TRANSCRIPT
Converting Policy to Reality: Designing an IT Security Program for Your Campus
2nd Annual Conference on Technology and Standards
May 3, 2005
Jacqueline Craig, Director of Policy
Information Resources and Communications, University of California Office of the President
The First Step: Establish Policy
• reflects the institution's core values
• establishes an integrated framework
• identifies objectives ("what" needs to happen)
Policy may include or reference
• elements often included in policy: guidelines, procedures, standards, best practices
• "how" to achieve objectives
Elements of security policy
Policy should identify:
• principles
• roles and responsibilities
• scope
• identification of measures that comprise your security program
Moving from Policy to Reality
Create a Security Program
→ a road map
→ an action plan
→ a means of ensuring policy compliance
throughout the campus community
IT Security Program
The means to implement IT policy
• it is a management concern – not just the responsibility of IT
• input from administration, faculty, staff, students
• publicize widely – must be an open process
• security planning must be incorporated into every management level
• leverage campus governance structure
Campus Governance
• establishes the risk management philosophy of the enterprise
• articulates the ethical values of the enterprise
• establishes the operating style
• assigns authority and responsibility
Not only an enabler: an integral part of enterprise governance
• Is the CIO at the head table?
• Do IT personnel participate in business decisions?
• IT governance cannot be separated from the governance of the enterprise
• Enterprise governance structure must include IT personnel at every level
• Is there a campus Security Officer?
• Is there a campus-wide committee to address security?
Campus Security Committee
• represent campus-wide interests in information security
• brings matters of information security to executive management
• develop campus-wide strategy
• provide direction, planning, and guidance in the area of information security
→ develop and review campus-wide information security program
IT Security Program
• assignment of responsibility
• risk assessment requirements
• security plan
– mitigation plan
– identification of internal controls
IT Security Program
• business continuity
– emergency operation
– disaster recovery
• incident response and mitigation
• education and security awareness plan
• evaluation of program’s effectiveness
IT Security Program
• establishes governance for security – management and administration
• ensures network defense – architecture and security strategy
• implements protection management – resources, procedures, projects
Risk Assessments
• purpose: help management create appropriate strategies and controls for stewardship of information assets
• a process to understand and document potential risks to information assets
• scope can vary
– managerial view: institutional, division, department
– IT view: systems, application
• outcome: create a security plan
Risk Assessments
May be mandated by policy or statute
• Gramm-Leach-Bliley Act – Financial Modernization Act (G-L-B)
– implemented by the May 23, 2003 FTC Safeguards Rule
– established standards for administrative, technical, and physical safeguards for customer information
• Health Insurance Portability and Accountability Act (HIPAA)
– Security Rule compliance effective April 2005
Risk Assessments
Purpose and scope determine the assets to be covered in the risk assessment
• Privacy: usually a focus on safeguards to protect data and resources
• Criticality: focus is often on operations
Risk Assessments
Approaches:
• identify and classify information assets
• identify processes – how does information flow through IT resources?
• identify key players
• identify types of resources – data centers, application systems, workstations, portable equipment?
Methodology Overview
• may be formal (institutional) or informal (departmental review)
• create a risk assessment team
– set scope
– identify assets to be covered
– categorize potential losses
– identify threats and vulnerabilities
– identify existing controls
– analyze the result of the data collected
Create a Security Plan
• determine appropriate controls to address vulnerabilities and risks revealed by assessment
→ administrative/management/operational
→ logical/technical
→ physical measures
• identify minimum requirements
• identify procedures
Access Authorization and Authentication
• Identity Management – infrastructure for access authorization
• establish procedures for verification of identity
• facilitate role-based authorization or authorization assignment
• issuance of strong authentication credentials
• termination procedures
Data Classification
How is data classified?
• What is protected by law?
• What are the disclosure requirements?
• What privacy or criticality mandates apply?
Data Classification
FIPS Publication 199 impact levels

Objective         Low                      Moderate                 High
Confidentiality   limited adverse effect   serious adverse effect   severe or catastrophic adverse effect
Integrity         limited adverse effect   serious adverse effect   severe or catastrophic adverse effect
Availability      limited adverse effect   serious adverse effect   severe or catastrophic adverse effect
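The following is an added example, not part of the slides: it applies the FIPS 199 Low/Moderate/High levels from the table above to a few constructed campus information types, renders the FIPS 199 security category notation, and computes the system-level high-water mark that FIPS 199 defines for a system hosting several information types. The asset names and their levels are illustrative assumptions.

```python
# Added example (not from the slides): FIPS 199 categorization of constructed
# campus information types. Impact levels come from the table above; the
# system high-water-mark rule is FIPS 199 Section 3. Asset values are made up.
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")   # ordered least to most severe

@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        # Reject anything outside the three FIPS 199 levels
        for lvl in (self.confidentiality, self.integrity, self.availability):
            if lvl not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {lvl!r}")

def security_category(t: InfoType) -> str:
    """Render the FIPS 199 SC notation for one information type."""
    return (f"SC {t.name} = {{(confidentiality, {t.confidentiality}), "
            f"(integrity, {t.integrity}), (availability, {t.availability})}}")

def high_water_mark(types) -> dict:
    """Per-objective maximum across every information type on a system."""
    hwm = {"confidentiality": "Low", "integrity": "Low", "availability": "Low"}
    for t in types:
        for obj in hwm:
            lvl = getattr(t, obj)
            if LEVELS.index(lvl) > LEVELS.index(hwm[obj]):
                hwm[obj] = lvl
    return hwm

def system_impact(types) -> str:
    """Overall impact level: the highest of the per-objective high-water marks."""
    return max(high_water_mark(types).values(), key=LEVELS.index)

# Constructed sample: information types hosted on one hypothetical student system
STUDENT_SYSTEM = [
    InfoType("student records", "Moderate", "Moderate", "Low"),  # privacy focus
    InfoType("course catalog", "Low", "Moderate", "Low"),
    InfoType("campus alert list", "Low", "Moderate", "High"),    # criticality focus
]

if __name__ == "__main__":
    for t in STUDENT_SYSTEM:
        print(security_category(t))
    print("overall impact:", system_impact(STUDENT_SYSTEM), high_water_mark(STUDENT_SYSTEM))
```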
Workforce
• EDUCATION
– customize training according to roles
– identify responsibilities of supervisors, IT staff, researchers – everyone
– ensure security reminders for new threats
• PROCEDURES – manage flow of information
• BACKGROUND CHECKS for critical positions
Business Partners
• contracts and agreements
• confidentiality agreements
Logical (technical) Security
• establish means to ensure:
– software updates
– installation of security patches
– intrusion detection
– scanning for vulnerabilities
– password management
– protection against viruses
• establish encryption key management plans
→ employ technology-implemented policy compliance where possible
Physical Security
Consider use of professionally-managed data centers
• ensure appropriate controls for
– hardware, software, and administration
– physical access controls
– backup
– business continuity and disaster recovery
– device and media controls
– procedural controls
Physical Security
When data centers cannot be utilized
• identify rules for
→ departmental servers
→ desktop computers
→ portable devices
Stolen laptops account for 60 percent of security breach notifications in California
Incident Response
• identify an Incident Response Manager (may be a person or a team)
• establish explicit procedures for
– reporting suspected incidents
– decision tree for resolution
– summary reporting
• feedback loop for remediation
• revisit existing controls
Publicize to the Entire Community
Communicate with academic, administrative, and student communities
• town meetings
• hearings in standing committees and user groups
• newsletters, websites, mailing lists
→ ensure a constant flow of information to every segment of your community
Re-evaluate Security Program
• role of auditors or external review
– trained in enterprise risk management
– ability to identify and assess risks
– understand interrelated impacts
– recommend appropriate control activities
– perform role of monitoring the enterprise
Resources
• Educause – http://www.educause.edu/Cybersecurity/
• Security Standard: ISO 17799
• National Institute of Standards & Technology – Computer Security Division
– Special Publications (800 series) and FIPS pubs
– http://csrc.nist.gov/publications/index.html
• Audit Framework Documents
– Enterprise Risk Management Framework – COSO (Committee of Sponsoring Organizations of the Treadway Commission)
– IT Governance Institute – Control Objectives for Information and related Technology (CobiT Framework)