
The WVU Information Security Program ~~~~~~~~~~ If You Build It, They Will Use It

The WVU Information Security Program ~~~~~~~~~~ If You Build It, They Will Use It. Introductions. Sue Ann Lipinski Management Auditor, Internal Audit Tim Marton Director, Information Systems Mark Six Manager, Systems Administration. Abstract.



Presentation Transcript


  1. The WVU Information Security Program ~~~~~~~~~~ If You Build It, They Will Use It
     Educause/Internet2 Security Professionals Workshop

  2. Introductions
     • Sue Ann Lipinski, Management Auditor, Internal Audit
     • Tim Marton, Director, Information Systems
     • Mark Six, Manager, Systems Administration

  3. Abstract
     WVU is building an institution-wide information security program to ensure the continued confidentiality, integrity & availability of mission-critical information resources. This presentation discusses our incremental implementation approach, including the development of policies / standards / procedures, as well as efforts to include this program in current & future information-related activities & projects.

  4. Some WVU Facts
     • Founded in 1867 in Morgantown, WV
     • Land Grant Institution
     • 13 colleges & schools, offering 170 bachelor’s, master’s, doctoral & professional degree programs
     • Medical Center
     • Doctoral Research Extensive Classification
     • Spread over 3 Morgantown & 3 regional campuses
     • Enrollment of approximately 31,800
     • Faculty/Staff of 6,487

  5. Agenda
     • Evolution of WVU’s Program
     • Insight into Current Program
     • Where Are We Going Next
     • Words to the Wise

  6. Evolution of WVU’s Program
     • Drivers – Internal & External
     • Champions Promoted, Promoted, Promoted …
     • Defined Information Security for WVU
     • Developed / Updated Policies / Standards – On-going
     • Identified Information Security Program Elements

  7. Why? Why Now?
     • Internal Drivers
       • Recognized Need to Protect Information Resources
       • Impact of an Incident
     • External Drivers
       • Gramm-Leach-Bliley Act (GLB)
       • Health Insurance Portability & Accountability Act (HIPAA)
       • Family Educational Rights & Privacy Act (FERPA)
       • The Privacy Act
       • West Virginia Code 18-2-5f – Use of Student SSNs
     • Demonstrate Due Diligence
     • Higher Education in the Headlines

  8. WVU’s Security Policy
     • Information Resources as Vital Assets
     • Definition / Purpose of Information Security
     • Elements of WVU’s Program
     • Structure, Composition & Responsibilities

  9. WVU Information Resources
     • WVU relies on numerous, diverse information resources to support the mission-critical operations of administration, education, research & service.
     • If these information resources were unavailable, unreliable or disclosed in an inappropriate manner, the University could suffer damage to its reputation & incur serious financial & operational losses.
     • Accordingly, WVU acknowledges that information resources are vital assets requiring protection commensurate with their value.

  10. Definition & Purpose
     • The protection of information resources from unauthorized access, modification, destruction or harm
     • The establishment of controls & measures to minimize the risk of loss or damage to information resources
     • Inform users (students, staff and faculty) of essential requirements for protecting various assets, including people, hardware, software resources & data assets
     • Provide a baseline from which to acquire, configure & audit computer systems & networks for compliance with the policy

  11. Three Tenets
     • Confidentiality … addresses the protection of private, sensitive or trusted information resources from unauthorized access or disclosure
     • Integrity … refers to the accuracy, completeness & consistency of information resources
     • Availability … ensures reliable & timely access to information resources by appropriate personnel

  12. Elements of WVU’s Program
     • Defined Structure w/ Central Point of Coordination
     • Risk Assessment & Management
     • Policies & Standards / Policy Management
     • Communication & Education
     • Compliance
     • Reporting & Enforcement
     • Procurement Oversight for Service Providers
     • Security-related Projects

  13. Structure

  14. Composition
     • Reports to cabinet level authority
     • Member of AAIMS Executive Committee
     • Chairs the Information Security Council

