Security Policy Resources and Models
Educause Security Conference, Denver 2007
William L. Custer, Miami University
Jack McCoy, University of Colorado
Connie Marie Popp, Eastern Michigan University
Wednesday, April 11, 2007 1:00PM in Colorado I/J
Session I2
Copyright William L. Custer, Jack McCoy, Connie M. Popp, 2007.
This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author
Presentation Overview
Part I: Introducing the Model Security Policy Committee (William Custer)
Part II: Demonstrating The Wiki (Connie Popp). Wiki Sections 2.0, 3.0, 4.0. Drill Down - Data Classification.
https://wiki.internet2.edu/confluence/display/secguide/Security+Policies+and+Procedures
Part III: Demonstrating The Wiki (Jack McCoy). Wiki Sections 5.0, 6.0. Drill Down - Incident Response.
Part IV: Demonstrating The Wiki (William Custer). Wiki Sections 7.0, 8.0, 9.0. Drill Down - Security Management, Security Plan.
Part V: Conclusions, Questions, and A Plea For Help
Related Presentations
Wed 10:45 Track 1 – Communications, Process, and Resources for Computer Incident Response
Wed 4:30 Track 2 – Security Standards in Higher Education
Wed 4:30 Track 4 – Developing a University System Wide Information Security Roadmap
Part I
Introducing
The Model Security Policy Committee
William L Custer
Security Policy Models Part I: Introduction
Educause Policy Conference – Washington, April 2005
A helpful “circle” of professionals
William Custer
Bob Kalal
Jack McCoy
Kim Milford
Connie Popp
Dave Weil
Leslie Maltz
Tammy Clark
Rodney Peterson, Educause
Valerie Vogel, Educause
A. History and Philosophy of the Committee
B. The Need For Model Policy
C. Bibliography of Model Policy
D. Four Needed Models
E. Overview of Policy Development Lifecycle
F. Future Directions
G. Institutional Variants In Policy
A. History and Philosophy of the Committee
1. Project Overview
2. Project Deliverables
3. Methodology
4. Assignments
5. Milestones
A. History and Philosophy of the Committee
1. Project Overview
A body of model security policy for Educause member schools
Emphasize help to small & medium sized schools who generally lack resources.
Policy on all aspects of security, not simply crisis based
A. History and Philosophy of the Committee 2. Project Deliverables
October 2006: A list of model policies and/or policy parts useful to schools interested in writing or revising policy.
• To publish on the Educause site for the Fall 2006 conference.
• Annotations on why a particular policy model is being recommended.
October 2007: Write model policy when none can be found.
A. History and Philosophy of the Committee
3. Methodology
Adopt a standard of policy completeness (Topics).
Adopt a taxonomy of security policy (Sub-topics).
Find an existing policy or policy part for each of the sub-topics in the taxonomy.
Comments to explain why each was chosen.
A. History and Philosophy of the Committee
3. Methodology (cont.)
Topics
3.0 Asset Classification and Control
Sub-topics
3.1 Accountability of assets – inventory
3.2 Information classification
A. History and Philosophy of the Committee 4. Assignments
Committee divided into three sub-teams.
• Each responsible to find model policy for 3 of the ten policy topics in the taxonomy.
Eight schools selected for “look here first”.
• Cornell, Georgetown, Indiana, Minnesota, Stanford, Iowa, SUNY Buffalo, Temple
• Branch out to other schools from here
Review by full committee of all proposed models before inclusion on the wiki.
A. History and Philosophy of the Committee 5. Milestones
Dec 2005 Form the Committee, explore methodology
Feb 2006 Begin trial write of a policy by committee
Mar 2006 Decide on taxonomy of ten major categories
Jun 2006 Assignment groups of two find models for each sub-topic of the ten categories
Aug 2006 Critique proposed models & select items for the wiki
Aug 2006 Three priorities from parent committee
Sep 2006 Format the work & enter into wiki
Oct 2006 Draft available for Educause. Plea for conference members to contribute
Dec 2006 Solicit contributions to the wiki through individual contacts
B. The Need For Model Policy
1. Previous work
2. Measure of completeness
3. Measure of maturity
4. State of Security Policy in Education
B. The Need For Model Policy
1. Previous work
Spreadsheet of 80 Educational Security Policy sites
• “College and University Security Resources”
Methodology for policy development written by Rodney Peterson and others
NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems”, February 2005. Appendix G contains a mapping table comparing NIST controls to ISO 17799
B. The Need For Model Policy
2. Measure of completeness
Do I have all the policy that I need?
