Normative vs. Descriptive vs. Pragmatic

Sad reality. Faculty, staff and students are using mobile devices today, with or without our help (probably without). Most of us are significantly under-resourced. Our users have probably already lost mobile devices containing sensitive university data; we just weren't told it happened. What do we tell our bosses when they ask about mobile device incidents?

Policy. What is it? Does one size fit all? What will my organizational culture accept? What can *I* do to address this?

U. of S.C. Policy Framework: Policy, Standards, Procedures and Guidelines. Order of creation is policy first, then standards, then procedures and guidelines; the rate of change increases in the same order.

Policy
Definition: Overall intention and direction as formally expressed by management.
Characteristics of good policy:
- Originates and is maintained at the Trustee/Executive level
- Requires revision only if university goals or mission change
- Easy to understand, written for a broad audience
- Avoids specifics subject to change
- Links to detailed supporting documents
- Stands the test of time

Standards
Definition: Basis with which to measure policy.
Characteristics of good standards:
- Support policy goals
- Specific, without implementation guidance
- Originate and are maintained by the Data Steward
- Change more frequently than policy, but less frequently than procedures and guidelines

Procedures and Guidelines
Definition: A description that clarifies what should be done and how, to achieve the objectives set out in policies.
Characteristics of good procedures:
- Describe how to comply with policy and standards
- Vary by business unit need or requirement
- Created and maintained by the business unit

Framework in Action (Policy, then Standards, then Procedures and Guidelines, in order of creation and increasing rate of change)

Policy: UNIV 1.50. "The purpose of this policy is to establish standards to manage, protect, secure and control system institutional data that will promote and support the efficient conduct of University business. The objective of this policy is to minimize impediment to access of this data, yet provide a secure environment."

Standards: future standards to be issued by Data Stewards. Potential University standards:
- ISO
- Sensitive Data Security
- Logging Practices
- Workstation Security
- Server Security
- Password Practices
- Media Sanitization

Procedures and Guidelines: current examples specific to University Technology Services:
- Firewall Configuration Management (UTS )
- Computer Room Protocol (UTS )
- Operations Guide for VM Admins (UTS a)
General Information Security guidelines are posted to the USC Information Security Program website: security.sc.edu

Information Security Related Policies
- Information Security (IT 3.00)
- Data Access (UNIV 1.50)
Other Related Policy
- Acceptable Use of Information Technology (IT 1.06)
Location of associated standards, procedures and guidelines: datawarehouse.sc.edu and security.sc.edu

Keep it simple

Give yourself the authority

Make it happen

Mobile device configuration guidelines coming soon! If all goes well, you now have the freedom to add new guidelines quickly and as needed: a very agile and flexible approach, likely compatible with your current environment. In the meantime, I like Carnegie Mellon's mobile Internet device recommendations: mobile-device.html

So how did I get this new policy published? Thanks, accreditation!

Catalyst for InfoSec Program push?

A wise person once said, “Never let a good crisis go to waste.” (or something to that effect!)

“I rooted my device so that *I* am in control!” – Oh, really?

You can keep an eye out for other indicators of "mobile malware." So far, we are not aware of other mobile-flavored malware detections… which makes me awfully suspicious.

Potential ways to implement: look for cross-platform vendors, such as MobileIron. Draw the line at the top 3(?) devices, but even then that might be too resource-intensive.