ITS a BeAR: IT Security for Berkeley Academic Resources
Masters Project Presentation
iSchool, UC Berkeley
May 15th, 2008

Project Team: Matt Chew Spence, Bindiya Jadhwani, Lawan Likitpunpisit, Meghalim Sarma
Project Advisor: Eric Kansa

Page 2

Copyright © 2008

Agenda
- Problem Statement
- Project Background
- Needs Analysis
- ITS-a-BeAR: Security Plan Generator System
- System Walk Through
- Project Impact
- Future Work and Recommendations

Page 3

Our Clients and Key Stakeholders
UC Berkeley Information Services & Technology (IST)
- Bill Allison, Senior Manager; Chair of the Campus Information Security and Privacy Committee
- Karen Eft, IT Policy Manager

With advice from:
- Chris Hoofnagle, Senior Staff Attorney, Samuelson Law, Technology & Public Policy Clinic
- Ryan Means, Chief Technical Officer, UC Berkeley School of Law; Vice-Chair of the Campus Information Security and Privacy Committee
- Jeremy Lapidus, Principal Auditor, UC Berkeley Audit & Advisory Services

Page 4

Mark Deely – Researcher with Sensitive Data
- 51 years old, married with 2 kids
- Senior researcher, Anthropology
- Work focus: studies Latin American ethnography; work based on observations of people
- Uses his laptop to store all research data
- Collects and stores personal information
- Encrypts data but wonders if that is enough

Page 5

Jing Wu – Administrator Managing IT System
- 33 years old, single
- Director of computing services, Anthropology
- Responsibilities:
  - In charge of technical support
  - Security of department system
- Overburdened due to lack of resources for security compliance

Page 6

Problem Statement
- Need to protect sensitive data at the university
- Difficulty due to decentralized nature of campus
- Must interpret multiple policies
- No single catalog of requirements
- Limited guidance for security compliance

Page 7

Project Background
- Information is the lifeblood
- Current computers and networks are inherently insecure
- Number of laws and policies that should be followed: FERPA, HIPAA, GLBA, SB1386, etc.
- Enforcement on campus is effectively voluntary

Page 8

Needs Analysis
- CIO has limited visibility into true state of campus compliance
- Guidance to campus units is not readily available
- Mandates spread across UC and campus policies
- No single list of recommended practices that meet security requirements
- Not easy for technical staff to justify need for controls
- No Security Plan Template

Page 9

What are Controls?
- Things you have to do to protect a system
- Implemented at various levels
- Controls are context dependent:
  - Policy-based controls
  - Risk-based controls
  - Platform-specific controls
- Policies describe controls at a high level; concrete steps are up to the interpretation of the reader

Page 10

Data Classification Overview

We care about: "Restricted, Essential, and Data of Record"

Page 11

Data Classification (Cont.)
- Restricted Data: anything protected by law, policy, or contract; Personally Identifiable Information!
- Essential System: failure to function causes a major failure to university services.
- Data of Record: authoritative copy of data

Page 12

The Shift towards Risk-based Analysis

Existing Classification | Risk-based Classification (each rated Low / Medium / High)
Restricted              | Confidentiality
Data of Record          | Integrity
Essential               | Availability

Page 13

Roles
- Administrative Officials: unit heads, deans, etc.
- Data Proprietors: data owner
- Data Custodians: everyone with privileged access to the system
- Data Users: people with access to data within an information system

Personas placed on the slide: Mark Deely, Jing Wu

Page 14

IT Security Control Catalog

We created a single catalog that maps:
- Various policies: UC-wide, campus-wide
- Standards: NIST SP series
- Data classification: risk based
- Controls, roles, procedures

Page 15

Security Plan Template

Page 16

ITS a BeAR! Security Plan Generator
- A proof-of-concept, 5-step, easy-to-use web-based system
- Auto-generation of appropriate controls
- Recommends procedures on how to implement controls
- Generates a security plan at the end

Page 17

High-Level User Interaction (flow diagram)
- User → Step 1: Basic Information → Step 2: Data Classification → Step 3: Detail Hardware Profile
- All user information captured at Step 1 – Step 4 feeds the Security Plan Generator
- Security Plan Generator: extract appropriate controls based on data classification
- Step 4: Implementation choice and details
- Step 5: Final Security Plan returned to the user
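The risk-based classification slide and the generator's "extract appropriate controls based on data classification" step, as an added Python illustration that is not the ITS-a-BeAR project's code: the existing campus categories are translated into a Confidentiality/Integrity/Availability profile rated Low/Medium/High, and the controls whose threshold the profile meets are pulled from a catalog. The catalog entries, control ids and descriptions are constructed placeholders; the project's real catalog is not on the page.

```python
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")  # ordered ratings from the deck

# Existing campus category -> the CIA attribute it drives (from the deck).
CATEGORY_TO_ATTRIBUTE = {
    "Restricted": "Confidentiality",
    "Data of Record": "Integrity",
    "Essential": "Availability",
}

@dataclass(frozen=True)
class Control:
    id: str          # constructed id, not from the project's catalog
    attribute: str   # CIA attribute the control protects
    min_level: str   # lowest rating at which the control becomes required
    description: str

# Constructed sample catalog (hypothetical entries for illustration only).
CATALOG = [
    Control("C-1", "Confidentiality", "Low", "Password-protect all accounts"),
    Control("C-2", "Confidentiality", "Medium", "Encrypt restricted data at rest"),
    Control("C-3", "Confidentiality", "High", "Full-disk encryption on laptops"),
    Control("I-1", "Integrity", "Medium", "Verify backups restore correctly"),
    Control("A-1", "Availability", "Low", "Document a recovery contact"),
    Control("A-2", "Availability", "High", "Maintain a tested continuity plan"),
]

def risk_profile(classifications):
    """Map {existing category: rating} to {CIA attribute: rating}.
    Attributes no category drives default to Low; unknown names are rejected."""
    profile = {attr: "Low" for attr in CATEGORY_TO_ATTRIBUTE.values()}
    for category, rating in classifications.items():
        if category not in CATEGORY_TO_ATTRIBUTE:
            raise ValueError(f"unknown classification: {category}")
        if rating not in LEVELS:
            raise ValueError(f"unknown rating: {rating}")
        profile[CATEGORY_TO_ATTRIBUTE[category]] = rating
    return profile

def select_controls(profile, catalog=CATALOG):
    """Keep every control whose threshold the system's rating meets."""
    return [c for c in catalog
            if LEVELS.index(profile[c.attribute]) >= LEVELS.index(c.min_level)]

def overall_level(profile):
    """High-water mark over the three attributes: the plan's headline rating."""
    return max(profile.values(), key=LEVELS.index)
```

For the Mark Deely persona (a laptop holding restricted research data, not a data of record and not an essential system), `risk_profile({"Restricted": "High"})` yields a High confidentiality rating with Low integrity and availability, and only the confidentiality controls plus the Low-threshold availability control are selected.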

Page 18

Detailed Flow Diagram

Page 19

Walk Through – Step 1

System Name is Captured

Page 20

Step 1: Basic Information

Roles and System Contacts Identified

Page 21

Step 2: Information Sensitivity Level
- Provides definitions
- Sensitivity level is identified
- System type is identified

Page 22

Step 3: Purpose of the System

User Types identified

Page 23

Step 4: List of Controls Is Generated

Controls Generated

Page 24

Step 4: List of Controls Is Generated

Implementation Choice

Recommended Procedures

Page 25

Step 5: Final Security Plan

Security Plan ready to print!

Save, Submit, Print

Page 26

Benefits
- Users no longer need to interpret complex policies
- Guidance provided on implementing controls
- Less duplication of work!
- Assists IT audit process
- Better compliance
- Less embarrassment and cost to campus

Page 27

Project Impact
- Created common catalog for university IT security compliance
- Potentially shared across all UC campuses
- Re-defines the IT Security Plan submission and approval process
- Re-use of information across different organizations (CPHS and RDM)
- On the way to implementation!

Page 28

Future Work
- Integration with Campus IT Services
- Auditor Interface
- Incremental Entering of Information
- Customized Guidance Reports for Units
- Management Reporting

Page 29

Recommendations to the CIO Office
- Provide Security as a Service
- Insert Security into Mandatory Processes
- Process Improvements:
  - Create Standard Risk Assessment Methodology
  - Have More Granular Data Classifications
  - Improve Periodic Review of Controls
  - Consolidate Security Log Auditing

Page 30

Project Feedback!

Can we share this with other UC campuses?

- Karen Eft -

Great Recommendations! Very impressive!

A clear approach and a good synthesis of available resources.

- Shel Waggener -

It’s practical. We can implement it incrementally!

- Bill Allison -

Page 31

Acknowledgements
- IST IT Policy Team
- Ryan Means
- Jeremy Lapidus
- iSchool Faculty: Eric Kansa, Erik Wilde, Bob Glushko, Doug Tygar

Page 32

Questions & Answers