
New and Upcoming IT Security Policies at K-State

New and Upcoming IT Security Policies at K-State. Harvard Townsend Chief Information Security Officer harv@ksu.edu Jan. 16, 2009. Agenda. Why so many policies now?!? IT security incident reporting and response Data classification and security Media sanitization and disposal


Presentation Transcript


  1. New and Upcoming IT Security Policies at K-State
     Harvard Townsend, Chief Information Security Officer, harv@ksu.edu
     Jan. 16, 2009

  2. Agenda
     • Why so many policies now?!?
     • IT security incident reporting and response
     • Data classification and security
     • Media sanitization and disposal
     • Physical security
     • Others planned for the spring
     • State policy on security awareness and training
     • New IT security threats blog

  3. Why so many policies?!?
     • SSN breaches last year
     • Data classification in the works for four years
     • State media sanitization and disposal policy
     • Follow-up security audit by the state
     • More resources allocated to security and policy writing
     • Growing, evolving threats
     • Policies, procedures, standards, guidelines important in a distributed, open environment

  4. IT Security Incident Reporting and Response Policy
     • Approved by IRMC in November, final approval by CEC last week
     • Gist of the policy is that any incident or suspected incident must be reported to the CISO, especially incidents involving confidential data
     • Defines severity of incident and who must be notified
     • Also has extensive procedures associated with the policy

  5. Incident Categories
     • Defined in the procedures:
       • Confidential personal identity data exposure
       • Criminal activity/investigation
       • Denial of Service
       • DMCA violation
       • Malicious code activity
       • Policy violation
       • Reconnaissance activity
       • Rogue server or service
       • Spam source
       • Spear phishing
       • Unauthorized access
       • Un-patched vulnerability
       • Web/BBS defacement
       • No Incident

  6. Data Classification and Security Policy
     • Four years in the works
     • Passed IRMC Dec. 18, 2008
     • Currently being reviewed by Faculty Senate, Dean’s Council
     • CEC approval expected January 2009

  7. Policy “All University Data must be classified according to the K-State Data Classification Schema and protected according to K-State Data Security Standards. This policy applies to data in all formats or media. The Vice Provost for Information Technology Services or designee must approve any exception to this policy. The Chief Information Security Officer must approve any exceptions to the Data Security Standards.”

  8. Data Classification Schema
     • Public
       • Public web sites
       • Course catalog and semester course schedule
       • Extension publications
       • Press releases
     • Internal
       • Departmental intranet
       • Budget data
       • Purchase orders
       • Student education records
       • Transaction logs

  9. Data Classification Schema
     • Confidential
       • SSNs, credit card info
       • Personal identity information
       • Personnel records, medical records
       • Authentication tokens (passwords, biometrics, personal digital certificates)
     • Proprietary
       • “Data provided to or created by K-State on behalf of a third party”
       • Fed data – Classified National Security Information

  10. Data Security Standards
     • Access Controls
     • Copying/Printing
     • Network Security
     • System Security
     • Virtual Environments
     • Physical Security
     • Remote Access
     • Storage
     • Transmission
     • Backup/DR
     • Media Sanitization
     • Training
     • Audit Schedule

  11. Effective Dates
     • Dec. 18, 2008 – passed IRMC
     • January 2009 – expected approval from CEC
     • Effective immediately, all new systems being designed and implemented must comply
     • January 1, 2010 – data stewards have a compliance plan for all systems with confidential data

  12. What does this mean for you?
     • Know your data and where it is
     • Focus on confidential data first
     • SSN awareness campaign this spring
     • New “Spider” tool will help with discovery
     • Whole disk encryption on laptops
     • Shred those old course rosters
     • Develop plans for compliance

  13. Media Sanitization and Disposal Policy
     • Draft presented to IRMC Dec. 18, 2008; 2nd draft will be discussed Jan. 22
     • Based on state policy that mandates we have a policy
     • Driven by audit of state surplus equipment
       • Sampled 15 computers
       • Recovered files from 10
       • 7 contained confidential info (SSNs, Medicaid info, passwords)
     • Also best practice, common sense

  14. Media Sanitization and Disposal Policy
     • Modeled after federal guidelines
       • NIST SP 800-88 “Guidelines for Media Sanitization”
     • Internal re-use: purge data with 3 passes before reformat/reinstall
     • Leaving the university: destroy the hard drive (still open for debate)
     • NIST SP 800-88 has guidelines for all media types, including paper

  15. What Should You Do Now?
     • Internal re-use? Overwrite ALL data on the hard drive with 3 passes before reformat/reinstall
     • If disposing of computers, purge ALL data, remove the hard drive and give it to Facilities recycling. They have a contractor who destroys them for free
     • Get a micro-cut cross-cut shredder that also does CDs, DVDs
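Slides 14 and 15 describe the purge step as a 3-pass overwrite before reformat/reinstall. The script below is an added example, not part of the presentation or of K-State's procedures: it runs the three passes over a file-backed disk image and then reads the image back to verify the overwrite, the verification step NIST SP 800-88 calls for. It assumes a POSIX shell with head, tr, grep and wc; the image path and the "SSN 123-45-6789" marker are constructed test values.

```shell
#!/bin/sh
# Added example (not from the presentation): 3-pass overwrite of a file-backed
# disk image plus a read-back verification. Assumes POSIX sh with head, tr,
# grep and wc. All paths and the marker string are constructed test values.

# make_test_image IMG MARKER: build a small image that holds a confidential
# marker string followed by 64 KiB of random filler, standing in for a drive.
make_test_image() {
    img=$1; marker=$2
    { printf '%s' "$marker"; head -c 65536 /dev/urandom; } > "$img"
}

# overwrite_3pass IMG: two passes of random data, then a final pass of zeros,
# each pass covering every byte of the image. The size is captured first so
# the passes never shrink or grow the image.
overwrite_3pass() {
    img=$1
    size=$(wc -c < "$img" | tr -d ' ')
    pass=1
    while [ "$pass" -le 2 ]; do
        head -c "$size" /dev/urandom > "$img"
        pass=$((pass + 1))
    done
    head -c "$size" /dev/zero > "$img"
}

# verify_sanitized IMG MARKER: the check a purge needs before re-use or
# disposal. Fails if the marker is still readable or if any non-zero byte
# survived the final zero pass. Returns 0 only when both checks pass.
verify_sanitized() {
    img=$1; marker=$2
    if grep -a -q -F -- "$marker" "$img"; then
        echo "FAIL: '$marker' is still recoverable from $img" >&2
        return 1
    fi
    nonzero=$(tr -d '\000' < "$img" | wc -c | tr -d ' ')
    if [ "$nonzero" -ne 0 ]; then
        echo "FAIL: $nonzero non-zero bytes remain in $img" >&2
        return 1
    fi
    echo "OK: $img verified sanitized ($(wc -c < "$img" | tr -d ' ') bytes)"
}
```

On a regular file the filesystem may allocate fresh blocks for each pass, so this exercises the logic only; on real hardware the passes must target the block device itself, and NIST SP 800-88 Rev. 1 notes that overwriting is not a reliable purge for flash/SSD media, where the drive's own sanitize or crypto-erase command is the appropriate method.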

  16. Other policies this spring
     • Driven by the follow-up audit to the IT security audit performed by the state in 2005
     • Still have 18 areas where we have inadequate or no policy
     • Will provide drafts to IRMC each month, starting with physical security

  17. Physical Security Policy
     • Prevent theft, damage, unauthorized access
     • Locks on network wiring closets/cabinets (already have this policy)
     • Keep office doors locked after hours
     • Store laptops and other portable devices securely when unattended
     • UPSes on all critical equipment

  18. Other Policies From the Audit
     • Access Controls, welcome banner on login screen (Feb.)
     • System Development (Mar.)
     • Security Management (Apr.)
     • Operations (May)
     • We have to report on May 1, Sep. 1, Jan. 1 2010; full compliance by Jan. 2010

  19. New State Policy on Security Awareness and Training
     • Passed state IT Security Council (ITSEC) in the fall
     • Expected to pass ITEC in January
     • “Every state employee, contractor or other third parties shall receive annual training” in IT security
     • ITSEC specifies requirements
     • Have to “implement processes to monitor and track attendance at IT security training”

  20. New State Policy on Security Awareness and Training
     • ITSEC specifies requirements
     • Have to “implement processes to monitor and track attendance at IT security training”
     • Requires IT security training as part of new employee orientation
     • Document users’ acceptance of agency security policies after receiving IT security training
     • All these are good… but challenging in our environment and un-funded

  21. Future Policies
     • Finish what the audit started so we have comprehensive IT security policies
     • Take current disparate policies and reorganize them, with these new policies, into a structure based on the ISO standard and EDUCAUSE guidelines
     • 12 sections:

  22. Future Policy Categories
     • Security policy (Intro)
     • Organizational security
     • Asset classification
     • Personnel security
     • Physical and environmental security
     • Communications and operations management
     • Access control
     • System development and maintenance
     • Business continuity management
     • Compliance
     • Incident management
     • Security plans

  23. Challenges
     • Implementing the data classification policy is ominous and potentially very expensive at a time of serious budget challenges
     • Media sanitization is a challenge for departments w/o IT support staff
     • Balancing security best practices with the practical realities of K-State’s culture, distributed IT environment, and budget limitations
     • Unfunded mandates like the security awareness and training policy

  24. New Threats Blog
     • Post info on current threats, such as vulnerabilities and patches, malware, attacks, etc.
     • View the blog, receive notices via email, or subscribe via RSS
     • http://threats.itsecurity.k-state.edu
     • For email, subscribe to the sirt-threats LISTSERV mailing list

  25. What’s on your mind?

  26. Approval Process
     • IT security team drafts policy with SIRT input
     • IRMC reviews draft, with Faculty Senate input
     • IRMC votes to recommend adoption of the policy to the Vice Provost for IT Services
     • VP-ITS distributes to Faculty Senate, Dean’s Council for review, signature
     • Final approval by Computing Executive Committee
     • Publish in PPM
