Security Policies for Institutions of Higher Education

Ardoth A. Hassler, Associate VP for University Information Services, Georgetown University; Tracy B. Mitrano, Director of IT Policy and Computer Policy and Law Program, Cornell University.


Presentation Transcript


  1. Security Policies for Institutions of Higher Education • Ardoth A. Hassler, Associate VP for University Information Services, Georgetown University • Tracy B. Mitrano, Director of IT Policy and Computer Policy and Law Program, Cornell University

  2. Abstract • Security policies are an important component of an overall security strategy. This presentation will describe the security policies of Georgetown University and Cornell University. It will include a discussion of the policy development process, lessons learned, efforts to inform users, and policy impact.

  3. Higher Ed IT Environments • Historically “open” network environments • Wide range of hardware and software from outdated to state-of-the-art • Increasing demands for distributed computing, distance learning and mobile/wireless capabilities which create unique security challenges • Lack of clearly defined security requirements (what do we need to protect and why) • Experimentation and anonymity highly valued (easy access in opposition with responsibility and security) • Students and staff with little or no security training • Persistent belief that security & academic freedom are antithetical (Source: EDUCAUSE/NSF Scan of Higher Education IT/Data Environments, August 2002)

  4. Don’t forget…. • Laws • Regulations • Contracts • Other campus policies…

  5. GU’s Policy Development Process (http://www.georgetown.edu/policy/technology/process.htm) • Articulate a clear, concise rationale for the establishment of the policy or guidelines. • Identify the “process or executive sponsor(s).” • Establish the working group. • Establish a timeline. • Determine whether an interim policy or guidelines are needed. • Establish the approval process. • List all other (potentially) affected policies and guidelines.

  6. GU’s Policy Development Process • Good • We have a process! • Helps with campus-wide issues • We don’t have a central policy office • Not so good • We don’t have a central policy office • Harder to coordinate with other policy makers • Other units don’t have defined policy processes • Lack of common terminology

  7. Cornell University Policy Process • Process • Impact Statement • Executive Policy Review Group • Policy Review Group • Executive Policy Review Group final • Promulgation • Education • Implementation

  8. Cornell University Policy Process • Good • Legitimates policy • Provides process • Harmonizes policy across organization • Not so good • Finance-centric • Limited representation and buy-in • Creates more challenges for IT policy

  9. Georgetown’s “Statement” • The Georgetown University Information Security Policy (the “Policy”) serves to create an environment that will help protect all members of the Georgetown University community (the “University”) from information security threats that could compromise privacy, productivity, reputation, or intellectual property rights. The Policy recognizes the vital role information plays in the University’s educational, research, operational, and medical advancement missions, and the importance of taking the necessary steps to protect information in all forms. As more information is used and shared by students, faculty and staff, both within and outside the University, a concomitant effort must be made to protect information. The Policy serves to protect information resources from threats from both within and outside of the University by setting forth responsibilities, guidelines, and practices that will help the University prevent, deter, detect, respond to, and recover from compromises to these resources, and to foster an environment of secure dissemination of information.

  10. Cornell’s Statement • Cornell University expects all individuals using information technology devices connected to the network to take appropriate measures to manage the security of those devices. The university must preserve its information technology resources, comply with applicable laws and regulations, and comply with other university or unit policy regarding protection and preservation of data. Towards these ends, faculty, staff and students must share in the responsibility of the security of IT devices.

  11. Information Security Policy: Obligations of All Users • Georgetown: assigns people into four main groups: • Information Service Providers (both central and local) • Information Stewards • Managers of Users • Users • Defines role of: • University Information Security Officer • Local Information Security Personnel • Cornell: assigns people into five groups: • IT Security Director • Unit Heads • Security Liaison • Local Support Provider • Users

  12. Information Security Policy • Georgetown: • Security Policy applies to all information • Data policy in progress • Defines • classifications of Information • Roles • Responsibilities • Cornell • Data explicitly separate from IT security policies • Data Stewardship and Custodianship • Authentication and Authorization policy does implicate data, but under the rubric of Data policy.

  13. GU’s Information Security Policy • Responsibilities: • Classifying information • Separate policy at Cornell • Managing authorization • Separate policy at Cornell • Backing up information • Separate policy at Cornell, and up to the data steward • Computer security (passwords, antivirus, software patches, etc.) • Incident reporting and record keeping • Establishing local security policies and procedures

  14. Cornell Data Stewardship and Custodianship Policy • For administrative data • Seven functional areas • Data stewards required to set policy for their own area • No dispute resolution for cross data usage • Custodian Prohibitions • No changing data • No “administrative voyeurism” • No resolving IP addresses without authority

  15. Cornell Policy Promulgation • Coordination with central policy office • Education • Forums on each policy, with demonstration of associated software and personnel for procedures • List services to targeted groups, raises lots of questions, gets issues out on the table, especially for people more comfortable with computer for expression and communication than in a public setting • Implementation • Always raises new issues, procedures and problems unforeseen in the drafting and promulgation of policy • Domain Name as an issue

  16. GU’s efforts to inform users • Education • What is information security? • Why do we need it? • What’s in the policy? • What does this mean to me? • Everyone’s responsibilities • Excerpts from our “road show”

  17. What is Information Security?

  18. Why do we need the policy?

  19. What are the goals of the policy?

  20. More on why we need the policy and its goals…

  21. Scare tactics

  22. This one really got them!

  23. Other reasons we need the policy

  24. A bit about…

  25. …a bit more…

  26. While we have their attention…

  27. About the policy itself…

  28. Who’s who

  29. What it’s all about…

  30. Now, we got specific…

  31. Mantra 2004 • Privacy and Security • Security and Privacy • Privacy and Security • Security and Privacy • Equally weighted in regulatory legislation • Complement each other • Works with everyone in the community, unifies rather than bifurcates.

  32. GU Policy Impact • Made HIPAA, GLBA easier • Satisfied external and internal auditors • Opportunity to educate the community • Provides operating framework

  33. CU’s Policy Impact • Part of the security program package • Director level IT Security for entire university • Part of compliance with federal law and regulations • Part of IT policy framework • Protecting and preserving university interests and assets • Balancing security and privacy • Part of policy framework • Community effort • Policy as “citizenship”

  34. Action Agenda • Identify Responsibilities and Accountability for Information Security • Conduct Institutional Risk Assessments • Develop Security Policies, Procedures, and Standards • Increase Everyone’s Awareness and Enhance Training

  35. Action Agenda (cont’d) • Require Secure Products From Vendors • Design, Develop, and Deploy Secure Communication and Information Systems • Invest in Staff and Tools • Establish Collaboration and Information Sharing Mechanisms

  36. Lessons Learned • Cornell • Work procedurally and frame conceptually in the context of one’s own environment • Georgetown: • Make sure you’ve got the right “usual suspects” • Take the time to achieve consensus or work through the issues • Educate the community

  37. Summary: Crisis begets opportunity • Information Security has become a major opportunity at universities for leadership • Problems can impact an organization’s reputation, operational responsibilities, and financial health • Needs to be a top IT agenda issue • Senior University leadership must be aware of the risks posed by information security • University Information Security Policy enables the university to better protect information • Creates a sense of community: everyone has responsibility • Create an awareness in perpetuity

  38. “Bottom line…” All users are responsible for protecting information resources to which they have access

  39. Contacts • Ardoth Hassler • hasslera@georgetown.edu • security.georgetown.edu • Security Officer: Brian Reilly • Tracy Mitrano • tbm3@cornell.edu • http://www.cit.cornell.edu/oit/PolicyOffice.html • Security Officer: Steve Schuster

  40. Questions?
