October 16, Network Planning Task Force Information Security Strategy

2 NPTF FY ’07 Members ■ Mary Alice Annecharico/Rod MacNeil, SOM ■ Robin Beck, ISC ■ Chris Bradie/Dave Carrol, Business Services ■ Cathy DiBonaventura, School of Design ■ Geoff Filinuk, ISC ■ John Keane/ Grover McKenzie, Library ■ John Irwin, GSE ■ Marilyn Jost, ISC ■ Deke Kassabian /Melissa Muth, ISC ■ Doug Berger/ Manuel Pena, Housing and Conference Services ■ Mike Weaver, Budget Mgmt. Analysis ■ Dominic Pasqualino, OAC ■ James Kaylor, CCEB ■ Helen Anderson, SEAS ■ Kayann McDonnell, Law ■ Donna Milici, Nursing ■ Dave Millar, ISC ■ Michael Palladino, ISC (Chair) ■ Jeff Fahnoe, Dental ■ Mary Spada, VPUL ■ Marilyn Spicer, College Houses ■ Steve Stines / Joseph Shannon, Div. of Finance ■ Ira Winston, SEAS, SAS, School of Design ■ Mark Aseltine/ Mike Lazenka, ISC ■ Ken McCardle, Vet School ■ Brian Doherty, SAS ■ Richard Cardona, Annenberg ■ Deirdre Woods/Bob Zarazowski, Wharton

3 Meeting Schedule – FY ‘07 ■ Meetings 1:30-3:00pm, 3401 Walnut Street ■ Fall Meetings / Process ■ Intake and Current Status Review – August 21 ■ Agenda Setting & Focus Group Planning – September 18 ■ Strategy Discussions – October 2 ■ Security Strategy Discussions – October 16 (357A) ■ Strategy Discussions – October 30 ■ Prioritization – November 6 ■ Focus Group Feedback – November 20 ■ Rate Setting – December 04

4 Security Feedback from 8/21 ■ Review of what we are currently doing and where we are going and policy impact on LSPs. ■ Review of each step and our response/procedures including prevention, detection, escalation, impact of incidents and forensics. ■ Connecting the appropriate people – having a local security provider and a privacy security liaison. ■ A need for low probability / high catastrophe case studies with a playbook type response. (Business continuity type tabletop exercises) Brown bag lunch? ■ Encryption ■ Scan and Block

5 Other security concerns or priorities?

6 FY07 Information Security Initiatives ■ Achieve Full Payment Card Industry Standards Compliance ■ Scan and Block available for implementation in 5 or more University areas. ■ SPIA ■ Complete Early Adopters project ■ Implement Risk Management and Reporting ■ Pilot Campus Authorization Service ■ Evaluate Security Incident Tracking and Management ■ LSP Security Certification ■ 2007 SANS Windows Security Class

7 Possible Policy Directions Jul 1, 2007■ Scanned monthly ■ Password cracking twice/year ■ Accounts disabled when employees leave ■ Physically secure ■ Management overseen by full time IT ■ professional Jul 1, 2008■ Mandatory backup and recovery for ■ Operational Data ■ Firewall (or comparable) for confidential data Jul 1, 2009■ Intrusion detection for confidential data ■ Schools/Centers must identify Personal Computing Devices that pose a significant threat and employ encryption and personal firewall

8 Encryption ■ Pros ■ Encrypting disks or file systems are now widely available within operating systems of all supported platforms. ■ Offers considerable protection from some of our most likely threats: theft of portable computing devices, if used in conjunction with other methods. ■ Cons ■ Associated support cost and limited pilot experience ■ Risk of total loss of data requires backup of encrypting keys. ■ Will require additional spending on storage. ■ Not widely available as standard option in common PDAs.

9 Personal Computing Device Security ■Scope: Laptops, PDAs, Blackberries, Treos, USB storage, iPods, etc. ■Background/Issues ■Specifically included in “risk assessment” section of proposed critical host policy. ■PDAs not as mature a market as desktops/laptops w/r/t security. Solutions are many and varied. No silver bullets -- lots of point solutions for many and varied devices. Sometimes security can be achieved with configuration changes, but sometimes requires 3rd party products. ■Personal ownership and shared family use at home complicates matters.

10 Possible Personal Computing Device Security Strategy ■ Short-term ■ Require basic protections such as encryption, strong passwords, anti-virus (where available) and best practice configuration. ■ Long-term ■ Preference to keep confidential data off of personal computing devices. ■ Otherwise, waiver required with compensating controls. ■ Provide secure remote access to secure, decentralized servers ■ May require broad use of virtual private networks or comparable feature. ■ Standards apply irrespective of ownership ■ Devices are for exclusive use of employee

11 Possible Plans FY07FY08FY09Beyond ■ Create documentation for recommended security configurations for most common devices ■ Evaluate 3rd party mobile data security tools and services. ■ Develop a secure remote access strategy. ■ Develop a strategy for protecting mobile devices, poss. to include key recovery ■ Pilot a central file service (e.g. WebDav). ■ Pilot mobile data security tools as appropriate ■ Design and implement secure remote access pilot. ■ Develop decentralized IDS strategy. ■ In policy, require encryption of confidential data. ■ Roll out WebDav, secure remote access, mobile security tools as approp. ■ Design and pilot decentralized IDS. ■ In policy, forbid confidential data on portable devices without a waiver. ■ Universal access control: authentication, scan and block ■ Perimeter firewall