Information Security Policies Larry Conrad September 29, 2009


Page 1: Information Security Policies

Information Security Policies

Larry Conrad

September 29, 2009

Page 2: Information Security Policies

its.unc.edu 2

The Need

University policies are needed to

• Mitigate risk of information security threats

• Meet compliance obligations

• Have standards comparable to the State’s, as required by law; otherwise the university is subject to the State’s standards

Page 3: Information Security Policies


Addressing Compliance

Information Security Policies are needed to meet UNC’s compliance obligations, which include:

• Health Information Portability and Accountability Act

• Payment Card Industry

• NC Identity Theft

• Family Educational Rights and Privacy Act

• Gramm Leach Bliley Act

(Slide matrix mapping security policies to these obligations; legend: policies required, and policies or procedures implicated to establish compliance.)

Page 4: Information Security Policies


An Expanding Definition of Sensitive Data

Data types whose protection requirements are set by policy:

• PHI

• Credit Card Information

• Personal Information

• Customer records

• Student Education Records

• Research Data

• Public Safety Information

• Information Security Records

• Passwords

• Personnel Information

• Confidential Information

• Financial Donor Information

• File Encryption Keys

Page 5: Information Security Policies


Compliance

Policies are intended to set requirements to protect data and support the compliance requirements imposed on University operations by applicable federal and state laws and regulations.

• Ranging from the Health Insurance Portability and Accountability Act of 1996 through the Family Educational Rights and Privacy Act and the recently passed Health Information Technology for Economic and Clinical Health Act (included in the American Recovery and Reinvestment Act of 2009), the compliance requirements keep changing and expanding.

• University policies need to adapt to these changes to ensure that university operations meet the changing compliance requirements.

Page 6: Information Security Policies


Alternatives

If UNC-Chapel Hill does not implement its own policies, it may be regulated by the North Carolina General Statutes, which require information security standards comparable to those required of state agencies.

Therefore, even though it is not directly covered by the security standards set by the State CIO, the University of North Carolina must at minimum meet standards comparable to those set for state agencies.

Page 7: Information Security Policies


State Standards in Comparison

UNC Proposed Information Security Policies

• 52 Pages

• 4 Standards

• Designed with UNC in mind

• UNC Input

State of NC Security Standards

• 220 Pages

• 40 Standards

• Designed for state agencies

• No University Input

Page 8: Information Security Policies


What’s in a standard?

Standards are set as requirements in policies.

They carry more technical detail, which may be updated more frequently than a policy.

Example

• Length of password

• Acceptable encryption algorithms

They can be used as a technical “checklist”.

Page 9: Information Security Policies


Policy Content

Two overarching policies:

Information Security Policy: Overarching information security policy that interfaces with all remaining information security-related policies as well as other University policies.

Data Governance Policy: Addresses classifications of data, roles and processes required to manage and protect the data.

Proposed policies can be found at:

its.unc.edu/InfoSecurity/proposed-policies/index.htm

Page 10: Information Security Policies


Policy Content

Information Security Standards Policy: Lists the minimum requirements for computing devices owned or managed by UNC-Chapel Hill. The policy is intended to implement industry best practices and safeguard university data.

General User Password Policy: States the minimum requirements for password usage and incorporates the existing Onyen password guidelines.

Password Policy for System and Application Administrators: States the heightened requirements for password usage by administrators; requires technical enforcement.

Policy on Transmission of Sensitive Information: Sets the requirements for transmitting sensitive information over public or wireless connections (encryption).

Security Liaison Policy: Defines the role and responsibilities of departmental security liaisons.

Vulnerability Management Policy: States the guidelines for managing web, database and operating system vulnerabilities.

Incident Management Policy: Defines the incident management responsibilities and the process for investigating possible or actual breaches of sensitive information or mission critical devices; formally assigns the cost of a breach to the department that has primary responsibility for the breach.

Page 11: Information Security Policies


Policy Implications

University units will be required to bring servers/systems up to the minimum standards

Failure to do so may result in disciplinary action against employees

In general, these policies simply codify accepted best practices

Units with competent systems administrators managing their systems will have few problems complying

Campus units will be responsible for the costs of bringing systems into compliance

Most controversial will likely be:

• Policy on Transmission of Sensitive Information: encryption requirement

• Incident Management Policy: charges to units for the costs of incident management ($62/hr proposed rate)

Page 12: Information Security Policies


Departmental Impact

Departmental resources and budgets will be impacted by policies and will vary depending on many factors including:

• The number of systems in each department that process/store sensitive data or that are considered mission critical

• The time frame set for compliance

• How close current departmental practices and safeguards are to policy requirements

• How many safeguards are implemented at a scalable enterprise level versus department by department

• Degree of interdepartmental consolidation of systems that process/store sensitive data or have mission critical functions.

Departments and researchers may be impacted by processes and organizational changes necessary to facilitate greater security oversight, consolidation of IT assets and compliance to standards

• In some cases, when there has not been sufficient planning by project managers in integrating security requirements, projects could be delayed

Page 13: Information Security Policies


Enterprise Impact

Enterprise Funding

• Additional University investment is needed to provide cost effective security safeguards for University data

• Additional investment (people, technology) in a “security bank” infrastructure is necessary to offer cost effective security by moving sensitive University data to the “banks”

• The complete cost of protecting sensitive data cannot be accurately projected until an enterprise risk assessment has been completed

Formal Data Governance will become essential

• To oversee collection of sensitive data and make sure security requirements are met for research and administrative data

• A Data Governance coordinating committee is part of the new IT governance structure

Page 14: Information Security Policies


Policy Benefits

Protection of data and stakeholder privacy with appropriate levels of security

Greater data security with regard to availability, integrity and confidentiality (for private data and University Intellectual Property).

Consistent risk management via formal security guidance and direction for all departments

Compliance with the many University security obligations (State, Federal, grant, contractual …)

Avoidance of breach costs and non-compliance fines

Fewer and less severe incidents

Protection for the University’s reputation

Ability to attract and provide more opportunities for (secure) research

Avoidance of a requirement to implement State security standards

Page 15: Information Security Policies


Questions?