Converting Policy to Reality Designing an IT Security Program for Your Campus
Slides: 31
Provided by: Jacqueli102
Converting Policy to Reality: Designing an IT Security Program for Your Campus
  • 2nd Annual Conference on Technology and Standards
  • May 3, 2005
  • Jacqueline Craig
  • Director of Policy
  • Information Resources and Communications
  • University of California Office of the President

The First Step: Establish Policy
  • reflects the institution's core values
  • establishes an integrated framework
  • identifies objectives
    • what needs to happen

Policy may include or reference
  • elements often included in policy
    • guidelines
    • procedures
    • standards
    • best practices
  • how to achieve objectives

Elements of security policy
  • Policy should identify
    • principles
    • roles and responsibilities
    • scope
    • identification of the measures that comprise your
      security program

Moving from Policy to Reality
  • Create a Security Program
    • a road map
    • an action plan
    • a means of ensuring policy compliance
      throughout the campus community

IT Security Program
  • The means to implement IT policy
  • it is a management concern, not
    just the responsibility of IT
  • input from administration, faculty, staff,
  • publicize widely; it must be an open process
  • security planning must be incorporated into every
    management level
  • leverage the campus governance structure

Campus Governance
Not only an enabler, but an integral part of
enterprise governance
  • establishes the risk management philosophy of the
    enterprise
  • articulates the ethical values of the enterprise
  • establishes the operating style
  • assigns authority and responsibility

Is the CIO at the head table? Do IT personnel
participate in business decisions?
  • IT governance cannot be separated from the
    governance of the enterprise
  • Enterprise governance structure must include IT
    personnel at every level
  • Is there a campus Security Officer?
  • Is there a campus-wide committee to address

Campus Security Committee
  • represents campus-wide interests in information
    security
  • brings matters of information security to
    executive management
  • develops campus-wide strategy
  • provides direction, planning, and guidance in the
    area of information security
  • develops and reviews the campus-wide
    information security program

IT Security Program
  • assignment of responsibility
  • risk assessment requirements
  • security plan
  • mitigation plan
  • identification of internal controls

IT Security Program
  • business continuity
  • emergency operation
  • disaster recovery
  • incident response and mitigation
  • education and security awareness plan
  • evaluation of the program's effectiveness

IT Security Program
  • establishes governance for security
    management and administration
  • ensures network defense
    architecture and security strategy
  • implements protection management
    (resources, procedures, projects)

Risk Assessments
  • purpose
    • help management create appropriate strategies and
      controls for stewardship of information assets
  • a process
    • to understand and document potential risks to
      information assets
  • scope can vary
    • managerial view
      • institutional, division, department
    • IT view
      • systems, applications
  • outcome
    • create a security plan

Risk Assessments
  • May be mandated by policy or statute
    • Gramm-Leach-Bliley Act /
      Financial Modernization Act (G-L-B)
      • implemented by the May 23, 2003 FTC Safeguards Rule
      • established standards for administrative,
        technical, and physical safeguards for customer
        information
    • Health Insurance Portability and Accountability
      Act (HIPAA)
      • Security Rule compliance effective April 2005

Risk Assessments
  • Purpose and scope determine the assets to be
    covered in the risk assessment
  • Privacy
    • usually a focus on safeguards to protect data and
  • Criticality
    • focus is often on operations

Risk Assessments
  • Approaches
    • identify and classify information assets
    • identify processes
      • How does information flow through IT resources?
    • identify key players
    • identify types of resources
      • data centers, application systems, workstations,
        portable equipment?

Methodology Overview
  • may be formal (institutional) or informal
    (departmental review)
  • create a risk assessment team
  • set scope
  • identify assets to be covered
  • categorize potential losses
  • identify threats and vulnerabilities
  • identify existing controls
  • analyze the result of the data collected

Create a Security Plan
  • determine appropriate controls to address the
    vulnerabilities and risks revealed by the assessment
    • administrative/management/operational
    • logical/technical
    • physical measures
  • identify minimum requirements
  • identify procedures

Access Authorization and Authentication
  • Identity Management infrastructure for access
    • establish procedures for verification of identity
    • facilitate role-based authorization
      or authorization assignment
    • issuance of strong authentication credentials
    • termination procedures

Data Classification
  • How is data classified?
  • What is protected by law?
  • What are the disclosure requirements?
  • What privacy or criticality mandates apply?

Data Classification
  • customize training according to roles
  • identify responsibilities of supervisors, IT
    staff, researchers - everyone
  • ensure security reminders for new threats
  • PROCEDURES: manage the flow of information
  • BACKGROUND CHECKS for critical positions

Business Partners
  • contracts and agreements
  • confidentiality agreements

Logical (technical) Security
  • establish means to ensure
    • software updates
    • installation of security patches
    • intrusion detection
    • scanning for vulnerabilities
    • password management
    • protection against viruses
  • establish encryption key management plans
  • employ technology-implemented policy
    compliance where possible

Physical Security
  • consider use of
    professionally-managed data centers
  • ensure appropriate controls for
    hardware, software, and administration
    • physical access controls
    • back up
    • business continuity and disaster recovery
    • device and media controls
    • procedural controls

Physical Security
  • When data centers cannot be utilized,
    identify rules for
    • departmental servers
    • desktop computers
    • portable devices
  • Stolen laptops account for 60 percent of
    security breach notifications in California

Incident Response
  • identify an Incident Response Manager
    (may be a person or a team)
  • establish explicit procedures for
    • reporting suspected incidents
    • decision tree for resolution
    • summary reporting
    • feedback loop for remediation
    • revisiting existing controls

Publicize to the Entire Community
  • Communicate with academic, administrative, and
    student communities
    • town meetings
    • hearings in standing committees and user groups
    • newsletters, websites, mailing lists
  • ensure a constant flow of information
    to every segment of your community

Re-evaluate Security Program
  • role of auditors or external review
    • trained in enterprise risk management
    • ability to identify and assess risks
    • understand interrelated impacts
    • recommend appropriate control activities
    • perform the role of monitoring the enterprise

  • Educause
    • http//
  • Security Standard ISO 17799
  • National Institute of Standards and Technology,
    Computer Security Division
    • Special Publications (800 series) and FIPS pubs
    • http//
  • Audit Framework Documents
    • Enterprise Risk Management Framework, COSO
      (Committee of Sponsoring Organizations of the
      Treadway Commission)
    • IT Governance Institute, Control Objectives for
      Information and related Technology (CobiT)