ITS a BeAR: IT Security for Berkeley Academic Resources
Masters Project Presentation
iSchool, UC Berkeley
May 15th, 2008
Project Team: Matt Chew Spence, Bindiya Jadhwani, Lawan Likitpunpisit, Meghalim Sarma
Project Advisor: Eric Kansa
Dec 20, 2015
04/18/23 21:29
Copyright© 2008 2
Agenda
  Problem Statement
  Project Background
  Needs Analysis
  ITS-a-BeAR: Security Plan Generator System
  System Walk Through
  Project Impact
  Future Work and Recommendations
Our Clients and Key Stakeholders
  UC Berkeley Information Services & Technology (IST)
    Bill Allison, Senior Manager
      Chair of the Campus Information Security and Privacy Committee
    Karen Eft, IT Policy Manager
  With advice from:
    Chris Hoofnagle, Senior Staff Attorney
      Samuelson Law, Technology & Public Policy Clinic
    Ryan Means, Chief Technical Officer
      UC Berkeley School of Law
      Vice-Chair of the Campus Information Security and Privacy Committee
    Jeremy Lapidus, Principal Auditor
      UC Berkeley Audit & Advisory Services
Mark Deely – Researcher with Sensitive Data
  51 years old, Married with 2 kids
  Senior researcher, Anthropology
  Work Focus:
    Studies Latin American ethnography
    Work based on observations of people
    Uses his laptop to store all research data
  Collects and stores personal information
  Encrypts data but wonders if that is enough
Jing Wu – Administrator Managing IT system
  33 years old, Single
  Director of computing services, Anthropology
  Responsibilities:
    In charge of technical support
    Security of department system
  Overburdened due to lack of resources for security compliance
Problem Statement
  Need to protect sensitive data at the university
  Difficulty due to decentralized nature of campus
  Must interpret multiple policies
  No single catalog of requirements
  Limited guidance for security compliance
Project Background
  Information is the lifeblood
  Current computers and networks inherently insecure
  Number of laws and policies that should be followed
    FERPA, HIPAA, GLBA, SB1386, etc.
  Enforcement on campus is effectively voluntary
Needs Analysis
  CIO has limited visibility into true state of campus compliance
  Guidance to campus units is not readily available
    Mandates spread across UC and campus policies
    No single list of recommended practices that meet security requirements
  Not easy for technical staff to justify need for controls
  No Security Plan Template
What are Controls?
  Things you have to do to protect a system
  Implemented at various levels
  Controls are context dependent
    Policy-based controls
    Risk-based controls
    Platform-specific-based controls
  Policies describe controls at a high level
    Concrete steps up to the interpretation of the reader
Data Classification Overview
  We care about: “Restricted, Essential, and Data of Record”
Data Classification (Cont.)
  Restricted Data: Anything protected by law, policy, or contract
    Personally Identifiable Information!
  Essential System: Failure to function causes a major failure to university services.
  Data of Record: Authoritative copy of data
The Shift towards Risk-based Analysis
  Existing Classification: Restricted Data, Essential Data, Data of Record
  Risk-based Classification (Low / Medium / High):
    Restricted: Confidentiality
    Data of Record: Integrity
    Essential: Availability
Roles
  Administrative Officials: Unit heads, deans, etc.
  Data Proprietors: Data owner
  Data Custodians: Everyone with privileged access to the system
  Data Users: People with access to data within an information system
Mark Deely
Jing Wu
IT Security Control Catalog
We created a single catalog that maps:
  Various Policies: UC-Wide, Campus-Wide
  Standards: NIST SP series
  Data Classification: Risk Based
  Controls, Roles, Procedures
Security Plan Template
ITS a BeAR! Security Plan Generator
  A proof-of-concept
  5-step, easy-to-use web-based system
  Auto generation of appropriate controls
  Recommends procedures on how to implement controls
  Generates a security plan at the end
High-Level User Interaction
  User
  Step 1: Basic Information
  Step 2: Data Classification
  Step 3: Detail Hardware Profile
  Step 4: Implementation choice and details
  Step 5: Final Security Plan
  Security Plan Generator: Extract appropriate controls based on data classification
  All user information captured at Step 1 – Step 4
Detailed Flow Diagram
Walk Through – Step 1
System Name is Captured
Step 1: Basic Information
Roles and System Contacts Identified
Step 2: Information Sensitivity Level
Provides Definitions
Sensitivity Level is identified
System Type identified
Step 3: Purpose of the System
User Types identified
Step 4: List of Controls are Generated
Controls Generated
Step 4: List of Controls are Generated
Implementation Choice
Recommended Procedures
Step 5: Final Security Plan
Security Plan ready to print!
Save, Submit, Print
Benefits
  Users no longer need to interpret complex policies
  Guidance provided on implementing controls
  Less duplication of work!
  Assists IT audit process
  Better compliance
  Less embarrassment and cost to campus
Project Impact
  Created common catalog for university IT security compliance
    Potentially shared across all UC campuses
  Re-defines the IT Security Plan submission and approval process
  Re-use of information across different organizations (CPHS and RDM)
  On the way to implementation!
Future Work
  Integration with Campus IT Services
  Auditor Interface
  Incremental Entering of Information
  Customized Guidance Reports For Units
  Management Reporting
Recommendations to the CIO Office
  Provide Security as a Service
  Insert Security into Mandatory Processes
  Process Improvements
  Create Standard Risk Assessment Methodology
  Have More Granular Data Classifications
  Improve Periodic Review of Controls
  Consolidate Security Log Auditing
Project Feedback!
Can we share this with other UC campuses?
- Karen Eft -
Great Recommendations! Very impressive!
A clear approach and a good synthesis of available resources.
- Shel Waggener -
It’s practical. We can implement it incrementally!
- Bill Allison -
Acknowledgements
  IST IT Policy Team
  Ryan Means
  Jeremy Lapidus
  iSchool Faculty: Eric Kansa, Erik Wilde, Bob Glushko, Doug Tygar
Questions & Answers