The WVU Information Security Program: If You Build It, They Will Use It - PowerPoint PPT Presentation

Loading...

PPT – The WVU Information Security Program: If You Build It, They Will Use It PowerPoint presentation | free to download - id: 1d0cc4-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

The WVU Information Security Program: If You Build It, They Will Use It

Description:

Health Insurance Portability & Accountability Act (HIPAA) ... West Virginia Code 18-2-5f Use of Student SSNs. Demonstrate Due Diligence ... – PowerPoint PPT presentation

Number of Views:19
Avg rating:3.0/5.0
Slides: 46
Provided by: sueannl
Learn more at: http://net.educause.edu
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: The WVU Information Security Program: If You Build It, They Will Use It


1
The WVUInformation Security Program If
You Build It, They Will Use It
2
Introductions
  • Sue Ann Lipinski
  • Management Auditor, Internal Audit
  • Tim Marton
  • Director, Information Systems
  • Mark Six
  • Manager, Systems Administration

3
Abstract
  • WVU is building an institution-wide
    information security program to ensure the
    continued confidentiality, integrity
    availability of mission critical information
    resources. This presentation discusses our
    incremental implementation approach, including
    the development of policies / standards /
    procedures, as well as efforts to include this
    program in current future information-related
    activities projects.

4
Some WVU Facts
  • Founded in 1867 in Morgantown, WV
  • Land Grant Institution
  • 13 colleges schools, offering 170 bachelors,
    masters, doctoral professional degree programs
  • Medical Center
  • Doctoral Research Extensive Classification
  • Spread over 3 Morgantown 3 regional campuses
  • Enrollment of approximately 31,800
  • Faculty/Staff of 6,487

5
Agenda
  • Evolution of WVUs Program
  • Insight into Current Program
  • Where Are We Going Next
  • Words to the Wise

6
Evolution of WVUs Program
  • Drivers Internal External
  • Champions Promoted, Promoted, Promoted
  • Defined Information Security for WVU
  • Developed / Updated Policies / Standards
    On-going
  • Identified Information Security Program Elements

7
Why? Why Now?
  • Internal Drivers
  • Recognized Need to Protect Information Resources
  • Impact of an Incident
  • External Drivers
  • Gramm-Leach-Bliley Act (GLB)
  • Health Insurance Portability Accountability Act
    (HIPAA)
  • Family Education Rights Privacy Act (FERPA)
  • The Privacy Act
  • West Virginia Code 18-2-5f Use of Student SSNs
  • Demonstrate Due Diligence
  • Higher Education in the Headlines

8
WVUs Security Policy
  • Information Resources as Vital Assets
  • Definition / Purpose of Information Security
  • Elements of WVUs Program
  • Structure, Composition Responsibilities

9
WVU Information Resources
  • WVU relies on numerous, diverse information
    resources to support the mission critical
    operations of administration, education, research
    service.
  • If these information resources were unavailable,
    unreliable or disclosed in an inappropriate
    manner, the University could suffer damage to its
    reputation incur serious financial
    operational losses.
  • Accordingly, WVU acknowledges that information
    resources are vital assets requiring protection
    commensurate with their value.

10
Definition Purpose
  • The protection of information resources from
    unauthorized access, modification, destruction or
    harm
  • The establishment of controls measures to
    minimize the risk of loss or damage to
    information resources
  • Inform users (students, staff and faculty) of
    essential requirements for protecting various
    assets including people hardware, software
    resources data assets
  • Provide a baseline from which to acquire,
    configure audit computer systems networks for
    compliance with the policy

11
Three Tenets
  • Confidentiality
  • addresses the protection of private, sensitive
    or trusted information resources from
    unauthorized access or disclosure
  • Integrity
  • refers to the accuracy, completeness
    consistency of information resources
  • Availability
  • ensures reliable timely access to information
    resources by appropriate personnel

