1 Security Policy Resources and Models
Educause Security Conference, Denver 2007
William L. Custer, Miami University; Jack McCoy, University of Colorado; Connie Marie Popp, Eastern Michigan University
Wednesday, April 11, 2007, 1:00 PM, Colorado I/J, Session I2

2 Copyright William L. Custer, Jack McCoy, Connie M. Popp, 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

3 Presentation Overview
Part I: Introducing the Model Security Policy Committee (William Custer)
Part II: Demonstrating the Wiki (Connie Popp)
  - Wiki sections 2.0, 3.0, 4.0
  - Drill down: Data Classification
  - https://wiki.internet2.edu/confluence/display/secguide/Security+Policies+and+Procedures
Part III: Demonstrating the Wiki (Jack McCoy)
  - Wiki sections 5.0, 6.0
  - Drill down: Incident Response
Part IV: Demonstrating the Wiki (William Custer)
  - Wiki sections 7.0, 8.0, 9.0
  - Drill down: Security Management, Security Plan
Part V: Conclusions, Questions, and a Plea for Help

4 Related Presentations
- Wed 10:45, Track 1: Communications, Process, and Resources for Computer Incident Response
- Wed 4:30, Track 2: Security Standards in Higher Education
- Wed 4:30, Track 4: Developing a University System Wide Information Security Roadmap

5 Security Policy Models, Part I: Introducing the Model Security Policy Committee (William L. Custer)

6 Part I: Introduction
Educause Policy Conference, Washington, April 2005: a helpful "circle" of professionals

7 Part I: Introduction (cont.)
William Custer, Bob Kalal, Jack McCoy, Kim Milford, Connie Popp, Dave Weil, Leslie Maltz, Tammy Clark, Rodney Peterson (Educause), Valerie Vogel (Educause)

8 Part I: Introduction, outline
A. History and Philosophy of the Committee
B. The Need for Model Policy
C. Bibliography of Model Policy
D. Four Needed Models
E. Overview of the Policy Development Lifecycle
F. Future Directions
G. Institutional Variants in Policy

9 A. History and Philosophy of the Committee
1. Project Overview
2. Project Deliverables
3. Methodology
4. Assignments
5. Milestones

10 A.1 Project Overview
- A body of model security policy for Educause member schools
- Emphasize help to small and medium sized schools, which generally lack resources
- Policy on all aspects of security, not simply crisis based

11 A.2 Project Deliverables
- October 2006: a list of model policies and/or policy parts useful to schools interested in writing or revising policy, published on the Educause site for the Fall 2006 conference, with annotations on why each policy model is recommended
- October 2007: write model policy where none can be found

12 A.3 Methodology
- Adopt a standard of policy completeness (the topics)
- Adopt a taxonomy of security policy (the sub-topics)
- Find an existing policy, or part of one, for each sub-topic in the taxonomy
- Comment on why each was chosen

13 A.3 Methodology (cont.), an example
Topic: 3.0 Asset Classification and Control
Sub-topics: 3.1 Accountability of assets (inventory); 3.2 Information classification

14 A.4 Assignments
- Committee divided into three sub-teams, each responsible for finding model policy for 3 of the ten policy topics in the taxonomy
- Eight schools selected for "look here first": Cornell, Georgetown, Indiana, Minnesota, Stanford, Iowa, SUNY Buffalo, Temple; branch out to other schools from there
- Review by the full committee of all proposed models before inclusion on the wiki

15 A.5 Milestones
- Dec 2005: Form the committee, explore methodology
- Feb 2006: Begin a trial write of a policy by the committee
- Mar 2006: Decide on a taxonomy of ten major categories
- Jun 2006: Assignment groups of two find models for each sub-topic of the ten categories
- Aug 2006: Critique proposed models and select items for the wiki
- Aug 2006: Three priorities from the parent committee
- Sep 2006: Format the work and enter it into the wiki
- Oct 2006: Draft available for Educause; plea for conference members to contribute
- Dec 2006: Solicit contributions to the wiki through individual contacts

16 B. The Need for Model Policy
1. Previous work
2. Measure of completeness
3. Measure of maturity
4. State of security policy in education

17 B.1 Previous work
- Spreadsheet of 80 educational security policy sites, "College and University Security Resources"
- Methodology for policy development written by Rodney Peterson and others
- NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems", February 2005; Appendix G contains a mapping table comparing NIST controls to ISO 17799

