Agenda Model Security Policy Framework for Information Technology Policy Implementation of Information Security Policy Scenarios Discussion Q & A
Educause Model Security Policy Kim Milford University of Rochester
Model Security Policy Educause Sub-Committee, December 2005 Goal:Create a template of policy statements from existing standards and policies. This model policy can then be used in whole or in part by organizations creating or updating their information security policy
Model Security Policy William Custer, Miami University Information Security Policy Manager Bob Kalal, Ohio State University Director, Information Technology Policy & Services Jack McCoy, East Carolina University Director, IT Security Kim Milford, University of Rochester Director & Information Security Officer David Weil, Ithaca College Director, Web, Systems & Department Services
Model Policy Deliverables (December 2006): A category scheme of policy topics under which samples of existing policy from various universities may be displayed on the Educause web site A set of prioritized categories about which we will write sample policy first Some published drafts about which we can get informal feedback at the two conferences in April A presentation at the fall Educause conference by which we can get feedback A sample policy statement of about 10 pages on selected topics. A statement about methodology and general assumptions.
Establishing common vocabulary & taxonomy Will continue to evolve Researched ISO 17799, NIST, ISC2 Compared to legal requirements HIPAA, FERPA, GLB Largely based on SANS major headings Supplemented with examples from a review of over 80 University security policies Model Security Policy
Categories: 1. Security Policy 2. Organizational Security 3. Asset Classification and Control 4. Personnel Security 5. Physical and Environmental Security 6. Communication and Operations Management
Model Security Policy Categories (continued): 7. Access Control 8. System Development & Maintenance 9. Business Continuity Management 10. Compliance ** Security Policy & Acceptable Use
Model Security Policy Timeline (based on proposed priorities) June: Organizational Security “pilot” Sept:Asset Classification & Control Sept:Communications & Operations Management Sept:Access Control Oct:Presentation at Educause Conf Dec:Completion
Model Security Policy This is developing rapidly… there will likely be many changes since these slides were prepared. We will bring discussion back to Model Security Policy at the end of this morning’s session.
An Information Technology Policy Framework Tracy Mitrano Cornell University
Big “P” and Little “p” Policy Big “P” is for more broadly represented issues, national policy EDUCAUSE position on FBI petition to the FCC to expand Communications Assistance Law Enforcement Act to data networks National security issues Little “p” policy Institutional policy on, say, travel reimbursements, capital assets or appropriate use of IT resources
IT Policy Framework at Cornell University Policy Office http://www.univco.cornell.edu/policy/home.html http://www.univco.cornell.edu/policy/home.html http://www.univco.cornell.edu/policy/pop.html http://www.univco.cornell.edu/policy/pop.html http://www.univco.cornell.edu/policy/current.html http://www.univco.cornell.edu/policy/current.html IT Policy Office http://www.cit.cornell.edu/oit/PolicyOffice.html http://www.cit.cornell.edu/oit/PolicyOffice.html http://www.cit.cornell.edu/oit/policy/drafts/ http://www.cit.cornell.edu/oit/policy/drafts/ http://www.cit.cornell.edu/oit/policy/framework-chart.html http://www.cit.cornell.edu/oit/policy/framework-chart.html http://www.cit.cornell.edu/oit/policy/framework.html http://www.cit.cornell.edu/oit/policy/framework.html
Two Themes for Subsequent Policy Development Protection and Preservation of Institutional Interests and Assets Security and Privacy* *Security and privacy could also be subsumed under the first theme, but because of the significance of the security and privacy concerns for campus networks, it is worth illuminating separately at this time in the history of IT policy development.
Security and Privacy Maybe in national security arena and debates these qualities are pitted against each other in a “zero-sum” game kind of formula. But in campus networking we should think of them as equally complementing each other, as if the old adage “you can’t have privacy without security…” Private, criminal actions pose far greater compromise of privacy due to network security flaws than government surveillance. Public laws weigh privacy and security provisions equally.
