INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.

1 INFORMATION ASSURANCE POLICY

2 Information Assurance Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

3 Information Assurance Objectives
● Confidentiality - assurance that information is not disclosed to unauthorized persons, processes, or devices
● Availability - timely, reliable access to data and information services for authorized users
● Integrity - protection against unauthorized modification or destruction of information
● Authentication - security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information
● Non-repudiation - assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data

4 U.S. National IT Security Strategy: The National Strategy to Secure Cyberspace, February 2003

5 Reasons for not being concerned with security policy
● “Data doesn’t need protecting because it isn’t sensitive”
● “Risk must be accepted as a part of doing business”
● Technical personnel would rather work with the technical system than perform the mundane tasks associated with policy
● Security impedes productivity (reduces efficiency and costs time and money)
● Policy is a measure to control behavior
● Policy will be difficult to adhere to all the time

6 Reasons for Establishing Security Policy
● Provides a comprehensive, integrated plan
● Defines appropriate behavior for all consumers/managers of the system
● Defines the tools and procedures needed to meet the determined security requirements
● Communicates a consensus of what should be done
● Provides authority for response to inappropriate behavior

7 INDIANA UNIVERSITY OF PENNSYLVANIA INFORMATION PROTECTION POLICY December 1, 2005 Approved for implementation by Dr. Tony Atwater and President’s Cabinet October 31, 2005

8 IUP POLICIES (from ATS Homepage) ATS also provides guidelines on:
● IUP Computer Account Retention Policy
● Student Computing Rights
● Student Computing Responsibilities
● Guidelines for the IUP Computing Lab Facilities
● Computing Resources Policy
● Computer Software Policy
● E-mail Privacy Policy
● IUP Policy Pages
● New Information Protection Policy (IMPORTANT NEW INFORMATION!!)
● IUP Use of E-mail Policy
● Academic Affairs Policies
● Student Affairs Policies
● The Source: Student Handbook
● Technology Services Center Policies

9 HIERARCHICAL POLICY MODEL
VALUES + INTERESTS → GOALS OR OBJECTIVES (POLICY)
POLICY + VULNERABILITIES + THREATS + CAPABILITIES → STRATEGY

10 VALUES

11 INTERESTS

12 POLICY It is the policy of IUP that all information be used in a manner that maintains an appropriate and relevant level of confidentiality and that provides sufficient assurance of its integrity in compliance with existing laws and PASSHE and University Policies. While the elimination of all risk is impossible, the goal of the policy is to minimize the possibility of information misuse, corruption, and loss through adoption of reasonable procedures for the University community to follow.

13 1st Step – Define policy makers
● should represent all users (students/faculty/administrators)
● decide what will be the scope and goals of the policy
●● Who and what is covered?
●● How specific?
● Use vision statements from Academic, Administrative, and Library computing as to what they would like to be able to do with the IT system to assist in guiding policy development

14 IUP IT Security Policy Chain of Responsibility
Information System Security Officer
Academic Computing Policy Advisory Committee & Academic Technology Operating Group
Administrative Computing Oversight Committee
College Deans
College Technology Managers
Technology Services Center

15 2nd Step – Document IT system (Vulnerabilities & Capabilities)
● in order to protect the system you have to know
●● What it is
●● What it does
●● What its weaknesses are
●● What potential threats to it exist
●● What has been or is being done to mitigate the risks to your data and system
● Provides institutional data about the system
● Documenting the controls in place, or the planned controls, identifies specifics about a system’s security

16 Higher Ed vs Others
● The requirement to protect data and data systems is present in today’s world; the security issues are the same
● “Open” academic environment vs the requirement to protect data and data systems
● Paramount to faculty: no barriers to the flow of information either coming into or going out from the institution

17 Higher Ed vs Others
Administrative Domain:
● Restricted access to financial data
● Restricted access to student/administrative data
● Restricted access to alumni data
● Restricted access to marketing data
Academic Domain:
● Access to instructional programs
● Remote access (students and faculty)
Commonalities (but may require different security requirements):
● E-mail
● Internet access
● Access to state and federal agencies

18 3rd Step – Assessments (Capabilities)
● Examine current policies
● Determine security requirements for all users based on
●● sensitivity and criticality of data processed/stored
●● relationship of the IT system to the organization’s mission
●● economic value of the system’s data and components
● Examine network infrastructure and operating system(s)
● Security requirements show developers, managers, and auditors what the system should be allowed to do or not do
● Define other security-related policies to fully implement the institution’s IT security policy

19 4th Step – Develop Strategy
● Specify security controls to be implemented and maintained
● Define access between authorized users and the networking environment
● Define duties and authorization levels
● Define chain of command responsibility for execution and authorization levels
●● Ensure personnel given responsibility have the authority to carry out their responsibilities
● Address data ownership, confidentiality, availability, integrity, authentication, & non-repudiation standards
● Define the system’s transmission accuracy, integrity, and recoverability requirements to be met
● Specify a process for detection and reporting of errors
● Have to obtain approval of the institution’s administration

20 5th Step - Specific Issues All Institutions Should Address
● Physical Security
● Login Name Standards
● Password Standards
● Virus Protection
● Auditing
● Disaster Recovery/Contingency Planning
● Training

21 Conclusions
● Important to gather as many ideas or requirements from as many different types of users as possible
● Important to win the administration’s support for the policy process and the resulting policy
● The policy documents
●● The system’s basic security requirements
●● The controls in place
●● Planned controls
●● The responsibility of system users
●● Expected user behavior
● Strive for industry “best practices” security
● The resulting policy has to be implemented and enforceable to be effective
● Training
● The document is dynamic
