Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.

Slides:



Advertisements
Similar presentations
1 Capability Set - Bullet. 2 Common Community Problems Too Much Information –Institutions have to SPAM their faculty and students –Too many online sources.
Advertisements

When will the helicopters end? Giving Parents Access Case Study The University of Arkansas and Southern Methodist University M3.3 February 4, 2013.
Family Educational Rights and Privacy Act (FERPA) Basics For Faculty and Staff.
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
The Office of Information Technology Network Access Control (NAC) Anthony Espinoza Information Security Officer UTSA Office of Information Security.
FERPA: UPDATE ON THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT Presented by Brenda V. S. Selman University Registrar-MU University of Missouri-Columbia.
University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
Christina Gilleland Jonathan Carrasco Sam Peterson Thomas McIntyre.
FERPA Refresher Training Start. Page 2 of 11 Copyright © 2006 Arizona Board of Regents FERPA Refresher Training What is FERPA FERPA stands for Family.
1 Office of the General Counsel FERPA  Family Educational Rights and Privacy Act (20 U.S.C § 1232g)
Family Educational Rights and Privacy Act Training for Employees Rooker, Leroy and Falkner, Tina. AACRAO 2012 FERPA Guide FERPA.
Data Ownership Responsibilities & Procedures
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
Federations in Texas Barry Ribbeck University of Texas Health Science Center at Houston.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Information Security Policies Larry Conrad September 29, 2009.
Identity Management: Some Basics Mark Crase, California State University Office of the Chancellor CENIC - March 9, 2011.
FERPA 2008 New regulations enact updates from over a decade of interpretations.
NHPRC ELECTRONIC RECORDS RESEARCH FELLOWSHIP SYMPOSIUM Nov. 19, 2004 Rebecca Schulte University of Kansas Project Title: Testing Boundaries—An Exploration.
The Family Educational Rights and Privacy Act (FERPA) The Importance of Protecting Student Records This session will help you better understand the law.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
1 Tuesday, August 16, 2005 W E B C A S T August 16, 2005 Policy Development Theory & Practice: An Emphasis on IT Pat Spellacy Director of Policy & Process.
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
1 EDUCAUSE Midwest Regional Conference Top Strategies for Working with Stakeholders: Synopses of Recommendations from the Identity Management Summit Mark.
Digital Identity Management Strategy, Policies and Architecture Kent Percival A presentation to the Information Services Committee.
Unified Student-Centric Authentication and Authorization Nathan Wilder Special Assistant - Technology Office of the CIO.
Get Started With Marketing!. Marketing on Your Mind?  This presentation will include: Info for New and Experienced Users Ideas for marketing to Students.
Feide is a identity management system on a national level for the educational sector in Norway. Federated Electronic Identity for Norwegian Education Tromsø,
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
Goose Creek CISD Special Education Confidentiality for Clerks.
Australian Access Federation Robert Hazeltine Identity and Access Management Enterprise Systems Office.
Office of Information Technology Balancing Technology and Privacy – the Directory Conundrum January 2007 Copyright Barbara Hope and Lori Kasamatsu 2007.
Directory Services at UMass  Directory Services Overview  Some common definitions  What can a directory do or not do?  User Needs Assessment  What.
Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.
Federated or Not: Secure Identity Management Janemarie Duh Identity Management Systems Architect Chair, Security Working Group ITS, Lafayette College.
FERPA 101 Student Records: Institutional Responsibility and Student Rights What Every University Employee Should Know Prepared by the Office of Academic.
Unlocking the door: The new Ellingsburg University Web Portal Seattle University Kristen Campbell, Julie Larsen, & Nancy Padgett.
PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, WITH THANKS TO.
FERPA: What you Need to Know The Family Educational Rights and Privacy Act & SEI.
Shibboleth as Attribute Delivery for Authorization Renee Shuey Penn State University June 27, 2006.
Instructional & Information Technology Services Fall, Activities and Updates Teresa Macklin Information Security Officer Information Security.
Federations 101 John Krienke Internet2 Fall 2006 Internet2 Member Meeting.
Outsourcing Student at USC Institute for Computer Policy and Law Cornell University, August 2008 Asbed Bedrossian Director of Enterprise Applications.
1 Protection and Security: Shibboleth. 2 Outline What is the problem Shibboleth is trying to solve? What are the key concepts? How does the Shibboleth.
University and IT Policies: Match or Mis-match? Marilu Goodyear, Vice Provost for Information Services and CIO Jenny Mehmedovic, Coordinator of IT Policy.
IT Security Policies and Campus Networks The dilemma of translating good security policies to practical campus networking Sara McAneney IT Security Officer.
University of Washington Collaboration: Identity and Access Management Lori Stevens University of Washington October 2007.
Educause Live! August 3, USA PATRIOT Act and Beyond: How Higher Education Institutions and Libraries are Cooperating and Coping Marilu Goodyear CIO.
2003 © SWITCH Authentication and Authorisation Infrastructure - AAI Christoph Graf Project Leader AAI SWITCH.
Identity Management, Federating Identities, and Federations November 21, 2006 Kevin Morooney Jeff Kuhns Renee Shuey.
The Evolving Scholarly Record in the Campus Context Sarah M. Pritchard March 23, 2015.
1 Identities and Federation: The Next IT Wave (The Canadian Access Federation) Rick Bunt President The Canadian University Council of CIOs (CUCCIO)
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.
Windows Active Directory – What is it? Definition - Active Directory is a centralized and standardized system that automates network management of user.
Data Breach ALICAP, the District Insurance Provider, is Now Offering Data Breach Coverage as Part of Our Blanket Coverage Package 1.
Student Data Transparency and Security Act: What You Need to Know
Stop Those Prying Eyes Getting to Your Data
Federated Identity Management at Virginia Tech
John O’Keefe Director of Academic Technology & Network Services
Information Security Seminar
FERPA HEA Privacy Act: Protecting Students Data
ESA Single Sign On (SSO) and Federated Identity Management
Spencer County Public Schools Responsible Use Policy for Technology and Related Devices Spencer County Public Schools has access to and use of the Internet.
Virtual Private Network
PASSHE InCommon & Federated Identity Workshop
Shibboleth as Attribute Delivery for Authorization
Colorado “Protections For Consumer Data Privacy” Law
Presentation transcript:

Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas

Goals for the Security Policy? Protection of the network Physical assets Physical assets Network functionality/reliability Network functionality/reliability Protect Institutional Data Protect Institutional Systems

What is the Security Domain? The people, data, systems, and devices that must comply with your security policy, i.e. The scope statement of your security policy.

The Complexity of the Campus Environment Campuses are more than faculty, staff and students Other organizations: institutes, affiliates Other organizations: institutes, affiliates Related individuals to campus players: parents, etc. Related individuals to campus players: parents, etc. Network is complex Where does your network begin and end? Where does your network begin and end? Where are the boundaries?

Security Domain and People Identity Management Identity Management Defines the people who are a part of your institution (Identification and Authentication) Defines the people who are a part of your institution (Identification and Authentication) Authorizes access to systems on campus Authorizes access to systems on campus Passes credentials to other trusted institutions and systems (Shibboleth) Passes credentials to other trusted institutions and systems (Shibboleth) Security Domain Larger than Identity Management since people are only one element of the domain Larger than Identity Management since people are only one element of the domain

The Security Domain is Not just the campus network Not just the campus administrative structure Not just campus data Not just campus people But is a combination of all

Elements of Determining Who and What is in the Security Domain Why? and Who? What?How? Whom to grant access? Why are you granting them access? Data Open Open Restricted RestrictedSystems Open Open Restricted Restricted How do they get access (telecom path)?

Why? and Who? Individuals authorized as a member of your community Employees (when acting within scope of employment) Employees (when acting within scope of employment) Students Students Affiliates Affiliates Visitors Visitors Means of authorization Campus online ID/PKI/Biometric Campus online ID/PKI/Biometric Trusted Visitor authorization Trusted Visitor authorization No authorization (open/public wired or wireless access) No authorization (open/public wired or wireless access)

The Security Domain and Policies In addition to the Security Policy your organization has other policies that include “scope statements” (i.e. who the policy applies to) that relate to the security domain

Policies that Relate to Who Gets Access to Your Systems EmployeesStudentsAffiliatesVisitors

What? Data Freely available university data Web site data (examples) Basic institutional info Basic institutional info Research reports Research reports Press releases Press releases Restricted or confidential data Federal law confidential (examples) HIPPA HIPPA FERPA FERPA University policy restricted (examples) account content account content University policy sensitive (examples) Financial data Financial data

What? Systems Public systems Web pages Web pages Library and Museum Catalogs Library and Museum Catalogs Institutional repositories Institutional repositorieswww.kuscholarworks.ku.edu Institution systems Administrative Systems Administrative Systems Financial, Student Information, Human Resources, Parking, etc. Academic Systems Academic Systems Course management, library integrated systems, Research Systems Research Systems

Data and Systems Policies University Data and Records Policies Policies that relate to legally defined confidential data (e.g. HIPPA, GLB, etc.) Policies that relate to access to confidential data Authorization policies and procedures as they relate to defining access to campus systems (the why of the who)

Public and Private Networks Federal law provides definitions for public and private networks Our institutional networks are generally considered to be private networks Public networks or common carriers generally Charge a fee to their users Charge a fee to their users Are considered “public” networks because they provide(mostly sell) services to any individual Are considered “public” networks because they provide(mostly sell) services to any individual

The Campus Network as a Private Network It is important to higher education institutions that our networks be defined as private networks in relation to federal law. This allows us to manage the network and the privacy of the users and data. As federal government requires more of network operators, it is important that we know and understand the boundaries of our networks, i.e. What exactly are we responsible for?