Cornell Security Program http://www.cit.cornell.edu/oit/policy/security.html
Cornell Privacy Program http://www.cit.cornell.edu/oit/policy/privacy.html
Cornell IT Policy Framework http://www.cit.cornell.edu/oit/policy/framework-chart.html
Policy Implementation Good balance between policy statements and procedures Balance is relative to structure and traditions of the institution Cornell’s “rule of thumb” is to include the level of procedure only at the highest university wide level IT organization does the documentation for deeper level of implementation and backline procedures Intelligibility to technical and non-technical users IT organization documentation can augment dry bones policy form and substance And meet the needs of both technical and non-technical uses
Policy Implementation Exceptions Every policy has exceptions (just like every law!) Make sure the exceptions are for important reasons are appropriately tailored Requisite authority Centralized or non-centralized processes Enforceable Usually through audit at the institutional level and to each individual through disciplinary measures (HR, JA, etc.) ould not cause additional burden
Policy Implementation Address administrative/financial burden Up front so that stakeholders and authorizing parties are aware of the financial, business and administrative costs Balance those costs with clear explication of the benefits that the policy provides the institution Build cost/benefit analysis into implementation Education for the community Tools (e.g. software or new programs) Training for relevant personnel Time line for full implementation
Final Thoughts IT Policy externally influenced by law, technology, business models and social norms. IT Policy development challenging due to the diverse nature of our institutions One size does not fit all! Different policy processes Passionate stakeholder concerns… IT Policy function requires different styles of leadership.
Three Axioms: Conclusion Only write IT policy for IT matters Where technology meets law and behavior Give unto Caesar what is Caesar's... Harassment as an example, political speech in email Communicate, Educate and Commiserate, but don’t be afraid to… EXERCISE LEADERSHIP!
Policy Implementation Steve Schuster Cornell University
Cornell Network Registry (Case Study) Must be understandable The policy must be clear to technical and non- technical people What needs to be done to meet the requirements of the policy Network Registry policy.htm
Cornell Network Registry (Case Study) Exceptions need to be well understood and articulated Are exceptions acceptable? What are acceptable reasons? DNSDB Tools for Network Registration.htm
Cornell Network Registry (Case Study) Must be implementable A policy that can not be implemented is not worth writing DNSDB Tools for Network Registration.htm
Cornell Network Registry (Case Study) Must be enforceable A way is required to validate compliance Non compliance should mean consequences Network Registry audit of 128842030.txt
Cornell Network Registry (Case Study) Should not cause substantially additional burden Staff time Financial
Lessons Learned There is no way to over communicate There are almost as many unique situations as there are people on campus Regardless of how straight forward people will not be happy Enforcement and compliance are difficult to get your arms around
Model Security Policy Categories: 1. Security Policy 2. Organizational Security 3. Asset Classification and Control 4. Personnel Security 5. Physical and Environmental Security 6. Communication and Operations Management
Model Security Policy Categories (continued): 7. Access Control 8. System Development & Maintenance 9. Business Continuity Management 10. Compliance
Model Security Policy Priorities: Organizational Security Asset Classification & Control Communications & Operations Management Access Control
Model Security Policy Organizational Security 1. Management Commitment 2. Information Security Infrastructure 3. Security of Third Party Access 4. Outsourcing 5. Risk Analysis and Assessment
Model Security Policy Management Commitment Statement of Values Goal(s) of policy Importance of information resources Importance of information security
Model Security Policy Management Commitment (cont’d) Includes Security Mandate Protecting: Confidentiality Integrity Availability Reduce risk of exposure that could damage reputation
Model Security Policy Information Security Infrastructure A.Organization & Governance B.Information security coordination C.Allocation of information security roles & responsibilities D.Management information security forum E.Authorization process for information processing facilities
Model Security Policy Information Security Infrastructure (Continued) F. Specialist information security advice G. Cooperation between organizations H. Independent review of information security
Model Security Policy Our work is continuing Your input is appreciated