Friday, August 9, 2013

Universities and Schools under cyberattack: How to Protect your Institution of Excellence - Webinar

Date: Wednesday, August 28, 2013
Time: 11:00 AM to 12:00 PM Eastern
Industry: Education
Topic: Universities and Schools under cyberattack: How to Protect your Institution of Excellence

CPE Credits: A certificate of completion will be provided upon request to attendees who need the event to count toward CPE credits.

The New York Times recently reported that universities face a rising barrage of cyberattacks.  University officials acknowledge that they often do not learn of cyber break-ins until much later, if ever, and that even after discovering a breach they may not be able to tell what was taken.  Recent cyber-threats have also targeted schools and, in some cases, entire school districts.

Universities in the U.S. are undeniably among the coveted innovation centers of the world, where the best minds converge to bring cutting-edge inventions and innovations to the fore.  Being targets of cyberattacks does nothing to help the solid brand and reputation that U.S. universities have worked hard to build over the years.

Schools and educational institutions too have established a long-standing reputation of being centers of learning and excellence for young minds who will go on to shape our futures.

But the information security challenges faced by universities, schools, and educational institutions are very different from those faced by typical corporations.

A university's success rests on the free flow of information, open collaboration across borders, and thinkers of international standing coming together to exchange ideas and learn; that openness is hard to reconcile with tight perimeter controls.  Schools face a slightly different set of challenges: their students are much younger and potentially seen as easier targets.

If you represent a university, school, or educational institution and have either faced or are concerned about facing a cyberattack, join ERM for this webinar where we will discuss what you can do to protect your center of excellence from becoming a vulnerable target for hackers.
 
About The Speaker
Brandon Witte is an information security expert with Enterprise Risk Management, Inc.  He has worked closely with several universities and educational institutions, offering guidance and technical expertise on securing their information assets and infrastructures.  His core technical expertise is in security penetration testing and infrastructure-wide security assessment spanning a wide range of technical platforms and implementations.  He also has significant experience performing enterprise-wide security risk assessments, including highly technical risk assessments for several educational institutions and centers of excellence.

You can register here.

Thursday, August 8, 2013

FedRAMP Compliance - What You Should Know…In 5 Minutes!


Do you know what FedRAMP is?  Do you know that it affects you if you provide pretty much any cloud-based product or service?  Do you think you need to comply with FedRAMP only if you want to do business with the Federal Government?  Do you know how your competitors in the cloud space are using FedRAMP to their advantage?  If any of these questions applies to you, read on.


FedRAMP In Short

You’re busy and don’t have time to spend researching and understanding the Federal Risk and Authorization Management Program (FedRAMP).  Perfect! Read on.

A quick and dirty way to understand FedRAMP is to think of it as the Federal Information Security Management Act (FISMA) of cloud computing.  The Federal Government was an early adopter of cloud-based products and services, but soon realized that the onus of information security and due diligence needs to rest on the cloud provider rather than be borne separately by each of its agencies.  So it devised FedRAMP on the operationally successful FISMA model, using a baseline of NIST SP 800-53 controls, and required that a cloud service provider (including sellers of both cloud-based products and services) undergo an independent assessment by an accredited Third Party Assessment Organization (3PAO) and apply for an Authorization to Operate (ATO).

So, FedRAMP is not really a "regulation" or a "certification" as much as it is an "authorization".  A cloud service provider can apply for this authorization itself, or a Federal agency can sponsor it.  At the top sits the Joint Authorization Board (JAB), which includes the CIOs of the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA); the JAB grants a provisional authorization (P-ATO) that individual agencies can then rely on when issuing their own ATO, rather than each agency repeating the full assessment.

Bottom line for cloud service providers: if you want to do business with the Federal Government, a FedRAMP authorization is unavoidable.

Cloud Service Provider…Nope, not us!

One of the most misunderstood phrases in relation to FedRAMP is the term "Cloud Service Provider".  Taken literally, you could be excused for thinking that you do not fit the definition if you merely sell a cloud-based product, if only a tiny part of your product is "out there in the cloud", or if you are really a service provider that offers a cloud-based product as a small part of your service.  The fact is that if any of those apply to you, then you too are a Cloud Service Provider for FedRAMP purposes.

I don’t care…I don’t do business with the Federal Government!

Firstly, why not?  The Federal Government is a market worth exploring: reports estimate that the U.S. Federal Government cloud computing market will grow at about 16% CAGR over 2013-2018 to reach $10 Billion by 2018.

But you’re right: technically, you have no need to go through the process of obtaining a FedRAMP ATO if you don’t intend to do business with the Federal Government.  But we’re not talking only about the ATO here.

An interesting thing about FedRAMP is the way it has gathered momentum around the U.S.  FedRAMP was the "first mover" in defining a foundational security standard for what a secure cloud should look like.  That first-mover advantage has given FedRAMP significant weight even in the private sector.

Cloud Service Providers have started looking at FedRAMP as a way to add credibility to their cloud-based offerings.  Because FedRAMP is popular, well-known, and heavily discussed, these companies gain leverage by attaching a FedRAMP tag to their products.  It’s almost the equivalent of saying, "We didn’t have to comply with FedRAMP, but we decided to anyway".  Note that there is no real need to actually obtain a FedRAMP ATO for this; it is a matter of implementing the baseline set by FedRAMP so that you can offer equivalent security in your cloud to customers who expect the highest levels of security.  No ATO, no 3PAO assessment.  The caveat is that a self-declared "FedRAMP-aligned" claim carries no independent verification, so be precise about what you are claiming.

It’s also important to note that the FedRAMP baseline, built on NIST SP 800-53, is among the most stringent sets of cloud security requirements in use today.  Choosing FedRAMP as the baseline for your cloud is therefore a wise move, because you can then more easily satisfy specific customer security requirements or other frameworks that customers may require your cloud to comply with.

FedRAMP Baseline Implementation and Audit

If you’re on your way to adding the FedRAMP tag to your cloud offering, make sure you interpret the requirements of the FedRAMP baseline controls accurately and adequately.  The controls can appear open-ended, so it is important to know where to draw the line on scope, or the effort can become a black hole for your budget.  On the other hand, if you interpret them too loosely, you end up with a false sense of compliance with the baseline.

A critical success factor in implementing the FedRAMP baseline is a mock audit or readiness assessment.  Having an independent and experienced set of eyes review the implemented controls against the baseline will save you a lot of pain and effort when (or if) you undergo the final 3PAO assessment.

With the momentum behind FedRAMP, it could well go on to become a commoditized requirement of sorts.  FedRAMP could be the next business driver.