Strategies for Crafting Effective IT Security Policies CIO Forum March 12, 2003 Dennis Maloney & Marin Stanek The University of Colorado at Boulder.

Slide 1: Strategies for Crafting Effective IT Security Policies
CIO Forum, March 12, 2003
Dennis Maloney & Marin Stanek, The University of Colorado at Boulder

Slide 2: Why Now?
Internal drivers
– Telecommunications & wireless audit
– Campus-wide IT Strategic Plan = greater coordination & collaboration
External drivers
– 9/11
– Federal laws & agencies (FERPA, HIPAA, NSF)
– State laws
– Private research communities (NASA)

Slide 3: 2002 – The Year of Policy Development
Established policies
– Computing and Network Resources for all Users (Rights and Responsibilities document)
– Student Email as an Official Means of Communication (FERPA, HIPAA, confidential/sensitive information)
– Campus-wide Access & Authorization (encrypted authentication)
– Directories
– Wireless
Policies still under development
– Identity Management
– Copyright
– Antivirus

Slide 4: Policy Roadmap
– A great idea for a policy
– Then a flurry of communication occurs
– CIO, ITS & IT Coordinators begin drafting
– ITC discusses & revises
– Legal Counsel advises
– Appropriate constituencies are involved
– Endless revisions occur
– Life looks bleak
– A better policy emerges because of campus input
– Policy is reviewed & approved by CEC
– ITC & LC review again
– Policy is signed by the Chancellor
– Policy is communicated to campus, and life is good!

Slide 5: Policy Development: Step One – Be Aware of Existing Policies
– Federal (research requirements, FERPA, HIPAA, copyright)
– State (Campaign Fair Practices Act, Conflict of Interest)
– University policies
– Current campus policies

Slide 6: Policy Development: Step Two – Conceptualizing High-Priority Policies / Basic Set of Policies (our list)
– Accountability (Rights & Responsibilities/Acceptable Use, C&NR)
– Availability (Wireless)
– Integrity (Server Security, Directories)
– Access Control (Access & Authorization, Identity Management)
– Determination of Data Sensitivity (Copyright, and Guidelines for Computer Users)
– Security Management (Network Security, Antivirus)
– Policies managing the flow of information (Web Publishing Policy, Portal Policy)

Slide 7: Visualizing Your Policy/Practices Framework
– Accountability (Rights & Responsibilities/Acceptable Use, C&NR)
– Security Management (Network Security, Antivirus)
– Integrity (Server Security, Directories)
– Access Control (Access & Authorization, Identity Management)
– Determination of Data Sensitivity (Copyright, & Guidelines for Computer Users)
– Availability (Wireless)
– E-Policies (Web Publishing, Email, Portal)

Slide 8: Policy Development: Step Three – Policy Outline (time saver or time sucker)
Develop a policy template:
– Introduction/Purpose of the Policy
– Definitions
– Scope of the Policy
– Policy Statement (most important)
– Sanctions
– References
– Responsible Office & Review Schedule
– Date of implementation
– Attachments (might include guidelines, standards, procedures/processes)
Template summary fields: Name / Audience / Policy Emphasis / Technical Emphasis / Who handles the violation

Slide 9: Policy Development: Step Four – Discussion, Process, & Approval
– Review what other similar schools are doing (www.educause.edu) – do your homework
– Gain support & approval from the senior level – find a champion
– Contact key constituencies for informal input
– Establish or recognize who will formally approve the policy
– Establish buy-in
– Provide information online, accessible from one location
– Provide an interim phase for feedback
– Develop accompanying guidelines, standards, and process/procedure documentation

Slide 10: Educational Campaign
– Initial announcement (from the highest source possible)
– Accompanying website (includes policy, FAQ, guidelines, standards, procedures/process, AND who to contact!)
– Tailor specific messages to audiences (faculty, students, staff)
– Listen to feedback!
– Evaluate impact

Slide 11: Lessons Learned
1. Research & make connections with other schools – build on what they’ve developed
2. Collaborate across campus
3. Have patience – good policy development is about building consensus and awareness
4. Maintenance = effectiveness; don’t let a policy become “dusty”

Slide 12: Good References
– http://www.sans.org/resources/policies/
– http://www.educause.edu
– http://www.inform.umd.edu/acupa/
– http://www.cit.cornell.edu/oit/policy/drafts/

Slide 13: Contact Information
– Marin Stanek, IT Initiatives Coordinator – Marin.Stanek@colorado.edu
– Dennis Maloney, Executive Director, ITS – Dennis.Maloney@colorado.edu
– CU-Boulder Policy website: http://www.colorado.edu/policies/index.html
