Converting Policy to Reality: Designing an IT Security Program for Your Campus. 2nd Annual Conference on Technology and Standards, May 3, 2005. Jacqueline Craig.


Slide 1: Converting Policy to Reality: Designing an IT Security Program for Your Campus
2nd Annual Conference on Technology and Standards, May 3, 2005
Jacqueline Craig, Director of Policy, Information Resources and Communications, University of California Office of the President

Slide 2: The First Step: Establish Policy
- reflects the institution's core values
- establishes an integrated framework
- identifies objectives: "what" needs to happen

Slide 3: Policy may include or reference
Elements often included in policy, describing "how" to achieve objectives:
- guidelines
- procedures
- standards
- best practices

Slide 4: Elements of security policy
Policy should identify:
- principles
- roles and responsibilities
- scope
- the measures that comprise your security program

Slide 5: Moving from Policy to Reality
Create a Security Program:
→ a road map
→ an action plan
→ a means of ensuring policy compliance throughout the campus community

Slide 6: IT Security Program
The means to implement IT policy:
- it is a management concern, not just the responsibility of IT
- input from administration, faculty, staff, students
- publicize widely; it must be an open process
- security planning must be incorporated into every management level
- leverage the campus governance structure

Slide 7: Campus Governance
- establishes the risk management philosophy of the enterprise
- articulates the ethical values of the enterprise
- establishes the operating style
- assigns authority and responsibility
Not only an enabler: an integral part of enterprise governance.

Slide 8: Is the CIO at the head table?
- Do IT personnel participate in business decisions?
- IT governance cannot be separated from the governance of the enterprise.
- The enterprise governance structure must include IT personnel at every level.
- Is there a campus Security Officer?
- Is there a campus-wide committee to address security?

Slide 9: Campus Security Committee
- represents campus-wide interests in information security
- brings matters of information security to executive management
- develops campus-wide strategy
- provides direction, planning, and guidance in the area of information security
→ develops and reviews the campus-wide information security program

Slide 10: IT Security Program
- assignment of responsibility
- risk assessment requirements
- security plan
  - mitigation plan
  - identification of internal controls

Slide 11: IT Security Program (continued)
- business continuity
  - emergency operation
  - disaster recovery
- incident response and mitigation
- education and security awareness plan
- evaluation of the program's effectiveness

Slide 12: IT Security Program (continued)
- establishes governance for security: management and administration
- ensures network defense: architecture and security strategy
- implements protection management: resources, procedures, projects

Slide 13: Risk Assessments
- purpose: help management create appropriate strategies and controls for stewardship of information assets
- a process: to understand and document potential risks to information assets
- scope can vary:
  - managerial view: institutional, division, department
  - IT view: systems, application
- outcome: create a security plan

Slide 14: Risk Assessments
May be mandated by policy or statute:
- Gramm-Leach-Bliley Act (Financial Modernization Act, G-L-B)
  - implemented by May 23, 2003
  - FTC Safeguards Rule established standards for administrative, technical, and physical safeguards for customer information
- Health Insurance Portability and Accountability Act (HIPAA)
  - Security Rule compliance effective April 2005

Slide 15: Risk Assessments
Purpose and scope determine the assets to be covered in the risk assessment:
- Privacy: usually a focus on safeguards to protect data and resources
- Criticality: focus is often on operations

Slide 16: Risk Assessments
Approaches:
- identify and classify information assets
- identify processes: how does information flow through IT resources?
- identify key players
- identify types of resources: data centers, application systems, workstations, portable equipment?

Slide 17: Methodology Overview
- may be formal (institutional) or informal (departmental review)
- create a risk assessment team:
  - set scope
  - identify assets to be covered
  - categorize potential losses
  - identify threats and vulnerabilities
  - identify existing controls
  - analyze the results of the data collected

Slide 18: Create a Security Plan
- determine appropriate controls to address vulnerabilities and risks revealed by the assessment:
  → administrative/management/operational
  → logical/technical
  → physical measures
- identify minimum requirements
- identify procedures

Slide 19: Access Authorization and Authentication
- Identity Management: infrastructure for access authorization
- establish procedures for verification of identity
- facilitate role-based authorization or authorization assignment
- issuance of strong authentication credentials
- termination procedures

Slide 20: Data Classification
- How is data classified?
- What is protected by law?
- What are the disclosure requirements?
- What privacy or criticality mandates apply?

Slide 21: Data Classification (FIPS Publication 199)

  Objective        Low                     Moderate                High
  Confidentiality  limited adverse effect  serious adverse effect  severe or catastrophic adverse effect
  Integrity        limited adverse effect  serious adverse effect  severe or catastrophic adverse effect
  Availability     limited adverse effect  serious adverse effect  severe or catastrophic adverse effect
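The FIPS 199 table gives the impact definitions; the following added example (written for this page, not part of the presentation) shows how a whole system is categorized from them. FIPS 199 assigns each objective the highest level found among the information types the system holds (the high-water mark), and the single overall level, the highest of the three objectives, is the convention FIPS 200 uses to select a control baseline. The sample system and its levels are constructed assumptions.

```python
# Added illustration (not from the presentation): FIPS 199 security
# categorization. For each objective a system's level is the highest level
# of any information type it holds; the overall level is the high-water mark
# across the three objectives (the FIPS 200 rule for picking a baseline).
from dataclasses import dataclass

IMPACT_LEVELS = ["LOW", "MODERATE", "HIGH"]   # order from the table above
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    """One information type and the impact level assigned per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective)
        if value not in IMPACT_LEVELS:
            raise ValueError(f"{self.name}: unknown impact level {value!r}")
        return value

def categorize_system(info_types):
    """Return {objective: level, ..., 'overall': level} for a system."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    category = {}
    for objective in OBJECTIVES:
        # maximum over information types, ordered LOW < MODERATE < HIGH
        category[objective] = max((t.level(objective) for t in info_types),
                                  key=IMPACT_LEVELS.index)
    category["overall"] = max((category[o] for o in OBJECTIVES),
                              key=IMPACT_LEVELS.index)
    return category

def format_sc(category):
    """Render in the FIPS 199 notation SC = {(objective, impact), ...}."""
    pairs = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return "SC = {" + pairs + "}"

# Constructed sample: a hypothetical campus system holding three information
# types; the levels are illustrative assumptions, not an official assignment.
SAMPLE_SYSTEM = [
    InfoType("student records", "MODERATE", "MODERATE", "LOW"),
    InfoType("public course catalog", "LOW", "MODERATE", "LOW"),
    InfoType("payment card data", "HIGH", "MODERATE", "LOW"),
]
```

Running `format_sc(categorize_system(SAMPLE_SYSTEM))` shows that one HIGH-confidentiality information type lifts the whole system to HIGH, which is why slide 16's inventory of information assets has to come before the plan.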

Slide 22: Workforce
- EDUCATION
  - customize training according to roles
  - identify responsibilities of supervisors, IT staff, researchers: everyone
  - ensure security reminders for new threats
- PROCEDURES: manage the flow of information
- BACKGROUND CHECKS for critical positions

Slide 23: Business Partners
- contracts and agreements
- confidentiality agreements

Slide 24: Logical (technical) Security
- establish means to ensure:
  - software updates
  - installation of security patches
  - intrusion detection
  - scanning for vulnerabilities
  - password management
  - protection against viruses
- establish encryption key management plans
→ employ technology-implemented policy compliance where possible

Slide 25: Physical Security
- consider use of professionally managed data centers
- ensure appropriate controls for:
  - hardware, software, and administration
  - physical access controls
  - backup
  - business continuity and disaster recovery
  - device and media controls
  - procedural controls

Slide 26: Physical Security
When data centers cannot be utilized, identify rules for:
→ departmental servers
→ desktop computers
→ portable devices
Stolen laptops account for 60 percent of security breach notifications in California.

Slide 27: Incident Response
- identify an Incident Response Manager (may be a person or a team)
- establish explicit procedures for:
  - reporting suspected incidents
  - a decision tree for resolution
  - summary reporting
- feedback loop for remediation: revisit existing controls

Slide 28: Publicize to the Entire Community
Communicate with academic, administrative, and student communities:
- town meetings
- hearings in standing committees and user groups
- newsletters, websites, mailing lists
→ ensure a constant flow of information to every segment of your community

Slide 29: Re-evaluate the Security Program
Role of auditors or external review:
- trained in enterprise risk management
- ability to identify and assess risks
- understand interrelated impacts
- recommend appropriate control activities
- perform the role of monitoring the enterprise

Slide 30: Resources
- Educause: http://www.educause.edu/Cybersecurity/
- Security Standard: ISO 17799
- National Institute of Standards & Technology, Computer Security Division
  - Special Publications (800 series) and FIPS pubs
  - http://csrc.nist.gov/publications/index.html
- Audit Framework Documents
  - Enterprise Risk Management Framework: COSO (Committee of Sponsoring Organizations of the Treadway Commission)
  - IT Governance Institute: Control Objectives for Information and related Technology (CobiT Framework)

