like, you have the guidance based on the risk, but are you applying that guidance and then knowing when people are stepping out of that guidance in some kind of way, or how is that? Okay, just wanted to ask.

That was always something we were... Yeah, it's funny. People would always be like, how is this, what does this mean? Are you gonna enforce it or track us down or whatever? We don't apply it here. And the language of Infoprotect got a lot of, if we said the word "ensure", like, what does that mean? So right now, no, we're not. I mean, I see another driver for Infoprotect was the findings that our internal audit office had; they were doing these engagements with a few DLCs and they kept giving the same feedback to people, that they didn't really have security plans or processes or any of these controls. So instead of auditing everybody and saying the same thing, have one central

repository of that.

So I'm not sure if they actually incorporate Infoprotect in their audits, but probably, hopefully they are. Yeah,

I think they do ask about it. Yeah.

The main reason why I'm asking is because I know that MIT uses AWS heavily, and in the cloud there are multiple ways to automate some of the compliance, I guess compliance monitoring, right? You don't have to fully enforce it. But at the very least, if you have some guidance, you can potentially leverage technology to implement that guidance and see when and where you're stepping out of that guidance, I guess.

Oh, yeah. I mean, you're preaching to the choir. But no, we're not doing any of that right now. But we did recently purchase Zscaler and we're working on implementing that, and part of the purchase is a few things. So what I would want to see, and what we're supposed to be using it for, is enforcing security posture requirements on endpoints before they get on the network. So ensuring that people have CrowdStrike and patching, all of those things. And we also bought the Zscaler module for, I forget what they call it, it was like cloud posture management checking, so you can give it API tokens into your AWS and your Azure and GCP and whatever, and it will do those things where it will check against either, like, a canned policy or your own policies. Yeah, cool.

Okay, cool. So you're using the cloud posture scan that Zscaler provides on top of having the Zscaler edge, and that is allowing you to understand the security posture of the endpoint itself. Right. Okay. That is helpful. And then what is probably still missing is taking these guidelines that you're providing and mapping them to the technology, not to enforce them, but at the very least to understand where you might fall out of compliance with those guidelines, or, I mean, maybe you need to call it 171 or whatever type of standard you're trying to follow. And then from there, if you want to apply it to a specific group, then you can probably try to enforce it if that group needs to be compliant with something. Is that a fair statement?

Oh, yes, yes.

Okay. Just wanted to make sure to ask that question, because when we have that next meeting and we talk more about architecture, one of the questions that is going to be relevant is how are you setting up your architecture and metadata inside MIT to understand each of the assets, right? And if you apply these policies, you don't apply them university-wide, but do you apply them to specific assets that sit on a specific network or under a specific group name? Something like that would allow you to just say, oh, for this research group, I want to apply CMMC or NIST 800-171. And then for everybody else, I mean, you guys are MIT, right? But for this specific group, we want a little bit more of a restrictive type of policy. Oh, yes. All right. That is the only thing that I have on my side, Nick. Just wanted to ask that question for future reference.

Oh, no, no, I definitely appreciate that. Um, so I was gonna jump into something a little less cool, a little less interesting, but I just want to get a sense of how the security team and IS&T is set up here. Is there an organizational chart for IT that shows the overarching leadership and then how security fits underneath that?

Yeah, I think we uploaded it, but if we didn't, I can get it to you.

Oh my God, I double checked the documents right before... okay, you know what, there it is. I just did not... All right, that's on me. So we definitely have it. Okay. I just didn't look at it more recently. So those are good. Well, it's gonna say, so looking at the security workforce, I looked at the org chart, and then you have the security team workforce model, and that has kind of what we were talking about earlier as far as the roles and responsibilities. So I wanted to ask if that's still relevant, or is this maybe an older document?

No, that's my pie-in-the-sky wish list. So that's a planning document; I was asked to come up with a plan for the team to implement all of the stuff we're talking about, like what we want and what we needed. So that's what that is. So I guess, if you're looking at what we're doing now as far as defining roles and responsibilities, I'm not sure if I defined it in that document. Because right now, as far as security centrally, it's just me and Paul and Ryan. So just those little blocks. Obviously, we leverage the work of a lot of other teams, like the network team; they're managing the firewalls, we're not doing anything like that. We're not doing IAM, you know. So, but I can definitely get you... not sure, it might be a little overkill, but you figure out where it is. It may or may not be in here. But we do have these very long documents defining our, I'm seeing here, what do they call them, job families and work roles, and the kinds of things that somebody in the roles would be responsible for. We have two positions right now, a security engineer and a security analyst. So I could get you the documents for those positions if that's the kind of thing, but basically, we're so small, we're just doing all of it.