18 B.2 Measure of completeness
- Do I have all the policy that I need? How do I know? This calls for a taxonomy or list of policy topics; there are many ways to organize policy, so what standards are there?
- Does my policy say all that it should say? How do I know? This calls for a standard of complete coverage for a particular policy

19 B.2 Measure of completeness (cont.)
Do I have all the policy that I need? How do I know?
- Some standards: ISO 17799, SANS, CISSP
- Ten high-level topics were similar in all three
- The committee adopted a working taxonomy; you will see these topics in the wiki

20 B.2 Measure of completeness (cont.)
Does my policy say all that it should say? How do I know?
- Is there a standard of completeness for a particular policy? We did not find one at the time
- This led to the next slide: policy maturity

21 B.3 Measure of policy maturity
- Maturity is not indicated by budget
- Maturity is not indicated by number of staff
- Maturity is not indicated by size of institution

22 B.3 Measure of policy maturity (cont.)
- Connected to an industry standard and a well-defined vocabulary: confidentiality, integrity, availability
- Flows from a security plan
- Acted upon, rather than written to satisfy an audit comment and shelved; look for indications of action
- Relates to a standard such as ISO 17799

23 B.4 State of Security Policy in Education (impressions of the committee)
- Much good policy work is available
- Few have a complete body of policy as judged by our taxonomy
- Many write policy reactively in response to some incident
- Many plan policy work but have an incomplete body of policy
- Many have little or no security policy

24 C. A Bibliography of Model Policy
- A bibliography is familiar territory
- Selected, yet contributed to
- A wiki: a website that allows visitors to add, remove, edit and change content, typically without the need for registration

25 D. Four Needed Models
1. Incident Response
2. Data Classification
3. Security Management
4. A Security Plan
(5.) Risk Assessment

26 D. Four Needed Models (cont.)
Get the 2007 edition of the Official (ISC)2 Guide to the CISSP CBK, edited by Harold F. Tipton and Kevin Henry, Auerbach Publications, 2007, ISBN 0-8493-8231-9. This title is similar to several other books published by Auerbach but by different authors.

27 E. The Policy Development Lifecycle: what is it?
- The normal set of steps to implement policy
- Often measured in terms of years
- Why mention it here? As a caution: you cannot simply take someone else's policy and plug in your institution's name
- Patrick Spellacy, U of Minnesota, Educause Web Cast, Aug 9, 2005: http://www.educause.edu/LibraryDetailPage/666?ID=LIVE0516

28 E. The Policy Development Lifecycle: best practice
1. Identify issues; be proactive
2. Conduct analysis: identify an "owner"; determine the path (e.g., Regents, Board of Directors, administrative); assemble a team (IT, finance, student)
3. Draft language: agree on terms; use a common format
4. Get approvals
5. Determine distribution and education: plan communication; put it online; make it searchable
6. Solicit evaluation and review: plan for maintenance; encourage feedback; archive changes (they use a content management system for change control)
7. Plan and measure outcomes

29 F. Future Directions of the Committee
- Leverage industry progress on these topics
- Incorporate recently published standards
- Prioritize the next policy topics as focus
- Standards, procedures, and guidelines
- Enlist contributions to the wiki

30 G. Institutional Variants in Policy: "Reasonable Security" factors
- Institution size and resources: expectations and limitations
- Organizational structure: roles, responsibilities, and accountabilities
- Institutional culture: values, beliefs, processes

31 Part I summary
A. History and Philosophy of the Committee
B. The Need for Model Policy
C. Bibliography of Model Policy
D. Four Needed Models
E. Overview of the Policy Development Lifecycle
F. Future Directions
G. Institutional Variants in Policy

32 Security Policy Models, Part II: Demonstrating the Wiki (Connie M. Popp, M.S.W., SPHR, Eastern Michigan University)
Wiki overview: 2.0 Organizational Security; 3.0 Asset Classification; 4.0 Personnel Security

33 http://www.educause.edu/security


38 2.0 Organizational Security

39 2.0 Organizational Security
- Allocation of security roles: at state, university, and business unit levels; users, managers, IT security, oversight committees
- Allocation of security responsibilities: training; policy; incident handling and reporting

40 2.0 Organizational Security: Information Security Policy, Georgetown University
- Responsibilities defined for roles, from auditors to users
- Managers train users
- Individual users shall report compromises

41 2.5 Risk Analysis and Assessment
- Who is responsible?
- What is expected?
- Who is authorized to accept risk?

