Security Policy Resources and Models Educause Security Conference, Denver 2007 William L. Custer, Miami University Jack McCoy, University of Colorado Connie Marie Popp, Eastern Michigan University Wednesday, April 11, 2007 1:00PM in Colorado I/J Session I2

Page 1

Security Policy Resources and Models

Educause Security Conference, Denver 2007

William L. Custer, Miami University
Jack McCoy, University of Colorado

Connie Marie Popp, Eastern Michigan University

Wednesday, April 11, 2007 1:00PM in Colorado I/J

Session I2

Page 2

Security Policy Models

Copyright William L. Custer, Jack McCoy, Connie M. Popp, 2007.

This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 3

Presentation Overview

Part I: Introducing the Model Security Policy Committee (William Custer)

Part II: Demonstrating The Wiki (Connie Popp)
Wiki Sections 2.0, 3.0, 4.0
Drill Down - Data Classification
https://wiki.internet2.edu/confluence/display/secguide/Security+Policies+and+Procedures

Part III: Demonstrating The Wiki (Jack McCoy)
Wiki Sections 5.0, 6.0
Drill Down - Incident Response

Part IV: Demonstrating The Wiki (William Custer)
Wiki Sections 7.0, 8.0, 9.0
Drill Down - Security Management, Security Plan

Part V: Conclusions, Questions, and A Plea For Help

Page 4

Related Presentations

Wed 10:45 Track 1 – Communications, Process, and Resources for Computer Incident Response

Wed 4:30 Track 2 – Security Standards in Higher Education

Wed 4:30 Track 4 – Developing a University System Wide Information Security Roadmap

Page 5

Part I

Introducing

The Model Security Policy Committee

William L. Custer

Page 6

Security Policy Models Part I: Introduction

Educause Policy Conference – Washington, April 2005

A helpful “circle” of professionals

Page 7

William Custer
Bob Kalal
Jack McCoy
Kim Milford
Connie Popp
Dave Weil
Leslie Maltz
Tammy Clark
Rodney Peterson, Educause
Valerie Vogel, Educause

Page 8

A. History and Philosophy of the Committee

B. The Need For Model Policy

C. Bibliography of Model Policy

D. Four Needed Models

E. Overview of Policy Development Lifecycle

F. Future Directions

G. Institutional Variants In Policy

Page 9

A. History and Philosophy of the Committee
1. Project Overview
2. Project Deliverables
3. Methodology
4. Assignments
5. Milestones

Page 10

A. History and Philosophy of the Committee
1. Project Overview

A body of model security policy for Educause member schools

Emphasize help to small and medium-sized schools, which generally lack resources.

Policy on all aspects of security, not simply crisis-based

Page 11

A. History and Philosophy of the Committee
2. Project Deliverables

October 2006: A list of model policies and/or policy parts useful to schools interested in writing or revising policy.
• To publish on the Educause site for the Fall 2006 conference.
• Annotations on why a particular policy model is being recommended.

October 2007: Write model policy when none can be found.

Page 12

A. History and Philosophy of the Committee
3. Methodology

Adopt a standard of policy completeness (Topics)

Adopt a taxonomy of security policy (Sub-topics)

Find an existing policy or policy part for each of the sub-topics in the taxonomy.

Comments to explain why each was chosen

Page 13

A. History and Philosophy of the Committee
3. Methodology (cont.)

Topics: 3.0 Asset Classification and Control

Sub-topics:
3.1 Accountability of assets – inventory
3.2 Information classification

Page 14

A. History and Philosophy of the Committee
4. Assignments

Committee divided into three sub-teams.
• Each responsible for finding model policy for 3 of the ten policy topics in the taxonomy.

Eight schools selected for “look here first”:
• Cornell, Georgetown, Indiana, Minnesota, Stanford, Iowa, SUNY Buffalo, Temple
• Branch out to other schools from here

Review by the full committee of all proposed models before inclusion on the wiki.

Page 15

A. History and Philosophy of the Committee
5. Milestones

Dec 2005: Form the Committee, explore methodology
Feb 2006: Begin trial write of a policy by committee
Mar 2006: Decide on taxonomy of ten major categories
Jun 2006: Assignment groups of two find models for each sub-topic of the ten categories
Aug 2006: Critique proposed models & select items for the wiki
Aug 2006: Three priorities from parent committee
Sep 2006: Format the work & enter into wiki
Oct 2006: Draft available for Educause. Plea for conference members to contribute
Dec 2006: Solicit contributions to the wiki through individual contacts

Page 16

B. The Need For Model Policy

1. Previous work

2. Measure of completeness

3. Measure of maturity

4. State of Security Policy in Education

Page 17

B. The Need For Model Policy

1. Previous work

Spreadsheet of 80 Educational Security Policy sites

• “College and University Security Resources”

Methodology for policy development written by Rodney Peterson and others

NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems”, February 2005.  Appendix G contains a mapping table comparing NIST controls to ISO 17799

Page 18

B. The Need For Model Policy

2. Measure of completeness

Do I have all the policy that I need?
• How do I know?
• A taxonomy or list of policy topics – many ways to organize policy; what standards are there?

Does my policy say all that it should say?
• How do I know?
• A standard of complete coverage in a particular policy

Page 19

B. The Need For Model Policy

2. Measure of completeness (cont.)

Do I have all the policy that I need?
• How do I know?
• Some standards: ISO 17799, SANS, CISSP
• Ten high-level topics were similar in all three
• Committee adopted a working taxonomy
• You will see these topics in the wiki

Page 20

B. The Need For Model Policy

2. Measure of completeness (cont.)

Does my policy say all that it should say?
• How do I know?
• Standard of completeness in a particular policy?
• We did not find a standard at the time
• Led to next slide – Policy Maturity

Page 21

B. The Need For Model Policy

3. Measure of policy maturity

• Maturity not indicated by budget
• Maturity not indicated by number of staff
• Maturity not indicated by size of institution

Page 22

B. The Need For Model Policy

3. Measure of policy maturity (cont.)

Connected to industry standard & well-defined vocabulary: Confidentiality, Integrity, Availability

Flows from a Security Plan

Acted upon rather than written to satisfy an audit comment and shelved. Indications of action.

Relates to a standard such as ISO 17799

Page 23

B. The Need For Model Policy
4. State of Security Policy in Education

Impressions of the Committee:

Much good policy work available

Few have a complete body of policy as judged by our taxonomy

Many write policy reactively in response to some incident

Many plan policy work but have an incomplete body of policy

Many have little or no security policy

Page 24

C. A Bibliography of Model Policy

Bibliography is familiar territory

Selected yet contributed

A Wiki

A wiki is a website that allows visitors to add, remove, edit and change content, typically without the need for registration.

Page 25

D. Four Needed Models
1. Incident Response
2. Data Classification
3. Security Management
4. A Security Plan
(5). Risk Assessment

Page 26

D. Four Needed Models (cont.)
1. Incident Response
2. Data Classification
3. Security Management
4. A Security Plan
(5). Risk Assessment

Get the 2007 edition: Official (ISC)2 Guide to The CISSP CBK, edited by Harold F. Tipton and Kevin Henry. Auerbach Publications, 2007. ISBN 0-8493-8231-9. This title is similar to several other books published by Auerbach but by different authors.

Page 27

E. The Policy Development Lifecycle

What Is It?
• Normal set of steps to implement policy
• Often measured in terms of years

Why mention it here? As a caution:

You cannot simply take someone else’s policy and plug in your institution’s name.

Patrick Spellacy, U of Minnesota, Educause Web Cast, Aug 9, 2005

http://www.educause.edu/LibraryDetailPage/666?ID=LIVE0516

Page 28

E. The Policy Development Lifecycle – Best Practice

1. Identify Issues – Be proactive

2. Conduct Analysis
• Identify an “Owner”
• Determine the Path – e.g. Regents, Board of Directors, Administrative
• Assemble Team – IT, Finance, Student

3. Draft Language
• Agree on terms
• Use common format

4. Get Approvals

5. Determine Distribution / Education
• Plan communication
• Put online
• Make it searchable

6. Solicit Evaluation and Review
• Plan for maintenance
• Encourage feedback
• Archive changes – they use a content management system for change control

7. Plan and measure outcomes

Page 29

F. Future Directions of the Committee

• Leverage industry progress on these topics
• Incorporate recently published standards
• Prioritize next policy topics as focus
• Standards, procedures, and guidelines
• Enlist contributions to the Wiki

Page 30

G. Institutional Variants in Policy

“Reasonable Security” Factors

Institution size and resources: expectations and limitations

Organizational structure: roles, responsibilities, and accountabilities

Institutional culture: values, beliefs, processes

Page 31

A. History and Philosophy of the Committee

B. The Need For Model Policy

C. Bibliography of Model Policy

D. Four Needed Models

E. Overview of Policy Development Lifecycle

F. Future Directions

G. Institutional Variants In Policy

Page 32

Wiki Overview
2.0 Organizational Security
3.0 Asset Classification
4.0 Personnel Security

Connie M. Popp, M.S.W., SPHR

Eastern Michigan University

Security Policy Models Part II: Demonstrating The Wiki

Page 33

http://www.educause.edu/security

Page 38

2.0 Organizational Security

Page 39

2.0 Organizational Security

Allocation of security roles
• State, university, and business unit levels
• Users, managers, IT security, oversight committees

Allocation of security responsibilities
• Training
• Policy
• Incident handling and reporting

Page 40

2.0 Organizational Security

Information Security Policy, Georgetown University
• Responsibilities defined for roles, from auditors to users
• Managers train users
• Individual users shall report compromises

Page 41

2.5 Risk Analysis and Assessment

Who is responsible?

What is expected?

Who is authorized to accept risk?

Page 42

2.5 Risk Analysis and Assessment

SANS Risk Assessment policy (www.sans.org)

Who is authorized to accept risk?

OCTAVE

STARS

Page 43

3.0 Asset Classification

Page 45

3.1 Accountability and Inventory of Assets

Description of assets

Acquiring, managing, and disposing of assets.

Page 46

3.2 Information Classification

• Public or private
• Governing laws
• Reason to classify
• Disposal, archiving, and storage
• Data protection

Page 48

Protection and Security of Records, University System of Georgia

Data Stewardship Policy,  George Mason University

Data Classification Guidelines, Stanford University

Page 49

Drill Down on Data Classification Policy

University of South Carolina: Data Access

Page 50

University of South Carolina: Data Access

Purpose: Information is an “asset”… to preserve and protect

Ownership

Clarity of definition: “..stored on paper, digital text, graphic, images, sound or video.”

Classifications: General, Limited, and Restricted access

Page 51

4.0 Personnel Security

Page 52

4.0 Personnel Security

Background investigation of personnel: Criminal
• Local, state, federal
• Frequency

Professional conduct

Training and awareness

Page 55

5.0 Physical & Environmental Security
6.0 Communications & Operations Management

With Drill Down On Incident Response

Jack McCoy, CISM

ISO - University of Colorado System

Security Policy ModelsPart III: Demonstrating The Wiki

Page 56

“Reasonable Security” Factors

Institution size and resources: expectations and limitations

Organizational structure: roles, responsibilities, and accountabilities

Institutional culture: values, beliefs, processes

Page 57

5.0 Physical and Environmental Security

Page 59

5.1 Secure Area: security perimeters, entry controls, offices & facilities, delivery areas

Protecting core IT services vs. all valuable data

Physical security vs. personal safety

An IT responsibility vs. shared responsibility with HR, PS, business units, compliance, legal, etc.

Page 60

5.1 Secure Area
Old Dominion U. - IT Physical Security Policy

• Policy scope beyond IT security and central IT
• Fire extinguishers in offices
• Offices with desktops to have AC, door locks
• Off-campus equipment (e.g., at home) the responsibility of the employee
• Employees to report unauthorized access or suspicious activity

Page 61

5.2 Equipment Security: equipment siting and protection, maintenance, cabling security, disposal, off-premises

Dedicated and shared equipment space

Cabled and wireless net services on contiguous campus, and non-campus properties

Responsibilities and involvement of HR, public safety, asset management, etc.

Page 62

5.3 General Controls: clear desk and clear screen policy, removal of property

Policy scope - electronic data, paper, other

Distribution of oversight authority by:
• data form (e.g., electronic, paper)
• data type (e.g., financial, HR)
• regulation (e.g., HIPAA, FERPA)
• function (e.g., privacy, legal)

Page 63

6.0 Communications & Operations Management

Page 67

6.1 Operational Procedures and Responsibilities: procedures, change control, incident management, patches, segregation of duties, test/dev systems

Institution size, resources:
• segregation of duties
• change controls, life cycle management
• separation of test and development systems

Balance of centralized & distributed computing

Degree of engagement by other university areas

Page 68

6.2 System Planning and Acceptance: capacity planning, system acceptance

Existing committees for review and planning

Advisory vs. acceptance roles

Technical vs. functional assessments

Page 69

6.3 Protection Against Malware

U. of Chicago - Protection from Malicious Software

Technical: anti-virus on all desktops and servers

Process: formal, documented process for prevention, detection, reporting, and recovery

Education: regularly train and remind workforce members about their responsibilities

Page 70

6.4 Housekeeping: information back-up, operator logs, fault logging

Central IT and ISO’s responsibilities for DRP, BCP, other group efforts

Distributed computing responsibilities and resources: cost vs. operational, business, compliance needs

Page 71

6.5 Network Management: network controls, air space, residence hall bandwidth, ACLs, firewalls, IDS

Authority for network standards, controls

Physical campus environment and impact on network management

Influence of network design on placement and use of network security devices

Page 72

6.5 Network Management
UC Berkeley - Minimum Network Security Standards

• Security and privacy committee provides policy, procedures, and standards
• Administrative officials ensure IT personnel are capable of maintaining devices to standards
• System admins maintain devices to standards
• System and network security office assists implementation, places network access blocks

Page 73

6.6 Media Handling and Security: media management and disposal, data handling procedures, erasure

Procedures and pervasiveness of sensitive data

Regulatory and statutory requirements

Access to tools and expertise for data erasure

Page 74

6.7 Exchange of Information and Software: exchange agreements, media in transit, e-commerce, e-mail, publicly available systems

Offsite storage location, data delivery

E-commerce systems, internal vs. outsourced

Central e-mail services, security assurances

Record retention, e-discovery requirements

Formal vendor arrangements

Page 75

6.8 Responding to Incidents & Malfunctions: reporting incidents, security weaknesses, software malfunctions, learning from incidents

Accountability for breaches

Responsibility for incident response

Applicable regulations, laws, standards

Page 76

Drill Down on Incident Response Policies

Page 77

Incident Response Policy

Institutions often have one IR policy

Clear assignment of responsibilities

Clear guidance on how to respond

Resulting policies often a blend of policy, procedure, and general information

Page 78

Iowa State - IT Security Incident Reporting Policy

A balance of IR policy topics:

Definition of “IT security incident”

Responsibilities for incident response: response team, IT support, individuals

Procedures for reporting and responding

Web link to incident report form

Page 79

Iowa State - IT Security Incident Reporting Policy

IT security incident defined

Any accidental or malicious act with potential for:
• misappropriation / misuse of confidential data
• significantly imperiling the functionality of IT
• unauthorized access to resources or information
• use of IT resources to attack other organizations

Page 80

Miami University - Critical Incident Response Plan

Incident severity level based on potential impact to operations or reputation:
• Critical: successful penetration / DoS, significant operational impact and risk to financial resources or PR
• Medium: minimally successful penetration / DoS, limited operational impact and risk to financial resources or PR
• Low: significant number of probes and scans, a targeted reconnaissance activity. Penetration / DoS unsuccessful


Page 81

Baylor - Computer Technology Security

Incident Response

ITS security notified immediately of suspected or real Security Incident involving an IT asset

If unclear whether a situation is considered a Security Incident, contact security to evaluate


Page 82

Baylor - Computer Technology Security Incident Response Policy

In the meantime . . .

Don’t troubleshoot the system or investigate

If the incident involves a compromised computer, do not alter the state of the computer

Disconnect the computer from the network


Page 83

UCSC Plan for Protection of PII

Response process initiated by a confirmed security breach of unencrypted PII

System steward creates Initial Report

IRT convenes to determine notification needs

Security and service provider restore service, preserving evidence

System steward submits Final Report


Page 84

UCSC Plan for Protection of PII

Notification Procedures:

Final Report and law enforcement authorization initiate notification procedures

VP-IT and IRT develop notification plan

General counsel approves plan

VP-IT and PIO work to issue notifications
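The two UCSC slides describe a fixed order of steps with gates: the plan starts only on a confirmed breach of unencrypted PII, service is restored only after evidence is preserved, and notification needs the Final Report, law enforcement authorization and general counsel approval before anything goes out. The Python below is an added example, not UCSC's code: it encodes that order as a guarded state machine so a step attempted out of order, by the wrong role, or without its precondition is refused and recorded. Step and role names follow the slides; the state names, the `facts` keyword arguments, and the role assignments (security performs `restore_service`, VP-IT owns the plan and the notifications) are assumptions.

```python
"""Guarded workflow for the UCSC-style PII breach response. Constructed example,
not UCSC's code; state names, preconditions and role assignments are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


class WorkflowError(Exception):
    """A step attempted out of order, by the wrong role, or before its precondition."""


@dataclass
class BreachCase:
    case_id: str
    state: str = "new"
    evidence_preserved: bool = False
    law_enforcement_authorized: bool = False
    final_report: Optional[str] = None
    history: list = field(default_factory=list)   # (step, role) pairs, refusals included


# step -> (required current state, role allowed to perform it, next state)
STEPS = {
    "initial_report":      ("new",          "system steward",  "reported"),
    "irt_convene":         ("reported",     "IRT",             "assessed"),
    "restore_service":     ("assessed",     "security",        "restored"),
    "final_report":        ("restored",     "system steward",  "report_filed"),
    "notification_plan":   ("report_filed", "VP-IT",           "planned"),
    "counsel_approval":    ("planned",      "general counsel", "approved"),
    "issue_notifications": ("approved",     "VP-IT",           "notified"),
}


def plan_applies(confirmed_breach: bool, pii_encrypted: bool) -> bool:
    """Gate from the first slide: only a confirmed breach of unencrypted PII enters the process."""
    return confirmed_breach and not pii_encrypted


def open_case(case_id: str, confirmed_breach: bool, pii_encrypted: bool) -> BreachCase:
    if not plan_applies(confirmed_breach, pii_encrypted):
        raise WorkflowError("plan requires a confirmed breach of unencrypted PII")
    return BreachCase(case_id)


def advance(case: BreachCase, step: str, actor_role: str, **facts) -> str:
    """Perform one step and return the new state. `facts` carries the evidence a
    precondition needs: evidence_preserved=True for restore_service,
    law_enforcement_authorized=True for notification_plan, report=<text> for final_report."""
    if step not in STEPS:
        raise WorkflowError(f"unknown step {step!r}")
    required_state, role, next_state = STEPS[step]
    if case.state != required_state:
        raise WorkflowError(f"{step} not allowed in state {case.state!r}")
    if actor_role != role:
        raise WorkflowError(f"{step} must be performed by {role}, not {actor_role}")

    # Step-specific preconditions taken from the slides
    if step == "restore_service":
        if not facts.get("evidence_preserved"):
            raise WorkflowError("service may be restored only after evidence is preserved")
        case.evidence_preserved = True
    elif step == "final_report":
        report = facts.get("report", "")
        if not report:
            raise WorkflowError("final report text is required")
        case.final_report = report
    elif step == "notification_plan":
        if not facts.get("law_enforcement_authorized"):
            raise WorkflowError("notification planning needs law enforcement authorization")
        case.law_enforcement_authorized = True

    case.state = next_state
    case.history.append((step, actor_role))
    return case.state


def try_advance(case: BreachCase, step: str, actor_role: str, **facts) -> Optional[str]:
    """Like advance(), but returns the refusal message instead of raising and logs
    the refused attempt, so the audit trail shows who tried to skip a gate."""
    try:
        advance(case, step, actor_role, **facts)
        return None
    except WorkflowError as err:
        case.history.append(("REFUSED " + step, actor_role))
        return str(err)


def run_full_response(case_id: str = "CASE-0001") -> BreachCase:
    """Drive a constructed case through every step in the order the slides give."""
    case = open_case(case_id, confirmed_breach=True, pii_encrypted=False)
    advance(case, "initial_report", "system steward")
    advance(case, "irt_convene", "IRT")
    advance(case, "restore_service", "security", evidence_preserved=True)
    advance(case, "final_report", "system steward", report="image taken; 1,200 records affected")
    advance(case, "notification_plan", "VP-IT", law_enforcement_authorized=True)
    advance(case, "counsel_approval", "general counsel")
    advance(case, "issue_notifications", "VP-IT")
    return case


if __name__ == "__main__":
    done = run_full_response()
    print(done.state, [s for s, _ in done.history])
```

Keeping refused attempts in `history` is the useful part for a reviewer: the record shows not only that notification went out after counsel approval, but also whether anyone tried to restore a system before evidence was preserved.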


Page 85

Discussion


Page 86

7.0 Access Control

8.0 System Dev and Maint

9.0 Business Continuity

With Drill Down On

Security Management & Security Plan

William L. Custer, MA, CISSP

Information Security Policy Manager, Miami University, Ohio

Security Policy Models, Part IV: Demonstrating The Wiki

Page 87

7.0 Access Control


Page 88

7.0 Access Control

7.1 Business requirement for access control

7.2 Identity management

7.3 User responsibilities

7.4 Network access

7.5 Operating system

7.6 Application access control

7.7 Monitoring system access in use

7.8 Mobile computing and teleworking


Page 89

7.0 Access Control

Access control tends to be interleaved with other policy; see especially section 4.0

Several general policies are listed

The wiki perhaps needs more detail here


Page 90

7.0 Access Control

Title: Indiana University. http://datamgmt.iu.edu/CDS/da_guidelines.html

Policy value: These guidelines are fairly comprehensive and a good starting point. Based on documents from Virginia Polytechnic Institute. See especially the sections called Data Access, Data Availability, and Data Manipulation. Other sections are valuable as well.

Title: Cornell: www.cit.cornell.edu/services/identity/netid-terms.html

Policy value: Focused on user responsibilities for campus identifier. Helpful information for a Responsible Use document.

Title: Dartmouth College Information Technology Policy. Dartmouth: www.dartmouth.edu/comp/about/policies/general/itpolicy

Policy value: This brief policy includes statements on registration and review of access rights, account naming and allocation of resources. Also valuable as input to a general Responsible Use Policy.

Title: University of Wisconsin. www.doit.wisc.edu/security/policies/

Policy value: See especially Electronic Devices Policy, Guest NetID Policy, Password Policy, and Draft Policy for University of Wisconsin Data Network, which will prohibit anonymous use.

Title: Iowa. http://cio.uiowa.edu/ITsecurity/Infosec-Plan.shtml

Policy value: An example of a rather complete policy site that is user friendly; see section 4.0 for material on access control.


Page 91

8.0 System Development and Maintenance


Page 92

8.0 System Development and Maintenance

Title: Information Security Framework, “Information Integrity Controls”

Iowa: http://cio.uiowa.edu/policy/policy-information-security-framework.shtml

Policy Value: A brief statement on Information Integrity Controls is relevant to system development and maintenance. Data classification is tied to system controls in section 4.3

Title: Guidelines for Systems and Network Administrators

Georgetown: http://uis.georgetown.edu/policies/technology/snaguidelines.html

Policy Value: A brief extension of their general responsible use statement. Applies primarily to operations rather than development.


Page 93

9.0 Business Continuity Management

(Disaster Recovery)


Page 94

9.0 Business Continuity Management

Management process

Impact analysis

Writing and implementing the plan

Planning framework

Testing, maintaining, and re-assessing


Page 95

9.0 Business Continuity Management

Title: Backup and Recovery Policy

Indiana (School of Med): http://technology.iusm.iu.edu/security/iusm_policy_sec_03.aspx

Policy Value: Concise one page statement of minimum requirements

Title: MIT Business Continuity Plan

MIT: http://web.mit.edu/security/www/pubplan.htm

Policy Value: Comprehensive plan using industry standard categories and terminology

Title:

LSU: http://appl003.lsu.edu/itsweb/securityweb.nsf/$Content/State/$file/IT-POL-011.pdf

Policy Value: Concise outline of major components of a high level DR/BCP


Page 96

10.0 Compliance


Page 97

10.0 Compliance

10.1 Compliance with legal requirements

10.2 Review compliance of Security Policy and technical compliance

10.3 System audit considerations

10.4 Archiving explicit material


Page 98

10.0 Compliance

10.1 Compliance with legal requirements

Title: Campus Information Technology Security Policy

http://security.berkeley.edu/IT.sec.policy.html#comp

Policy Value: This is an example of a broader acceptable use policy that includes a statement on compliance with other laws and regulations (see Heading: COMPLIANCE WITH LAW AND POLICY).


Page 99

Drill Down on

Security Management

Security Plan


Page 100


Drill Down on Security Management

“Organizational Security Policy”, written by the committee listed in wiki section 2.0

Alternate title for this policy is “Information Security Policy”

The committee’s first model document

Page 101


Drill Down on Security Management

1.0 Management Commitment: protect the confidentiality, integrity, and availability

2.0 Information Security Infrastructure

2.1 Organization and Governance

• 2.1.1 Information Security coordination

• 2.1.2 Roles and responsibilities

• 2.1.3 Advisory council

• 2.1.4 Information processing facilities

• 2.1.5 Security advice

• 2.1.6 Cooperation between organizations

• 2.1.7 Independent review

3.0 Third Party Access

4.0 Outsourcing

5.0 Risk analysis

Page 102


Drill Down on Security Management

1.0 Management Commitment: Statement of Responsibility and Commitment

The University considers information to be a strategic asset that is essential to its core mission and business operations.

Furthermore, the University values the privacy of individuals and is dedicated to protecting the information with which it is entrusted.

Therefore, the University is committed to providing the resources needed to ensure confidentiality, integrity, and availability of its information as well as reduce the risk of exposure that would damage the reputation of the university.

Information Technology Policy shall be established that supports the following core security values:

Page 103


Drill Down on Security Management

1.0 Management Commitment: core values

Support University mission

Consistent with institutional policies, contracts, and laws

Privacy

Appropriate and cost-effective

Best practices

Shared responsibility

Accountability

Flexible and adaptable

Emergency preparedness

Reassessment

Page 104


Drill Down on Security Management

1.0 Management Commitment: core values

Each core value is elaborated, e.g. Support University mission: The Policy is designed to support the mission of the University, notably the creation and dissemination of new knowledge, by protecting the University’s resources, reputation, legal position, and ability to conduct its operations. It is intended to facilitate activities that are important to the University.

Page 105


Drill Down on Security Management

2.1 Organization and Governance

In order to promote the security mandate of the university, (fill in some governing body) shall:

1. Oversee risk management and compliance programs pertaining to information security such as Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, and PCI.

2. Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.

3. Strive to protect the interests of all stakeholders dependent on information security.

4. Review information security policies regarding strategic partners and other third parties.

5. Strive to ensure business continuity.

6. Review provisions for internal and external audits of the information security program.

7. Collaborate with management to specify the information security metrics to be reported to the board.

Notes: These points taken from www.educause.edu/ir/library/word/SWR0514.doc

Page 106


Drill Down on Security Management

2.1.1 Information Security coordination. In order to promote the security mandate of the university, management shall:

1. Establish information security management policies and controls and monitor compliance.

2. Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.

3. Assess information risks, establish risk thresholds and actively manage risk mitigation.

4. Ensure implementation of information security requirements for strategic partners and other third parties.

5. Identify and classify information assets.

6. Implement and test business continuity plans.

7. Approve information systems architecture during acquisition, development, operations, and maintenance.

8. Protect the physical environment.

9. Ensure internal and external audits of the information security program with timely follow-up.

10. Collaborate with security staff to specify the information security metrics to be reported to management.

Notes: These points taken from www.educause.edu/ir/library/word/SWR0514.doc

Page 107


Drill Down on Security Management

2.1.2 Roles and Responsibilities

Chief Information Security Officer (CISO)

Chief Information Officer (CIO)

Chief Security Officer

Information Security Officer

Information Privacy Officer

Auditor

Office of Counsel

Data Stewards

Page 108


Drill Down on Security Management

2.1.2 Roles and Responsibilities: Chief Information Security Officer (CISO)

Responsibility for the design, implementation, and management of the university's Information Security Program. Promotes a strategic vision for information security, oversees information security policy development and compliance, provides direction on user awareness and education programming, manages large-scale projects and initiatives as needed, and advises senior management on the risks to university information in the context of regulatory, legal, audit, contractual, and other applicable requirements.

Provides direction to security policy. The CISO role does not usually include …

Page 109


Drill Down on Security Management

2.1.2 Roles and Responsibilities: Chief Security Officer

Coordinates (or oversees) all security programs and staff for the entire organization. Includes physical security and almost always includes information security. Some recent security programs have been made part of a broader risk management program and could include business continuity as well.

Page 110


Drill Down on Security Management

Notes are included

Policy: Office of Counsel – Responsible to offer legal advice to the University. Some counsels manage risk compliance and also security policy.

Notes: Many policy experts recommend that the Office of Counsel not have final authority on what policy is adopted. This is because the goal of good policy may not coincide with the policy that attracts the fewest legal actions.

Page 111


Drill Down on Security Management

Resources

Information Security Governance Self Assessment Tool for Higher Education, items 4.9 - 4.34

http://www.educause.edu/ir/library/pdf/SEC0421.pdf

“Sources for Developing Information Security Policies” in Appendix D

• http://www.educause.edu/ir/library/pdf/CSD3661.pdf

• Corporate Information Security Working Group (CISWG)

• Report of the Best Practices and Metrics Teams

• Subcommittee on Policy, Information Technology, Intergovernmental Relations and the Census

• Government Reform Committee, United States House of Representatives

• “Sources for Developing Information Security Policies” in Appendix D

“Establish Information Security Management Policies and Controls and Monitor Compliance” is on page 16 of the CISWG document above

Page 112


Drill Down on Security Plan

Two resources

Draft Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems (http://csrc.nist.gov/publications/nistpubs/index.html)

Georgia State University: http://www.educause.edu/LibraryDetailPage/666?ID=CSD4889

Page 113


Drill Down on Security Plan

Features of the Georgia State Plan

Page 114

Security Policy Models, Part V: Conclusion

Part V

Future Directions of the Committee

Questions and Answers

Questionnaire

Page 115


Future Directions of the Committee

Leverage industry progress on these topics

Incorporate recently published standards

Prioritize next policy topics as focus

Standards, procedures, and guidelines

Enlist contributions to the Wiki

Page 116


Questions and Answers

Questionnaire

Page 117

Security Policy Models

The Presenters

[email protected]

[email protected]

[email protected]