University of Guelph IT Security Policy
Doug Blain, Manager, IT Security, ISC, April 27th


IT Security policy
What is it?
– The IT Security policy defines the minimum security posture that must be maintained to protect IT resources from compromise (internal or external) or loss. It defines the scope of the data and resources to be protected. It also protects members of the University community when they must make decisions or take actions while handling IT resources.

Why do we need it?
Business risk management
– Protect assets
– Protect reputation
– Due diligence
Risks increasing
– Viruses, worms
– Phishing, scams
– Social engineering
– Spyware, Trojans

Famous names in the news
– Tufts, Boston College, Columbia, Carnegie Mellon
– ChoicePoint, LexisNexis, Polo Ralph Lauren, Ameritrade, HSBC Holdings, Bank of America, DSW Shoes, etc.
All have had compromises that made the evening news... this year.

Additional factors
– Establishment of a CIO position
– IT needs to move from technological to business issues
– Security is not just a firewall (crunchy on the outside, soft and chewy on the inside)
– External security audits
– Government legislation

Scope
– University wide
– Departmental
– Regional colleges
– Residences
– Wireless, PDA, cellphone
– Home, remote access

Elements of an IT Security Policy
Based on standards:
– ISO
– SANS
– CERT
– Peers

Mission statement
– Organizational roles: Executive, HR, Board; CIO; Security officer; Technical staff; Campus Police; Legal, Audit; User community
– Definitions

Data handling policy
– Data sensitivity
– Electronic records retention
– Privacy

User account management
– Account management
– Password management
– Acceptable use policy

Access management
– Trust model
– Access controls
– Data classification

Virus protection policy
– Perimeter ( , firewall)
– Desktop
– Actions based on detection

Networking
– Standards (protocols, ports)
– Authorized access
– Remote access

Intrusion detection / logging; configurations / backups
– Monitoring
– Log consolidation
– Incident handling: Incident Response team; reporting requirements
– Configuration management
– Backups / archiving: business resumption (not disaster recovery)

Unique requirements of a University environment
– Needs to be realistic for a University environment
– Students, faculty, staff, 3rd parties
– Mix of research, educational, business and personal data
– Open environment of collaboration and learning
– Wide range of research and educational issues

Development process
Develop a security policy team
– The security officer alone should not write the policy
– Broad cross-section of the community, but not too big
– Involve major stakeholders: HR, Audit, Legal, IT staff

Risk assessment (KISS)
– Asset inventory
– Asset values
– Threats
– Mitigations
– Provides a guideline for priorities

Review existing policies
– Compare to standards
– Revise as needed
– Develop new policies to fill in gaps
– Use templates (SANS)
– Borrow from peers

Obtain approval

Establish audit & review process
– Measurements
– Revisions based on results, problems
– Ensure standards and practices are established
  – Document how the policy will be followed
  – Define the technical elements of implementation

Communicate policy to community
– Promote better understanding
– Encourage feedback

Time?
– ASAP
– Take small steps when possible
– Generally considered a long process in the industry
– Consultants and products may speed up the process