Educause Security Professionals Conference, April 2006
SEM02A: Information Security & Privacy Policy Development
Copyright Milford, Mitrano, & Schuster, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.
Kim Milford, Information Security Officer, University of Rochester
Tracy Mitrano, Director of IT Policy, Cornell University
Steve Schuster, Director of IT Security, Cornell University
Agenda
- Model Security Policy
- Framework for Information Technology Policy
- Implementation of Information Security Policy
- Scenarios
- Discussion
- Q & A
Educause Model Security Policy
Kim Milford, University of Rochester

Model Security Policy: Educause Sub-Committee, December 2005
Goal: Create a template of policy statements from existing standards and policies. This model policy can then be used in whole or in part by organizations creating or updating their information security policy.
Model Security Policy: Sub-Committee
- William Custer, Miami University, Information Security Policy Manager
- Bob Kalal, Ohio State University, Director, Information Technology Policy & Services
- Jack McCoy, East Carolina University, Director, IT Security
- Kim Milford, University of Rochester, Director & Information Security Officer
- David Weil, Ithaca College, Director, Web, Systems & Department Services
Model Policy Deliverables (December 2006):
- A category scheme of policy topics under which samples of existing policy from various universities may be displayed on the Educause web site
- A set of prioritized categories about which we will write sample policy first
- Some published drafts about which we can get informal feedback at the two conferences in April
- A presentation at the fall Educause conference by which we can get feedback
- A sample policy statement of about 10 pages on selected topics
- A statement about methodology and general assumptions
Model Security Policy
- Establishing common vocabulary & taxonomy
- Will continue to evolve
- Researched ISO 17799, NIST, ISC2
- Compared to legal requirements: HIPAA, FERPA, GLB
- Largely based on SANS major headings
- Supplemented with examples from a review of over 80 university security policies
Model Security Policy Categories:
1. Security Policy **
2. Organizational Security
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
6. Communication and Operations Management
7. Access Control
8. System Development & Maintenance
9. Business Continuity Management
10. Compliance

** Security Policy & Acceptable Use
Model Security Policy Timeline (based on proposed priorities)
- June: Organizational Security "pilot"
- Sept: Asset Classification & Control
- Sept: Communications & Operations Management
- Sept: Access Control
- Oct: Presentation at Educause Conf
- Dec: Completion
Model Security Policy
This is developing rapidly; there will likely be many changes since these slides were prepared.
We will bring discussion back to Model Security Policy at the end of this morning's session.
An Information Technology Policy Framework
Tracy Mitrano
Cornell University
Big "P" and Little "p" Policy
Big "P" is for more broadly represented issues, national policy:
- EDUCAUSE position on the FBI petition to the FCC to expand the Communications Assistance for Law Enforcement Act to data networks
- National security issues
Little "p" policy:
- Institutional policy on, say, travel reimbursements, capital assets or appropriate use of IT resources
[Diagram: IT Policy at the center, shaped by four surrounding forces: Market, Architecture, Norms, Law]
IT Policy Framework at Cornell
University Policy Office:
- http://www.univco.cornell.edu/policy/home.html
- http://www.univco.cornell.edu/policy/pop.html
- http://www.univco.cornell.edu/policy/current.html
IT Policy Office:
- http://www.cit.cornell.edu/oit/PolicyOffice.html
- http://www.cit.cornell.edu/oit/policy/drafts/
- http://www.cit.cornell.edu/oit/policy/framework-chart.html
- http://www.cit.cornell.edu/oit/policy/framework.html
Two Themes for Subsequent Policy Development
- Protection and Preservation of Institutional Interests and Assets
- Security and Privacy*

