The Impact of Evolving IT Security Concerns On Cornell Information Technology Policy.

General Context
– Cornell is not unique: it remains plagued by a growing spectrum of IT security concerns.
– In response, Cornell has:
  – Created a security program.
  – Begun developing a suite of university policies to strengthen Cornell's ability to address new security challenges effectively.

The Cornell IT Policy – Past, Present and Future

Policy Review: Responsible Use of Electronic Communications
– Became policy in 1995.
– "Cornell University expects all members of its community to use electronic communications in a responsible manner. The university may restrict the use of its computers and network systems for electronic communications, in response to complaints presenting evidence of violations of other university policies or codes, or state or federal laws."
– Parts of this policy are now reflected in new policy development; it will likely be refined to focus on issues of abuse only.

Policies Under Development: Reporting Electronic Security Incidents
– In draft (August 29th, 2003).
– Reason for policy: prompt and consistent reporting of electronic security incidents protects and preserves these resources by enabling expeditious action in the event of such an incident, and aids the university in compliance with applicable law.

Reporting Electronic Security Incidents - Procedures
– "If you suspect that an electronic security incident may have occurred or may be imminent, you are expected to take the actions detailed …"
– Contact your local support provider or the Cornell Network Operations Center.
– The local support provider is obligated to collect relevant information and report to the Security Office.
– The Security Office will open a problem report and has the authority to "perform any action necessary …"

Security Of Information Technology Resources
– Draft (August 29th, 2003).
– Reason for policy: the university must preserve its information technology resources, comply with applicable laws and regulations, comply with other university or unit policy regarding protection and preservation of data, and fulfill its missions. Toward these ends, faculty, staff, and students must share in the responsibility for the security of information technology devices.

Security Of Information Technology Resources (continued)
– Establishes the principle that every IT device connected to the Cornell network must have at least one individual managing the security of that device.
– Defines roles: Users, Local Support Providers, Security Liaison, Unit Heads, IT Security Director.

Security Of Information Technology Resources - Procedures: Users
– If there is no local support provider, the user is obligated to:
  – Secure the host (strong passwords, antivirus updates, etc.).
  – Allow access by the Security Office.
– If there is a local support provider, then:
  – Report all electronic security incidents to your local support provider immediately, as detailed in University Policy 5.4.2, Reporting Electronic Security Incidents.

Security Of Information Technology Resources - Procedures: Support Providers and Security Liaisons
– Support providers are obligated to:
  – Secure hosts under their control.
  – Report incidents and allow access.
– The Unit Security Liaison is obligated to:
  – Act as the unit point of contact with the IT Security Director.
  – Implement a security program consistent with the requirements of this policy …

Security Of Information Technology Resources - Procedures: Unit Head and IT Security Director
– Unit Head: obligated to appoint a Unit Security Liaison.
– IT Security Director: the university office with the authority to coordinate campus information technology security …

Network Registry
– Draft (November 4th, 2003).
– Reason for policy: to enhance the maintenance and security of the university network, and to alleviate potential legal liability, the university supports the creation of a central registry of devices connected to the university network.

Network Registry – Procedures
– All devices on the network must be registered in a central database.
– The record holds all applicable information for a given device, such as MAC address, IP, responsible party, location …
– Implied is the development of an online registration service.
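The registry the draft describes is essentially a table keyed by MAC address that names a responsible party for every host. The Python below is an added illustration written for this page, not Cornell's registration service or code from the presentation: it normalizes the various spellings a MAC address arrives in, stores the four fields the slide lists, and runs a constructed set of ARP observations against the registry to flag hosts nobody has registered, hosts seen at an IP other than the one on record, and the contact a support provider would notify for an incident. All devices, names, rooms and log lines are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def normalize_mac(mac: str) -> str:
    """Return a MAC address in canonical upper-case colon form.

    Accepts the spellings that turn up in practice ("00-0a-95-9d-68-16",
    "000a.959d.6816", "00:0A:95:9D:68:16") and raises ValueError unless the
    input contains exactly twelve hex digits, so a typo cannot register."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


@dataclass(frozen=True)
class Device:
    """One registry record: the fields the Network Registry draft names."""
    mac: str                # canonical form, see normalize_mac
    ip: str
    responsible_party: str  # the individual accountable for the host
    location: str


class Registry:
    """In-memory stand-in (an assumption of this example) for the central
    registry database; keyed by canonical MAC address."""

    def __init__(self) -> None:
        self._by_mac: Dict[str, Device] = {}

    def register(self, mac: str, ip: str, responsible_party: str, location: str) -> Device:
        dev = Device(normalize_mac(mac), ip, responsible_party, location)
        self._by_mac[dev.mac] = dev
        return dev

    def lookup(self, mac: str) -> Optional[Device]:
        return self._by_mac.get(normalize_mac(mac))


def parse_observations(text: str) -> List[Tuple[str, str]]:
    """Parse constructed 'timestamp arp <ip> <mac>' lines into (ip, canonical mac);
    lines that are not ARP observations are ignored."""
    seen: List[Tuple[str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "arp":
            continue
        seen.append((parts[2], normalize_mac(parts[3])))
    return seen


def find_unregistered(registry: Registry, observations: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Observed hosts with no registry entry: no responsible party is on record."""
    return [(ip, mac) for ip, mac in observations if registry.lookup(mac) is None]


def find_ip_mismatches(registry: Registry, observations: List[Tuple[str, str]]) -> List[Tuple[Device, str]]:
    """Registered hosts seen at an IP other than the one on record (stale data
    or address reuse); each is worth a follow-up with the responsible party."""
    out: List[Tuple[Device, str]] = []
    for ip, mac in observations:
        dev = registry.lookup(mac)
        if dev is not None and dev.ip != ip:
            out.append((dev, ip))
    return out


def incident_contact(registry: Registry, mac: str) -> str:
    """Whom a local support provider notifies for an incident on this host."""
    dev = registry.lookup(mac)
    if dev is None:
        return "unregistered device: escalate to the Security Office"
    return f"{dev.responsible_party} ({dev.location})"


# Constructed sample registry and observations (not real hosts or people).
SAMPLE_REGISTRY = Registry()
SAMPLE_REGISTRY.register("00-0a-95-9d-68-16", "10.0.7.21", "jdoe", "Building A, Room 101")
SAMPLE_REGISTRY.register("00:0A:95:9D:68:17", "10.0.7.30", "asmith", "Building A, Room 105")

SAMPLE_OBSERVATIONS = """\
2003-11-04T09:12:01 arp 10.0.7.21 00:0a:95:9d:68:16
2003-11-04T09:12:01 arp 10.0.7.22 00-0A-95-9D-68-17
2003-11-04T09:12:02 arp 10.0.7.23 0000.5e00.5301
2003-11-04T09:12:02 dhcp lease-renewal 10.0.7.21
"""

if __name__ == "__main__":
    obs = parse_observations(SAMPLE_OBSERVATIONS)
    print("unregistered:", find_unregistered(SAMPLE_REGISTRY, obs))
    print("ip mismatches:", [(d.mac, d.ip, ip) for d, ip in find_ip_mismatches(SAMPLE_REGISTRY, obs)])
    print("contact:", incident_contact(SAMPLE_REGISTRY, "000a.959d.6816"))
```

Keying on the normalized MAC rather than the IP is what makes the "responsible party" lookup survive DHCP churn; the IP-mismatch check is the cheap signal that the record, not the network, has gone stale.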

Policy on Authentication and Authorization
– Status: impact statement.
– Policy goal: to facilitate a comprehensive strategy for controlling electronic access and coordinating deployment of university authentication and authorization mechanisms.
– Define owner(s) and an advisory board.
– Authentication vs. authorization.
– Exception process.

NUBB
– Not a university policy; however …
– Users of the network are responsible for network fees, even if their system is compromised.*
– Defines a "responsible party."
– Huge impact on system awareness.
– Single most positive impact on securing systems at Cornell to date.

Other Policies Worth Noting
– 1) Access to Electronic Mail. 2) Access to Network Log Data.
  – Both define an "owner" and a process for access to information.
  – Both try to address the issue of "privacy."
– Escrow of Encryption Keys
  – Approved policy.
  – Focused on administrative data.

Deployment Concerns
– Creation of the registration database.
– Automation of the incident reporting and tracking process.
– Education (Users, Support Providers, Security Liaisons).
– Campus participation.

Closing Thoughts
– The policy development process is as important as the finished product.
– Key themes are:
  – Responsible party.
  – Clearly understood processes for reporting.
  – Formal authority of the Security Office.
  – Development of tools to enable the smooth realization of these new policies.
URL: –