42 2.5 Risk Analysis and Assessment: SANS Risk Assessment policy (www.sans.org)
- Who is authorized to accept risk?
- OCTAVE, STARS

43 3.0 Asset Classification


45 3.1 Accountability and Inventory of Assets
- Description of assets
- Acquiring, managing and disposing of assets

46 3.2 Information Classification
- Public or private; governing laws
- Reasons to classify: disposal, archiving, and storage; data protection


48 3.2 Information Classification, listed policies
- Protection and Security of Records, University System of Georgia
- Data Stewardship Policy, George Mason University
- Data Classification Guidelines, Stanford University

49 Drill Down on Data Classification Policy: University of South Carolina, Data Access

50 University of South Carolina: Data Access
- Purpose: information is an "asset" to preserve and protect
- Ownership
- Clarity of definition: "...stored on paper, digital text, graphic, images, sound or video."
- Classifications: General, Limited, and Restricted access

51 4.0 Personnel Security

52 4.0 Personnel Security
- Background investigation of personnel: criminal (local, state, federal); frequency
- Professional conduct
- Training and awareness


55 Security Policy Models, Part III: Demonstrating the Wiki (Jack McCoy, CISM, ISO, University of Colorado System)
5.0 Physical and Environmental Security; 6.0 Communications and Operations Management; with drill down on Incident Response

56 "Reasonable Security" factors
- Institution size and resources: expectations and limitations
- Organizational structure: roles, responsibilities, and accountabilities
- Institutional culture: values, beliefs, processes

57 5.0 Physical and Environmental Security

59 5.1 Secure Area: security perimeters, entry controls, offices and facilities, delivery areas
- Protecting core IT services vs. all valuable data
- Physical security vs. personal safety
- An IT responsibility vs. a shared responsibility with HR, public safety, business units, compliance, legal, etc.

60 5.1 Secure Area: Old Dominion University, IT Physical Security Policy
- Policy scope extends beyond IT security and central IT
- Fire extinguishers in offices
- Offices with desktops to have AC and door locks
- Off-campus equipment (e.g., at home) is the responsibility of the employee
- Employees to report unauthorized access or suspicious activity

61 5.2 Equipment Security: equipment siting and protection, maintenance, cabling security, disposal, off-premises equipment
- Dedicated and shared equipment space
- Cabled and wireless network services on the contiguous campus and on non-campus properties
- Responsibilities and involvement of HR, public safety, asset management, etc.

62 5.3 General Controls: clear desk and clear screen policy, removal of property
- Policy scope: electronic data, paper, other
- Distribution of oversight authority by data form (e.g., electronic, paper), data type (e.g., financial, HR), regulation (e.g., HIPAA, FERPA), and function (e.g., privacy, legal)

63 6.0 Communications and Operations Management

67 6.1 Operational Procedures and Responsibilities: procedures, change control, incident management, patches, segregation of duties, test/development systems
- Institution size and resources: segregation of duties; change controls and life cycle management; separation of test and development systems
- Balance of centralized and distributed computing
- Degree of engagement by other university areas

68 6.2 System Planning and Acceptance: capacity planning, system acceptance
- Existing committees for review and planning
- Advisory vs. acceptance roles
- Technical vs. functional assessments

69 6.3 Protection Against Malware: University of Chicago, Protection from Malicious Software
- Technical: anti-virus on all desktops and servers
- Process: a formal, documented process for prevention, detection, reporting, and recovery
- Education: regularly train and remind workforce members about their responsibilities

70 6.4 Housekeeping: information backup, operator logs, fault logging
- Central IT's and the ISO's responsibilities for DRP, BCP, and other group efforts
- Distributed computing: responsibilities and resources; cost vs. operational, business, and compliance needs

71 6.5 Network Management: network controls, air space, residence hall bandwidth, ACLs, firewalls, IDS
- Authority for network standards and controls
- Physical campus environment and its impact on network management
- Influence of network design on the placement and use of network security devices

72 6.5 Network Management: UC Berkeley, Minimum Network Security Standards
- Security and privacy committee provides policy, procedures, and standards
- Administrative officials ensure IT personnel are capable of maintaining devices to standards
- System administrators maintain devices to standards
- System and network security office assists implementation and places network access blocks

73 6.6 Media Handling and Security: media management and disposal, data handling procedures, erasure
- Procedures and pervasiveness of sensitive data
- Regulatory and statutory requirements
- Access to tools and expertise for data erasure