  15. Responsibilities
     • Risk management
     • Policies & standards
     • Communicate & educate
     • Compliance
     • Report & enforce
     • Service provider oversight
     • Security-related projects

  16. Composition
     Chaired by the Provost Office; includes a VP (or Director) from:
     • Academic Affairs
     • Finance & Administration
     • Health Sciences
     • Human Resources
     • Information Technology
     • Internal Audit
     • Library
     • Student Affairs

  17. Responsibilities
     • Sponsor the Information Security Program
     • Establish an Information Security Environment
     • Coordinate access to necessary support

  18. Composition
     Chaired by the ISO; includes Information Security Representatives from the administration, faculty & staff, with support from:
     • Internal Audit
     • IT Specialists
     • Legal Counsel
     • Purchasing

  19. ISC Charter
     • Serve as senior management sponsors of the WVU Information Security Program
     • Provide management & coordination of a University-wide information security program
     • Review & revise information security policies, standards and procedures
     • Establish & maintain a comprehensive risk management program
     • Establish & maintain an information security compliance program
     • Recommend & sponsor information security awareness, communication & education programs
     • Provide a forum to discuss & assess pending regulations & requirements
     • Perform periodic reviews of information security incidents / violations
     • Govern contractual relationships with vendors, consultants & other 3rd parties

  20. Composition/Responsibilities
     Composition: Senior level University officials
     Responsibilities:
     • Assist development of data definitions
     • Assign data elements to categories
     • Provide framework for classifying data
     • Authorize access to information resources
     • Implement controls to secure resources

  21. Composition/Responsibilities
     Composition: Representatives of:
     • Each major application/system
     • Each academic college
     • Each business unit
     • Primary units of IT
     Responsibilities:
     • Disseminate policy
     • Assist in detection / reporting of violations
     • Departmental point-of-contact

  22. Composition/Responsibilities
     Composition: Any user authorized to access data and/or systems
     Responsibilities:
     • Protect information resources per 3 tenets
     • Use information responsibly / appropriately
     • Comply with policy

  23. Composition
     Independent, objective appraisal function reporting to the WVU President’s Office & the Board of Governors’ Audit Committee

  24. Responsibilities
     Assist WVU administration in the effective implementation of internal controls:
       • Safeguarding of University assets
       • Integrity & reliability of information systems & related resources
       • Compliance with University, State & Federal regulations
       • Effective & efficient use & management of University resources
       • Accomplishment of University goals
     • Risk assessment
     • Evaluation of controls
     • Determine compliance with regulations, policy, etc.
     • Issue recommendations

  25. Risk Management
     • Identify & Classify Resources
     • Identify Threats & Vulnerabilities
     • Determine & Prioritize Risks
     • Determine Response:
       • Prevent, Mitigate or Accept
     • Risk Assessment:
       • Periodic: ISO & ISC
       • Independent: Internal Audit

  26. Policies/Standards
     • Policies: contain senior management directives to create an information security program, establish its goals & measures, & assign responsibilities; define an organization’s information security philosophy
     • Standards: mandatory activities, rules, measures of minimal performance or achievement, designed to provide support & structure; intended for universal application throughout the organization; used to implement the general policies

  27. Policies/Standards (cont’d)
     • Recently Developed / Updated
       • Acceptable (Appropriate) Use
       • Anti-Spam, Anti-Virus
       • Data Center Access
       • e-Commerce Management
       • Electronic Mail
       • End-User Accountability
       • Network Security
     • Under Development
       • Data Ownership / Classification / Security
       • Security Awareness / Education
       • Security Incident Reporting / Response

  28. Policy Management
     • Posted on the ISO Web Site
     • Formal Protocol for Policy Evolution
     • Policy Waivers

  29. Communication & Education
     • Student, Faculty & Employee Orientation
     • e-News – Tips for the Day
     • Web Site
       • Simple but informative
       • Intranet version debuted April 2004
       • Internet version @ http://oit.wvu.edu/iso
     • Posters
     • Classes and/or Mini-Workshops – Planning

