IT Security Policies and Campus Networks The dilemma of translating good security policies to practical campus networking Sara McAneney IT Security Officer Trinity College Dublin 22/05/2007

Upload: evan-phelps

Post on 17-Jan-2016


Page 1

IT Security Policies and Campus Networks

The dilemma of translating good security policies to practical campus networking

Sara McAneney

IT Security Officer

Trinity College Dublin

22/05/2007

Page 2

Overview

• Creating the Security Policy

• The Implementation Dilemma

• What makes the Campus Environment Different?

• The Answer

• Case Study: Trinity College Dublin

Page 3

Campus Networks and Security

Cultural Resistance

Gradual infiltration

Acceptance

Period of rapid catch up

Maturity?

Page 4

Policies Implemented 2006

*ECAR – Educause Centre for Applied Research - 2006 IT Security Survey 492 Respondents

Page 5

Creating the Security Policy

• ISO 27001

• Relevant Legislation

• Organisational Environment

• Identify Assets

• Resources, e.g. UCISA Information Security Toolkit

Page 6

Policy

• Main Policy

• Supporting policy areas:

– Email

– Internet use

– System development etc

Page 7

Page 8

Implementation…

• Governing Body Approval

• Communication to Users

• Translation to Operational Procedures

• Enforcement

Page 9

Campus Implementation Difficulties

• Traditional ethos of free & open access to systems and information

• Diverse user base - Admin, teaching, research, grids, commerce, corporations, clubs, societies, college life, public guests

• Complex collaborative arrangements - institutions, individuals and industry

• Need to facilitate the rapid adoption of emerging & often immature technologies

• Diversity and decentralised management…

Page 10

Traditional Implementation

Diagram labels: Policy Dissemination; Management; Area Head; End User

Page 11

University Structure

• Governing Body

• Committees

• Schools/Faculties

• Admin Areas

• Student Representatives

• Commercial Entities

Page 12

Diagram labels: Governing Body; Committees; Admin Body; Academic Body; Admin Areas; School/Faculty; Campus Company; Research Affiliates; Student Body; Student Society; Student clubs; User Groups; End User

Page 13

Helpful to Focus on Similarities with all Large Networks

• Provide High Quality, Flexible Services

• Protect Confidential data

• Protect against Internal and External Security Threats

• Comply with Legislation

• Contingency and Disaster Recovery Planning

Page 14

Goal

• Despite/Because of complexity and diversity, it is vital to implement an IT Security Framework

• Framework which facilitates & protects

Page 15

The Answer?

• Management Structure - Establish IT Security Governance/Management Structure

• Involve Stakeholders - Identify key stakeholders and involve in creating policy, encourage ongoing communication.

• High Value Assets - Identify core IT Assets and prioritise

• Segregation - Functional and Security Boundaries

• Flexibility – make provision for high risk activity - Research, new technology etc

Page 16

Case Study: Trinity College Dublin

• July 2003 - IT Security Policy Approved by College Governing Body

• 2004 - Awareness Exercises - Email, Booklet, Website

• 2004-2006 - Translation to Operational procedures

• Ongoing - Adoption of Security Technologies

Page 17

Security Management System

Page 18

Implementation - College IT Security Governance

Diagram labels: Governing Committee; Autonomous Network; Trinity College Data Network; Autonomous Network; Local Area IT Support reps; End Users

Page 19

Implementation

• Internal Agreements - Central computing department & local IT interests.

• Regular Communication

• Dissemination to IT Administration Staff & End Users

• Adoption of Technologies

Page 20

Supporting Documentation

• Network Security

• Internet Use

• Email Use

• Authentication/Passwords

• Virus and Spam

• Software Development

• Data Backup

• Disaster Recovery

• Remote Access

• Third Party Access

• Legal Compliance Guidelines

Page 21

Adopting Technologies

• Network Security – VPN, VLANs, Firewall, IDS, NAC, 802.1x, guest network services, eduroam

• Host Security – Automatic Updates, Centrally Managed AV

• Enterprise Directory – secure Authentication

• Removal of Insecure Protocols

Page 22

Security Boundaries

Diagram labels: Wireless Services; Specialized Research; Specialized Production, Cash Registers etc; Autonomous Networks; Student Services; Teaching & General Research; Central Services (Web, Mail, Proxy etc)

Page 23

Assessing the Progress

• Improved communications – move away from duplication of service

• Improved focus – strategic planning

• Incident Reporting

• Internal Audit – systems, applications,

• External Audit

• ISO27001 Certification

Page 24

Future Challenges

• Exploding User Numbers – students/public on network, Guests, Eduroam

• Non-traditional networked devices - PDAs, phones, Xboxes, cameras, CEPOS

• Disappearing Network Boundary

• Rapid Adoption of New Technology

• Changing Threat Profile

• Data privacy concerns – Help users protect their personal/financial data

• More important than ever to deal with these challenges via a strong IT Security Framework

Page 25

References:

http://www.tcd.ie/itsecurity/policies/index.php

http://www.educause.edu/ecar

http://www.ucisa.ac.uk/