74 6.7 Exchange of Information and Software: exchange agreements, media in transit, e-commerce, e-mail, publicly available systems
- Offsite storage location, data delivery
- E-commerce systems, internal vs. outsourced
- Central e-mail services, security assurances
- Record retention, e-discovery requirements
- Formal vendor arrangements

75 6.8 Responding to Incidents and Malfunctions: reporting incidents, security weaknesses, software malfunctions, learning from incidents
- Accountability for breaches
- Responsibility for incident response
- Applicable regulations, laws, standards

76 Drill Down on Incident Response Policies

77 Incident Response Policy
- Institutions often have one IR policy
- Clear assignment of responsibilities
- Clear guidance on how to respond
- Resulting policies are often a blend of policy, procedure, and general information

78 Iowa State, IT Security Incident Reporting Policy: a balance of IR policy topics
- Definition of "IT security incident"
- Responsibilities for incident response: response team, IT support, individuals
- Procedures for reporting and responding
- Web link to the incident report form

79 Iowa State, IT Security Incident Reporting Policy: IT security incident defined
Any accidental or malicious act with the potential for:
- misappropriation or misuse of confidential data
- significantly imperiling the functionality of IT
- unauthorized access to resources or information
- use of IT resources to attack other organizations

80 Miami University, Critical Incident Response Plan: incident severity level based on potential impact to operations or reputation
- Critical: successful penetration or DoS; significant operational impact and risk to financial resources or public relations
- Medium: minimally successful penetration or DoS; limited operational impact and risk to financial resources or public relations
- Low: a significant number of probes and scans, a targeted reconnaissance activity; penetration or DoS unsuccessful

81 Baylor, Computer Technology Security Incident Response Policy
- ITS security is notified immediately of a suspected or real security incident involving an IT asset
- If it is unclear whether a situation is considered a security incident, contact security to evaluate

82 Baylor, Computer Technology Security Incident Response Policy (cont.): in the meantime...
- Don't troubleshoot the system or investigate
- If the incident involves a compromised computer, do not alter the state of the computer
- Disconnect the computer from the network

83 UCSC Plan for Protection of PII
- Response process is initiated by a confirmed security breach of unencrypted PII
- System steward creates the Initial Report
- IRT convenes to determine notification needs
- Security and the service provider restore service, preserving evidence
- System steward submits the Final Report

84 UCSC Plan for Protection of PII: notification procedures
- Final Report and law enforcement authorization initiate the notification procedures
- VP-IT and IRT develop a notification plan
- General counsel approves the plan
- VP-IT and PIO work to issue notifications

85 Discussion

86 Security Policy Models, Part IV: Demonstrating the Wiki (William L. Custer, MA, CISSP, Information Security Policy Manager, Miami University, Ohio)
7.0 Access Control; 8.0 System Development and Maintenance; 9.0 Business Continuity; with drill down on Security Management and Security Plan

87 7.0 Access Control

88 7.0 Access Control
- 7.1 Business requirement for access control
- 7.2 Identity management
- 7.3 User responsibilities
- 7.4 Network access
- 7.5 Operating system
- 7.6 Application access control
- 7.7 Monitoring system access in use
- 7.8 Mobile computing and teleworking

89 7.0 Access Control
- Access control tends to be interleaved with other policy; see especially section 4.0
- Several general policies are listed
- The wiki perhaps needs more detail here

90 7.0 Access Control, listed policies
- Indiana University: http://datamgmt.iu.edu/CDS/da_guidelines.html. Policy value: these guidelines are fairly comprehensive and a good starting point; based on documents from Virginia Polytechnic Institute. See especially the sections called Data Access, Data Availability, and Data Manipulation; other sections are valuable as well.
- Cornell: www.cit.cornell.edu/services/identity/netid-terms.html. Policy value: focused on user responsibilities for the campus identifier; helpful information for a Responsible Use document.
- Dartmouth College, Information Technology Policy: www.dartmouth.edu/comp/about/policies/general/itpolicy. Policy value: this brief policy includes statements on registration and review of access rights, account naming, and allocation of resources; also valuable as input to a general Responsible Use Policy.
- University of Wisconsin: www.doit.wisc.edu/security/policies/. Policy value: see especially the Electronic Devices Policy, Guest NetID Policy, Password Policy, and the Draft Policy for the University of Wisconsin Data Network, which will prohibit anonymous use.
- Iowa: http://cio.uiowa.edu/ITsecurity/Infosec-Plan.shtml. Policy value: an example of a rather complete and user-friendly policy site; see section 4.0 for material on access control.

