Security Policies for Institutions of Higher Education

Ardoth A. Hassler, Associate VP for University Information Services, Georgetown University

Tracy B. Mitrano, Director of IT Policy and Computer Policy and Law Program, Cornell University


Abstract

Abstract

  • Security policies are an important component of an overall security strategy. This presentation will describe the security policies of Georgetown University and Cornell University. It will include a discussion of the policy development process, lessons learned, efforts to inform users, and policy impact.


Higher Ed IT Environments

  • Historically “open” network environments

  • Wide range of hardware and software from outdated to state-of-the-art

  • Increasing demands for distributed computing, distance learning and mobile/wireless capabilities which create unique security challenges

  • Lack of clearly defined security requirements (what do we need to protect and why)

  • Experimentation and anonymity highly valued (easy access in opposition with responsibility and security)

  • Students and staff with little or no security training

  • Persistent belief that security & academic freedom are antithetical

EDUCAUSE/NSF Scan of Higher Education IT/Data Environments, August 2002


Don’t forget….

  • Laws

  • Regulations

  • Contracts

  • Other campus policies…


GU’s Policy Development Process
http://www.georgetown.edu/policy/technology/process.htm

  • Articulate a clear, concise rationale for the establishment of the policy or guidelines.

  • Identify the “process or executive sponsor(s).”

  • Establish the working group.

  • Establish a timeline.

  • Determine whether an interim policy or guidelines are needed.

  • Establish the approval process.

  • List all other (potentially) affected policies and guidelines.


GU’s Policy Development Process

  • Good

    • We have a process!

    • Helps with campus-wide issues

    • We don’t have a central policy office

  • Not so good

    • We don’t have a central policy office

    • Harder to coordinate with other policy makers

    • Other units don’t have defined policy processes

    • Lack of common terminology


Cornell University Policy Process

  • Process

    • Impact Statement

    • Executive Policy Review Group

    • Policy Review Group

    • Executive Policy Review Group final

  • Promulgation

  • Education

  • Implementation


Cornell University Policy Process

  • Good

    • Legitimates policy

    • Provides process

    • Harmonizes policy across organization

  • Not so Good

    • Finance centric

    • Limited representation, and buy in

    • Creates more challenges for IT policy


Georgetown’s “Statement”

  • The Georgetown University Information Security Policy (the “Policy”) serves to create an environment that will help protect all members of the Georgetown University community (the “University”) from information security threats that could compromise privacy, productivity, reputation, or intellectual property rights. The Policy recognizes the vital role information plays in the University’s educational, research, operational, and medical advancement missions, and the importance of taking the necessary steps to protect information in all forms. As more information is used and shared by students, faculty and staff, both within and outside the University, a concomitant effort must be made to protect information. The Policy serves to protect information resources from threats from both within and outside of the University by setting forth responsibilities, guidelines, and practices that will help the University prevent, deter, detect, respond to, and recover from compromises to these resources, and to foster an environment of secure dissemination of information.


Cornell’s Statement

Cornell University expects all individuals using information technology devices connected to the network to take appropriate measures to manage the security of those devices.

The university must preserve its information technology resources, comply with applicable laws and regulations, and comply with other university or unit policy regarding protection and preservation of data.

Towards these ends, faculty, staff and students must share in the responsibility of the security of IT devices.


Information Security Policy: Obligations of All Users

  • Georgetown: assigns people into four main groups:

    • Information Service Providers (both central and local)

    • Information Stewards

    • Managers of Users

    • Users

  • Georgetown also defines the role of:

    • University Information Security Officer

    • Local Information Security Personnel

  • Cornell: assigns people into five groups:

    • IT Security Director

    • Unit Heads

    • Security Liaison

    • Local Support Provider

    • Users


Information Security Policy

  • Georgetown:

    • Security Policy applies to all information

    • Data policy in progress

    • Defines

      • classifications of Information

      • Roles

      • Responsibilities

  • Cornell

    • Data explicitly separate from IT security policies

    • Data Stewardship and Custodianship

    • Authentication and Authorization policy does implicate data, but under the rubric of Data policy.


