INFORMATION ASSURANCE POLICY

Information Assurance
Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

Information Assurance Objectives
● Confidentiality - assurance that information is not disclosed to unauthorized persons, processes, or devices
● Availability - timely, reliable access to data and information services for authorized users
● Integrity - protection against unauthorized modification or destruction of information
● Authentication - security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information
● Non-repudiation - assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data
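The distinction between authentication and non-repudiation above is easy to blur in practice, so here is an added example (not part of the IUP slides) that checks each mechanism against the objectives. A shared-key HMAC gives two parties integrity and authentication, but because the recipient holds the same key it could have produced the tag itself, so it gives no non-repudiation. A digital signature binds the message to a private key only the sender holds, so the sender cannot later deny it. The code is standard-library Python; the key, the messages, and the RSA parameters (textbook RSA on two Mersenne primes, no padding) are constructed for the demonstration and are not usable cryptography.

```python
"""Added example (not from the IUP slides): which IA objectives a shared-key
MAC delivers versus a digital signature. Standard library only. The RSA is a
textbook toy on two Mersenne primes so it runs offline; it is not usable
crypto (no padding, small modulus). Keys and messages here are constructed."""
import hashlib
import hmac

# --- Integrity + authentication with a shared secret (HMAC-SHA256) --------

def mac_tag(key: bytes, message: bytes) -> bytes:
    """Tag a message so any party holding `key` can check it was not altered."""
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time compare; a modified message or tag fails."""
    return hmac.compare_digest(mac_tag(key, message), tag)

# --- Non-repudiation with a textbook RSA signature (toy parameters) ------
# Constructed toy key: p = 2**61 - 1 and q = 2**31 - 1 (both Mersenne primes).
TOY_P, TOY_Q, TOY_E = (1 << 61) - 1, (1 << 31) - 1, 65537
TOY_N = TOY_P * TOY_Q
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))  # private exponent

def _digest_mod_n(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % TOY_N

def sign(message: bytes, d: int = TOY_D, n: int = TOY_N) -> int:
    """Only the holder of the private exponent d can produce this value."""
    return pow(_digest_mod_n(message), d, n)

def verify(message: bytes, signature: int, e: int = TOY_E, n: int = TOY_N) -> bool:
    """Anyone holding the public (e, n) can check; no secret is needed."""
    return pow(signature, e, n) == _digest_mod_n(message)

def demo() -> dict:
    """Run both mechanisms against a constructed message and a tampered copy."""
    key = b"constructed-shared-secret"
    msg = b"transcript request: student 1001, release to employer"
    tampered = msg.replace(b"1001", b"1002")

    tag = mac_tag(key, msg)
    # HMAC: integrity and authentication hold between the two key holders...
    mac_ok = mac_verify(key, msg, tag)
    mac_detects_tamper = not mac_verify(key, tampered, tag)
    # ...but the recipient holds the same key and can mint a valid tag for any
    # message, so a third party cannot tell who produced it: no non-repudiation.
    recipient_can_forge = mac_verify(key, tampered, mac_tag(key, tampered))

    sig = sign(msg)
    sig_ok = verify(msg, sig)
    sig_detects_tamper = not verify(tampered, sig)
    # A verifier knows only (e, n); applying the public exponent to a digest
    # does not yield a value that verifies, so it cannot forge the sender.
    attempt = pow(_digest_mod_n(tampered), TOY_E, TOY_N)
    verifier_can_forge = verify(tampered, attempt)

    return {
        "hmac": {"integrity_auth": mac_ok and mac_detects_tamper,
                 "non_repudiation": not recipient_can_forge},
        "signature": {"integrity_auth": sig_ok and sig_detects_tamper,
                      "non_repudiation": not verifier_can_forge},
    }

if __name__ == "__main__":
    print(demo())
```

Running it reports integrity and authentication for both mechanisms but non-repudiation only for the signature; in a policy, that is the difference between a control that lets two departments trust each other's messages and one that lets a third party (an auditor, a court) attribute a message to its originator.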

U.S. National IT Security Strategy
The National Strategy to Secure Cyberspace, February

Reasons for Not Being Concerned with Security Policy
● "Data doesn't need protecting because it isn't sensitive"
● "Risk must be accepted as a part of doing business"
● Technical personnel would rather work with the technical system than perform the mundane tasks associated with policy
● Security impedes productivity (it reduces efficiency and costs time and money)
● Policy is a measure to control behavior
● Policy will be difficult to adhere to all the time

Reasons for Establishing Security Policy
● Provides a comprehensive, integrated plan
● Defines appropriate behavior for all consumers/managers of the system
● Defines the tools and procedures needed to meet the determined security requirements
● Communicates a consensus of what should be done
● Provides authority for response to inappropriate behavior

INDIANA UNIVERSITY OF PENNSYLVANIA INFORMATION PROTECTION POLICY December 1, 2005 Approved for implementation by Dr. Tony Atwater and President’s Cabinet October 31, 2005

IUP POLICIES (from ATS Homepage)
ATS also provides guidelines on:
● IUP Computer Account Retention Policy
● Student Computing Rights
● Student Computing Responsibilities
● Guidelines for the IUP Computing Lab Facilities
● Computing Resources Policy
● Computer Software Policy
● Privacy Policy
IUP Policy Pages:
● New Information Protection Policy
● IUP Use of Policy
● Academic Affairs Policies
● Student Affairs Policies
● The Source: Student Handbook
● Technology Services Center Policies

HIERARCHICAL POLICY MODEL
VALUES + INTERESTS → GOALS OR OBJECTIVES (POLICY)
POLICY + VULNERABILITIES + THREATS + CAPABILITIES → STRATEGY

VALUES

INTERESTS

POLICY
It is the policy of IUP that all information be used in a manner that maintains an appropriate and relevant level of confidentiality and that provides sufficient assurance of its integrity in compliance with existing laws and PASSHE and University Policies. While the elimination of all risk is impossible, the goal of the policy is to minimize the possibility of information misuse, corruption, and loss through adoption of reasonable procedures for the University community to follow.

1st Step – Define Policy Makers
● Should represent all users (students/faculty/administrators)
● Decide the scope and goals of the policy
●● Who and what is covered?
●● How specific?
● Use vision statements from Academic, Administrative, and Library computing about what they would like to be able to do with the IT system to guide policy development

IUP IT Security Policy Chain of Responsibility
Information System Security Officer
Academic Computing Policy Advisory Committee & Academic Technology Operating Group
Administrative Computing Oversight Committee
College Deans
College Technology Managers
Technology Services Center

2nd Step – Document the IT System (Vulnerabilities & Capabilities)
● In order to protect the system, you have to know
●● What it is
●● What it does
●● What its weaknesses are
●● What potential threats to it exist
●● What has been or is being done to mitigate the risks to your data and system
● Provides institutional data about the system
● Documenting the controls in place, or the planned controls, identifies specifics about a system's security

Higher Ed vs Others
The requirement to protect data and data systems is present in today's world, and the security issues are the same. What differs is the "open" academic environment versus the requirement to protect data and data systems: paramount to faculty is that there be no barriers to the flow of information, either coming into or going out from the institution.

Higher Ed vs Others
Administrative Domain:
● Restricted access to financial data
● Restricted access to student/administrative data
● Restricted access to alumni data
● Restricted access to marketing data
Academic Domain:
● Access to instructional programs
● Remote access (students and faculty)
Commonalities (but may require different security requirements):
● Internet access
● Access to state and federal agencies

3rd Step – Assessments (Capabilities)
● Examine current policies
● Determine security requirements for all users based on
●● sensitivity and criticality of data processed/stored
●● relationship of the IT system to the organization's mission
●● economic value of the system's data and components
● Examine network infrastructure and operating system(s)
● Security requirements show developers, managers, and auditors what the system should be allowed to do or not do
● Define other security-related policies to fully implement the institution's IT security policy

4th Step – Develop Strategy
● Specify security controls to be implemented and maintained
● Define access between authorized users and the networking environment
● Define duties and authorization levels
● Define the chain of command responsibility for execution and authorization levels
●● Ensure personnel given responsibility have the authority to carry out their responsibilities
● Address data ownership, confidentiality, availability, integrity, authentication, & non-repudiation standards
● Define the system's transmission accuracy, integrity, and recoverability requirements to be met
● Specify a process for detection and reporting of errors
● Obtain the approval of the institution's administration

5th Step – Specific Issues All Institutions Should Address
● Physical Security
● Login Name Standards
● Password Standards
● Virus Protection
● Auditing
● Disaster Recovery/Contingency Planning
● Training

Conclusions
● Important to gather as many ideas or requirements from as many different types of users as possible
● Important to win the administration's support for the policy process and the resulting policy
● The policy documents
●● The system's basic security requirements
●● The controls in place
●● Planned controls
●● The responsibility of system users
●● Expected user behavior
● Strive for industry "best practices" security
● The resulting policy has to be implemented and enforceable to be effective
● Training
● The policy document is dynamic and must be kept current