Information Security Policies
Larry Conrad
September 29, 2009
its.unc.edu 2
The Need
University policies are needed to
•Mitigate risk of information security threats
•Meet compliance obligations
•Have standards comparable to the State’s, as required by law; otherwise the university is subject to the State’s standards
Addressing Compliance
Information Security Policies are needed to meet UNC’s compliance obligations:
•Health Insurance Portability and Accountability Act
•Payment Card Industry
•NC Identity Theft
•Family Educational Rights and Privacy Act
•Gramm Leach Bliley Act
Legend: Policies required; policies or procedures implicated to establish compliance
An Expanding Definition of Sensitive Data
•PHI
•Credit Card Information
•Personal Information
•Customer Records
•Student Education Records
•Research Data
•Public Safety Information
•Information Security Records
•Passwords
•Personnel Information
•Confidential Information
•Financial Donor Information
•File Encryption Keys
PROTECTION REQUIREMENTS SET BY POLICY
Compliance
Policies are intended to set requirements to protect data and support the compliance requirements imposed on University operations by applicable federal and state laws and regulations.
• Ranging from the Health Insurance Portability and Accountability Act of 1996 through the Family Educational Rights and Privacy Act and the recently passed Health Information Technology for Economic and Clinical Health Act (included in the American Recovery and Reinvestment Act of 2009), the compliance requirements keep changing and expanding.
• University policies need to adapt to these changes to ensure that university operations meet the changing compliance requirements.
Alternatives
If UNC-Chapel Hill does not implement its own policies, it may be regulated by the North Carolina General Statutes, which require information security standards comparable to those required of state agencies.
Therefore, even though not directly covered by the security standards set by the State CIO, the University of North Carolina must at minimum meet standards comparable to those set for state agencies.
State Standards in Comparison
UNC Proposed Information Security Policies
• 52 Pages
• 4 Standards
• Designed with UNC in mind
• UNC Input
State of NC Security Standards
• 220 Pages
• 40 Standards
• Designed for state agencies
• No University Input
What’s in a standard?
Standards are set as requirements in policies.
They carry more technical detail, which may be updated more frequently than a policy.
Examples:
•Length of password
•Acceptable encryption algorithms
Can be used as a technical “checklist”
Policy Content
Two overarching policies:
Information Security Policy: Overarching information security policy that interfaces with all remaining information security-related policies as well as other University policies.
Data Governance Policy: Addresses classifications of data, roles and processes required to manage and protect the data.
Proposed policies can be found at:
its.unc.edu/InfoSecurity/proposed-policies/index.htm
Policy Content
Information Security Standards Policy: Lists the minimum requirements for computing devices owned or managed by UNC-Chapel Hill. The policy is intended to implement industry best practices and safeguard university data.
General User Password Policy: States the minimum requirements for password usage and incorporates the existing Onyen password guidelines.
Password Policy for System and Application Administrators: States the heightened requirements for password usage by administrators; requires technical enforcement.
Policy on Transmission of Sensitive Information: Sets the requirements for transmitting sensitive information over public or wireless connections (encryption).
Security Liaison Policy: Defines the role and responsibilities of departmental security liaisons.
Vulnerability Management Policy: States the guidelines for managing web, database and operating system vulnerabilities.
Incident Management Policy: Defines the incident management responsibilities and the process for investigating possible or actual breaches of sensitive information or mission-critical devices; formally assigns the cost of a breach to the department that has primary responsibility for it.
Policy Implications
University units will be required to bring servers/systems up to the minimum standards
Failure to do so may result in disciplinary action against employees
In general, these policies simply codify accepted best practices
Units with competent systems administrators managing their systems will have few problems complying
Campus units will be responsible for the costs of bringing systems into compliance
Most controversial will likely be:
• Policy on Transmission of Sensitive Information: encryption requirement
• Incident Management Policy: charges to units for the costs of incident management ($62/hr proposed rate)
Departmental Impact
Departmental resources and budgets will be impacted by policies and will vary depending on many factors including:
• The number of systems in each department that process/store sensitive data or that are considered mission critical
• The time frame set for compliance
• How close current departmental practices and safeguards are to policy requirements
• How many safeguards are implemented at a scalable enterprise level versus department by department
• Degree of interdepartmental consolidation of systems that process/store sensitive data or have mission critical functions.
Departments and researchers may be impacted by processes and organizational changes necessary to facilitate greater security oversight, consolidation of IT assets and compliance to standards
• In some cases when there has not been sufficient planning by project managers in integrating security requirements, projects could be delayed
Enterprise Impact
Enterprise Funding
• Additional University investment is needed to provide cost effective security safeguards for University data
• Additional investment (people, technology) in a “security bank” infrastructure is necessary to offer cost effective security by moving sensitive University data to the “banks”
• The complete cost of protecting sensitive data cannot be accurately projected until an enterprise risk assessment has been completed
Formal Data Governance will become essential
• To oversee collection of sensitive data and make sure security requirements are met for research and administrative data
• A Data Governance coordinating committee is part of the new IT governance structure
Policy Benefits
Protection of data and stakeholder privacy with appropriate levels of security
Greater data security with regard to availability, integrity and confidentiality (for private data and University Intellectual Property).
Consistent risk management via formal security guidance and direction for all departments
Compliance with the many University security obligations (State, Federal, grant, contractual …)
Avoidance of breach costs and non-compliance fines
Fewer and less severe incidents
Protection for the University’s reputation
Ability to attract and provide more opportunities for (secure) research
Avoidance of a requirement to implement State security standards
Questions?