Network Planning Task Force Information Security Strategy
NPTF FY ’07 Members
• Mary Alice Annecharico / Rod MacNeil, SOM
• Robin Beck, ISC
• Chris Bradie / Dave Carrol, Business Services
• Cathy DiBonaventura, School of Design
• Geoff Filinuk, ISC
• John Keane / Grover McKenzie, Library
• John Irwin, GSE
• Marilyn Jost, ISC
• Deke Kassabian / Melissa Muth, ISC
• Doug Berger / Manuel Pena, Housing and Conference Services
• Mike Weaver, Budget Mgmt. Analysis
• Dominic Pasqualino, OAC
• James Kaylor, CCEB
• Helen Anderson, SEAS
• Kayann McDonnell, Law
• Donna Milici, Nursing
• Dave Millar, ISC
• Michael Palladino, ISC (Chair)
• Jeff Fahnoe, Dental
• Mary Spada, VPUL
• Marilyn Spicer, College Houses
• Steve Stines / Joseph Shannon, Div. of Finance
• Ira Winston, SEAS, SAS, School of Design
• Mark Aseltine / Mike Lazenka, ISC
• Ken McCardle, Vet School
• Brian Doherty, SAS
• Richard Cardona, Annenberg
• Deirdre Woods / Bob Zarazowski, Wharton
Meeting Schedule – FY ‘07
• Meetings 1:30-3:00pm, 3401 Walnut Street
• Fall Meetings / Process
  • Intake and Current Status Review – August 21
  • Agenda Setting & Focus Group Planning – September 18
  • Strategy Discussions – October 2
  • Security Strategy Discussions – October 16 (357A)
  • Strategy Discussions – October 30
  • Prioritization – November 6
  • Focus Group Feedback – November 20
  • Rate Setting – December 04
Security Feedback from 8/21
• Review of what we are currently doing, where we are going, and the policy impact on LSPs.
• Review of each step and our response/procedures, including prevention, detection, escalation, impact of incidents, and forensics.
• Connecting the appropriate people: having a local security provider and a privacy/security liaison.
• A need for low-probability / high-catastrophe case studies with a playbook-type response (business continuity type tabletop exercises). Brown bag lunch?
• Encryption
• Scan and Block
FY07 Information Security Initiatives
• Achieve full Payment Card Industry standards compliance
• Scan and Block available for implementation in 5 or more University areas
• SPIA
  • Complete Early Adopters project
  • Implement Risk Management and Reporting
• Pilot Campus Authorization Service
• Evaluate Security Incident Tracking and Management
• LSP Security Certification
• 2007 SANS Windows Security Class
Encryption
• Pros
  • Disk and file-system encryption is now widely available within the operating systems of all supported platforms.
  • Offers considerable protection from some of our most likely threats, such as theft of portable computing devices, if used in conjunction with other methods.
• Cons
  • Associated support cost and limited pilot experience.
  • Risk of total data loss if encryption keys are lost; requires backup of the encryption keys.
  • Will require additional spending on storage.
  • Not widely available as a standard option in common PDAs.
Personal Computing Device Security
• Scope: Laptops, PDAs, Blackberries, Treos, USB storage, iPods, etc.
• Background/Issues
  • Specifically included in the “risk assessment” section of the proposed critical host policy.
  • PDAs are not as mature a market as desktops/laptops with respect to security. Solutions are many and varied. No silver bullets: lots of point solutions for many and varied devices. Sometimes security can be achieved with configuration changes, but sometimes it requires 3rd-party products.
  • Personal ownership and shared family use at home complicate matters.
Possible Personal Computing Device Security Strategy
• Short-term
  • Require basic protections such as encryption, strong passwords, anti-virus (where available), and best-practice configuration.
• Long-term
  • Preference to keep confidential data off of personal computing devices.
  • Otherwise, a waiver is required with compensating controls.
  • Provide secure remote access to secure, decentralized servers.
    • May require broad use of virtual private networks or a comparable feature.
  • Standards apply irrespective of ownership.
  • Devices are for the exclusive use of the employee.