• How do I know?
• A taxonomy or list of policy topics – many ways to organize policy; what standards are there?
Does my policy say all that it should say?
• How do I know?
• A standard of complete coverage in a particular policy
B. The Need For Model Policy
2. Measure of completeness (cont.)
Do I have all the policy that I need?
• How do I know?
• Some standards: ISO 17799, SANS, CISSP
• Ten high level topics were similar in all three
• Committee adopted a working taxonomy
• You will see these topics in the wiki
B. The Need For Model Policy
2. Measure of completeness (cont.)
Does my policy say all that it should say?
• How do I know?
• Standard of completeness in a particular policy?
• We did not find a standard at the time
• Led to next slide – Policy Maturity
B. The Need For Model Policy
3. Measure of policy maturity
Maturity not indicated by budget
Maturity not indicated by number of staff
Maturity not indicated by size of institution
B. The Need For Model Policy
3. Measure of policy maturity (cont.)
Connected to industry standard & well defined vocabulary: Confidentiality, Integrity, Availability
Flows from a Security Plan
Acted upon rather than written to satisfy an audit comment and shelved. Indications of action.
Relates to standard such as ISO 17799
B. The Need For Model Policy
4. State of Security Policy in Education
Impressions of the Committee
Much good policy work available
Few have complete body of policy as judged by our taxonomy
Many write policy reactively in response to some incident
Many plan policy work but have an incomplete body of policy
Many have little or no security policy
C. A Bibliography of Model Policy
Bibliography is familiar territory
Selected yet contributed
A Wiki
A wiki is a website that allows visitors to add, remove, edit and change content, typically without the need for registration.
D. Four Needed Models
1. Incident Response
2. Data Classification
3. Security Management
4. A Security Plan
(5). Risk Assessment
D. Four Needed Models (cont.)
1. Incident Response
2. Data Classification
3. Security Management
4. A Security Plan
(5). Risk Assessment
Get the 2007 edition: Official (ISC)2 Guide to The CISSP CBK, edited by Harold F. Tipton and Kevin Henry. Auerbach Publications, 2007. ISBN 0-8493-8231-9.
This title is similar to several other books published by Auerbach but by different authors.
E. The Policy Development Lifecycle
What Is It?
Normal set of steps to implement policy
Often measured in terms of years
Why mention it here? As a caution.
You cannot simply take someone else’s policy and plug in your institution’s name.
Patrick Spellacy, U of Minnesota, Educause Web Cast, Aug 9, 2005
http://www.educause.edu/LibraryDetailPage/666?ID=LIVE0516
E. The Policy Development Lifecycle – Best Practice
1. Identify Issues – Be proactive
2. Conduct Analysis
• Identify an “Owner”
• Determine the Path – e.g. Regents, Board of Directors, Administrative
• Assemble Team – IT, Finance, Student
3. Draft Language
• Agree on terms
• Use common format
4. Get Approvals
5. Determine Distribution / Education
• Plan communication
• Put online
• Make it searchable
6. Solicit Evaluation and Review
• Plan for maintenance
• Encourage feedback
• Archive changes – they use a content management system for change control
7. Plan and measure outcomes
F. Future Directions of the Committee
Leverage industry progress on these topics.
