
1 © 2008 CH2M HILL, Inc. Data contained on this sheet is proprietary; use or disclosure is prohibited. Page 1
The CSU System-wide Policy Project
Communications Materials: A Package for Project Advocates
August 2008

2 What is an Information Security Program?
An organized effort across all domains (physical, logical, procedural) to provide appropriate levels of confidentiality, integrity, availability, and accountability for information regardless of format or representation.

3 Information Security Program Cycle
Strategy > Policy > Awareness > Implementation > Monitoring > Remediation (and back to Strategy)
Source: Stepping Through the InfoSec Program; ISACA

4 The Elements
Strategy:
- Objectives – what needs to be protected and why
- Roles and Responsibilities
- Structure – centralized or decentralized
Policy:
- Policy – high level statements
- Standards – specific guidance
- Procedures – step by step instructions
- Guidelines – best practice recommendations
Awareness:
- Orientations
- Training
- Reminders
- Forums, Working Groups, Wikis

5 The Elements (cont.)
Implementation:
- Administrative Controls – procedures and processes
- Technical Controls – firewalls, permissions, intrusion detection, etc.
- Physical Controls – barriers limiting contact with protected resources
- Asset Management
- Change Control
Monitoring:
- Network Monitoring
- Self Assessments
- Incident Response
Remediation:
- Risk Management
- Self Assessments
- Compensating Controls

6 Information Security Program – Touches Everyone
Administration and Staff:
- A sustainable program is established and a bar is set
- Implementation freedom preserved
- Efficiencies gained from eliminating guesswork
Students:
- Privacy acknowledged
- Protections provided
- Rules of the Road identified
- Consistency in expectations
Faculty:
- Academic Freedom acknowledged
- Protection of research enhanced
- Not set in stone; will continue to evolve
- Consistency in expectations
Auxiliaries:
- Part of the integrated approach
- Responsibilities identified
Visitors:
- Still have access to information
- Few noticeable impacts
- Privacy more clearly addressed

7 Proposed Changes to Campus Practices
- All IT-related audit submissions approved by the ISO
- Periodic review of department access lists and practices by the ISO
- IT security assessments required for some organizations
- Many former "practices" documented as procedures
- IT security governance structure strengthened

8 Student Affairs Impact – Examples
Data Classification (Standard 15):
- Student Affairs will be required to identify applications and systems which access or store protected data.
- Some data may not be sent unless encrypted.
- Annual reviews of security permissions and practices.
- Approval required to create "shadow" systems.
Mobile Devices (Standards 12.2 and 12.3):
- No protected data stored on mobile devices (laptops, data phones, memory sticks) unless encrypted/protected.
Information Security Awareness (Standard 10):
- Required and tracked for every employee.
Procurement/Contracts (Standards 6, 11):
- Risk management process prior to procuring new systems.
- Third party contract changes.
Personnel (Standard 8):
- Exit process must include securing data and access.

9 System-wide Security Program Benefits
- Supports Compliance Requirements – demands for personal privacy and data protection continue to increase
- Demonstrates Leadership Commitment – a key to any successful program
- Promotes Broad Discussion and Awareness of Information Security – increased awareness is consistently the most effective means for reducing security incidents and data exposure
- Promotes Consistency – common framework and expectations
- Establishes a Benchmark – eliminates guessing about what needs to be done
- Provides Evidence of Due Diligence – important in cases of litigation

10 Project Background
Timeline:
- September 2007 – Project begins
- October 2008 – Draft policy and standards produced
- Fall 2008 – Initiate Executive Order coordination
From the RFP:
- The project proposal is to develop viable system-wide information security policies and standards for the CSU system.
- This information security policy project will provide means of furthering information security education.
- Instill more secure working habits for individuals and entities that deal with CSU information assets.
- Position the University to be in compliance with privacy and security regulations.
Deliverables:
- System-wide Security Policies
- System-wide Security Standards
- Communication Materials
- Sample Implementation Strategies

11 Policy Objectives
The CSU is committed to:
- the ideals of academic freedom and freedom of expression.
- protecting the confidentiality, integrity, and availability of information assets entrusted to the University.
A delicate balancing act.
Policy: A policy is a broad statement of principles that presents management's position for a defined subject.

12 Standards and Samples
Standard: A standard provides more specific guidance on a particular topic. Standards have been written as standalone documents so that they can be more easily incorporated into legal agreements where third parties are providing services.
Sample (Remote Access)
Policy:
- Campuses must develop procedures that prevent unauthorized remote access to critical information systems or protected data, while ensuring that authorized users have appropriate remote access.
Standard:
- All remote access to non-public campus information systems, data, and network resources must be authenticated and authorized.

13 Security Program Components
Produced at the System Level:
- Policy
- Standards
Produced at the Campus Level:
- Procedures (as needed)
- Guidelines (as needed)

14 Policy Management and Updates
This policy will be updated to reflect changes in the CSU's academic, administrative, or technical environments, or in applicable state, federal, or international laws and regulations. The CSU's Senior Director for Information Security Management oversees an annual review of this policy.
Regular opportunity for updates, modifications, and adjustments!

