UW Information Systems Security Policy - PowerPoint PPT Presentation

Slides: 16
Provided by: sron3

Transcript and Presenter's Notes

1
UW Information Systems Security Policy
  • Stephen Rondeau
  • Institute of Technology
  • Computing Labs Administrator
  • 18 Nov 2005

2
Agenda
  • Components
  • Sampling of Laws
  • Complying with the Law
  • Consideration of Ethics
  • Consequences
  • References

3
Components
  • Computing Device
    • takes some input
    • processes it
      • OS, services, applications
    • provides some output
  • Network
    • connects device
  • Data
    • ?

4
Computing Devices: Reality
[Diagram labels: In (Human: K/M/touch, etc.); Out (Human: A/V); Data: Scanner/GPS; In/Out (Data: Storage Device, PC Card, Network, Printer, etc.)]

5
Computing Devices: Connections
  • removable media
    • floppy, CD/DVD, flash, microdrive
  • PC Card
  • wired
    • serial/parallel, USB, Firewire, IDE, SCSI, twisted pair
  • wireless
    • radio (802.11, cellular, Bluetooth)
    • Infrared (IR)
    • Ultrasound

6
Lab Network Environment
[Network diagram. Labels: H/S, R, C, AP, Server, Time-Share, Internet, UW Net]

7
Data Issues
  • Sensitivity: public or confidential
    • confidential
      • minimal, more sensitive, most sensitive
      • owned by someone
      • specific statements for access, distribution, storage, disposal and penalties for disclosure
  • Criticality: how important to function

8
Key Security Concepts
  • Must protect
    • Services/Use
      • Functionality: perform function or use device
      • Availability: device or data is ready for use on demand and at operational speed and capacity
    • Data
      • Confidentiality: prevent disclosure to unauthorized people
      • Integrity: unaltered, intact

9
Sampling of Laws
  • International, federal, state, UW
    • statutes and regulations
  • Federal
    • privacy, wiretapping, fraud, disclosure, surveillance, counterterrorism
    • grant-related policy
  • WA State
    • privacy, malicious mischief, public records, spam, disclosure
  • UW Administrative Code
    • student and general conduct, records access

10
Complying with the Laws
  • Comply: take action to conform
  • Law > Policies Standards Guidelines
  • Policies state what needs to be done
  • Standards define how to implement the policy (via procedures)
  • Guidelines are strongly-recommended practices to assist in adhering to standards

11
Roles and Responsibilities
  • System owners and operators
    • comply with laws, policies, guidelines
    • maintain confidentiality of sensitive data
    • grant access based on least privilege and separation of duties principles
    • report security incidents and perform incident response
  • Data Custodians
  • Users

12
Policies
  • May monitor user accounts, files and access
  • Understand nature of data on systems, and manage
    it appropriately
  • Provide logical and physical access control and
    logging commensurate with sensitivity and
    criticality of computing devices, networks and
    data
  • Document procedures for issuing, altering and
    revoking access privileges
  • Implement minimum computer and network measures
    and practices

13
Consideration of Ethics
  • Ethics are the principles of conduct that are harmonious with society
    • arguably higher than policy
    • notable examples
      • whistleblowing
      • preventing conflicts of interest
      • protecting life
  • Use of university resources data sensitivity

14
Consequences
  • Worm/Virus authoring and release
  • Trojans
  • Unauthorized wireless access
  • Keylogging
  • Botnets

15
References
  • UW Information Systems Security
    • http://www.washington.edu/admin/rules/APS/02.01TOC.html
  • UW Minimum Computing Security Standards
    • http://www.washington.edu/computing/security/pass/MinCompSec.html
  • UW Electronic Information Privacy Policy
    • http://www.washington.edu/computing/rules/privacypolicy.html
  • SANS Institute Policy Templates
    • http://www.sans.org/resources/policies/