Incorporate recently published standards
Prioritize next policy topics as focus
Standards, procedures, and guidelines
Enlist contributions to the Wiki
G. Institutional Variants in Policy
“Reasonable Security” Factors
Institution size and resources: expectations and limitations
Organizational structure: roles, responsibilities, and accountabilities
Institutional culture: values, beliefs, processes
Wiki Overview
2.0 Organizational Security
3.0 Asset Classification
4.0 Personnel Security
Connie M. Popp, M.S.W., SPHR
Eastern Michigan University
Security Policy Models Part II: Demonstrating The Wiki
http://www.educause.edu/security
2.0 Organizational Security
2.0 Organizational Security
Allocation of security roles
• State, university, and business unit levels
• Users, managers, IT security, oversight committees
Allocation of security responsibilities
• Training
• Policy
• Incident handling and reporting
2.0 Organizational Security
Information Security Policy, Georgetown University
• Responsibilities defined for roles, from auditors to users
• Managers train users
• Individual users shall report compromises
2.5 Risk Analysis and Assessment
Who is responsible?
What is expected?
Who is authorized to accept risk?
2.5 Risk Analysis and Assessment
SANS Risk Assessment policy (www.sans.org)
Who is authorized to accept risk?
OCTAVE
STARS
3.0 Asset Classification
3.1 Accountability and Inventory of Assets
Description of assets
Acquiring, managing and disposal of assets.
3.2 Information Classification
Public or private
Governing laws
Reason to classify
Disposal, archiving, and storage
Data protection
Protection and Security of Records, University System of Georgia
Data Stewardship Policy, George Mason University
Data Classification Guidelines, Stanford University
Drill Down on Data Classification Policy
University of South Carolina: Data Access
University of South Carolina: Data Access
Purpose: Information is an “asset”…to preserve and protect
Ownership
Clarity of definition: “..stored on paper, digital text, graphic, images, sound or video.”
Classifications: General, Limited, and Restricted access
4.0 Personnel Security
4.0 Personnel Security
Background investigation of personnel
Criminal
• Local, state, federal
• Frequency
Professional conduct
Training and awareness
5.0 Physical & Environmental Security
6.0 Communications & Operations Management
With Drill Down On Incident Response
Jack McCoy, CISM
ISO - University of Colorado System
Security Policy Models Part III: Demonstrating The Wiki
“Reasonable Security” Factors
Institution size and resources: expectations and limitations
Organizational structure: roles, responsibilities, and accountabilities
Institutional culture: values, beliefs, processes
5.0 Physical and Environmental Security
5.1 Secure Area: security perimeters, entry controls, offices & facilities, delivery areas
Protecting core IT services vs. all valuable data
Physical security vs. personal safety
An IT responsibility vs. shared responsibility with HR, PS, business units, compliance, legal, etc.
5.1 Secure Area
Old Dominion U. - IT Physical Security Policy
• Policy scope beyond IT security and central IT
• Fire extinguishers in offices
• Offices with desktops to have AC, door locks
• Off campus equipment (e.g., at home) the responsibility of the employee
• Employees to report unauthorized access or suspicious activity
5.2 Equipment Security: equip siting protection, maint, cabling security, disposal, off-premises
Dedicated and shared equipment space
Cabled and wireless net services on contiguous campus, and non-campus properties
Responsibilities and involvement of HR, public safety, asset management, etc.
5.3 General Controls: clear desk and clear screen policy, removal of property
Policy scope - electronic data, paper, other
Distribution of oversight authority by:
• data form (e.g., electronic, paper)
• data type (e.g., financial, HR)
• regulation (e.g., HIPAA, FERPA)
• function (e.g., privacy, legal)
6.0 Communications & Operations Management
6.1 Operational Procedures and Responsibilities: procedures, change control, incident mgmt, patches, segregation of duties, test/dev systems
Institution size, resources
• segregation of duties
• change controls, life cycle management
• separation of test and development systems
Balance of centralized & distributed computing
Degree of engagement by other university areas
6.2 System Planning and Acceptance: capacity planning, system acceptance
Existing committees for review and planning
Advisory vs. acceptance roles
Technical vs. functional assessments
6.3 Protection Against Malware
U. of Chicago - Protection from Malicious Software
Technical: anti-virus on all desktops and servers
Process: formal, documented process for prevention, detection, reporting, and recovery
Education: regularly train and remind workforce members about their responsibilities
6.4 Housekeeping: information back-up, operator logs, fault logging
Central IT and ISO’s responsibilities for DRP, BCP, other group efforts
