Service Business Case - Central Washington University



Service Business CaseNetwork SecurityTable of Contents TOC \h \z \u \t "Heading 2,1" Executive Summary PAGEREF _Toc347312853 \h 31.Problem Definition PAGEREF _Toc347312854 \h 42.Addressing Problem with CWU existing tools and products (i.e. PeopleSoft) PAGEREF _Toc347312855 \h anizational Impact PAGEREF _Toc347312856 \h 44.Benefits PAGEREF _Toc347312857 \h 55.Strategic Alignment PAGEREF _Toc347312858 \h 56.Cost PAGEREF _Toc347312859 \h 57.Alternatives (add lines as necessary) PAGEREF _Toc347312860 \h 68.Timing / Schedule (add lines as necessary) PAGEREF _Toc347312861 \h 69.Technology Migration/Resource Identification PAGEREF _Toc347312862 \h 610.Product Life/Application Sunsetting or Decommissioning PAGEREF _Toc347312863 \h 611.References PAGEREF _Toc347312864 \h 712.Recommendation PAGEREF _Toc347312865 \h 713.Approvals PAGEREF _Toc347312866 \h 7Executive SummaryIn our current environment, Central Washington University does not implement any intrusion detection or intrusion prevention systems (IDS/IPS). These systems are network security devices that reside on the network and listens to the traffic. The purpose of these devices is to detect intrusions as they happen and then prevent them from intruding on our network. This includes protocol-based inspection, protection against advanced malware, zero-day attacks, Distributed Denial of Service Attacks, and botnets.The need for an effective intrusion detection/prevention solution is driven primarily by:Best practice: We currently do not have any way of detecting intrusions on our network other than from a forensic perspective. PCI / HIPAA Compliance: Both the PCI and HIPAA federal compliance standards require that an IDS/IPS system is in place.Cedar Crestone Security Recommendations: The Cedar Crestone security assessment indicates that the implementation of an IDP/IPS system is a critical part of the deployment of the PeopleSoft Portal environment.Sponsoring Department(s): Security Services Department Date of Business Case Preparation: 10/8/13 Contact Person Name/Phone: Andreas Bohman / 2499 FORMCHECKBOX New Product/ServiceIf there is a draft or sample contract, please provide a copy. FORMCHECKBOX Renewal of Existing Product/Service – if checked, include background information.If there is a site license agreement, existing contract or new contract draft, please provide a copy.Problem Definition Central Washington University currently does not have any systems or devices in place to detect intrusions on our network. While we have firewalls in place, these devices are not designed to detect intrusions in what is otherwise considered to be valid traffic into our network. In order to provide for network security based on best practice, federal compliance requirements, and the Cedar Crestone security recommendations, we have to implement an IDS/IPS system.PCI Compliance Language:11.4 Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic at the perimeter of the data environment as well as at critical points inside of the data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up-to-date.Addressing Problem with CWU existing tools and products (i.e. PeopleSoft)This is a network security equipment purchase and there are no other solutions that provide this functionality in our environment. Organizational ImpactStakeholders: The primary stakeholders are the Security Services and Information Services departments. There is expected to be minimal impact on the rest of the CWU staff. Training Requirements: Depending on the solution that is decided upon, there will be training required for the technical staff tasked with managing the IDS/IPS solution. All Stakeholders:DepartmentNameSecurity ServicesAndreas BohmanSecurity ServicesJamie SchademanSecurity ServicesBarbara BissonITSChris TimmonsITSDavid Hart Benefits As we are currently not able to inspect network traffic as it enters our environment, this is a much needed functionality. We will also be in a much better position to ensure the confidentiality, integrity, and availability of our customer’s confidential information. In addition, we have to implement a solution that meets federal compliance requirements in order to avoid non-compliance consequences. Lastly, as we deploy the PeopleSoft Portal, we will be able to prevent intrusions into our business-critical data.Strategic AlignmentStudent success: CWU believes that student success is best achieved by providing supportive learning and living environments that encourage intellectual inquiry, exploration, and application. Strategic Alignment: By providing for a secure yet highly available environment, we ensure ready access to information will still providing our students with the confidence that we will protect their confidential information. Shared Governance: CWU believes that shared governance is most effective when information systems and decision-making processes are both robust and transparent. CWU believes that communication channels should be open and two-way and that faculty, staff, and students should be empowered to participate in the governance systems.Strategic Alignment: Securing our customer data is an important part of building and implementing robust and transparent information systems and decision-making processes.CostThere is currently no funding for this business case. The Security Services department is currently soliciting quotes from vendors for the purchase of an IDS/IPS solution. The cost of the equipment is estimated to be $75,000.00 -$100,000.00. ItemUnitCostEquipment Purchase1$100,000.00Annual Maintenance1$10,000.005-Year Cost$140,000.00Alternatives (add lines as necessary)AlternativeReasons For Not Selecting AlternativeDo nothingExposure to intrusions into our business-critical data. Timing / Schedule (add lines as necessary)Task Target DateEvaluate RFQ responses12/15/2013Select Vendor12/16/2013Purchase Equipment01/01/2014Initiate Implementation01/15/2014Complete Implementation02/01/2014Technology Migration/Resource Identification ResourceJanFebMarAprMayJuneJulyAugSeptOctNovDecSecurity Admin1510ITS 155Total Hours3015Product Life/Application Sunsetting or DecommissioningThe expected product life for the IDS/IPS solution is 5-6 years. ReferencesCedar Crestone Security Recommendations PCI Compliance DocumentationHIPAA Compliance DocumentationRecommendationIt is recommended that CWU purchases an IDS/IPS solution in order to detect and prevent intrusions into its network and data environments. ApprovalsThe following actions have been taken by the appropriate Sub-Council (ATAC or Non-Academic Sub-Council) and University Enterprise Team:DateAction By10/10/2013Presented to Non-AcademicAndreas Bohman10/14/2013Approved for Review by cabinetNon-academic10/14/2013Presented to EISCAndreas Bohman10/14/2013Approved for Review by cabinetEISC Upon approval by the Enterprise Team (ET) or one of the two Sub-Councils (Academic or Non-Academic), CWU procurement policies and procedures should be used to initiate a purchase.? Please contact the Purchasing office at x1001 with any questions regarding the procurement process.If you have any questions, please contact Sue Noce 963-2927 or Tina Short 963-2910. ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download