GU’s Information Security Policy

  • Responsibilities:

    • Classifying information

      • Separate policy at Cornell

    • Managing authorization

      • Separate policy at Cornell

    • Backing up information

      • Separate policy at Cornell, and up to the data steward

    • Computer security (passwords, antivirus, software patches, etc.)

    • Incident reporting and record keeping

    • Establishing local security policies and procedures


Cornell Data Stewardship and Custodianship Policy

  • For administrative data

    • Seven functional areas

  • Data stewards required to set policy for their own area

    • No dispute resolution for cross data usage

  • Custodian Prohibitions

    • No changing data

    • No “administrative voyeurism”

    • No resolving IP addresses without authority


Cornell Policy Promulgation

  • Coordination with central policy office

  • Education

    • Forums on each policy, with demonstration of associated software and personnel for procedures

    • List services (mailing lists) to targeted groups: they raise lots of questions and get issues out on the table, especially from people more comfortable expressing themselves and communicating by computer than in a public setting

  • Implementation

    • Always raises new issues, procedures and problems unforeseen in the drafting and promulgation of policy

      • Domain Name as an issue


GU’s efforts to inform users

  • Education

    • What is information security?

    • Why do we need it?

    • What’s in the policy?

    • What does this mean to me?

    • Everyone’s responsibilities

  • Excerpts from our “road show”


What is Information Security?


Why do we need the policy?


What are the goals of the policy?


More on why we need the policy and its goals…


Scare tactics


This one really got them!


Other reasons we need the policy


A bit about…


…a bit more…


While we have their attention…


About the policy itself…


Who’s who


What it’s all about…


Now, we got specific…


Mantra 2004

  • Privacy and Security

  • Security and Privacy

  • Privacy and Security

  • Security and Privacy

    • Equally weighted in regulatory legislation

    • Complement each other

    • Works with everyone in the community, unifies rather than bifurcates.


GU Policy Impact

  • Made HIPAA, GLBA easier

  • Satisfied external and internal auditors

  • Opportunity to educate the community

  • Provides operating framework


CU’s Policy Impact

  • Part of the security program package

    • Director level IT Security for entire university

  • Part of compliance with federal law and regulations

  • Part of IT policy framework

    • Protecting and preserving university interests and assets

    • Balancing security and privacy

  • Part of policy framework

    • Community effort

    • Policy as “citizenship”


Action Agenda

  • Identify Responsibilities and Accountability for Information Security

  • Conduct Institutional Risk Assessments

  • Develop Security Policies, Procedures, and Standards

  • Increase Everyone’s Awareness and Enhance Training


Action Agenda (cont’d)

  • Require Secure Products From Vendors

  • Design, Develop, and Deploy Secure Communication and Information Systems

  • Invest in Staff and Tools

  • Establish Collaboration and Information Sharing Mechanisms


Lessons Learned

  • Cornell

    • Work procedurally and frame conceptually in the context of one’s own environment

  • Georgetown:

    • Make sure you’ve got the right “usual suspects”

    • Take the time to achieve consensus or work through the issues

    • Educate the community


Summary: Crisis begets opportunity

  • Information Security has become a major opportunity at universities for leadership

  • Problems can impact an organization’s reputation, operational responsibilities, and financial health

  • Needs to be a top IT agenda issue

  • Senior university leadership must be aware of the institution’s information security risks

  • University Information Security Policy enables the university to better protect information

  • Creates a sense of community: everyone has responsibility

  • Create an awareness in perpetuity


“Bottom line…”

All users are responsible for protecting information resources to which they have access


Contacts

  • Ardoth Hassler

    • [email protected]

    • security.georgetown.edu

    • Security Officer: Brian Reilly

  • Tracy Mitrano

    • [email protected]

    • http://www.cit.cornell.edu/oit/PolicyOffice.html

    • Security Officer: Steve Schuster


Questions?
