Strategies for Crafting Effective IT Security Policies CIO Forum March 12, 2003 Dennis Maloney & Marin Stanek The University of Colorado at Boulder

Why Now?? Internal Drivers Telecommunications & wireless audit Campus-wide IT Strategic Plan = greater coordination & collaboration External Drivers 9/11 Federal Laws & Agencies (FERPA, HIPAA, NSF) State Laws Private Research Communities (NASA)

2002 – The Year of Policy Development Established policies Computing and Network Resources for all Users (Rights and Responsibilities Doc) Student as an Official Means of Communication (FERPA, HIPAA, Confidential/Sensitive Information) Campus-wide Access & Authorization (Encrypted Authentication) Directories Wireless Policies still under development Identity Management Copyright Antivirus

Policy Roadmap A great idea for a policy Then a flurry of communication occurs CIO, ITS & IT Coordinators begin drafting ITC discusses & revises Legal Counsel advises Appropriate constituencies involved Endless revisions occur Life looks bleak A better policy emerges because of campus input Policy is reviewed & approved by CEC ITC & LC review again Policy is signed by the Chancellor Policy is communicated to campus and life is good!

Policy Development: Step One – Be Aware of Existing Policies Federal (Research requirements, FERPA, HIPPA, Copyright) State (Campaign Fair Practices Act, Conflict of Interest) University Policies Current Campus Policies

Policy Development: Step Two – Conceptualizing High Priority Policies/Basic Set of Policies (Our List) Accountability (Rights & Responsibilities/Acceptable Use, C&NR) Availability (Wireless) Integrity (Server Security, Directories) Access Control (Access & Authorization, Identity Management) Determination of Data Sensitivity (Copyright, and Guidelines for Computer Users) Security Management (Network Security, Antivirus) Policies managing flow of information (Web Publishing Policy, Portal Policy)

Accountability (Rights & Responsibilities/Acceptable Use, C&NR) Security Management (Network Security, Antivirus) Integrity (Server Security, Directories) Access Control (Access & Authorization, Identity Management) Determination of Data Sensitivity (Copyright, & Guidelines for Computer Users) Availability (Wireless) E-Policies (Web Pub, , Portal) Visualizing Your Policy/Practices Framework

Policy Development: Step Three – Policy Outline (time saver or time sucker) Develop a policy template – Introduction/Purpose of the Policy – Definitions – Scope of the Policy – Policy Statement (most important) – Sanctions – References – Responsible Office & Review Schedule – Date of implementation – Attachments (might include guidelines, standards, procedures/processes) Name Audience Policy Emphasis Technical Emphasis Who handles the violation

Policy Development: Step Four – Discussion, Process, & Approval Review what other similar schools are doing ( -- do your homeworkwww.educause.edu Gain support & approval from senior level –find a champion Contact key constituencies for informal input Establish or recognize who will formally approve policy Establish buy-in Provide information online & accessible from one location Provide an interim phase for feedback Develop accompanying guidelines, standards, process/procedures documentation

Educational Campaign Initial Announcement (from highest source possible) Accompanying website (includes policy, FAQ, guidelines, standards, procedures/process, AND who to contact! Tailor specific messages to audiences (faculty, students, staff) Listen to feedback! Evaluate impact

Lessons Learned 1.Research & make connections w/other schools – build on what they’ve developed 2.Collaborate across campus 3.Have patience – good policy development is about building consensus and awareness 4.Maintenance = effectiveness; don’t let a policy become “dusty”

Good References – – – –

Contact Information Marin Stanek, IT Initiatives Coordinator – Dennis Maloney, Executive Director, ITS – CU-Boulder Policy website: –