  30. (slide contains no transcribed text)

  31. Compliance Program
     • Measures to Prevent & Detect
     • Response to Compromise or Violations
     • Continually Evaluate Regulations, Policies & Standards
     • ISC plus Management, Providers & Users
     • Internal Audit
       • Critical role in evaluation of compliance & recommendation of measures to help ensure compliance

  32. Reporting & Enforcement
     • Vanity e-Mail Account
       • Information_Security@mail.wvu.edu
       • For submitting “general” inquiries or reporting potential violations or concerns
     • Developing Formal Reporting / Response Protocol
       • Information Security Liaisons
       • ISC “Action Team”
         • Forerunner to an incident response team
     • Consequences for Non-compliance

  33. Procurement Oversight
     • Service Providers Held to Same Standard as Staff
     • Confidential Information [Contract] Addendum
       • Definitions of covered data & information
       • Acknowledgement of required access
       • Safeguard standards
       • Reporting
     • Audit Standards for Service Provider Contracts

  34. Security-related Efforts
     • Business Continuity Plan
       • Disaster Recovery Plan – In Place
       • Business Resumption Plan – In Planning
     • e-Commerce Review Committee
     • Ethics & Confidentiality Notice / Certification
       • University-wide coverage – Replacement under Review
       • Departmental / project specific – Some in Place
     • SSN Replacement
     • Identity Management / Central Authentication

  35. ID Management Project
     • Charter … to define and/or recommend a central (i.e., University-wide) identity management and authentication solution
     • Multi-Phase Project
       • Phase I – Unique ID [WVUID]
         • Completed
       • Phase II – ID Management
         • Proof of Concept – Completed
         • Tool Kit – Plan under Review (1/31/05 completion date)
       • Phase III – Central Authentication
         • Campus-wide wireless access

  36. Project Pyramid

  37. WVU-ID “ToolKit”

  38. Uniqueness Elements

  39. Where Are We Going Next
     • Establish the Information Security Office(r)
     • Develop Risk Assessment “Plan of Attack”
       • Job of the Information Security Council
       • Initial Focus on Electronic Resources
       • Risk Assessment Algorithms
       • Classify Information Resources
     • Continue to Address the Use of SSN at WVU
     • Complete the ID Management / Authentication Project
     • Continue to Spread the Word
     • Continue to Review Current Policies / Procedures
     • Implement Compliance, Reporting & Enforcement

  40. A Word To The Wise
     • Terminology
       • Information Security vs. Computer Security
     • Cost & Benefits
       • Determine risk algorithms early in the process
     • Consider Current Security Environment
       • Whenever possible, use existing elements
       • Can have reasonable plan by connecting dots

  41. A Word To The Wise (cont’d)
     • If Policy is Too Relaxed or Non-Existent
       • Little or no enforcement
     • If Policy is Too Strict
       • Nobody pays attention to it (“hope I don’t get caught!”)
       • Too complicated, too cumbersome
     • Flexibility / Adaptability is Key
       • Should be independent of specific HW/SW
       • Policy update mechanisms should be clearly spelled out

  42. Resource Examples
     • Federal / State laws, regulations, statutes
     • WV State Information Security Policy Guidelines
     • Other Colleges & Universities
     • “Information Security Policies Made Easy” by Charles Wood
     • Information Systems Audit & Control Association (ISACA)
     • CERT, NIST, NSA, SANS, …

  43. Never-Ending Cycle
     • Risk Assessment
     • Policies / Standards / Procedures – Update / Create
     • Management: Compliance, Reporting, Enforcement
     • Education, Communications & Awareness Programs

  44. Questions and/or Comments

  45. Contacts
     • http://oit.wvu.edu/iso
     • Information_Security@mail.wvu.edu
     • SueAnn.Lipinski@mail.wvu.edu
     • RTMarton@mail.wvu.edu
     • Mark.Six@mail.wvu.edu