Converting Policy to Reality Designing an IT Security Program for Your Campus - PowerPoint PPT Presentation

1
Converting Policy to Reality: Designing an IT Security Program for Your Campus
  • 2nd Annual Conference on Technology and Standards
  • May 3, 2005
  • Jacqueline Craig
  • Director of Policy
  • Information Resources and Communications
  • University of California Office of the President

2
The First Step
Establish Policy
  • reflects the institution's core values
  • establishes an integrated framework
  • identifies objectives
  • what needs to happen

3
Policy may include or reference
  • elements often included in policy
  • guidelines
  • procedures
  • standards
  • best practices
  • how to achieve objectives

4
Elements of security policy
  • Policy should identify
  • principles
  • roles and responsibilities
  • scope
  • identification of measures that comprise your
    security program

5
Moving from Policy to Reality
  • Create a Security Program
  • a road map
  • an action plan
  • a means of ensuring policy compliance
  • throughout the campus community

6
IT Security Program
  • The means to implement IT policy
  • it is a management concern, not just the responsibility of IT
  • input from administration, faculty, staff,
    students
  • publicize widely must be an open process
  • security planning must be incorporated into every
    management level
  • leverage campus governance structure

7
Campus Governance
Not only an enabler: an integral part of enterprise governance
  • establishes the risk management philosophy of the
    enterprise
  • articulates the ethical values of the enterprise
  • establishes the operating style
  • assigns authority and responsibility

8
Is the CIO at the head table? Do IT personnel participate in business decisions?
  • IT governance cannot be separated from the
    governance of the enterprise
  • Enterprise governance structure must include IT
    personnel at every level
  • Is there a campus Security Officer?
  • Is there a campus-wide committee to address
    security?

9
Campus Security Committee
  • represent campus-wide interests in information
    security
  • brings matters of information security to
    executive management
  • develop campus-wide strategy
  • provide direction, planning, and guidance in the
    area of information security
  • develop and review the campus-wide information security program

10
IT Security Program
  • assignment of responsibility
  • risk assessment requirements
  • security plan
  • mitigation plan
  • identification of internal controls

11
IT Security Program
  • business continuity
  • emergency operation
  • disaster recovery
  • incident response and mitigation
  • education and security awareness plan
  • evaluation of the program's effectiveness

12
IT Security Program
  • establishes governance for security
  • management and administration
  • ensures network defense
  • architecture and security strategy
  • implements protection management
  • resources, procedures, projects

13
Risk Assessments
  • purpose
  • help management create appropriate strategies and
    controls for stewardship of information assets
  • a process
  • to understand and document potential risks to
    information assets
  • scope can vary
  • managerial view
  • institutional, division, department
  • IT view
  • systems application
  • outcome
  • create a security plan

14
Risk Assessments
  • May be mandated by policy or statute
  • Gramm-Leach-Bliley Act
  • Financial Modernization Act (G-L-B)
  • implemented by the FTC Safeguards Rule, effective May 23, 2003
  • established standards for administrative,
    technical, and physical safeguards for customer
    information
  • Health Insurance Portability and Accountability
    Act (HIPAA)
  • Security Rule compliance effective April 2005

15
Risk Assessments
  • Purpose and scope determine the assets to be
    covered in the risk assessment
  • Privacy
  • usually a focus on safeguards to protect data and
    resource
  • Criticality
  • focus is often on operations

16
Risk Assessments
  • Approaches
  • identify and classify information assets
  • identify processes
  • How does information flow through IT resources?
  • identify key players
  • identify types of resources
  • data centers, application systems, workstations,
    portable equipment?

17
Methodology Overview
  • may be formal (institutional) or informal
    (departmental review)
  • create a risk assessment team
  • set scope
  • identify assets to be covered
  • categorize potential losses
  • identify threats and vulnerabilities
  • identify existing controls
  • analyze the result of the data collected

18
Create a Security Plan
  • determine appropriate controls to address
    vulnerabilities and risks revealed by assessment
  • administrative/management/operational
  • logical/technical
  • physical measures
  • identify minimum requirements
  • identify procedures

19
Access Authorization and Authentication
  • Identity Management infrastructure for access
    authorization
  • establish procedures for verification of identity
  • facilitate role-based authorization
  • or authorization assignment
  • issuance of strong authentication credentials
  • termination procedures

20
Data Classification
  • How is data classified?
  • What is protected by law?
  • What are the disclosure requirements?
  • What privacy or criticality mandates apply?

21
Data Classification
22
Workforce
  • EDUCATION
  • customize training according to roles
  • identify responsibilities of supervisors, IT
    staff, researchers - everyone
  • ensure security reminders for new threats
  • PROCEDURES: manage the flow of information
  • BACKGROUND CHECKS: for critical positions

23
Business Partners
  • contracts and agreements
  • confidentiality agreements

24
Logical (technical) Security
  • establish means to ensure
  • software updates
  • installation of security patches
  • intrusion detection
  • scanning for vulnerabilities
  • password management
  • protection against viruses
  • establish encryption key management plans
  • employ technology-implemented policy compliance where possible

25
Physical Security
  • consider use of
  • professionally-managed data centers
  • ensure appropriate controls for
  • hardware, software, and administration
  • physical access controls
  • back up
  • business continuity and disaster recovery
  • device and media controls
  • procedural controls

26
Physical Security
  • When data centers cannot be utilized
  • identify rules for
  • departmental servers
  • desktop computers
  • portable devices
  • Stolen laptops account for 60 percent of
    security breach notifications in California

27
Incident Response
  • identify an Incident Response Manager
  • (may be a person or a team)
  • establish explicit procedures for
  • reporting suspected incidents
  • decision tree for resolution
  • summary reporting
  • feedback loop for remediation
  • revisit existing controls

28
Publicize to the Entire Community
  • Communicate with academic, administrative, and
    student communities
  • town meetings
  • hearings in standing committees and user groups
  • newsletters, websites, mailing lists
  • ensure a constant flow of information
  • to every segment of your community

29
Re-evaluate Security Program
  • role of auditors or external review
  • trained in enterprise risk management
  • ability to identify and assess risks
  • understand interrelated impacts
  • recommend appropriate control activities
  • perform role of monitoring the enterprise

30
Resources
  • Educause
  • http://www.educause.edu/Cybersecurity/
  • Security Standard ISO 17799
  • National Institute of Standards and Technology, Computer Security Division
  • Special Publications (800 series) and FIPS pubs
  • http://csrc.nist.gov/publications/index.html
  • Audit Framework Documents
  • Enterprise Risk Management Framework COSO
    (Committee of Sponsoring Organizations of the
    Treadway Commission)
  • IT Governance Institute Control Objectives for
    Information and related Technology (CobiT
    Framework)