Presentation is loading. Please wait.

Presentation is loading. Please wait.

Normative vs. Descriptive vs. Pragmatic. Sad reality Faculty, staff and students are using mobile devices today, with or without our help (probably without)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Normative vs. Descriptive vs. Pragmatic. Sad reality Faculty, staff and students are using mobile devices today, with or without our help (probably without)"— Presentation transcript:

1 Normative vs. Descriptive vs. Pragmatic

2 Sad reality Faculty, staff and students are using mobile devices today, with or without our help (probably without) Most of us are significantly under-resourced Our users have probably already lost mobile devices containing sensitive university data, we just weren’t told it happened What do we tell our bosses when they ask about mobile device incidents?

3 Policy What is it? Does one size fit all? What will my organizational culture accept? What can *I* do to address this?

4 Policy Standards Procedures and Guidelines Increasing rate of change Originates and maintained at the Trustee/Executive level Requires revision only if university goals or mission change Easy to understand, written for a broad audience Avoids specifics subject to change Links to detailed supporting documents Stands the test of time U. of S.C. Policy Framework Characteristics of good policy: Support policy goals Specific without implementation guidance Originates and maintained by Data Steward Changes more frequently than policy Changes less frequently than procedures and guidelines Characteristics of good standards: Describes how to comply with Policy and Standards Varies by business unit need or requirement Created and maintained by business unit Characteristics of good procedures: Order of creation Definition: Overall intention and direction as formally expressed by management. Definition: Basis with which to measure policy. Definition: A description that clarifies what should be done and how, to achieve the objectives set out in policies.

5 Policy Standards Procedures and Guidelines Increasing rate of change Framework in Action Order of creation UNIV 1.50 “The purpose of this policy is to establish standards to manage, protect, secure and control system institutional data that will promote and support the efficient conduct of University business. The objective of this policy is to minimize impediment to access of this data, yet provide a secure environment.” Future standards to be issued by Data Stewards Potential University standards: ISO 27002 Sensitive Data Security Logging Practices Workstation Security Server Security Password Practices Media Sanitization Current examples Specific to University Technology Services: Firewall Configuration Management (UTS 300.20.2) Computer Room Protocol (UTS 300.30.1) Operations Guide for VM Admins (UTS 300.70.1a) General Information Security guidelines posted to the USC Information Security Program website: security.sc.edu

6 Information Security (IT 3.00) Data Access (UNIV 1.50) Information Security Related Policies (www.sc.edu/policies) Acceptable Use of Information Technology (IT 1.06) Other Related Policy datawarehouse.sc.edusecurity.sc.edu Location of associated standards, procedures and guidelines

7

8 Keep it simple

9 Give yourself the authority

10 Make it happen

11

12

13

14

15

16 Mobile device configuration guidelines coming soon! If all goes well, you now have the freedom to add new guidelines quickly and as needed. Very agile and flexible approach Likely compatible with your current environment… In the mean time, I like Carnegie Mellon’s mobile Internet device recommendations: http://www.cmu.edu/iso/governance/guidelines/ mobile-device.html

17 So how did I get this new policy published? Thanks, accreditation!

18 Catalyst for InfoSec Program push?

19 A wise person once said, “Never let a good crisis go to waste.” (or something to that effect!)

20 “I rooted my device so that *I* am in control!” – Oh, really?

21

22

23 You can keep an eye out for other indicators of “mobile malware.” So far, we are not aware of other mobile- flavored malware detections… which makes me awfully suspicious.

24 Potential ways to implement Look for cross platform vendors, such as MobileIron Draw the line at the top 3(?) devices, but even still that might be too resource intensive

Download ppt "Normative vs. Descriptive vs. Pragmatic. Sad reality Faculty, staff and students are using mobile devices today, with or without our help (probably without)"

Similar presentations

The International Security Standard

The International Security Standard
ANSI/ASQ E Overview Gary L. Johnson U.S. EPA

ANSI/ASQ E Overview Gary L. Johnson U.S. EPA
How to Document A Business Management System

How to Document A Business Management System
NOTES TO ANDERSON, CHAPTERS 3 PROFESSIONAL WRITING.

NOTES TO ANDERSON, CHAPTERS 3 PROFESSIONAL WRITING.
Screen 1 of 24 Reporting Food Security Information Understanding the User’s Information Needs At the end of this lesson you will be able to: define the.

Screen 1 of 24 Reporting Food Security Information Understanding the User’s Information Needs At the end of this lesson you will be able to: define the.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
CST 481/598 x.2.  Broad overview of policy material  What is a “process”  Tiers (not tears) Many thanks to Jeni Li.

CST 481/598 x.2.  Broad overview of policy material  What is a “process”  Tiers (not tears) Many thanks to Jeni Li.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Purpose of the Standards

Purpose of the Standards
Network security policy: best practices

Network security policy: best practices
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
General Awareness Training

General Awareness Training
SECURITY POLICIES Indu Ramachandran. Outline General idea/Importance of security policies When security policies should be developed Who should be involved.

SECURITY POLICIES Indu Ramachandran. Outline General idea/Importance of security policies When security policies should be developed Who should be involved.
Creating an Effective Email Policy Central Missouri Chapter Jesse Wilkins April 16, 2009.

Creating an Effective Policy Central Missouri Chapter Jesse Wilkins April 16, 2009.
Purchasing Ethics and Vendor Relations

Purchasing Ethics and Vendor Relations
Quote for today “Sometimes the questions are complicated and the answers are simple” - ?? ????? “Sometimes the questions are complicated and the answers.

Quote for today “Sometimes the questions are complicated and the answers are simple” - ?? ????? “Sometimes the questions are complicated and the answers.
COBIT - IT Governance.

COBIT - IT Governance.

Similar presentations

Ads by Google