*Security and privacy could also be subsumed under the first theme, but because of the significance of the security and privacy concerns for campus networks, it is worth illuminating separately at this time in the history of IT policy development.
Security and Privacy
- Maybe in the national security arena and its debates these qualities are pitted against each other in a "zero-sum" game kind of formula.
- But in campus networking we should think of them as equally complementing each other, as in the old adage "you can't have privacy without security..."
- Private, criminal actions exploiting network security flaws pose a far greater compromise of privacy than government surveillance.
- Public laws weigh privacy and security provisions equally.
Cornell Security Program
http://www.cit.cornell.edu/oit/policy/security.html
Cornell Privacy Program
http://www.cit.cornell.edu/oit/policy/privacy.html
Cornell IT Policy Framework
http://www.cit.cornell.edu/oit/policy/framework-chart.html
Policy Implementation
- Good balance between policy statements and procedures
  - Balance is relative to the structure and traditions of the institution
  - Cornell's "rule of thumb" is to include the level of procedure only at the highest university-wide level
  - The IT organization does the documentation for the deeper level of implementation and backline procedures
- Intelligibility to technical and non-technical users
  - IT organization documentation can augment dry-bones policy form and substance
  - And meet the needs of both technical and non-technical users
Policy Implementation: Exceptions
- Every policy has exceptions (just like every law!)
- Make sure the exceptions are for important reasons and are appropriately tailored
- Requisite authority: centralized or non-centralized processes
- Enforceable: usually through audit at the institutional level, and to each individual through disciplinary measures (HR, JA, etc.)
- Should not cause additional burden
Policy Implementation: Address administrative/financial burden
- Up front, so that stakeholders and authorizing parties are aware of the financial, business and administrative costs
- Balance those costs with a clear explication of the benefits that the policy provides the institution
- Build cost/benefit analysis into implementation:
  - Education for the community
  - Tools (e.g. software or new programs)
  - Training for relevant personnel
  - Time line for full implementation
Final Thoughts
- IT Policy is externally influenced by law, technology, business models and social norms.
- IT Policy development is challenging due to the diverse nature of our institutions: one size does not fit all! Different policy processes, passionate stakeholder concerns...
- The IT Policy function requires different styles of leadership.
Three Axioms: Conclusion
- Only write IT policy for IT matters, where technology meets law and behavior.
- Give unto Caesar what is Caesar's... (harassment as an example, political speech in email)
- Communicate, Educate and Commiserate, but don't be afraid to... EXERCISE LEADERSHIP!
Policy Implementation
Steve Schuster, Cornell University
Cornell Network Registry (Case Study)
- Must be understandable
  - The policy must be clear to technical and non-technical people
  - What needs to be done to meet the requirements of the policy
  (Embedded document: Network Registry policy.htm)
- Exceptions need to be well understood and articulated
  - Are exceptions acceptable? What are acceptable reasons?
  (Embedded document: DNSDB Tools for Network Registration.htm)
- Must be implementable
  - A policy that cannot be implemented is not worth writing
  (Embedded document: DNSDB Tools for Network Registration.htm)
- Must be enforceable
  - A way is required to validate compliance
  - Non-compliance should mean consequences
  (Embedded document: Network Registry audit of 128842030.txt)
- Should not cause substantially additional burden
  - Staff time
  - Financial
Lessons Learned
- There is no way to over-communicate
- There are almost as many unique situations as there are people on campus
- Regardless of how straightforward the policy is, people will not be happy
- Enforcement and compliance are difficult to get your arms around
Break Time:
Review scenarios for discussion after the break
Scenarios:
- Break into small groups & discuss
- Come back to full group discussion
Scenario 1:
A local system administrator receives a call from a law enforcement officer requesting any information that can be provided for a specific IP number. The situation sounds very serious and the officer is explaining that this information is critical to determine how to proceed. What steps should be captured in policy?
Scenario 2:
An administrative assistant has filed a complaint with the university counsel that her boss spends an enormous amount of time surfing the web and searching for porn. There have been no previous complaints concerning this activity and the individual being accused has a good university record. What questions need to be answered? What steps should be taken? What should be represented in policy?
Scenario 3:
A small group of graduate students are not overly happy with the networking arrangements they have in their work space. They have complained to the local network administrator but the situation has still not been resolved to their satisfaction. One of the graduate students purchases a small wireless access point and installs it in the work space for others to use. What questions need to be answered? What steps should be taken? What should be represented in policy?
Case Studies:
- Break into small groups & discuss
- Come back to full group discussion
- Bring back to model security policy
Case Study 1:
You have been hired as the new Information Security Director. Welcome aboard! A few things to know about your new job...
Case Study 2:
Inadvertent release of patient data and questions of privacy.
Model Security Policy Categories (revisited):
1. Security Policy
2. Organizational Security
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
6. Communication and Operations Management
7. Access Control
8. System Development & Maintenance
9. Business Continuity Management
10. Compliance
Model Security Policy Priorities:
- Organizational Security
- Asset Classification & Control
- Communications & Operations Management
- Access Control
Model Security Policy: Organizational Security
1. Management Commitment
2. Information Security Infrastructure
3. Security of Third Party Access
4. Outsourcing
5. Risk Analysis and Assessment
Model Security Policy: Management Commitment
- Statement of Values
- Goal(s) of policy
- Importance of information resources
- Importance of information security

Model Security Policy: Management Commitment (cont'd)
- Includes Security Mandate
- Protecting: Confidentiality, Integrity, Availability
- Reduce risk of exposure that could damage reputation
Model Security Policy: Information Security Infrastructure
A. Organization & Governance
B. Information security coordination
C. Allocation of information security roles & responsibilities
D. Management information security forum
E. Authorization process for information processing facilities
F. Specialist information security advice
G. Cooperation between organizations
H. Independent review of information security
Model Security Policy
Our work is continuing. Your input is appreciated.
Questions?