15 Topics Addressed by Policy and Standards
- Information Security Roles and Responsibilities
- Risk Management
- Acceptable Use
- Personnel Security
- Privacy
- Security Awareness and Training
- Third Party Services Security
- Information Technology Security
- Configuration Management and Change Control
- Access Control
- Asset Management
- Management of Information Systems
- Information Security Incident Management
- Physical Security
- Business Continuity and Disaster Recovery
- Legal and Regulatory Compliance

16 Information Security Roles and Responsibilities
Key Policy Concepts:
- Everyone (executives, managers, faculty, students, and staff) is responsible for information security, including:
  - the privacy of personally identifiable information (PII).
  - the integrity of stored data.
  - the maintenance of applications installed on CSU information systems.
  - the availability of information.
  - compliance with applicable local, state, federal, and international laws and regulations, including intellectual property and copyright.
Key Standards:
- Campus President – establishes the campus program
- Campus Chief Information Officer
- Information Security Officer

17 Risk Management
Key Policy Concepts:
- Campuses must conduct periodic risk assessments, and additional assessments when security requirements change or when significant changes occur in the campus environment.
Key Standards:
- Risk Assessment
- Risk Management Plan

18 Personnel Security
Key Policy Concepts:
- Employee information security related duties and responsibilities must be defined in the employee position description.
- When employees separate from the University, their access (physical and logical) must be promptly disabled or removed.
Key Standards:
- Position Change
- Background Checks

19 Security Awareness and Training
Key Policy Concepts:
- Campuses must ensure that system administrators and managers are provided with sufficient ongoing training to stay current with best practices and technology.
Key Standards:
- Content
- Awareness and Training Activities

20 Third Party Services Security
Key Policy Concepts:
- Before third parties are granted access, a basic risk assessment must be performed.
- Contract terms and conditions must include appropriate information security safeguards.
Key Standards:
- N/A

21 Information Technology Security
Key Policy Concepts:
- Procedures must be in place to effectively detect, prevent, and report malicious software.
- Networks (wired and wireless) must be designed and segmented based on risk, data, and access.
- Procedures must prevent unauthorized remote access to critical information systems or protected data.
Key Standards:
- Network Controls Management
- Remote Access
- Mobile Device Management
- Boundary Protection and Isolation
- Malicious Software Protection
- Wireless Access Points
- Logging Elements

22 Configuration Management and Change Control
Key Policy Concepts:
- Campuses must maintain a program designed to ensure that operating systems and applications are routinely updated to correct flaws and close vulnerabilities.
- Changes to critical information systems, protected data, and network resources must be reviewed.
Key Standards:
- Change Control
- Configuration Management

23 Access Control
Key Policy Concepts:
- Managers and data stewards define and approve access.
- A documented process is used to approve additions, changes, and terminations of access rights.
- User rights must be regularly reviewed.
Key Standards:
- User Credential and Privilege Management
- Password Management
- Encryption

24 Asset Management
Key Policy Concepts:
- All information assets must be classified according to the CSU's data classification standard.
- Critical systems and protected data must be appropriately controlled.
- Media and hardware must be securely disposed of when no longer needed.
Key Standards:
- Data Classification
- Data Handling
- Data Retention (see EO 1031)
- Data Disposal
- Clean Desk

25 Management of Information Systems
Key Policy Concepts:
- A documented process is required for developing and procuring applications and information systems.
- Use of protected data for testing is to be avoided.
- Testing of security controls is required prior to operations.
Key Standards:
- Development Management
- Secure Web Application Coding
- Life Cycle Management

26 Information Security Incident Management
Key Policy Concepts:
- Each campus must have a security incident response team (SIRT) and an incident response plan.
- Training for response activities and testing of response plans must occur regularly.
- Contracts should compel third parties to report security incidents involving campus information.
Key Standards:
- Evidence Collection and Handling
- Reporting

27 Physical Security
Key Policy Concepts:
- Protected data must be physically secure.
- Credentials (e.g. badges, tokens) must be regularly reviewed.
Key Standards:
- Definition of Protection Areas
- Access to Data Closets and Cabling Restricted
- Limit Casual Viewing of Private Information (e.g. health centers)

28 Business Continuity and Disaster Recovery
Key Policy Concepts:
- Continuation of essential functions and operations following a catastrophic event.
- Must comply with CSU Executive Order 1014.
Key Standards:
- N/A

29 Legal and Regulatory Compliance
Key Policy Concepts:
- CSU legal staff will help regularly identify and define the local, state, federal, and international laws and regulations that apply to the CSU campuses.
- Campus-specific policies, standards or procedures must meet or exceed system-wide policies and standards.
Key Standards:
- N/A

30 System-wide Security Program Benefits – Review
Restates slide 9: supports compliance requirements; demonstrates leadership commitment; promotes broad discussion and awareness of information security; promotes consistency; establishes a benchmark; provides evidence of due diligence.

31 Additional Benefits – Audits
Audit/Review Savings and Efficiencies:
- Everyone graded against the same base criteria
- Information security integrated into campus operations
- Routine self assessments
- Active risk management
- Audit becomes verification, not discovery – verification of the controls that have been put into place

32 Additional Benefits – Planning
Improved Planning and Coordination:
- A common framework established
- Forums available for technical exchanges:
  - ISOs
  - ITAC
  - ITRP II
- Identification of joint or system efforts enabled
- Risk-driven priorities and justifications

33 Additional Benefits – Continuous Improvement
Opportunity to Raise the Bar:
- Standards can be enhanced or added to address changing threats.
- Campus or system guidelines can be used to try out proposed updates.
- Self assessments and audits can be used to identify gaps.
Trending and Analysis:
- Risk-based approach supports decisions based on information, not speculation.
- A metrics program (future) will track program effectiveness.

34 Possible Campus Rollout Activities
- Respond to specific document requests by the ISO
- Develop new internal processes to meet new requirements
- Engage in the development process for implementing new policies and standards
- Establish division responsibility for annual reports and internal security audits (with the ISO)

35 Sources for Additional Information
Campus CIO:
- name
- e-mail
- number
Campus ISO:
- name
- e-mail
- number
Senior Director for Information Security Management, Chancellor's Office:
- Cheryl Washington
- cwashington@calstate.edu
- 562-951-4190

36 Q&A