Distributed computing responsibilities and resources cost vs. operational, business, compliance needs
6.5 Network Management: network controls, air space, res hall bandwidth, ACL’s, firewalls, IDS
Authority for network standards, controls
Physical campus environment and impact on network management
Influence of network design on placement and use of network security devices
6.5 Network Management
UC Berkeley - Minimum Network Security Standards
• Security and privacy committee provides policy, procedures, and standards
• Administrative officials ensure IT personnel capable of maintaining devices to standards
• System admins maintain devices to standards
• System and network security office assists implementation, places network access blocks
6.6 Media Handling and Security: media mgmt and disposal, data handling procedures, erasure
Procedures and pervasiveness of sensitive data
Regulatory and statutory requirements
Access to tools and expertise for data erasure
6.7 Exchange of Information and Software: exchange agreements, media in transit, e-commerce, e-mail, publicly available systems
Offsite storage location, data delivery
E-commerce systems, internal vs. outsourced
Central e-mail services, security assurances
Record retention, e-discovery requirements
Formal vendor arrangements
6.8 Responding to Incidents & Malfunctions: reporting incidents, security weaknesses, software malfunctions, learning from incidents
Accountability for breaches
Responsibility for incident response
Applicable regulations, laws, standards
Drill Down on Incident Response Policies
Incident Response Policy
Institutions often have one IR policy
Clear assignment of responsibilities
Clear guidance on how to respond
Resulting policies often a blend of policy, procedure, and general information
Iowa State - IT Security Incident Reporting Policy
A balance of IR policy topics:
Definition of “IT security incident”
Responsibilities for incident response: response team, IT support, individuals
Procedures for reporting and responding
Web link to incident report form
Iowa State - IT Security Incident Reporting Policy
IT security incident defined
Any accidental or malicious act with the potential for:
• misappropriation / misuse of confidential data
• significantly imperiling the functionality of IT
• unauthorized access to resources or information
• use of IT resources to attack other organizations
Miami University - Critical Incident Response Plan
Incident severity level based on potential impact to operations or reputation
• Critical: successful penetration / DoS, significant operational impact and risk to financial resources or PR
• Medium: minimally successful penetration / DoS, limited operational impact and risk to financial resources or PR
• Low: significant number of probes and scans, a targeted reconnaissance activity. Penetration / DoS unsuccessful
Baylor - Computer Technology Security
Incident Response
ITS security notified immediately of suspected or real Security Incident involving an IT asset
If unclear whether a situation is considered a Security Incident, contact security to evaluate
Baylor - Computer Technology Security Incident Response Policy
In the meantime . . .
Don’t troubleshoot the system or investigate
If the incident involves a compromised computer, do not alter the state of the computer
Disconnect the computer from the network
UCSC Plan for Protection of PII
Response process initiated by a confirmed security breach of unencrypted PII
System steward creates Initial Report
IRT convenes to determine notification needs
Security and service provider restore service, preserving evidence
System steward submits Final Report
UCSC Plan for Protection of PII
Notification Procedures:
Final Report and law enforcement authorization initiate notification procedures
VP-IT and IRT develop notification plan
General counsel approves plan
VP-IT and PIO work to issue notifications
Discussion
7.0 Access Control
8.0 System Development and Maintenance
9.0 Business Continuity
With Drill Down On Security Management & Security Plan
William L. Custer, MA, CISSP
Information Security Policy Manager, Miami University, Ohio
Security Policy Models Part IV: Demonstrating The Wiki
7.0 Access Control
7.0 Access Control
7.1 Business requirement for access control
7.2 Identity management
7.3 User responsibilities
7.4 Network access
7.5 Operating system
7.6 Application access control
7.7 Monitoring system access in use
7.8 Mobile computing and teleworking
7.0 Access Control
Access control tends to be interleafed with other policy, see especially section 4.0
Several general policies are listed
The wiki perhaps needs more detail here
7.0 Access Control
Title: Indiana University. http://datamgmt.iu.edu/CDS/da_guidelines.html
Policy value: These guidelines are fairly comprehensive and a good starting point. Based on documents from Virginia Polytechnic Institute. See especially the sections called Data Access, Data Availability, and Data Manipulation. Other sections are valuable as well.
