Security policies for institutions of higher education
Security Policies for Institutions of Higher Education. Ardoth A. Hassler, Associate VP for University Information Services, Georgetown University Tracy B. Mitrano, Director of IT Policy and Computer Policy and Law Program, Cornell University. Abstract.
Security Policies for Institutions of Higher Education

Ardoth A. Hassler, Associate VP for University Information Services, Georgetown University

Tracy B. Mitrano, Director of IT Policy and Computer Policy and Law Program, Cornell University


  • Security policies are an important component of an overall security strategy. This presentation will describe the security policies of Georgetown University and Cornell University. It will include a discussion of the policy development process, lessons learned, efforts to inform users, and policy impact.

Higher Ed IT Environments

  • Historically “open” network environments

  • Wide range of hardware and software from outdated to state-of-the-art

  • Increasing demands for distributed computing, distance learning and mobile/wireless capabilities, which create unique security challenges

  • Lack of clearly defined security requirements (what do we need to protect and why)

  • Experimentation and anonymity highly valued (easy access in opposition with responsibility and security)

  • Students and staff with little or no security training

  • Persistent belief that security & academic freedom are antithetical

EDUCAUSE/NSF Scan of Higher Education IT/Data Environments, August 2002

Don’t forget….

  • Laws

  • Regulations

  • Contracts

  • Other campus policies…

GU’s Policy Development Process
http://www.georgetown.edu/policy/technology/process.htm

  • Articulate a clear, concise rationale for the establishment of the policy or guidelines.

  • Identify the “process or executive sponsor(s).”

  • Establish the working group.

  • Establish a timeline.

  • Determine whether an interim policy or guidelines are needed.

  • Establish the approval process.

  • List all other (potentially) affected policies and guidelines.

GU’s Policy Development Process

  • Good

    • We have a process!

    • Helps with campus-wide issues

    • We don’t have a central policy office

  • Not so good

    • We don’t have a central policy office

    • Harder to coordinate with other policy makers

    • Other units don’t have defined policy processes

    • Lack of common terminology

Cornell University Policy Process

  • Process

    • Impact Statement

    • Executive Policy Review Group

    • Policy Review Group

    • Executive Policy Review Group final

  • Promulgation

  • Education

  • Implementation

Cornell University Policy Process

  • Good

    • Legitimates policy

    • Provides process

    • Harmonizes policy across organization

  • Not so Good

    • Finance-centric

    • Limited representation and buy-in

    • Creates more challenges for IT policy

Georgetown’s “Statement”

  • The Georgetown University Information Security Policy (the “Policy”) serves to create an environment that will help protect all members of the Georgetown University community (the “University”) from information security threats that could compromise privacy, productivity, reputation, or intellectual property rights. The Policy recognizes the vital role information plays in the University’s educational, research, operational, and medical advancement missions, and the importance of taking the necessary steps to protect information in all forms. As more information is used and shared by students, faculty and staff, both within and outside the University, a concomitant effort must be made to protect information. The Policy serves to protect information resources from threats from both within and outside of the University by setting forth responsibilities, guidelines, and practices that will help the University prevent, deter, detect, respond to, and recover from compromises to these resources, and to foster an environment of secure dissemination of information.

Cornell’s Statement

Cornell University expects all individuals using information technology devices connected to the network to take appropriate measures to manage the security of those devices.

The university must preserve its information technology resources, comply with applicable laws and regulations, and comply with other university or unit policy regarding protection and preservation of data.

Towards these ends, faculty, staff and students must share in the responsibility of the security of IT devices.

Information Security Policy: Obligations of All Users

  • Georgetown: assigns people into four main groups:

    • Information Service Providers

      • Both central and local

    • Information Stewards

    • Managers of Users

  • Defines the role of:

    • University Information Security Officer

    • Local Information Security Personnel

  • Cornell: assigns people into five groups:

    • IT Security Director

    • Unit Heads

    • Security Liaison

    • Local Support Provider

Information Security Policy

  • Georgetown:

    • Security Policy applies to all information

    • Data policy in progress

    • Defines

      • classifications of Information

      • Roles

      • Responsibilities

  • Cornell

    • Data explicitly separate from IT security policies

    • Data Stewardship and Custodianship

    • Authentication and Authorization policy does implicate data, but under the rubric of Data policy.

GU’s Information Security Policy

  • Responsibilities:

    • Classifying information

      • Separate policy at Cornell

    • Managing authorization

      • Separate policy at Cornell

    • Backing up information

      • Separate policy at Cornell, and up to the data steward

    • Computer security (passwords, antivirus, software patches, etc.)

    • Incident reporting and record keeping

    • Establishing local security policies and procedures

Cornell Data Stewardship and Custodianship Policy

  • For administrative data

    • Seven functional areas

  • Data stewards required to set policy for their own area

    • No dispute resolution for cross data usage

  • Custodian Prohibitions

    • No changing data

    • No “administrative voyeurism”

    • No resolving IP addresses without authority

Cornell Policy Promulgation

  • Coordination with central policy office

  • Education

    • Forums on each policy, with demonstration of associated software and personnel for procedures

    • List services to targeted groups: these raise lots of questions and get issues out on the table, especially for people more comfortable expressing themselves and communicating by computer than in a public setting

  • Implementation

    • Always raises new issues, procedures and problems unforeseen in the drafting and promulgation of policy

      • Domain Name as an issue

GU’s efforts to inform users

  • Education

    • What is information security?

    • Why do we need it?

    • What’s in the policy?

    • What does this mean to me?

    • Everyone’s responsibilities

  • Excerpts from our “road show”

Mantra 2004

  • Privacy and Security

  • Security and Privacy

  • Privacy and Security

  • Security and Privacy

    • Equally weighted in regulatory legislation

    • Complement each other

    • Works with everyone in the community, unifies rather than bifurcates.

GU Policy Impact

  • Made HIPAA, GLBA easier

  • Satisfied external and internal auditors

  • Opportunity to educate the community

  • Provides operating framework

CU’s Policy Impact

  • Part of the security program package

    • Director-level IT Security for the entire university

  • Part of compliance with federal law and regulations

  • Part of IT policy framework

    • Protecting and preserving university interests and assets

    • Balancing security and privacy

  • Part of policy framework

    • Community effort

    • Policy as “citizenship”

Action Agenda

  • Identify Responsibilities and Accountability for Information Security

  • Conduct Institutional Risk Assessments

  • Develop Security Policies, Procedures, and Standards

  • Increase Everyone’s Awareness and Enhance Training

Action Agenda (cont’d)

  • Require Secure Products From Vendors

  • Design, Develop, and Deploy Secure Communication and Information Systems

  • Invest in Staff and Tools

  • Establish Collaboration and Information Sharing Mechanisms

Lessons Learned

  • Cornell

    • Work procedurally and frame conceptually in the context of one’s own environment

  • Georgetown:

    • Make sure you’ve got the right “usual suspects”

    • Take the time to achieve consensus or work through the issues

    • Educate the community

Summary: Crisis begets opportunity

  • Information Security has become a major opportunity at universities for leadership

  • Problems can impact an organization’s reputation, operational responsibilities, and financial health

  • Needs to be a top IT agenda issue

  • Senior University leadership must be aware of the information security risks the university faces

  • University Information Security Policy enables the university to better protect information

  • Creates a sense of community: everyone has responsibility

  • Create an awareness in perpetuity

“Bottom line…”

All users are responsible for protecting information resources to which they have access


  • Ardoth Hassler

    • Security Officer: Brian Reilly

  • Tracy Mitrano

    • Security Officer: Steve Schuster