Okay, fair enough. Is the security budget an itemized budget within IS&T, or does that fall under another part of the budget versus being an itemized line?

It's a separate line, a separate budget. I think that's how they do it. Like, we have a security cost object, and we have two that could be for us. Sometimes it does get a little confusing, because there was a software budget and a lot of the stuff ended up... but I don't know if that answers your question, but I can get you the details and get you the budget.

I don't think... Thomas and David, I don't think the budget is included in the document request list. So I'm not going to necessarily ask for that now, but we might follow up to request that. Right. So a couple of weeks ago... I want to switch gears to touch base on some risk management. Again, we talked a lot about risk management a couple of weeks ago, so I don't want to rehash a lot of what we already discussed. But I do want to revisit the risk assessment process, because, looking at my notes prior to this, it looks like there's an overarching, rotating risk assessment every three to four years that covers each domain. I guess you can very briefly, because we have the notes here, but could you touch upon that, like how often is security risk assessed?

So, information security, I think the last time it was assessed, I want to say it was 2016 or so. And that was actually not done by our office or team. It was like an internal IS&T thing; I believe Charles, a previous, John Charles, I think he had done it, but Tony Sharon had asked him to do that. And so we just kind of took the result that came out of that. And then the next one we've been planning, but actually, because we knew that the RSM one, the one that you guys are working on, was kind of being planned for the last year or so, we didn't want to repeat it. We didn't want to duplicate efforts. And so we thought that we would just leverage what has been done by you, you know.

Moving forward after this year, depending on who does it, are there any plans to develop an assessment strategy to, from year to year, make the risk assessment consistent with a defined methodology?

Yeah, so I think the security risk assessment is a little different, because when we do it, it's at a very Institute-wide level and it's the standard processes, and it's not really looking at what each and every person is doing, but it's more just these key individuals that we kind of get together in a group, and then we're asking them about it. They have the tools and processes to be able to monitor, but we are not actually testing to see what's actually happening, you know, in real life or on a day-to-day basis. That is something that Audit, I know, does in some of their audits. And so I feel like if you do decide to do that, it would have to be, again, I think you'd have to work with Jessica's team to see what's the best way of doing the security risk assessments, at what level do we need to get them done. Would it be on a DLC-by-DLC basis? Maybe there's a sample of DLCs that gets selected that way, or, again, if it's going to be at an overall Institute-wide level. So ours is very high level, the risk assessment that we do.

Okay, definitely, definitely. So we're talking about identifying risks. One way to do this is a risk assessment, like we're doing here with the RSM team. How else might MIT identify security risks? Like, is there any sort of cyber threat intelligence that you or anyone on your team subscribes to?

Yeah, we are members of REN-ISAC, the Research and Engineering Network Information Sharing and Analysis Center. So we get, you know, bombarded with emails from other institutions, and there's also this feed of IPs and URLs and things like that. That's probably the main way that we get information about different vulnerabilities and campaigns and things that are happening and what other people are seeing.

Jessica, I know you talked a little bit about penetration testing. Is that something that you're still planning to do, or have you done that in the past?

I mean, I think it's something that we're gonna have to do for any of these things, and it's in my plan, but right now we don't really do that. There's no formal policy or process for what we're penetration testing or anything, on IS&T-managed things, very much. We do have a contract with Trustwave, which is now VikingCloud, I guess, or they changed vendors, whatever. But anyway, it's through VPF for a few things, a few servers that are in our PCI environment, even though they're not really processing PCI, like actual cardholder data, but we do these automated penetration tests on those servers periodically. There definitely are DLCs, DLC by DLC, where they might do penetration testing on some of their servers, which is really fun when it's in our data center and they don't let us know that's happening. And that does happen. And we have a license for Tenable Security Center, so we have vulnerability scanning capability to detect risks and categorize them.

Okay, we will definitely do a deep dive into vulnerability management, I believe next week. But this question kind of straddles the line between both high-level risks and vulnerability scanning, at least the way that this defines it.