91 8.0 System Development and Maintenance

92 8.0 System Development and Maintenance, listed policies
- Information Security Framework, "Information Integrity Controls", Iowa: http://cio.uiowa.edu/policy/policy-information-security-framework.shtml. Policy value: a brief statement on information integrity controls that is relevant to system development and maintenance; data classification is tied to system controls in section 4.3.
- Guidelines for Systems and Network Administrators, Georgetown: http://uis.georgetown.edu/policies/technology/snaguidelines.html. Policy value: a brief extension of their general responsible use statement; applies primarily to operations rather than development.

93 9.0 Business Continuity Management (Disaster Recovery)

94 9.0 Business Continuity Management
- Management process
- Impact analysis
- Writing and implementing the plan
- Planning framework
- Testing, maintaining, and re-assessing

95 9.0 Business Continuity Management, listed policies
- Backup and Recovery Policy, Indiana (School of Medicine): http://technology.iusm.iu.edu/security/iusm_policy_sec_03.aspx. Policy value: concise one-page statement of minimum requirements.
- MIT Business Continuity Plan: http://web.mit.edu/security/www/pubplan.htm. Policy value: comprehensive plan using industry standard categories and terminology.
- LSU: http://appl003.lsu.edu/itsweb/securityweb.nsf/$Content/State/$file/IT-POL-011.pdf. Policy value: concise outline of the major components of a high-level DR/BCP.

96 10.0 Compliance

97 10.0 Compliance
- 10.1 Compliance with legal requirements
- 10.2 Review compliance of security policy and technical compliance
- 10.3 System audit considerations
- 10.4 Archiving explicit material

98 10.1 Compliance with legal requirements
- Campus Information Technology Security Policy: http://security.berkeley.edu/IT.sec.policy.html#comp. Policy value: an example of a broader acceptable use policy that includes a statement on compliance with other laws and regulations (see the heading "COMPLIANCE WITH LAW AND POLICY").

99 Drill Down on Security Management and Security Plan

100 Drill Down on Security Management
- "Organizational Security Policy", written by the committee, listed in wiki section 2.0
- An alternate title for this policy is "Information Security Policy"
- The committee's first model document

101 Drill Down on Security Management: outline of the model policy
1.0 Management Commitment: protect the confidentiality, integrity, and availability of information
2.0 Information Security Infrastructure
  2.1 Organization and Governance
    2.1.1 Information security coordination
    2.1.2 Roles and responsibilities
    2.1.3 Advisory council
    2.1.4 Information processing facilities
    2.1.5 Security advice
    2.1.6 Cooperation between organizations
    2.1.7 Independent review
3.0 Third Party Access
4.0 Outsourcing
5.0 Risk analysis

102 Drill Down on Security Management: 1.0 Management Commitment
1.0 Management Commitment: Statement of Responsibility and Commitment. The University considers information to be a strategic asset that is essential to its core mission and business operations. Furthermore, the University values the privacy of individuals and is dedicated to protecting the information with which it is entrusted. Therefore, the University is committed to providing the resources needed to ensure confidentiality, integrity, and availability of its information as well as reduce the risk of exposure that would damage the reputation of the university. Information Technology Policy shall be established that supports the following core security values:

103 1.0 Management Commitment: core values
- Support University mission
- Consistent with institutional policies, contracts, and laws
- Privacy
- Appropriate and cost-effective
- Best practices
- Shared responsibility
- Accountability
- Flexible and adaptable
- Emergency preparedness
- Reassessment

104 1.0 Management Commitment: core values (cont.)
Each core value is elaborated, e.g.:
Support University mission. The Policy is designed to support the mission of the University, notably the creation and dissemination of new knowledge, by protecting the University's resources, reputation, legal position, and ability to conduct its operations. It is intended to facilitate activities that are important to the University.

