
Educause Security Professionals Conference April 2006 SEM02A: Information Security & Privacy Policy Development Copyright Milford, Mitrano, & Schuster,




1 Educause Security Professionals Conference April 2006 SEM02A: Information Security & Privacy Policy Development Copyright Milford, Mitrano, & Schuster, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

2 Information Security & Privacy Policy Development
- Kim Milford, Information Security Officer, University of Rochester
- Tracy Mitrano, Director of IT Policy, Cornell University
- Steve Schuster, Director of IT Security, Cornell University

3 Agenda
- Model Security Policy
- Framework for Information Technology Policy
- Implementation of Information Security Policy
- Scenarios
- Discussion
- Q & A

4 Educause Model Security Policy (Kim Milford, University of Rochester)

5 Model Security Policy
Educause Sub-Committee, December 2005
Goal: Create a template of policy statements from existing standards and policies. This model policy can then be used in whole or in part by organizations creating or updating their information security policy.

6 Model Security Policy
- William Custer, Miami University, Information Security Policy Manager
- Bob Kalal, Ohio State University, Director, Information Technology Policy & Services
- Jack McCoy, East Carolina University, Director, IT Security
- Kim Milford, University of Rochester, Director & Information Security Officer
- David Weil, Ithaca College, Director, Web, Systems & Department Services

7 Model Policy Deliverables (December 2006):
- A category scheme of policy topics under which samples of existing policy from various universities may be displayed on the Educause web site
- A set of prioritized categories about which we will write sample policy first
- Some published drafts about which we can get informal feedback at the two conferences in April
- A presentation at the fall Educause conference by which we can get feedback
- A sample policy statement of about 10 pages on selected topics
- A statement about methodology and general assumptions

8 Model Security Policy
- Establishing common vocabulary & taxonomy
- Will continue to evolve
- Researched ISO 17799, NIST, ISC2
- Compared to legal requirements: HIPAA, FERPA, GLB
- Largely based on SANS major headings
- Supplemented with examples from a review of over 80 University security policies

9 Categories:
1. Security Policy
2. Organizational Security
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
6. Communication and Operations Management

10 Model Security Policy Categories (continued):
7. Access Control
8. System Development & Maintenance
9. Business Continuity Management
10. Compliance
** Security Policy & Acceptable Use

11 Model Security Policy Timeline (based on proposed priorities)
- June: Organizational Security “pilot”
- Sept: Asset Classification & Control
- Sept: Communications & Operations Management
- Sept: Access Control
- Oct: Presentation at Educause Conf
- Dec: Completion

12 Model Security Policy
- This is developing rapidly… there will likely be many changes since these slides were prepared.
- We will bring discussion back to Model Security Policy at the end of this morning’s session.

13 An Information Technology Policy Framework (Tracy Mitrano, Cornell University)

14 Big “P” and Little “p” Policy
- Big “P” is for more broadly represented issues, national policy
  - EDUCAUSE position on FBI petition to the FCC to expand the Communications Assistance for Law Enforcement Act to data networks
  - National security issues
- Little “p” policy
  - Institutional policy on, say, travel reimbursements, capital assets or appropriate use of IT resources

15 IT Policy: Law, Norms, Architecture, Market

16 IT Policy Framework at Cornell
- University Policy Office
  - http://www.univco.cornell.edu/policy/home.html
  - http://www.univco.cornell.edu/policy/pop.html
  - http://www.univco.cornell.edu/policy/current.html
- IT Policy Office
  - http://www.cit.cornell.edu/oit/PolicyOffice.html
  - http://www.cit.cornell.edu/oit/policy/drafts/
  - http://www.cit.cornell.edu/oit/policy/framework-chart.html
  - http://www.cit.cornell.edu/oit/policy/framework.html

17 Two Themes for Subsequent Policy Development
1. Protection and Preservation of Institutional Interests and Assets
2. Security and Privacy*
*Security and privacy could also be subsumed under the first theme, but because of the significance of the security and privacy concerns for campus networks, it is worth illuminating separately at this time in the history of IT policy development.

18 Security and Privacy
- Maybe in the national security arena and its debates these qualities are pitted against each other in a “zero-sum” game kind of formula.
- But in campus networking we should think of them as complementing each other equally, as in the old adage “you can’t have privacy without security…”
- Private, criminal actions pose a far greater compromise of privacy, through network security flaws, than government surveillance does.
- Public laws weigh privacy and security provisions equally.

19 Cornell Security Program http://www.cit.cornell.edu/oit/policy/security.html

20 Cornell Privacy Program http://www.cit.cornell.edu/oit/policy/privacy.html

21 Cornell IT Policy Framework http://www.cit.cornell.edu/oit/policy/framework-chart.html

22 Policy Implementation
- Good balance between policy statements and procedures
  - Balance is relative to the structure and traditions of the institution
  - Cornell’s “rule of thumb” is to include the level of procedure only at the highest university-wide level
  - IT organization does the documentation for deeper levels of implementation and backline procedures
- Intelligibility to technical and non-technical users
  - IT organization documentation can augment dry-bones policy form and substance
  - And meet the needs of both technical and non-technical users

