Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th."— Presentation transcript:

1 University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th

2 IT Security policy What is it? –The IT Security policy defines the minimum security posture needed to be maintained to protect IT resources from compromise (internal or external) or loss. It defines the scope of the data and resources to be protected. It also protects the members of the University community when they need to make decisions or take actions when handling IT resources.

3 Why do we need it? Business risk management –Protect assets –Protect reputation –Due diligence Risks increasing –Virus, worms –Phishing, email scams –Social Engineering –Spyware, Trojans

4 Famous names in the news Tufts, Boston College, Columbia, Carnegie-Mellon ChoicePoint, Lexus Nexus, Polo Ralph Lauren, Ameritrade, HSBC Holdings, Bank of America, DSW Shoes, etc. All have had compromises that have made the evening news….this year

5 Additional factors Establishment of CIO position IT needs to move from technological to business issues Security is not just a firewall (crunchy on the outside, soft and chewy on the inside) External Security Audits Government legislation

6 Scope University Wide Departmental Regional Colleges Residences Wireless, PDA, Cellphone Home, Remote access

7 Elements of an IT Security Policy Based on standards – ISO 17790 – SANS – CERT – peers

8 Mission statement –Organizational roles Executive, HR, Board CIO Security officer Technical staff Campus Police Legal, Audit User community –Definitions

9 Data handling Policy Data sensitivity Electronics records retention Privacy

10 User Account management Accounts Management Password Management Acceptable Use Policy

11 Access Management –Trust model –Access Controls –Data classification

12 Virus Protection Policy Perimeter (email, firewall) Desktop Actions based on detection

13 Networking Standards (protocols, ports) Authorized Access Remote Access

14 Intrusion Detection / Logging Configurations / Backups Monitoring Log consolidation Incident Handling –Incident Response team –Reporting requirements Configuration management Backups / Archiving –Business resumption (not disaster recovery)

15 Unique requirements of University Environment Needs to be realistic for a University environment Students, Faculty, Staff, 3rd parties Mix of research, educational, business and personal data Open environment of collaboration and learning Wide range of research and educational issues

16 Development Process Develop Security Policy Team –Security officer alone should not write the policy –Broad cross-section of community, but not too big –Involve major stakeholders HR, Audit, Legal, IT staff

17 Risk Assessment (KISS) Asset inventory Asset values Threats Mitigations –Provides guideline for priorities

18 Review Existing policies Compare to standards Revise as needed Develop new policies to fill in gaps Use templates (SANS) Borrow from peers

19 Obtain approval

20 Establish audit & review process Measurements Revisions based on results, problems Ensure standards and practices are established –Document how policy will be followed –Defines technical elements to implementation

21 Communicate policy to community Promote better understanding Encourage feedback

22 Time? ASAP Take small steps when possible Generally considered a long process in the industry Consultants, products may speed up process.

Download ppt "University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th."

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Global Congress Global Leadership Vision for Project Management.

Global Congress Global Leadership Vision for Project Management.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.
Network security policy: best practices

Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
1 Tuesday, August 16, 2005 W E B C A S T August 16, 2005 Policy Development Theory & Practice: An Emphasis on IT Pat Spellacy Director of Policy & Process.

1 Tuesday, August 16, 2005 W E B C A S T August 16, 2005 Policy Development Theory & Practice: An Emphasis on IT Pat Spellacy Director of Policy & Process.
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Similar presentations

Ads by Google