Well, we also subscribe to BitSight, so we get these ratings, for what it's worth.

And I know we're close on time here, but a couple things perked up my ears. What's your opinion on BitSight? How do you find it so far, since you've implemented it?

I mean, so we mainly use it for... we have these different trust zones, you know, that we were talking about earlier, like the academic sections of the network. So we told BitSight what those IP ranges were, so then they can give us a score for each of those segments. And we use those scores when we report to the board. Okay, well, it's helpful for that kind of metric, but it doesn't really translate well. Their algorithm, or whatever you would call it, for coming up with these scores really does not translate well to an academic network or environment, or our environment. And then sometimes they'll change their data and the scores will change drastically, and you don't even really know why. If you pay a little bit more, you get a feed of what their actual findings were that go into the score, so you can fix things or patch things, whatever it is. So we do that. But we found that the data that comes out of that is so messy that it's hard for us... we don't have a system really to do vulnerability management, to tie it back to the owner of the asset and, like, hey, please do this. That step is really hard for us to do right now, especially because the data is so messy. It's not even like, is this entry gonna have a URL, or is it going to have an IP address, or neither or both? Or is it called something different? Or was this a sinkhole, or what was this and when was this? Anyway, I mean, it is what it is. Yeah.

No, I appreciate the candor. In my previous role we used BitSight to evaluate third parties, so it's interesting to see the shoe on the other foot, evaluating yourself. And yeah, a lot of the information is very technical, in almost these huge reports, and I mean, they're really like credit scores; the algorithm is under lock and key. Okay. Oh, also, you mentioned PCI. You have a PCI zone that doesn't really process or store cardholder data, and we talked about regulatory compliance requirements a little bit ago. So why is that called the PCI zone? Like, what's going on there?

So, the way that we handle credit card data, well, I guess it's changed a little bit, but we don't do anything on the network unless it's P2PE validated. So there's that. We have some virtual terminals that are in PCI, but the things I was talking about that we do the penetration testing on, it's a server and database that do redirection for people's... it's been a while since I really got into this thing, but so, like, if somebody has an e-commerce website, this will redirect them to the CyberSource page, which actually has the checkout page and actually takes the sensitive information. But we redirect through this system so that the keys for that API and that merchant are managed by us and not all these random DLCs. So it's not in scope for a cardholder data environment, check me on that with the fully massive change to PCI 4.0, but we do the penetration testing.

Okay. And so when you identify an issue, a security issue, we'll call it a risk or vulnerability, are you assigning a criticality to that issue? Because, you know, we talked about risk management; in risk management you do impact times likelihood. Is there a similar rating exercise for security issues?

I mean, we usually go by whatever the CVE rating is, and then, it's not very formal, but we have a discussion. Like, if something comes out and it's critical, we look at the actual environment and what our exposure is, if we're impacted, to figure out, do we drop everything and patch, or is it something we can wait till the regular cycle, or what the best course of action is. Usually it's drop everything and patch.

Okay, no, yeah, I mean, I'm not gonna fault you for patching quickly. For those larger issues, say, for instance, this might be a bad example in your environment, but, you know, certain data isn't encrypted but needs to be for compliance reasons. Do you maintain a risk register to identify the lack of encryption and then document the response plan?

Yeah, we definitely don't have that.

I appreciate the candor again. I mean, that will definitely be in the report and we'll have an attendant recommendation for that. Okay, I know we're at time here. We didn't cover everything; there's a lot here. David and Thomas and Mara, before we go, are there any other questions before I jump into the next steps?

Not for me.

None for me, either.

None for me. Okay, perfect. So our next meeting is at two o'clock on August 1; that's technical security. What we didn't get to today was a lot of asset management, asset inventory. We kind of touched upon that when we talked about network security, but I want to reevaluate that, especially as it relates to our discussion around BitSight and as it leads into vulnerability management, as well as business continuity. So asset inventory underpins a lot of stuff, so that'd be a great item to discuss in the next couple meetings. I'll get with Tom and the crew to see if we need to schedule a separate meeting to discuss that or whether we can loop it into one of the existing meetings. Any questions on the MIT side?

All right, so...

Well, it's Friday. So hopefully you guys get out early, start your weekend, and we'll meet up on Monday. Thank you. Thank you. Thank you, everybody. Appreciate it.

Transcribed by https://otter.ai
