university laptop information security policies

Upload: timothy-vollmer

Post on 31-May-2018


  • 8/14/2019 University Laptop Information Security Policies

    1/5

    Timothy Vollmer
    Alex Kanous
    SI 621 Research and Fact-Finding Assignment
    December 4, 2006

    University Laptop Information Security Policies

    For our research assignment, we have looked at the issue of data sensitive to the University being stored or accessed on laptops and the risks such situations bear for the institution. To this end we have examined existing university-wide policy and interviewed departmental-level officials responsible for both implementing those policies as well as department-specific versions.

    Stakeholders

    The stakeholders in this issue comprise a large group, the members of which shift depending on whether a University-wide or department-specific focus is utilized. First, and most obvious, the entity most concerned with the security and potential abuse of sensitive information is the University of Michigan itself. As will be addressed later, the inadvertent release of certain types of information can result in substantial liability for the institution, not to mention the loss of reputation. At the individual level, the information security officers of ITSS (Information Technology Security Services) are primary stakeholders. These staff members are responsible for developing broad information management policies like the Standard Practice Guides as well as examining information issues for potential concerns. Due to the extremely decentralized, federated nature of the University, these general policies are then left to the individual departments or schools to implement. Those department- or school-level individuals tasked with this implementation are thus likewise stakeholders. Since the policies passed down by entities such as the ITSS are generalized in nature, these individuals are also responsible for creating and implementing department- and school-specific policies that address their particular needs.

    Related to these stakeholders are the Information Security Coordinators (outlined in Standard Practice Guide 601.25) who are tasked with evaluating and responding to information security incidents, the data stewards who are responsible for the integrity of data, and UM media relations who must run interference and public image damage control when necessary. There are also staff that ensure compliance with federal regulations such as FERPA (Family Educational Rights and Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), and FOIA (Freedom of Information Act). While the departmental-level policy officials mentioned above are oftentimes also the systems and security administrators (like Vlad at SI), in cases where this is not the case such individuals also have a stake in issues of sensitive information. They are the ones responsible for creating the technological protective measures for this data as well as providing access to faculty and staff. This latter category of individuals, who are the primary users of the information, are also stakeholders. Those that are given or utilize university laptops are particularly relevant to our issue.

    The final stakeholders that we identified are perhaps the most readily apparent: the individuals to whom this sensitive information relates and the attackers that seek access to it.


    Depending on the specific department discussed, the former category might include different stakeholders. At the medical school for instance, the stakeholders would include patients (medical records), while at schools and departments like SI, the stakeholders would primarily be students (student records). As an extension of this, further stakeholders might include prospective students or patients. Their views of how information is maintained and exchanged will influence whether they choose to attend or become a patient. Finally, an attacker who aims to steal or corrupt data, and is thus either foiled by sufficient policies or enabled by insufficient ones, is another stakeholder in this equation.

    Technology

    The technologies involved in our case study include physical protection, local data encryption technologies for laptops, the departmental servers that house databases of sensitive information, and the web-based interfaces for those databases. First, we see an analog technology in that users of the laptops are expected to physically protect their computers from theft, such as by locking office doors while laptops are inside. A novel measure is the MToken, a flash drive-sized artifact that can be carried on the user's person and generates a continuously changing access code that is keyed to a particular user's access. An additional physical measure for the safeguarding of sensitive data is the proper destruction and disposal of storage devices, which is variously accomplished via a literal shredding or magnetic wiping of the hard drive.

    Next, laptop users may encrypt their laptop hard disks in order to make it more difficult for attackers to retrieve information. Basic forms of such encryption are now standard options with operating systems such as Windows. Finally, and most relevant in our case, there has been a progression towards using web-based access to a centralized server as a way to ensure that large databases have no need to be kept locally on laptops. In this way, faculty, staff, and researchers are able to upload information to a database in a well-protected server through the use of a website or other web interface. We have noticed that departments have a varying degree of knowledge and incentives to use these new technologies. Some departments like the medical school encrypt all data and use web-based tools to manage data, while other departments use lesser degrees of protection for data. We've also noticed that there are few technical barriers that prevent laptop owners from downloading data sets from servers onto their laptops. Instead of enacting barriers and policies that restrict access, systems administrators have focused their energies on providing the information, education, and tools for laptop owners that will hopefully enable them to make good decisions about protecting the information they are able to access and download to their computers.

