IT Security Policies and Campus Networks
The dilemma of translating good security policies to practical campus networking
Sara McAneney, IT Security Officer, Trinity College Dublin, 22/05/2007
Overview
• Creating the Security Policy
• The Implementation Dilemma
• What makes the Campus Environment Different?
• The Answer
• Case Study: Trinity College Dublin
Campus Networks and Security
Chart: stages of security adoption on campus networks
• Cultural Resistance
• Gradual infiltration
• Acceptance
• Period of rapid catch up
• Maturity?
Chart: Policies Implemented 2006*
*ECAR – Educause Centre for Applied Research - 2006 IT Security Survey, 492 Respondents
Creating the Security Policy
• ISO 27001
• Relevant Legislation
• Organisational Environment
• Identify Assets
• Resources, e.g. UCISA Information Security Toolkit
Policy
• Main Policy
• Supporting policy areas:
–Email
–Internet use
–System development etc
Implementation
• Governing Body Approval
• Communication to Users
• Translation to Operational Procedures
• Enforcement
Campus Implementation Difficulties
• Traditional ethos of free & open access to systems and information
• Diverse user base - Admin, teaching, research, grids, commerce, corporations, clubs, societies, college life, public guests
• Complex collaborative arrangements - institutions, individuals and industry
• Need to facilitate the rapid adoption of emerging & often immature technologies
• Diversity and decentralised management…
Traditional Implementation
Diagram: policy dissemination flows top-down from Management to Area Heads to End Users
University Structure
• Governing Body
• Committees
• Schools/Faculties
• Admin Areas
• Student Representatives
• Commercial Entities
Diagram: Governing Body at the top; below it Committees, Admin Body and Academic Body; below those Admin Areas, School/Faculty, Campus Company, Research Affiliates and the Student Body (Student Societies, Student Clubs), each with their own Committees and User Groups; End Users at the bottom of every branch
Helpful to Focus on Similarities with all Large Networks
• Provide High Quality, Flexible Services
• Protect Confidential data
• Protect against Internal and External Security Threats
• Comply with Legislation
• Contingency and Disaster Recovery Planning
• Despite (or because of) the complexity and diversity, it is vital to implement an IT Security Framework
• Goal: a framework which both facilitates and protects
The Answer?
• Management Structure - Establish an IT Security Governance/Management Structure
• Involve Stakeholders - Identify key stakeholders and involve in creating policy, encourage ongoing communication.
• High Value Assets - Identify core IT Assets and prioritise
• Segregation - Functional and Security Boundaries
• Flexibility – make provision for high risk activity - Research, new technology etc
Case Study: Trinity College Dublin
• July 2003 - IT Security Policy Approved by College Governing Body
• 2004 - Awareness Exercises- Email, Booklet, website
• 2004-2006 - Translation to Operational procedures
• Ongoing - Adoption of Security Technologies
Security Management System
Implementation - College IT Security Governance
Diagram: Governing Committee at the top; below it the Trinity College Data Network flanked by Autonomous Networks; below that Local Area IT Support reps; End Users at the bottom
Implementation
• Internal Agreements - Central computing department & local IT interests
• Regular Communication
• Dissemination to IT Administration Staff & End Users
• Adoption of Technologies
Supporting Documentation
• Network Security
• Internet Use
• Email Use
• Authentication/Passwords
• Virus and Spam
• Software Development
• Data Backup
• Disaster Recovery
• Remote Access
• Third Party Access
• Legal Compliance Guidelines
Adopting Technologies
• Network Security – VPN, VLANs, Firewall, IDS, NAC, 802.1x, guest network services, eduroam
• Host Security – Automatic Updates, Centrally Managed AV
• Enterprise Directory – secure Authentication
• Removal of Insecure Protocols
Security Boundaries
Diagram: network zones separated by security boundaries
• Wireless Services
• Specialized Research
• Specialized Production (Cash Registers etc)
• Autonomous Networks
• Student Services
• Teaching & General
• Research
• Central Services (Web, Mail, Proxy etc)
Assessing the Progress
• Improved communications – move away from duplication of service
• Improved focus – strategic planning
• Incident Reporting
• Internal Audit – systems, applications
• External Audit
• ISO 27001 Certification
Future Challenges
• Exploding User Numbers – students/public on network, Guests, eduroam
• Non-traditional networked devices - PDAs, phones, Xboxes, cameras, CEPOS
• Disappearing Network Boundary
• Rapid Adoption of New Technology
• Changing Threat Profile
• Data privacy concerns – Help users protect their personal/financial data
• More important than ever to deal with these challenges via a strong IT Security Framework
References:
http://www.tcd.ie/itsecurity/policies/index.php
http://www.educause.edu/ecar
http://www.ucisa.ac.uk/