Security Policy Development for College of IT
Rich Larsen, UNC-Charlotte College of IT, Information Security Administrator
rlarsen@uncc.edu, x4566
Security Policy Framework
• Policies define “appropriate behavior”
• Policies set the stage for developing procedures and standards
• Policies communicate a consensus
• Policies provide a basis for action in response to inappropriate behavior
• Policies assist in prosecution of cases
Who should be concerned?
• Users: policies impact them the most
• Tech Support staff: they are required to implement, comply with and support policy
• Management: concerned with the cost associated with implementing the policy
• Lawyers/Auditors: they are concerned with the impact on the organization’s reputation as a result of an “incident”
Security Policy Design Best Practices (from SANS Institute)
• A cross-section of people affected by the policy should have an opportunity to review and comment
• Tech Support staff should be involved in development and should review policy
• Policies should be discussed as part of the orientation process and should be posted in accessible locations (e.g., Intranet)
• Provide refresher training on policies periodically
Security Policy Requirements
• Policies must:
  • Be enforceable and feasible to implement
  • Be concise and understandable
  • Balance protection with productivity
• Policies should:
  • Clearly state the policy’s purpose
  • Describe the scope of the policy
  • Define roles and responsibilities
  • Discuss how violations will be handled
  • Provide a basis for audit
Security Policy Structure
• Depends on the size of the organization and its mission
• Some policies are appropriate for all types of organizations; others are specific to a particular environment
• Some key policies for all organizations:
  • Acceptable use
  • Remote access
  • Network security/perimeter security
COIT Policy Framework Development
• Plan to use the ISO 17799 standard, which is considered the current industry standard
• Work in conjunction with ITS to ensure no conflicts
• Proposed policies will be reviewed by the COIT Task Force on Information Security and Privacy before being submitted to all faculty
• Standards/procedures will be discussed by the COIT Task Force but will not be submitted to all faculty
• “Top-down” approach
Proposed Research Lab Security Policy
• COIT research labs are the greatest potential security risks
• The nature of research requires experimentation, formulation and testing
• A security incident in a COIT lab could have a detrimental effect on external funding and the reputation of the college
• Balancing act
Proposed Research Lab Security Policy
• Roles:
  • Lab Director/Manager
  • Lab Administrator
  • Primary User
• Managed vs. unmanaged computers
• Each “network-capable device” is associated with a primary user (single point of accountability)
• The user is accountable for security issues occurring on their assigned device(s) as a result of willful disregard of policy and/or negligence
• Labs cannot host “production” IT services
Proposed Anti-virus Policy
• All Windows and Macintosh-based computers are required to have approved anti-virus software loaded at all times
• This includes laptops/home computers which are used for remote access to campus
• Users are required to check for updates daily (or to set automatic updates to run daily)
• UNIX/Linux-based computers are exempt
COIT Tech Update
• Streaming Media/E-LAT
• WebCT Upgrade
• COIT Modem Bank
• Reminder: ITS Migration Presentation/Demo tomorrow 9-12 in 125 Atkins