    Legal Issues

    Legal concerns regarding the maintenance and protection of sensitive information on university laptops revolve around the various regulations concerning this information: FERPA primarily, and HIPAA in regards to the medical school and hospital. Additionally, FOIA poses a problem as information requests must be carefully vetted so as not to result in the inadvertent release of sensitive information. While allowing sensitive information to be released poses a risk to the reputation of the University, non-compliance with these regulations can result in the loss of funding or criminal punishment for the University.


    FERPA, for instance, denies funding from any U.S. Department of Education program for an educational institution which has a policy or practice of permitting the release of education records (20 U.S.C. 1232g(b)(1)) or which has a policy or practice of releasing, or providing access to, any personally identifiable information in education records (1232g(b)(2)).

    In either situation, written consent by the student, or the parent if the student is under 18, is mandated prior to the release of such information. Some allowance is given for the release of directory information without prior consent, but as this information is by definition non-sensitive (1232g(a)(5)(A)), it's not relevant to our case study.

    HIPAA provides harsher penalties than the potential loss of federal funding. Under that statute, the knowing use of an individual health identifier or the disclosure of individually identifiable health information to another person can result in fines of $50,000 (up to $250,000 if done maliciously or for commercial use) and up to 1 year (10 years) in jail (sec. 1177). Even the unknowing disclosure of identifying information can result in fines of $100 per incident, to a total of $25,000 in fines in a calendar year (sec. 1176).

    Existing Policies

    Throughout our interviews and fact-finding process, we've realized that there are few specific policies concerning information security on laptops within the University of Michigan system. Beginning at the top, security policies are decentralized. According to Paul Howell, the Chief Information Technology Security Officer at Michigan, there is no one-size-fits-all solution to the problem of information security, especially concerning laptops. Since the university is so large and departments so diverse, no generalized policy could effectively address this environment. Additionally, as technology and its capabilities evolve so quickly, a narrowly focused policy is unlikely to outlive its own implementation. Instead, University-wide policies focus on addressing unchanging themes and persistent issues and give the departmental deans the leeway for determining the best security solutions for their own programs. Howell and ITSS are able to work with these department heads in conjunction with risk managers in order to create a useful (and cost-effective) information security plan. They are able to provide necessary education, incident response support and compliance directives to create tailored information security programs. In this way, ITSS is able to supply tools and resources so that individual departments can hopefully make informed decisions.

    Security administrators at the Medical School, Engineering, and School of Information echoed this support-based role. Some departmental information policies are set up in order to ensure compliance with standards set forth by HIPAA and FERPA. Specifically concerning laptops, departments like the Medical School and SI have set up certain technological measures that limit the need for large, possibly sensitive information sets to be kept on laptops in the first place: they have set up web-based interfaces that allow direct entry of information onto a centralized server. This server, in turn, is protected by powerful encryption technologies maintained by trained departmental security administrators.

    A common theme on information security states that information should be protected most vigilantly closest to its source. While the University of Michigan determines what pieces of information shall be deemed sensitive, responsibility lies within each department in determining which personnel will have access to each data set. At SI, access is granted based upon a need to use the information (although one employee agreed that they feel they have more access than they need).

    Ethical Issues

    The ethical issues in our case echo those embodied in the Fair Information Practices. Though the applicable statutes don't directly address minimization of data collection, they do hold the institution accountable for the security of the data and the disclosure of information to only authorized parties. In the case of FERPA, the opportunity for students or their parents to review student records is explicitly called for, and HIPAA moderates secondary use by imposing stiff fines for the commercial use of sensitive individually identifying information. These aspects of the statutes reflect the general overarching ethical concern in this case: the student's trust in the University to appropriately manage and safeguard the sensitive information the student or patient has entrusted to the institution. A final relevant principle of the Fair Information Practices is that concerning education. As will be discussed in our recommendation, educating staff and faculty of the seriousness of protecting sensitive information and of using their access responsibly is of paramount importance.