Title: Cornell: www.cit.cornell.edu/services/identity/netid-terms.html
Policy value: Focused on user responsibilities for campus identifier. Helpful information for a Responsible Use document.
Title: Dartmouth College Information Technology Policy. Dartmouth: www.dartmouth.edu/comp/about/policies/general/itpolicy
Policy value: This brief policy includes statements on registration and review of access rights, account naming and allocation of resources. Also valuable as input to a general Responsible Use Policy.
Title: University of Wisconsin. www.doit.wisc.edu/security/policies/
Policy value: See especially Electronic Devices Policy, Guest NetID Policy, Password Policy, and the Draft Policy for University of Wisconsin Data Network, which will prohibit anonymous use.
Title: Iowa. http://cio.uiowa.edu/ITsecurity/Infosec-Plan.shtml
Policy value: An example of a rather complete policy site that is user friendly; see section 4.0 for material on access control.
8.0 System Development and Maintenance
8.0 System Development & Maintenance
Title: Information Security Framework, “Information Integrity Controls”
Iowa: http://cio.uiowa.edu/policy/policy-information-security-framework.shtml
Policy Value: A brief statement on Information Integrity Controls is relevant to system development and maintenance. Data classification is tied to system controls in section 4.3.
Title: Guidelines for Systems and Network Administrators
Georgetown: http://uis.georgetown.edu/policies/technology/snaguidelines.html
Policy Value: A brief extension of their general responsible use statement. Applies primarily to operations rather than development.
9.0 Business Continuity Management
(Disaster Recovery)
9.0 Business Continuity Management
Management process
Impact analysis
Writing and implementing the plan
Planning framework
Testing, maintaining, and re-assessing
9.0 Business Continuity Management
Title: Backup and Recovery Policy
Indiana (School of Med): http://technology.iusm.iu.edu/security/iusm_policy_sec_03.aspx
Policy Value: Concise one page statement of minimum requirements
Title: MIT Business Continuity Plan
MIT: http://web.mit.edu/security/www/pubplan.htm
Policy Value: Comprehensive plan using industry standard categories and terminology
Title:
LSU: http://appl003.lsu.edu/itsweb/securityweb.nsf/$Content/State/$file/IT-POL-011.pdf
Policy Value: Concise outline of major components of a high level DR/BCP
10.0 Compliance
10.1 Compliance with legal requirements
10.2 Review compliance of Security Policy and technical compliance
10.3 System audit considerations
10.4 Archiving explicit material
10.1 Compliance with legal requirements
Title: Campus Information Technology Security Policy
http://security.berkeley.edu/IT.sec.policy.html#comp
Policy Value: This is an example of a broader acceptable use policy that includes a statement on compliance with other laws and regulations (see Heading: COMPLIANCE WITH LAW AND POLICY).
Drill Down on
Security Management
Security Plan
Drill Down on Security Management
“Organizational Security Policy” written by the committee, listed in the wiki section 2.0
Alternate title for this policy is “Information Security Policy”
The committee’s first model document
1.0 Management Commitment: Protect the confidentiality, integrity, and availability
2.0 Information Security Infrastructure
2.1 Organization and Governance
• 2.1.1 Information Security coordination
• 2.1.2 Roles and responsibilities
• 2.1.3 Advisory council
• 2.1.4 Information processing facilities
• 2.1.5 Security advice
• 2.1.6 Cooperation between organizations
• 2.1.7 Independent review
3.0 Third Party Access
4.0 Outsourcing
5.0 Risk analysis
1.0 Management Commitment: Statement of Responsibility and Commitment
The University considers information to be a strategic asset that is essential to its core mission and business operations.
Furthermore, the University values the privacy of individuals and is dedicated to protecting the information with which it is entrusted.
Therefore, the University is committed to providing the resources needed to ensure confidentiality, integrity, and availability of its information as well as reduce the risk of exposure that would damage the reputation of the university.
