IT Security and Policy Issues Mark Bruhn University IT Policy Officer Office of the Vice President for Information Technology Indiana University.

Security Issues
Distributed servers, data, authentication, authority.
Wireless, mobile computing.
Library authentication.
Administrative systems reengineering.
Probes.
Viruses.
To firewall or not to firewall.
Intrusion detection.
Desktop power.
“System Administrator” fuzzy.
Technician training.
“Dictating” standards into departments.
Security Officer (or lack thereof).
Security staff (or lack thereof).

Data Distribution/Server Proliferation
At our institutions, thousands of users in departments have formal authorization to extract confidential information from central databases. At large institutions, there are tens of thousands of computers that are configured to provide access to files and programs. Servers are being managed by a wide variety of individuals, from poorly trained undergraduates (“out of high school all day”) to veteran professional administrators. Servers are being maintained in a wide variety of facilities, from small dedicated machine rooms to beneath a staff member’s desk.

Wireless/Mobile Computing
Laptop stations.
Wireless zones.
Current capabilities not scalable: e.g., “CSG” for 40 people may work, but not for
Is a big VLAN enough? A bunch of VLANs?
Unauthenticated accesses remain a problem.
To VPN or not to VPN (yes, at IU).

Library Authentication (or not)
Differing opinions about what level of service our libraries must provide to the community.
That doesn’t matter: permitting access to the public does not mean without authentication.
University Counsel now concerned about this.
Temporary credentials.

Admin System Reengineering Peoplesoft.

Reported Probes Against All IU Systems

Viruses

General Technology Misuse Incidents

Intrusions Into IU Systems

Security Organization
Security Officers must be:
–Technically savvy, with broad technical knowledge.
–Able to cultivate trustworthy technical contacts.
–Diplomats.
–Negotiators.
–Translators.
–Able to talk others into accepting responsibility when appropriate.
–Able to relinquish responsibility when appropriate.
–Reasonable when risk is low.
–Hardcases when risk is high.

Organizational Issues
Issues related to conflict of interest dictate that Security Officers report to the CIO.
Issues related to conflict of interest and consistency of approach dictate that dedicated security staff report to the Security Officer.
Security Officers must have the visible support of the CIO.
Security Officers can be more technical and less schmoozy if there is also a Policy Officer.
Security Officers/staff should not be seen as the “police”. Security offices should be a resource for technicians. They should be helpful and interactions should be non-contentious.
The “police” role should be reserved for an Internal Audit function or for the IT Policy Officer…

Responsibilities
Service managers and technicians must retain primary responsibility for security of systems.
Data “owners” or “stewards” must retain responsibility for security of data.
Security Officers are responsible for adequately translating technical vulnerabilities to risk factors for data owners.
Security Officers provide security toolkits and specialized knowledge in risk assessment.
CIOs must be interested, and must have a sense of the overall security climate of their campus. (“Sleeplessness factor”).

Mark Bruhn Policy Officer Contracts & Agreements Officer Jason Abels Summer Ulrich Alix Sebesta Incident Response Coordinator Technical Investigators University Information Technology Policy Office Linda McNabb (Admin Asst) Stacie Wiegand Data Administrator Info Mgt Officer Tammy Grubb Rose Ann Hasty Melissa Silvers Barbara Hanes IUPUI Accts Coord Chris Conklin IUB Accts Coord Tom Davis Security Officer Michael McRobbie VP/CIO Information Technology Security Office Allan Strieb Sasha Haywood Terry Crowe (UIS) Milan Tasic (UIS) Laura Klein Andrew Korty Ben Boruff Marge Abels* Frank Nevers Sean Krulewitch Marge Abels Disaster Recovery Program Manager Recovery Planning Team Global Directory Services

IU IT Policy Office
Scope is all campuses and all departments.
IT policy development, dissemination, education, and interpretation (coordinating with many University offices and groups).
Electronic information policy development and education (in conjunction with data management committees).
Coordinating response to incidents of abuse or misuse of information technology.
Coordinating response or advising departments engaged in response to incidents of abuse or inappropriate use of electronic information.
Global Directory Services: identification, authentication, authorization, and enterprise directories.
Handles all non-security incidents, so the SO doesn’t have to.

IU IT Security Office
Scope is all campuses and all departments.
IT security awareness and education.
IT security guidelines and standards.
Security consulting and review.
Maintain production services in support of policy and security operations (Kerberos, etc.).
Investigate and document IT security incidents.
Six security engineers/analysts located at IUB and IUPUI.
Staff knowledgeable in a wide range of technologies (Unix, Windows, MVS, Networks, Encryption, etc.).

Services - Security Awareness and Education
General education and/or presentations on common security issues.
Comprehensive resource for information on security alerts, bulletins, and patches.

Services - Security Guidelines and Standards
Function dedicated to developing and maintaining consistent security standards.
Comprehensive resource for security information, resources, etc.
Resource for security related software.

Services - Security Consulting and Review
Assistance in reviewing specific situations and analyzing exposures.
–Technical architecture diagram required.
–Data flow diagram beneficial.
Requires departments and technicians to have a better understanding of their environment.

Services - Production Services
Security scanning in support of system administrators and audit activities.
Central Kerberos authentication servers.
Central SafeWord token authentication servers.

Services - IT Security Incidents
Assistance in coordinating appropriate technical investigation of security breaches.
Assistance in packaging technical security information for IU governance agencies, IU legal counsel, law enforcement, prosecutors, university administration, etc.
Common and consistent incident response.

Top 10 Security Mistakes (Tom Davis, IU ITSO)
1. Installing unnecessary programs and services.
2. Not keeping current on software patches, especially security related ones.
3. Not installing anti-virus software and keeping its virus patterns current.
4. Opening attachments from unknown people.
5. Bringing up lab (test) machines and forgetting about them.

Top 10 Security Mistakes (continued)
6. Lack of adequate training to administer the system.
7. Inadequate handling of sensitive data (gathering more than what they need, keying files off of SSN, etc.).
8. Not deploying encryption where available.
9. Propagating virus hoaxes and chain mail.
10. Sharing passwords.
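Mistake 7 above (collecting more than is needed and keying files off of SSN) is the one on this list that departmental developers can fix in code. The following is an added illustration, not code from the presentation or from IU: it contrasts a store keyed by SSN with one keyed by a random surrogate id that keeps only the fields the task needs and finds a person's record through an HMAC index, so the raw SSN is never the key. The intake rows, field list and index key are constructed for the example.

```python
"""Data-minimization example (added illustration; not from the presentation)."""
import hashlib
import hmac
import secrets
import uuid

# Constructed sample intake: what a department might gather for a parking permit.
RAW_INTAKE = [
    {"ssn": "123-45-6789", "name": "A. Student", "plate": "ABC123",
     "dob": "1999-01-02", "salary": 0},
    {"ssn": "987-65-4321", "name": "B. Staff", "plate": "XYZ789",
     "dob": "1970-05-06", "salary": 50000},
]

# Fields the permit process actually needs; everything else is not retained.
NEEDED_FIELDS = ("name", "plate")


def weak_store(rows):
    """The 'before' shape from the slide: SSN is the key, every field is kept."""
    return {r["ssn"]: dict(r) for r in rows}


class MinimizedStore:
    """Records keyed by surrogate id; SSN reachable only via a keyed-hash index."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret held apart from the data file
        self.records = {}             # surrogate id -> minimized record
        self._ssn_index = {}          # HMAC(ssn) -> surrogate id

    def _tag(self, ssn: str) -> str:
        digits = ssn.replace("-", "")  # normalize so "123456789" matches too
        return hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()

    def add(self, row):
        sid = str(uuid.uuid4())
        self.records[sid] = {k: row[k] for k in NEEDED_FIELDS}
        self._ssn_index[self._tag(row["ssn"])] = sid
        return sid

    def lookup_by_ssn(self, ssn: str):
        sid = self._ssn_index.get(self._tag(ssn))
        return self.records.get(sid) if sid else None


def build_minimized(rows, index_key=None):
    """Load intake rows into a MinimizedStore (fresh random index key by default)."""
    store = MinimizedStore(index_key or secrets.token_bytes(32))
    for r in rows:
        store.add(r)
    return store
```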

Trustees Resolution
RESOLUTION
WHEREAS, the advent of the Internet has significantly transformed the manner in which information is stored on interconnected servers throughout the world; and
WHEREAS, the Internet is an information technology environment in which it is possible to have inadvertent or intentional unauthorized access to Internet sites and related servers; and
WHEREAS, successful intrusions into Internet sites and servers can lead to the disclosure of sensitive personal and institutional information; and
WHEREAS, it is critical that Indiana University protect its institutional information and information technology infrastructure so as to reduce the possibility of unauthorized access to servers holding sensitive information or running mission-critical applications.
NOW THEREFORE BE IT RESOLVED that the Trustees direct the Office of the Vice President for Information Technology and CIO to develop and implement policies necessary to minimize the possibility of unauthorized access to Indiana University's information technology infrastructure regardless of the Indiana University office involved; and
BE IT FURTHER RESOLVED that the Trustees direct the Office of the Vice President for Information Technology and CIO, which may draw upon the experience and expertise and resources of other University offices (including the Office of Internal Audit), to assume leadership, responsibility, and control of responses to unauthorized access to Indiana University's information technology infrastructure, unauthorized disclosure of electronic information and computer security breaches regardless of the Indiana University office involved.
(Passed by the Indiana University Board of Trustees, 4 May, 2001)