12
Elements of WVUs Program
  • Defined Structure w/ Central Point of
    Coordination
  • Risk Assessment Management
  • Policies Standards / Policy Management
  • Communication Education
  • Compliance
  • Reporting Enforcement
  • Procurement Oversight for Service Providers
  • Security-related Projects

13
Structure
14
Composition
  • Reports to cabinet level authority
  • Member of AAIMS Executive Committee
  • Chairs the Information Security Council

15
Responsibilities
  • Risk management
  • Policies standards
  • Communicate educate
  • Compliance
  • Report enforce
  • Service provider oversight
  • Security-related projects

16
Composition
Chaired by Provost Office includes VP (or
Director) from Academic Affairs Finance
Administration Health Sciences Human
Resources Information Technology Internal
Audit Library Student Affairs
17
Responsibilities
  • Sponsor the Information Security Program
  • Establish an Information Security Environment
  • Coordinate access to necessary support

18
Composition
Chaired by the ISO includes Information Security
Representatives from the administration, faculty
staff with support from Internal Audit IT
Specialists Legal Counsel Purchasing
19
ISC Charter
  • Serve as senior management sponsors of the WVU
    Information Security Program
  • Provide management coordination of a
    University-wide information security program
  • Review revise information security policies,
    standards and procedures
  • Establish maintain a comprehensive risk
    management program
  • Establish maintain an information security
    compliance program
  • Recommend sponsor information security
    awareness, communication education programs
  • Provide a forum to discuss assess pending
    regulations requirements
  • Perform periodic reviews of information security
    incidents / violations
  • Govern contractual relationships with vendors,
    consultants other 3rd parties

20
Composition/Responsibilities
  • Assist development of data definitions
  • Assign data elements to categories
  • Provide framework for classifying data
  • Authorize access to information resources
  • Implement controls to secure resources

Senior level University officials
21
Composition/Responsibilities
  • Representatives of
  • Each major application/system
  • Each academic college
  • Each business unit
  • Primary units of IT
  • Disseminate policy
  • Assist in detection / reporting of violations
  • Departmental point-of-contact

22
Composition/Responsibilities
  • Protect information resources per 3 tenets
  • Use information responsibly / appropriately
  • Comply with policy

Any user authorized to access data and/or systems
23
Composition
Independent, objective appraisal
function Reporting to the WVU Presidents
Office the Board of Governors Audit Committee
24
Responsibilities
  • Assist WVU administration in the effective
    implementation of internal controls
  • Safeguarding of University assets
  • Integrity reliability of information systems
    related resources
  • Compliance with University, State Federal
    regulations
  • Effective efficient use management of
    University resources
  • Accomplishment of University goals
  • Risk assessment
  • Evaluation of controls
  • Determine compliance with regulations, policy,
    etc.
  • Issue recommendations

25
Risk Management
  • Identify Classify Resources
  • Identify Threats Vulnerabilities
  • Determine Prioritize Risks
  • Determine Response
  • Prevent, Mitigate or Accept
  • Risk Assessment
  • Periodic ISO ISC
  • Independent Internal Audit

26
Policies/Standards
  • Contain senior management directives to create an
    information security program, establish its goals
    measures, assign responsibilities define an
    organizations information security philosophy
  • Mandatory activities, rules, measures of minimal
    performance or achievement, designed to provide
    support structure intended for universal
    application throughout the organization used to
    implement the general policies/standards

27
Policies/Standards (contd)
  • Recently Developed / Updated
  • Acceptable (Appropriate) Use
  • Anti-Spam, Anti-Virus
  • Data Center Access
  • e-Commerce Management
  • Electronic Mail
  • End-User Accountability
  • Network Security
  • Under Development
  • Data Ownership / Classification / Security
  • Security Awareness / Education
  • Security Incident Reporting / Response

28
Policy Management
  • Posted on the ISO Web Site
  • Formal Protocol for Policy Evolution
  • Policy Waivers

29
Communication Education
  • Student, Faculty Employee Orientation
  • e-News Tips for the Day
  • Web Site
  • Simple but informative
  • Intranet version debuted April 2004
  • Internet version _at_ http//oit.wvu.edu/iso
  • Posters
  • Classes and/or Mini-Workshops Planning