Information Technology Policy shall be established that supports the following core security values:
1.0 Management Commitment core values
Support University mission
Consistent with institutional policies, contracts, and laws
Privacy
Appropriate and cost-effective
Best practices
Shared responsibility
Accountability
Flexible and adaptable
Emergency preparedness
Reassessment
1.0 Management Commitment core values
Each core value is elaborated, e.g. Support University mission: The Policy is designed to support the mission of the University, notably the creation and dissemination of new knowledge, by protecting the University’s resources, reputation, legal position, and ability to conduct its operations. It is intended to facilitate activities that are important to the University.
2.1 Organization and Governance
In order to promote the security mandate of the university, (fill in some governing body) shall:
1. Oversee risk management and compliance programs pertaining to information security such as Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, and PCI.
2. Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
3. Strive to protect the interests of all stakeholders dependent on information security.
4. Review information security policies regarding strategic partners and other third parties.
5. Strive to ensure business continuity.
6. Review provisions for internal and external audits of the information security program.
7. Collaborate with management to specify the information security metrics to be reported to the board.
Notes: These points taken from www.educause.edu/ir/library/word/SWR0514.doc
2.1.1 Information Security coordination. In order to promote the security mandate of the university, management shall:
1. Establish information security management policies and controls and monitor compliance.
2. Assign information security roles, responsibilities, required skills, and enforce role-based information access privileges.
3. Assess information risks, establish risk thresholds and actively manage risk mitigation.
4. Ensure implementation of information security requirements for strategic partners and other third parties.
5. Identify and classify information assets.
6. Implement and test business continuity plans.
7. Approve information systems architecture during acquisition, development, operations, and maintenance.
8. Protect the physical environment.
9. Ensure internal and external audits of the information security program with timely follow-up.
10. Collaborate with security staff to specify the information security metrics to be reported to management.
Notes: These points taken from www.educause.edu/ir/library/word/SWR0514.doc
2.1.2 Roles and Responsibilities
Chief Information Security Officer (CISO)
Chief Information Officer (CIO)
Chief Security Officer
Information Security Officer
Information Privacy Officer
Auditor
Office of Counsel
Data Stewards
2.1.2 Roles and Responsibilities
Chief Information Security Officer (CISO)
• Responsibility for the design, implementation, and management of the university's Information Security Program.
• Promotes a strategic vision for information security, oversees information security policy development and compliance, provides direction on user awareness and education programming, manages large-scale projects and initiatives as needed, and advises senior management on the risks to university information in the context of regulatory, legal, audit, contractual, and other applicable requirements.
• Provides direction to security policy.
• The CISO role does not usually include …
2.1.2 Roles and Responsibilities
Chief Security Officer
• Coordinates (or oversees) all security programs and staff for the entire organization.
• Includes physical security and almost always includes information security.
• Some recent security programs have been made part of a broader risk management program and could include business continuity as well.
Notes are included
Policy: Office of Counsel – Responsible to offer legal advice to the University. Some counsels manage risk compliance and also security policy.
Notes: Many policy experts recommend that the Office of Counsel not have final authority on what policy is adopted. This is because the goal of good policy may not be coincident with policy that avoids the fewest legal actions.
Resources
Information Security Governance Self Assessment Tool for Higher Education, items 4.9 - 4.34
http://www.educause.edu/ir/library/pdf/SEC0421.pdf
• http://www.educause.edu/ir/library/pdf/CSD3661.pdf
• Corporate Information Security Working Group (CISWG)
• Report of the Best Practices and Metrics Teams
• Subcommittee on Policy, Information Technology, Intergovernmental Relations and the Census
• Government Reform Committee, United States House of Representatives
• “Sources for Developing Information Security Policies” in Appendix D
“Establish Information Security Management Policies and Controls and Monitor Compliance” is on page 16 of the CISWG document above
Drill Down on Security Plan
Two resources
Draft Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems (http://csrc.nist.gov/publications/nistpubs/index.html)
Georgia State University http://www.educause.edu/LibraryDetailPage/666?ID=CSD4889
Features of the Georgia State Plan
Security Policy Models Part V: Conclusion
Part V
Future Directions of the Committee
Questions and Answers
Questionnaire
Future Directions of the Committee
Leverage industry progress on these topics.
Incorporate recently published standards
Prioritize next policy topics as focus
Standards, procedures, and guidelines
Enlist contributions to the Wiki