What are the network boundaries? Institutional Network Institutionally infrastructure owned and run by Institution, either by Institutionally infrastructure owned and run by Institution, either by Central IT Departmental Unit Cluster of Units in Buildings Institutionally owned but run by other entity (outsourced) Institutionally owned but run by other entity (outsourced) Corporation owned infrastructure either: Corporation owned infrastructure either: managed by the institution managed by the private entity In this case contract language would be important in delineating responsibility Public Network Member of the University has an individual account on a network owned and managed by a corporate entity (i.e. faculty members home account on local cable provider system) Member of the University has an individual account on a network owned and managed by a corporate entity (i.e. faculty members home account on local cable provider system)

Network Policies and the Security Domain Institutional Network Policy Domain sometimes is limited to centrally managed network Domain sometimes is limited to centrally managed network Domain should include networks run by departments Domain should include networks run by departments A good Network Policy should define the network boundary which in turn affects the definition of the security domain

Inside or Outside of the Security Domain ? When will a security breach affect the institution in some way? A function of three questions: Who? Who? What? What?DataSystems How? How?

Example #1 Employee of institution is at their private residence on a local cable network searching the institution library catalog Are they in the Security Domain? Who? Yes (employee) Who? Yes (employee) What? No (public system and data) What? No (public system and data) How? No (private network) How? No (private network)NO

Example #2 A student is in their private apartment on a cable network accessing their grades through the portal and student information system Are they in the Security Domain? Who? Yes (student) Who? Yes (student) What? Yes (Confidential data and private system) What? Yes (Confidential data and private system) How? No (private network) How? No (private network)Yes

Example #3 A affiliated corporation employee is in their office on the institution owned and run network searching the CNN Web site Are they in the Security Domain? Who? Yes (affiliate employee) Who? Yes (affiliate employee) What? No (assessing public system and data) What? No (assessing public system and data) How? Yes (institution network) How? Yes (institution network)Yes

Example #4 Institutional employee at an off campus location on a cable network is searching the Student Information System for information about a student Are they in the Security Domain? Who? Yes (employee) Who? Yes (employee) What? Yes (confidential data and private system) What? Yes (confidential data and private system) How? No (private network) How? No (private network)Yes

Example #5 Institutional employee at an off campus location on a cable network is searching the institution web site for information on an academic program Are they in the Security Domain? Who? Yes (employee) Who? Yes (employee) What? No (public data and system) What? No (public data and system) How? No (private network) How? No (private network) Yes or No

Example #6 University IT employee at an EDUCAUSE Security Conference in Denver through the EDUCAUSEAir Wireless service reading an about an employee discipline problem. Are they in the Security Domain? Who? Yes (employee) Who? Yes (employee) What? Yes (confidential data and institutional system) What? Yes (confidential data and institutional system) How? No (EDUCAUSE and hotel network) or Yes (if on VPN) How? No (EDUCAUSE and hotel network) or Yes (if on VPN)Yes

Most of the time you are in the Security Domain, if If you are on the (or an) institutional network If you are accessing confidential data or systems, Unless data as moved beyond the institution Unless data as moved beyond the institution If you are acting in your role as a university employee or student employee But not if you are a student

Thinking about Control and Responsibility When do we want control? When behavior can affect us we need sanctions When behavior can affect us we need sanctions Who do we want to be responsible for? As few people as possible As few people as possible Particularly interested in NOT being responsible for students. Particularly interested in NOT being responsible for students. If inside the security domain the institution is affected by the behavior and maybe responsible for the behavior.

Conclusion Defining a Security Domain for your institution is a critical step in implementing your Security Policy and the scope of other policies Boundaries can be fuzzy, but need definition so that accountability is as clear as it can be.

Questions?

Marilu Goodyear John Louis University of Kansas

KU Network Definitions The University network begins at the point where an end-user device (located on University-owned or leased property, or on KU Endowment property utilized by the University’s Lawrence or Edwards campuses) gains access to this infrastructure and ends at the point where the University network attaches to external non-KU networks. End-user devices that indirectly connect via a third-party telecommunications provider (a connection made to the KU network via a home broadband or dial up connection for example) are not considered part of the University network.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.