Policy Management Examples Brad Becker : Info Assurance Policy February 12, 2007

Where do we go from here? Use the base material as a loose framework Look at the Venue’s Security Policy (CMU Computing) Analyze & utilize Create our policy

Mindset for Management Not what you can or cannot do Lays the context for the rest of policy Brings the human aspect of the policy into focus Keep in mind all the stakeholders at The Event! What are we trying to do, who does it apply to, how are we going to enforce it, and what’s going to happen to people who follow/violate it?

Purpose CMU Policy: “The purpose of this policy is to set forth guidelines so that members of our community may use the campus network and computing facilities in ways that are responsible and respectful of privacy.” Prioritizes on Privacy Straightforward and fairly clear

Our Purpose/Goals? Certainly privacy is a ‘high concern risk’ of ours Some other principles that we might want to mention in our purpose statement… –Integrity We need to be able to rely on the system –Availability It needs to be up in order to maintain control Others?

“The Event” Policy Statement The purpose of this policy is to set forth guidelines so that all shareholders at The Event may use the network and computing facilities in ways that ensure the availability of the network, integrity, and privacy of the information it contains.” Can people rally behind this cause? Can everyone understand what is at stake? We may need to clarify/reword a bit…

Scope it Out Who/what is this policy geared towards? CMU Policy: “This policy applies to all users of Carnegie Mellon computing systems, including students, faculty and staff, and any others granted the use of university computing resources. It applies to the use of all computing facilities owned, leased, operated or contracted by Carnegie Mellon University.”

Is this our Scope? The situation that CMU is in is not all that different to ours Users are affiliated with The Event at various strengths and levels Systems coming to The Event are not entirely under our control Can we think of any differences between these two organizations in terms of scope?

Scope Statement for The Event This policy applies to everyone granted the use of The Event’s computing resources. It applies to the use of all computing facilities owned, leased, operated or contracted by The Event and its organizers for the duration of The Event (from the date of issue to the end of post event activities). Does this cover everything we can control/monitor?

Enforcement Let’s give this thing some teeth: CMU: “Inappropriate behavior in the use of computers is punishable under the general university policies and regulations regarding faculty, students and staff. The offenses mentioned in this policy range from relatively minor to extremely serious, though even a minor offense may be treated severely if it is repeated or malicious. Certain offenses may also be subject to prosecution under federal, state or local laws.” Uh oh, we’ve got some work to do

Our Enforcement What can we salvage from CMU? –Granular offense structure What’s minor and what’s severe? –Repeated offense provision May not be an issue here, but good to put in Is there another policy (Attendee’s Guidebook) that has guidelines for handling incidents? –If so, we need to make the policies coherent.

Enforcement of Our Policy A granular approach is appropriate for this situation, since it gives us a little leeway in dealing with powerful attendees. Perhaps we should define the severity of the infraction based upon the intended (or actual) outcome of the infraction? Kind of vague, but can work in our favor. Do we need to explicitly state this?

Disciplinary Procedures Technical and Event Oriented CMU: “Appropriate disciplinary action depends not only on the nature of the offense, but also on the intent and previous history of the offender. The range of possible penalties includes reprimands, loss of computing privileges, course failures for students, disciplinary probation, suspension or dismissal from the university and/or criminal prosecution. Offenses that are minor or appear to be accidental in nature are often handled in a very informal manner such as through electronic mail. More serious offenses will involve formal procedures pursued through the Division of Student Affairs for students, Human Resources and/or the hiring university department or administrative unit for staff, or the Faculty Review Committee for faculty.” Other provisions include investigation ramifications and impacts on shared systems.

Discipline at the Event Combined with the enforcement provisions discussed earlier, we now have a way to determine severity: it depends on who did it, and what they did. This can work for our Event. Who makes the decision on severity? –Incident Response Team, Organizers? –All of the Above?

Enforcement & Discipline Proposed Policy: “Any non-compliance, inappropriate access, manipulation, and/or dissemination of information is punishable under the general Event guidelines. The offenses mentioned in this policy range from relatively minor to extremely serious, though even a minor offense may be treated severely if it is repeated or malicious. Certain offenses may also be subject to prosecution under federal, state or local laws. Appropriate disciplinary action depends not only on the nature of the offense, but also on the intent and previous history of the offender. The range of possible penalties includes, but not limited to, reprimands, loss of computing privileges, suspension or dismissal from the Event and/or criminal prosecution.”

Enforcement & Discipline 2 “Offenses that are minor or appear to be accidental in nature are often handled in a very informal manner such as through electronic mail or verbal discussion. More serious offenses will involve formal procedures pursued through Event organizers & staff. Severity of the offense will be determined primarily by the Information Technology team with consultation, as needed, to Event organizers.” Thoughts?

Monitoring and Auditing Extremely important aspect of enforcement In CMU Policy, it is assumed that IS will take care of this For our Event, this should be taken care of very delicately Notification to Event attendees Definition of what is to be monitored/audited Assure stakeholders of discretion

Monitoring & Auditing “In order to assure the privacy, integrity, and availability of the Event network, the IT staff of the Event reserves the right to monitor and/or audit information contained on the network. The procedures for completing these tasks will adhere to principles held by this document. If you have any questions regarding this practice, please contact ….” Key provision: auditors are subject to the same regulations as the participants

Give a Resource Undoubtedly, there will be concern regarding the policy Everybody has a stake in the security of the Event Solicit comments to a single point of contact!

Overview Anything we are missing from a management standpoint? In general, the management section of the policy lays the ground rules for our policy.