105 Drill Down on Security Management: 2.1 Organization and Governance
In order to promote the security mandate of the university, (fill in some governing body) shall:
1. Oversee risk management and compliance programs pertaining to information security, such as Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, and PCI.
2. Approve and adopt broad information security program principles and approve the assignment of key managers responsible for information security.
3. Strive to protect the interests of all stakeholders dependent on information security.
4. Review information security policies regarding strategic partners and other third parties.
5. Strive to ensure business continuity.
6. Review provisions for internal and external audits of the information security program.
7. Collaborate with management to specify the information security metrics to be reported to the board.
Notes: These points are taken from www.educause.edu/ir/library/word/SWR0514.doc

106 Drill Down on Security Management: 2.1.1 Information Security Coordination
In order to promote the security mandate of the university, management shall:
1. Establish information security management policies and controls and monitor compliance.
2. Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.
3. Assess information risks, establish risk thresholds, and actively manage risk mitigation.
4. Ensure implementation of information security requirements for strategic partners and other third parties.
5. Identify and classify information assets.
6. Implement and test business continuity plans.
7. Approve information systems architecture during acquisition, development, operations, and maintenance.
8. Protect the physical environment.
9. Ensure internal and external audits of the information security program with timely follow-up.
10. Collaborate with security staff to specify the information security metrics to be reported to management.
Notes: These points are taken from www.educause.edu/ir/library/word/SWR0514.doc

107 Drill Down on Security Management: 2.1.2 Roles and Responsibilities
- Chief Information Security Officer (CISO)
- Chief Information Officer (CIO)
- Chief Security Officer
- Information Security Officer
- Information Privacy Officer
- Auditor
- Office of Counsel
- Data Stewards

108 Security Policy Models Part IV: Demonstrating The Wiki Drill Down on Security Management
2.12 Roles and Responsibilities
Chief Information Security Officer (CISO)
- has responsibility for the design, implementation, and management of the university's Information Security Program;
- promotes a strategic vision for information security;
- oversees information security policy development and compliance;
- provides direction on user awareness and education programming;
- manages large-scale projects and initiatives as needed;
- advises senior management on the risks to university information in the context of regulatory, legal, audit, contractual, and other applicable requirements; and
- provides direction to security policy.
The CISO role does not usually include …

109 Security Policy Models Part IV: Demonstrating The Wiki Drill Down on Security Management
2.12 Roles and Responsibilities
Chief Security Officer
- coordinates (or oversees) all security programs and staff for the entire organization;
- includes physical security and almost always includes information security;
- some recent security programs have been made part of a broader risk management program and could include business continuity as well.

110 Security Policy Models Part IV: Demonstrating The Wiki Drill Down on Security Management
Notes are included.
Policy: Office of Counsel – Responsible for offering legal advice to the University. Some counsels also manage risk compliance and security policy.
Notes: Many policy experts recommend that the Office of Counsel not have final authority over which policy is adopted, because the goal of good policy does not always coincide with the policy that minimizes the university's legal exposure.

111 Security Policy Models Part IV: Demonstrating The Wiki Drill Down on Security Management
Resources
- Information Security Governance Self Assessment Tool for Higher Education, items 4.9 - 4.34: http://www.educause.edu/ir/library/pdf/SEC0421.pdf
- "Sources for Developing Information Security Policies" in Appendix D of the Corporate Information Security Working Group (CISWG) Report of the Best Practices and Metrics Teams, Subcommittee on Policy, Information Technology, Intergovernmental Relations and the Census, Government Reform Committee, United States House of Representatives: http://www.educause.edu/ir/library/pdf/CSD3661.pdf
- "Establish Information Security Management Policies and Controls and Monitor Compliance" is on page 16 of the CISWG document above.

112 Security Policy Models Part IV: Demonstrating The Wiki Drill Down on Security Plan
Two resources
- Draft Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems: http://csrc.nist.gov/publications/nistpubs/index.html
- Georgia State University: http://www.educause.edu/LibraryDetailPage/666?ID=CSD4889

113 Security Policy Models Part IV: Demonstrating The Wiki Drill Down on Security Plan
Features of the Georgia State Plan

114 Security Policy Models Part V: Conclusion
Part V
- Future Directions of the Committee
- Questions and Answers
- Questionnaire

115 Security Policy Models Part V: Conclusion
Future Directions of the Committee
- Leverage industry progress on these topics.
- Incorporate recently published standards.
- Prioritize next policy topics as focus: standards, procedures, and guidelines.
- Enlist contributions to the Wiki.

116 Security Policy Models Part V: Conclusion
Questions and Answers
Questionnaire

117 Security Policy Models The Presenters
William.Custer@muohio.edu
Connie.Popp@emich.edu
Jack.McCoy@cusys.edu