    Development Levels

    Though we are addressing a policy situation at the University, rather than a specific incident, an analysis of relevant development levels is important, in particular impulse control development. Information that is readily accessible runs the risk of being perceived as less sensitive. The installation of barriers of access that make getting to information difficult naturally fosters a respect for the importance of that information. In the situation at the University of Michigan, where users have quick and ready access to sensitive information via efficient technological access ways, this is a particular concern. As many policies rely on the character of a mature user to know what access they're allowed and the appropriate scope for using that information, it is crucial that only those individuals with well-defined impulse controls, who can resist the lure of easy access, are given such access.

    Potential Actions

    The most drastic, yet likely most secure option would be to attack the independent policy-making functions of individual departments and schools and force the entire University to abide by centrally-designed policies. The ITSS, or some evolved incarnation of it, could be responsible for policy creation as well as the storage of all sensitive data. New sensitive data, such as that generated from patient admissions or student applications, would be immediately housed in this repository. Only selected ITSS staff would have access to this data in its entirety and they would function as the gate-keepers through which departments would have to go to get information they needed. Alternatively, these individuals could be tasked with the creation of frequently used data sets (student contact information, transcripts, etc.) that have been carefully purged of any sensitive components. Such a structure would no doubt provide the most secure infrastructure for storing and distributing sensitive information, but it would also serve as a substantial bottleneck. Also, as noted previously, the diverse natures of the various schools and departments would not be best served by a system such as this, which tries to force generalities upon them.

    An alternative spin on this central repository option would be to allow direct departmental access to the information, but only by specifically identified staff or faculty. These individuals would be the gate-keepers through which the rest of their particular department would funnel their data requests. Such an arrangement would also benefit the centralized organization (ITSS or otherwise) which could focus on the education and supervision of these individuals. However, the federated nature of the University would once again prove an impediment to such a structure as the centrally-defined policies would no doubt clash with the freedom of action currently afforded individual departments and schools. Additionally, the cost of implementing a system of supervision ensuring that department gate-keepers were abiding by policy would be high and require a significant expansion of the scope of ITSS.

    Defensible Choice

    Instead of proposing the types of dramatic restructuring suggested above, we believe that in making recommendations for the security of sensitive information, particularly on laptops, we need to look to existing policies rather than reinvent the wheel. Throughout the parts of the university we examined, departments aimed to provide information security without enacting restrictive new policies. Instead, they rely on more general university and departmental policies, standard practice guides, and ethics in order to guide action. We see that applying existing principles to current information issues can properly solve most information security dilemmas. Information technologies change so rapidly that new policies to cover each new item would soon become unmanageable. On the other hand, departments should also remain flexible in adapting to novel technologies to which application of old standards seems inapplicable. In these cases, administrators need to employ creative and critical thinking to determine whether new issues and particularly novel technologies might call for a reanalysis or modification of security policies.

    We believe that these ends can be achieved by providing the necessary technical and ethical training in order to guide employees into making sound decisions concerning information security, whether the security involves laptops or sensitive information in general. Open communication, trust, and personal ethical behavior need to be stressed in order to help staff make the best moral decisions when dealing with potentially sensitive information. Education can be accomplished through broad awareness campaigns as well as through venues like faculty meetings and technology training sessions. Systems administrators should be tasked with maintaining knowledge of developing security tools and practices. All staff should properly utilize disk encryption, which has now become extremely cheap. A security map showing the access granted to each departmental staff member should be implemented and regularly revised. There should be increased educational awareness concerning issues such as wireless connectivity and remote access security. In relying on such an educational system, the University would be able to maintain its federated nature, show its respect for its employees by recognizing their integrity, and yet still foster a secure data environment.