Page 1: Converting Policy to Reality: Designing an IT Security Program for Your Campus
2nd Annual Conference on Technology and Standards, May 3, 2005
Jacqueline Craig, Director of Policy, Information Resources and Communications, University of California Office of the President

Page 2: The First Step: Establish Policy
• reflects the institution's core values
• establishes an integrated framework
• identifies objectives: "what" needs to happen

Page 3: Policy may include or reference
• elements often included in policy: guidelines, procedures, standards, best practices
• "how" to achieve objectives

Page 4: Elements of security policy

Policy should identify:

• principles

• roles and responsibilities

• scope

• identification of measures that comprise your security program

Page 5: Moving from Policy to Reality
Create a Security Program
→ a road map
→ an action plan
→ a means of ensuring policy compliance throughout the campus community

Page 6: IT Security Program
The means to implement IT policy
• it is a management concern, not just the responsibility of IT
• input from administration, faculty, staff, students
• publicize widely: must be an open process
• security planning must be incorporated into every management level
• leverage campus governance structure

Page 7: Campus Governance
• establishes the risk management philosophy of the enterprise
• articulates the ethical values of the enterprise
• establishes the operating style
• assigns authority and responsibility

Not only an enabler: an integral part of enterprise governance

Page 8: Is the CIO at the head table? Do IT personnel participate in business decisions?
• IT governance cannot be separated from the governance of the enterprise
• Enterprise governance structure must include IT personnel at every level
• Is there a campus Security Officer?
• Is there a campus-wide committee to address security?

Page 9: Campus Security Committee
• represents campus-wide interests in information security
• brings matters of information security to executive management
• develops campus-wide strategy
• provides direction, planning, and guidance in the area of information security
→ develops and reviews the campus-wide information security program

Page 10: IT Security Program
• assignment of responsibility
• risk assessment requirements
• security plan: mitigation plan, identification of internal controls

Page 11: IT Security Program
• business continuity: emergency operation, disaster recovery

• incident response and mitigation

• education and security awareness plan

• evaluation of program’s effectiveness

Page 12: IT Security Program
• establishes governance for security: management and administration
• ensures network defense: architecture and security strategy
• implements protection management: resources, procedures, projects

Page 13: Risk Assessments
• purpose: help management create appropriate strategies and controls for stewardship of information assets
• a process to understand and document potential risks to information assets
• scope can vary
  – managerial view: institutional, division, department
  – IT view: systems, applications
• outcome: create a security plan

Page 14: Risk Assessments
May be mandated by policy or statute:
• Gramm-Leach-Bliley Act (GLBA)
  – the Financial Services Modernization Act of 1999
  – implemented by the FTC Safeguards Rule (compliance required by May 23, 2003), which established standards for administrative, technical, and physical safeguards for customer information
• Health Insurance Portability and Accountability Act (HIPAA)
  – Security Rule compliance effective April 2005

Page 15: Risk Assessments
Purpose and scope determine the assets to be covered in the risk assessment:
• Privacy: usually a focus on safeguards to protect data and resources
• Criticality: focus is often on operations

Page 16: Risk Assessments
Approaches:
• identify and classify information assets
• identify processes: how does information flow through IT resources?
• identify key players
• identify types of resources: data centers, application systems, workstations, portable equipment?

Page 17: Methodology Overview
• may be formal (institutional) or informal (departmental review)
• create a risk assessment team
  – set scope
  – identify assets to be covered
  – categorize potential losses
  – identify threats and vulnerabilities
  – identify existing controls
  – analyze the result of the data collected

Page 18: Create a Security Plan
• determine appropriate controls to address vulnerabilities and risks revealed by assessment
  → administrative/management/operational
  → logical/technical
  → physical measures
• identify minimum requirements
• identify procedures
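A worked pass through the methodology on pages 17 and 18, as an added example in Python that is not part of the presentation: a risk register scored on a three-point likelihood and impact scale (the common qualitative approach described in NIST SP 800-30, not a method the slides prescribe), with existing controls discounting likelihood and the residual risks above the institution's appetite becoming the input to the security plan, each tagged with the administrative, technical or physical control proposed to treat it. The assets, threats, scores and appetite are constructed for illustration.

```python
"""Qualitative risk analysis feeding a security plan (added example, not from the
slides). Each risk pairs an asset with a threat and vulnerability; existing
controls discount likelihood; residual risk = likelihood x impact; anything above
the institution's appetite is handed to the security plan with the kind of
control (administrative, technical, physical) proposed to treat it."""
from dataclasses import dataclass, field

# Three-point ordinal scale used for both likelihood and impact.
LEVEL = {"low": 1, "moderate": 2, "high": 3}
CONTROL_TYPES = {"administrative", "technical", "physical"}


@dataclass
class Asset:
    name: str
    impact: str  # worst-case impact of compromise: low / moderate / high


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str                     # before crediting existing controls
    existing_controls: list = field(default_factory=list)
    control_strength: int = 0           # levels by which existing controls lower likelihood (0-2)
    proposed_control: str = ""          # e.g. "full-disk encryption"
    proposed_control_type: str = ""     # administrative / technical / physical, or "" if none

    def __post_init__(self):
        if self.likelihood not in LEVEL or self.asset.impact not in LEVEL:
            raise ValueError("likelihood and impact must be low, moderate or high")
        if not 0 <= self.control_strength <= 2:
            raise ValueError("control_strength must be between 0 and 2")
        if self.proposed_control_type and self.proposed_control_type not in CONTROL_TYPES:
            raise ValueError(f"unknown control type {self.proposed_control_type!r}")


def residual_likelihood(risk: Risk) -> int:
    """Existing controls reduce likelihood but never to zero: a control that is
    bypassed, misconfigured or switched off still leaves the threat possible."""
    return max(1, LEVEL[risk.likelihood] - risk.control_strength)


def residual_score(risk: Risk) -> int:
    return residual_likelihood(risk) * LEVEL[risk.asset.impact]


def rank_risks(risks):
    """Highest residual risk first; ties broken by impact so high-impact assets rise."""
    return sorted(risks, key=lambda r: (residual_score(r), LEVEL[r.asset.impact]), reverse=True)


def security_plan(risks, appetite: int = 3):
    """Risks whose residual score exceeds the appetite, each with its proposed
    treatment: the list the plan's 'determine appropriate controls' step works from."""
    plan = []
    for risk in rank_risks(risks):
        if residual_score(risk) > appetite:
            plan.append({
                "asset": risk.asset.name,
                "threat": risk.threat,
                "residual_score": residual_score(risk),
                "control": risk.proposed_control,
                "control_type": risk.proposed_control_type,
            })
    return plan


# Constructed sample register for a campus; every value here is illustrative.
student_records = Asset("student records database", "high")
dept_server = Asset("departmental web server", "moderate")
public_site = Asset("public marketing website", "low")

SAMPLE_RISKS = [
    Risk(student_records, "theft of laptop holding a records extract", "no disk encryption",
         "high", ["asset inventory"], 0, "full-disk encryption on portable devices", "technical"),
    Risk(dept_server, "exploitation of an unpatched network service", "no patch process",
         "high", ["border firewall"], 1, "monthly patch cycle with vulnerability scanning", "administrative"),
    Risk(public_site, "web defacement", "weak CMS admin password",
         "moderate", ["patching", "strong password policy"], 2, "accept; monitor", ""),
]

if __name__ == "__main__":
    for item in security_plan(SAMPLE_RISKS):
        print(item)
```

The floor of 1 on residual likelihood is deliberate: crediting an existing control with eliminating a threat is how "we have a firewall" turns into an unassessed risk.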

Page 19: Access Authorization and Authentication
• Identity Management: infrastructure for access authorization
• establish procedures for verification of identity
• facilitate role-based authorization or authorization assignment
• issuance of strong authentication credentials
• termination procedures

Page 20: Data Classification
How is data classified?
• What is protected by law?
• What are the disclosure requirements?
• What privacy or criticality mandates apply?

Page 21: Data Classification
FIPS Publication 199 potential impact levels for each security objective:

Objective          Low                       Moderate                  High
Confidentiality    limited adverse effect    serious adverse effect    severe or catastrophic adverse effect
Integrity          limited adverse effect    serious adverse effect    severe or catastrophic adverse effect
Availability       limited adverse effect    serious adverse effect    severe or catastrophic adverse effect
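The table gives the impact definitions; the categorisation rule FIPS 199 builds on them, as an added example in Python that is not part of the presentation: a system's security category is the per-objective maximum over the information types it processes, "not applicable" is permitted only for the confidentiality of an individual information type (public information) and becomes "low" at the system level, and the overall level is the high-water mark of the three, which is the rule FIPS 200 uses to select a control baseline. The campus information types and their impact ratings are constructed for illustration.

```python
"""FIPS 199 security categorisation (added example; not from the slides).
An information type gets an impact level per security objective; a system's
category is the per-objective maximum over the information types it handles,
with 'not applicable' (allowed only for confidentiality of public information)
floored to 'low' at the system level, as FIPS 199 requires. The single overall
level is the high-water mark of the three (the FIPS 200 baseline-selection rule)."""

IMPACT_ORDER = {"not applicable": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def information_type(name, confidentiality, integrity, availability):
    """Build and validate the security category of one information type."""
    category = {"confidentiality": confidentiality, "integrity": integrity, "availability": availability}
    for objective, level in category.items():
        if level not in IMPACT_ORDER:
            raise ValueError(f"{name}: unknown impact level {level!r} for {objective}")
        if level == "not applicable" and objective != "confidentiality":
            raise ValueError(f"{name}: {objective} may not be 'not applicable'")
    return {"name": name, **category}


def _max_level(levels):
    return max(levels, key=IMPACT_ORDER.__getitem__)


def categorize_system(info_types):
    """SC(system): per-objective maximum over its information types, with a
    low-water mark of 'low' because the system itself must still be protected."""
    if not info_types:
        raise ValueError("a system handles at least one information type")
    system = {}
    for objective in OBJECTIVES:
        level = _max_level(t[objective] for t in info_types)
        system[objective] = "low" if level == "not applicable" else level
    return system


def high_water_mark(category):
    """Overall impact level: the highest of the three objectives."""
    return _max_level(category[o] for o in OBJECTIVES)


def format_sc(name, category):
    """Render in the notation FIPS 199 uses."""
    inner = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return f"SC {name} = {{{inner}}}"


# Constructed campus examples; the impact levels are illustrative, not a ruling
# on how any real institution should rate these records.
HEALTH_RECORDS = information_type("student health records", "high", "moderate", "moderate")
COURSE_CATALOG = information_type("public course catalog", "not applicable", "moderate", "low")
ACCESS_LOGS = information_type("building access logs", "moderate", "moderate", "low")

if __name__ == "__main__":
    clinic = categorize_system([HEALTH_RECORDS, ACCESS_LOGS])
    print(format_sc("clinic system", clinic), "->", high_water_mark(clinic))
    web = categorize_system([COURSE_CATALOG])
    print(format_sc("catalog web server", web), "->", high_water_mark(web))
```

A server that hosts only public information still comes out at least "low" for confidentiality: the system's own accounts, configuration and logs are not public even when its content is.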

Page 22: Workforce
• EDUCATION
  – customize training according to roles
  – identify responsibilities of supervisors, IT staff, researchers: everyone
  – ensure security reminders for new threats
• PROCEDURES: manage flow of information
• BACKGROUND CHECKS for critical positions

Page 23: Business Partners

• contracts and agreements

• confidentiality agreements

Page 24: Logical (technical) Security
• establish means to ensure:
  – software updates
  – installation of security patches
  – intrusion detection
  – scanning for vulnerabilities
  – password management
  – protection against viruses
• establish encryption key management plans
→ employ technology-implemented policy compliance where possible
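What "technology-implemented policy compliance" can look like for the list above, as an added example in Python that is not part of the presentation: the minimum requirements (patch age, signature age, scan cadence, password settings, host intrusion detection) are encoded as a policy dictionary and checked against host inventory records of the kind a patch-management or endpoint agent reports. The record fields, thresholds, hostnames and dates are assumptions for illustration, not any product's schema or any campus's real policy.

```python
"""Technology-implemented policy compliance (added example, not from the slides):
logical-security minimum requirements encoded as checks and run over constructed
host inventory records. Field names, thresholds and the records themselves are
assumptions for illustration, not a product schema or a real campus policy."""
from datetime import date

# Minimum requirements a security plan might set for every managed host.
POLICY = {
    "max_patch_age_days": 30,         # a missing patch older than this is a finding
    "max_av_signature_age_days": 7,   # antivirus signatures refreshed at least weekly
    "max_days_since_vuln_scan": 90,   # vulnerability scan at least quarterly
    "min_password_length": 8,
    "max_password_age_days": 180,
    "require_host_ids": True,         # host intrusion detection must be enabled
}


def _age_days(iso_date, today):
    return (today - date.fromisoformat(iso_date)).days


def check_host(host, today, policy=POLICY):
    """Return the list of findings for one host; an empty list means compliant."""
    findings = []

    for patch in host.get("missing_patches", []):
        age = _age_days(patch["released"], today)
        if age > policy["max_patch_age_days"]:
            findings.append(f"patch {patch['id']} missing {age} days after release")

    sigs = host.get("av_signatures_updated")
    if sigs is None:
        findings.append("no antivirus signature date reported")
    elif _age_days(sigs, today) > policy["max_av_signature_age_days"]:
        findings.append(f"antivirus signatures {_age_days(sigs, today)} days old")

    scan = host.get("last_vuln_scan")
    if scan is None:
        findings.append("never vulnerability scanned")
    elif _age_days(scan, today) > policy["max_days_since_vuln_scan"]:
        findings.append(f"last vulnerability scan {_age_days(scan, today)} days ago")

    pw = host.get("password_policy", {})
    if pw.get("min_length", 0) < policy["min_password_length"]:
        findings.append(f"password minimum length {pw.get('min_length', 0)} below policy")
    if pw.get("max_age_days", 10**6) > policy["max_password_age_days"]:
        findings.append("password maximum age exceeds policy")

    if policy["require_host_ids"] and not host.get("host_ids_enabled", False):
        findings.append("host intrusion detection disabled")

    return findings


def compliance_report(hosts, today, policy=POLICY):
    """Map hostname -> findings, plus the share of hosts with no findings."""
    results = {h["hostname"]: check_host(h, today, policy) for h in hosts}
    compliant = sum(1 for f in results.values() if not f)
    rate = compliant / len(hosts) if hosts else 0.0
    return results, rate


# Constructed inventory records; "today" is fixed to the talk's date so the
# sample is reproducible.
TODAY = date(2005, 5, 3)
SAMPLE_HOSTS = [
    {"hostname": "lib-ws-01", "missing_patches": [],
     "av_signatures_updated": "2005-05-01", "last_vuln_scan": "2005-03-15",
     "password_policy": {"min_length": 10, "max_age_days": 90}, "host_ids_enabled": True},
    {"hostname": "dept-srv-07",
     "missing_patches": [{"id": "patch-0117", "released": "2005-03-01"}],
     "av_signatures_updated": "2005-04-10", "last_vuln_scan": None,
     "password_policy": {"min_length": 8, "max_age_days": 180}, "host_ids_enabled": True},
]

if __name__ == "__main__":
    results, rate = compliance_report(SAMPLE_HOSTS, TODAY)
    for hostname, findings in results.items():
        print(hostname, "compliant" if not findings else findings)
    print(f"compliant hosts: {rate:.0%}")
```

Missing data is treated as a finding rather than a pass (no scan date means "never scanned", no signature date means "not reported"); a compliance check that silently passes hosts it cannot see rewards the departmental server that never enrolled its agent.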

Page 25: Physical Security
Consider use of professionally-managed data centers
• ensure appropriate controls for
  – hardware, software, and administration
  – physical access controls
  – backup
  – business continuity and disaster recovery
  – device and media controls
  – procedural controls

Page 26: Physical Security
When data centers cannot be utilized, identify rules for
→ departmental servers
→ desktop computers
→ portable devices

Stolen laptops account for 60 percent of security breach notifications in California

Page 27: Incident Response
• identify an Incident Response Manager (may be a person or a team)
• establish explicit procedures for
  – reporting suspected incidents
  – a decision tree for resolution
  – summary reporting
• feedback loop for remediation
• revisit existing controls

Page 28: Publicize to the Entire Community
Communicate with academic, administrative, and student communities
• town meetings
• hearings in standing committees and user groups
• newsletters, websites, mailing lists
→ ensure a constant flow of information to every segment of your community

Page 29: Re-evaluate Security Program
• role of auditors or external review
  – trained in enterprise risk management
  – ability to identify and assess risks
  – understand interrelated impacts
  – recommend appropriate control activities
  – perform the role of monitoring the enterprise

Page 30: Resources
• Educause: http://www.educause.edu/Cybersecurity/
• Security standard: ISO/IEC 17799 (since renumbered ISO/IEC 27002)
• National Institute of Standards & Technology, Computer Security Division: Special Publications (800 series) and FIPS publications, http://csrc.nist.gov/publications/index.html
• Audit framework documents
  – Enterprise Risk Management Framework, COSO (Committee of Sponsoring Organizations of the Treadway Commission)
  – IT Governance Institute, Control Objectives for Information and related Technology (COBIT framework)