Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Georgia Institute of Technology, 2005 When the Rubber Meets the Road: Moving from IT Policy Development to Implementation CUMREC 2005 Jaime Galiano Project.

Published byEmil May Modified over 8 years ago

Similar presentations

Presentation on theme: "© Georgia Institute of Technology, 2005 When the Rubber Meets the Road: Moving from IT Policy Development to Implementation CUMREC 2005 Jaime Galiano Project."— Presentation transcript:

1 © Georgia Institute of Technology, 2005 When the Rubber Meets the Road: Moving from IT Policy Development to Implementation CUMREC 2005 Jaime Galiano Project Director Georgia Institute of Technology Office of Information Technology – Policy & Strategy This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 © Georgia Institute of Technology, 2005 GIT Institutional Background Public Research University, part of the University System of Georgia (USG) Atlanta campus: 400-acre city campus Enrollment: 16,000+ students Over 250 autonomous academic, research, and administrative units Decentralized IT support IT Policy Development function reporting to CIO / AVP

3 © Georgia Institute of Technology, 2005 Policy Development: The way things ought to be… Issue Identification & Scope Definition Research & Analysis (SMEs) Stakeholder Input Policy Drafting Draft Policy Posting & Comment Policy Approval Distribution & Adoption Policy Review Policy Retirement Policy Development & Review Full lifecycle policy development, refreshment and retirement Distribution & Adoption

4 © Georgia Institute of Technology, 2005 Policy Distribution & Adoption: the way things typically are… Signed, sealed, delivered and… –Promptly forgotten –Blindly and zealously enforced, or –Never even (properly) communicated Even with the best of intentions, distribution and adoption activities are mostly ineffective Rather than being seen as “living documents”, IT policies are typically seen as “dead documents” – a necessary evil

5 © Georgia Institute of Technology, 2005 Why? Policy Adoption Issues & Challenges Upstream issues – Policy approvals Management concerns Rank-and-file concerns Downstream issues –Communication & Awareness –Implementation –Training –Monitoring

6 © Georgia Institute of Technology, 2005 Best Practices: Communication & Awareness Execute the Communication Plan Define and implement communication channels as necessary Personalize and target the messages Use a combination of “Push” and “Pull” mechanisms –Push measures: Memo of Transmittal, policy “click-throughs”, portal announcements, etc. –Pull measures: FAQs, “What’s New?”, support groups/mailing lists, etc.

7 © Georgia Institute of Technology, 2005 Business Impact Analysis / Risk Assessment & Management Evaluate risk at the departmental or unit level Qualify & quantify the risks Accept, Mitigate or Transfer the risk –Understand the implications of each option –Trade-off analysis involved (tangibles and intangibles) Document the proposed (or adopted) solution and related tasks

8 © Georgia Institute of Technology, 2005 GIT Data Protection Safeguards [1] Safeguards: System = Information Technology, Admin = Administrative Procedures & Guidelines, Physical = Physical/Environmental security safeguards. [2] Safeguard Guidelines by Data Category: M = Mandatory safeguard, R = Recommended, S = Suggested [3] Measures: Procedures, processes and/or mechanisms to meet Internal Controls Any deviation from mandatory requirements must be documented and covered by adequate compensating control(s). The department of Internal Auditing is available to assist in reviewing compensating controls. Safeguards [1] Category of Data [2] Item Ref. Measures [3] Internal ControlReference SystemAdminPhysicalIIIIIIIV 1 - Control Physical access to data X RMM1-1 e.g. Security alarms, card readers, locks, etc… Institute physical security controls for each computer room, data center and other physical areas with systems that process and store data. ICG XXVIII X M1-2 Video cameras with active 24/7 monitoring in Operating Centers Constant monitoring is in place using video cameras in data centers to monitor storing/processing sensitive data. (Note: This is not mandatory for paper process and storage areas whose acccess is physically supervised or restricted when unmanned.) CISP 12.1 XX RMM1-3 Consoles for systems that store and/or transmit sensitive data are “locked” to prevent unauthorized use. (Note: this refers to cabinet mounted servers with doors) CISP 12.1 XXX MMMM1-4 Physical disconnection of unused jacks, connection access authentication, etc. Active GT Network jacks are only accessible to authorized users.ISO -17799 X MMMM1-5 Network Access closets should be maintained locked with access only to authorized personnel. X RM1-6 Procedures must exist so all personnel can easily distinguish between employees and visitors, especially in areas where sensitive information is accessible. XX RM1-7 ID badges: Visitor ID badges do not permit unescorted access to physical areas that store sensitive data. CISP 12.3

9 © Georgia Institute of Technology, 2005 Unit-level Implementation Example

10 © Georgia Institute of Technology, 2005

11 Best Practices: DAP Implementation Guidelines Data Classification Guidelines –Mapping of typical data to data categories Quick-Reference Checklists –Single-page “to-do” lists by roles Comprehensive guidelines –User Guidelines –Administrator Guidelines –Hardware/Machine Guidelines