30
(No Transcript)
31
Compliance Program
  • Measures to Prevent Detect
  • Response to Compromise or Violations
  • Continually Evaluate Regulations, Policies
    Standards
  • ISC plus Management, Providers Users
  • Internal Audit
  • Critical role in evaluation of compliance
    recommendation of measures to help ensure
    compliance

32
Reporting Enforcement
  • Vanity e-Mail Account
  • Information_Security_at_mail.wvu.edu
  • For submitting general inquiries or reporting
    potential violations or concerns
  • Developing Formal Reporting / Response Protocol
  • Information Security Liaisons
  • ISC Action Team
  • Fore-runner to an incident response team
  • Consequences for Non-compliance

33
Procurement Oversight
  • Service Providers Held to Same Standard as Staff
  • Confidential Information Contract Addendum
  • Definitions of covered data information
  • Acknowledgement of required access
  • Safeguard standards
  • Reporting
  • Audit Standards for Service Provider Contracts

34
Security-related Efforts
  • Business Continuity Plan
  • Disaster Recovery Plan In Place
  • Business Resumption Plan In Planning
  • e-Commerce Review Committee
  • Ethics Confidentiality Notice / Certification
  • University-wide coverage Replacement under
    Review
  • Departmental / project specific Some in Place
  • SSN Replacement
  • Identity Management / Central Authentication

35
ID Management Project
  • Charter
  • to define and/or recommend a central (i.e.,
    University-wide) identity management and
    authentication solution
  • Multi-Phase Project
  • Phase I Unique ID WVUID
  • Completed
  • Phase II ID Management
  • Proof of Concept Completed
  • Tool Kit Plan under Review (1/31/05 completion
    date)
  • Phase III Central Authentication
  • Campus-wide wireless access

36
Project Pyramid
37
WVU-ID ToolKit
38
Uniqueness Elements
39
Where Are We Going Next
  • Establish the Information Security Office(r)
  • Develop Risk Assessment Plan of Attack
  • Job of the Information Security Council
  • Initial Focus on Electronic Resources
  • Risk Assessment Algorithms
  • Classify Information Resources
  • Continue to Address the Use of SSN at WVU
  • Complete the ID Management / Authentication
    Project
  • Continue to Spread the Word
  • Continue to Review Current Policies / Procedures
  • Implement Compliance, Reporting Enforcement

40
A Word To The Wise
  • Terminology
  • Information Security vs. Computer Security
  • Cost Benefits
  • Determine risk algorithms early in the process
  • Consider Current Security Environment
  • Whenever possible, use existing elements
  • Can have reasonable plan by connecting dots

41
A Word To The Wise (contd)
  • If Policy is Too Relaxed or Non-Existent
  • Little or no enforcement
  • If Policy is Too Strict
  • Nobody pays attention to it (hope I dont get
    caught!)
  • Too complicated, too cumbersome
  • Flexibility / Adaptability is Key
  • Should be independent of specific HW/SW
  • Policy update mechanisms should be clearly
    spelled out

42
Resource Examples
  • Federal / State laws, regulations, statutes
  • WV State Information Security Policy Guidelines
  • Other Colleges Universities
  • Information Security Policies Made Easy
  • by Charles Wood
  • Information Systems Audit Control (ISACA)
  • CERT, NIST, NSA, SANS,

43
Never-Ending Cycle
Risk Assessment
Policies/ Standards/ Procedures - Update / Create
  • Management
  • Compliance
  • Reporting
  • Enforcement

Education, Communications Awareness Programs
44
  • Questions
  • and/or
  • Comments

45
Contacts
  • http//oit.wvu.edu/iso
  • Information_Security_at_mail.wvu.edu
  • SueAnn.Lipinski_at_mail.wvu.edu
  • RTMarton_at_mail.wvu.edu
  • Mark.Six_at_mail.wvu.edu
About PowerShow.com