23 Policy Implementation
- Exceptions
  - Every policy has exceptions (just like every law!)
  - Make sure the exceptions are for important reasons and are appropriately tailored
- Requisite authority
  - Centralized or non-centralized processes
- Enforceable
  - Usually through audit at the institutional level, and to each individual through disciplinary measures (HR, JA, etc.)
- Should not cause additional burden

24 Policy Implementation
- Address administrative/financial burden
  - Up front, so that stakeholders and authorizing parties are aware of the financial, business and administrative costs
  - Balance those costs with clear explication of the benefits that the policy provides the institution
  - Build cost/benefit analysis into implementation
- Education for the community
- Tools (e.g. software or new programs)
- Training for relevant personnel
- Time line for full implementation

25 Final Thoughts
- IT Policy is externally influenced by law, technology, business models and social norms.
- IT Policy development is challenging due to the diverse nature of our institutions
  - One size does not fit all!
  - Different policy processes
  - Passionate stakeholder concerns…
- The IT Policy function requires different styles of leadership.

26 Three Axioms: Conclusion
- Only write IT policy for IT matters
  - Where technology meets law and behavior
- Give unto Caesar what is Caesar's...
  - Harassment as an example, political speech in email
- Communicate, Educate and Commiserate, but don’t be afraid to… EXERCISE LEADERSHIP!

27 Policy Implementation (Steve Schuster, Cornell University)

28 Cornell Network Registry (Case Study)
- Must be understandable
  - The policy must be clear to technical and non-technical people
  - What needs to be done to meet the requirements of the policy
  - Network Registry policy.htm

29 Cornell Network Registry (Case Study)
- Exceptions need to be well understood and articulated
  - Are exceptions acceptable?
  - What are acceptable reasons?
  - DNSDB Tools for Network Registration.htm

30 Cornell Network Registry (Case Study)
- Must be implementable
  - A policy that cannot be implemented is not worth writing
  - DNSDB Tools for Network Registration.htm

31 Cornell Network Registry (Case Study)
- Must be enforceable
  - A way is required to validate compliance
  - Non-compliance should mean consequences
  - Network Registry audit of 128842030.txt

32 Cornell Network Registry (Case Study)
- Should not cause substantially additional burden
  - Staff time
  - Financial

33 Lessons Learned
- There is no way to over-communicate
- There are almost as many unique situations as there are people on campus
- Regardless of how straightforward the policy is, people will not be happy
- Enforcement and compliance are difficult to get your arms around

34 Information Security & Privacy Policy Development Break Time: Review scenarios for discussion after the break

35 Information Security & Privacy Policy Development
Scenarios:
- Break into small groups & discuss
- Come back to full group discussion

36 Information Security & Privacy Policy Development
Scenario 1: A local system administrator receives a call from a law enforcement officer requesting any information that can be provided for a specific IP number. The situation sounds very serious and the officer is explaining that this information is critical to determine how to proceed.
What steps should be captured in policy?

37 Information Security & Privacy Policy Development
Scenario 2: An administrative assistant has filed a complaint with the university counsel that her boss spends an enormous amount of time surfing the web and searching for porn. There have been no previous complaints concerning this activity and the individual being accused has a good university record.
What questions need to be answered? What steps should be taken? What should be represented in policy?

38 Information Security & Privacy Policy Development
Scenario 3: A small group of graduate students are not overly happy with the networking arrangements they have in their work space. They have complained to the local network administrator but the situation has still not been resolved to their satisfaction. One of the graduate students purchases a small wireless access point and installs it in the work space for others to use.
What questions need to be answered? What steps should be taken? What should be represented in policy?

39 Information Security & Privacy Policy Development
Case Studies:
- Break into small groups & discuss
- Come back to full group discussion
- Bring back to model security policy

40 Information Security & Privacy Policy Development Case Study 1: You have been hired as the new Information Security Director. Welcome aboard! A few things to know about your new job…

41 Information Security & Privacy Policy Development Case Study 2: Inadvertent release of patient data and questions of privacy.

42 Model Security Policy Categories:
1. Security Policy
2. Organizational Security
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
6. Communication and Operations Management

43 Model Security Policy Categories (continued):
7. Access Control
8. System Development & Maintenance
9. Business Continuity Management
10. Compliance

44 Model Security Policy Priorities:
- Organizational Security
- Asset Classification & Control
- Communications & Operations Management
- Access Control

45 Model Security Policy: Organizational Security
1. Management Commitment
2. Information Security Infrastructure
3. Security of Third Party Access
4. Outsourcing
5. Risk Analysis and Assessment

46 Model Security Policy: Management Commitment
- Statement of Values
- Goal(s) of policy
- Importance of information resources
- Importance of information security

47 Model Security Policy: Management Commitment (cont’d)
- Includes Security Mandate
  - Protecting:
    - Confidentiality
    - Integrity
    - Availability
  - Reduce risk of exposure that could damage reputation

48 Model Security Policy: Information Security Infrastructure
A. Organization & Governance
B. Information security coordination
C. Allocation of information security roles & responsibilities
D. Management information security forum
E. Authorization process for information processing facilities

49 Model Security Policy: Information Security Infrastructure (Continued)
F. Specialist information security advice
G. Cooperation between organizations
H. Independent review of information security

50 Model Security Policy
- Our work is continuing
- Your input is appreciated

51 Information Security & Privacy Policy Development Questions?