12 © Georgia Institute of Technology, 2005 Best Practices: Training Formal training program and materials –Staff –Faculty –Students Offer training through multiple delivery methods –Formal classes, one-on-one, CBT, user support groups, etc. –Self-assessments

13 © Georgia Institute of Technology, 2005 Best Practices: Monitoring & Support Collaborative effort Triage –Policy issue –Implementation issue –Information Security issue Appropriate representation in core support group Adequate support at the unit-level Issue escalation

14 © Georgia Institute of Technology, 2005 DAP Rollout Anecdotes Successes –GT Health Services –Enterprise Information Systems (EIS) sensitive data scans Challenges –Student information handled by graduate Teaching Assistants –Laptop computers and encryption

15 © Georgia Institute of Technology, 2005 Questions? Jaime Galiano Project Director Georgia Institute of Technology OIT – Policy & Strategy jaime.galiano@oit.gatech.edu

Download ppt "© Georgia Institute of Technology, 2005 When the Rubber Meets the Road: Moving from IT Policy Development to Implementation CUMREC 2005 Jaime Galiano Project."

Similar presentations

Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Office of Information Technology Affiliates/Guests – Who are these people and how do we give them services? Copyright, Barbara Hope, University of Maryland,

Office of Information Technology Affiliates/Guests – Who are these people and how do we give them services? Copyright, Barbara Hope, University of Maryland,
Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
A Web-based Bibliography Management Initiative: Collaborating for Classroom and Library Technology Integration Brian Nielsen, Academic Technologies Denise.

A Web-based Bibliography Management Initiative: Collaborating for Classroom and Library Technology Integration Brian Nielsen, Academic Technologies Denise.
Disaster Recovery Planning Because It’s Time! Copyright Columbia University and Bentley College, 2003. This work is the intellectual property of the author.

Disaster Recovery Planning Because It’s Time! Copyright Columbia University and Bentley College, This work is the intellectual property of the author.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Evaluating a Mass Notification Service for Campus Wide Communication Lori Sundal Georgia Institute of Technology EDUCAUSE Southeast Regional Conference.

Evaluating a Mass Notification Service for Campus Wide Communication Lori Sundal Georgia Institute of Technology EDUCAUSE Southeast Regional Conference.
Dialogue: Does the Cornell Policy Process Play in Peoria? David Stack, Ph.D. Deputy CIO University of Wisconsin–Milwaukee Merri Beth Lavagnino, M.L.S.,

Dialogue: Does the Cornell Policy Process Play in Peoria? David Stack, Ph.D. Deputy CIO University of Wisconsin–Milwaukee Merri Beth Lavagnino, M.L.S.,
Serving the Research Mission: An Approach to Central IT’s Role Matthew Stock University at Buffalo.

Serving the Research Mission: An Approach to Central IT’s Role Matthew Stock University at Buffalo.
Advancing Security Programs through Partnerships Cathy HubbsShirley Payne IT Security Coordinator Director for Security Coordination & Policy George Mason.

Advancing Security Programs through Partnerships Cathy HubbsShirley Payne IT Security Coordinator Director for Security Coordination & Policy George Mason.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
UWM CIO Office A Collaborative Process for IT Training and Development Copyright UW-Milwaukee, 2007. This work is the intellectual property of the author.

UWM CIO Office A Collaborative Process for IT Training and Development Copyright UW-Milwaukee, This work is the intellectual property of the author.
Pam Downs Ajay Gupta The Pennsylvania Prince George’s State University Community College Copyright Penn State University-2008. This work is the intellectual.

Pam Downs Ajay Gupta The Pennsylvania Prince George’s State University Community College "Copyright Penn State University This work is the intellectual.
Copyright Statement © Jason Rhode and Carol Scheidenhelm. 2006. This work is the intellectual property of the authors. Permission is granted for this material.

Copyright Statement © Jason Rhode and Carol Scheidenhelm This work is the intellectual property of the authors. Permission is granted for this material.
Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.

Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.
National Research Agenda to Support Transformation National Learning Infrastructure Initiative Focus Session June, 2003 Copyright Jillian Kinzie, 2003.

National Research Agenda to Support Transformation National Learning Infrastructure Initiative Focus Session June, 2003 Copyright Jillian Kinzie, 2003.
Copyright Anthony K. Holden, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright Anthony K. Holden, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
3/20/20071 IT Strategy and Leadership in Higher Education: Two Case Studies Case 1: Roberts Wesleyan College. Presented by Pradeep (Peter) Saxena, CIO.

3/20/20071 IT Strategy and Leadership in Higher Education: Two Case Studies Case 1: Roberts Wesleyan College. Presented by Pradeep (Peter) Saxena, CIO.

Similar presentations

Ads by Google