1
Security Policies for Institutions of Higher Education
Ardoth A. Hassler, Associate VP for University Information Services, Georgetown University
Tracy B. Mitrano, Director of IT Policy and Computer Policy and Law Program, Cornell University
2
May 17, 2004
Abstract
Security policies are an important component of an overall security strategy. This presentation will describe the security policies of Georgetown University and Cornell University. It will include a discussion of the policy development process, lessons learned, efforts to inform users, and policy impact.
3
Higher Ed IT Environments
- Historically “open” network environments
- Wide range of hardware and software, from outdated to state-of-the-art
- Increasing demands for distributed computing, distance learning and mobile/wireless capabilities, which create unique security challenges
- Lack of clearly defined security requirements (what do we need to protect and why)
- Experimentation and anonymity highly valued (easy access in opposition with responsibility and security)
- Students and staff with little or no security training
- Persistent belief that security and academic freedom are antithetical
Source: EDUCAUSE/NSF Scan of Higher Education IT/Data Environments, August 2002
4
Don’t forget…
- Laws
- Regulations
- Contracts
- Other campus policies…
5
GU’s Policy Development Process
http://www.georgetown.edu/policy/technology/process.htm
1. Articulate a clear, concise rationale for the establishment of the policy or guidelines.
2. Identify the “process or executive sponsor(s).”
3. Establish the working group.
4. Establish a timeline.
5. Determine whether an interim policy or guidelines are needed.
6. Establish the approval process.
7. List all other (potentially) affected policies and guidelines.
6
GU’s Policy Development Process
Good
- We have a process!
- Helps with campus-wide issues
- We don’t have a central policy office
Not so good
- We don’t have a central policy office
- Harder to coordinate with other policy makers
- Other units don’t have defined policy processes
- Lack of common terminology
7
Cornell University Policy Process
- Process
  - Impact Statement
  - Executive Policy Review Group
  - Policy Review Group
  - Executive Policy Review Group (final)
- Promulgation
- Education
- Implementation
8
Cornell University Policy Process
Good
- Legitimates policy
- Provides process
- Harmonizes policy across organization
Not so good
- Finance centric
- Limited representation and buy-in
- Creates more challenges for IT policy
9
10
Georgetown’s “Statement”
The Georgetown University Information Security Policy (the “Policy”) serves to create an environment that will help protect all members of the Georgetown University community (the “University”) from information security threats that could compromise privacy, productivity, reputation, or intellectual property rights. The Policy recognizes the vital role information plays in the University’s educational, research, operational, and medical advancement missions, and the importance of taking the necessary steps to protect information in all forms. As more information is used and shared by students, faculty and staff, both within and outside the University, a concomitant effort must be made to protect information. The Policy serves to protect information resources from threats from both within and outside of the University by setting forth responsibilities, guidelines, and practices that will help the University prevent, deter, detect, respond to, and recover from compromises to these resources, and to foster an environment of secure dissemination of information.
11
Cornell’s Statement
Cornell University expects all individuals using information technology devices connected to the network to take appropriate measures to manage the security of those devices. The university must preserve its information technology resources, comply with applicable laws and regulations, and comply with other university or unit policy regarding protection and preservation of data. Towards these ends, faculty, staff and students must share in the responsibility of the security of IT devices.
12
Information Security Policy: Obligations of All Users
Georgetown assigns people into four main groups:
- Information Service Providers (both central and local)
- Information Stewards
- Managers of Users
- Users
Georgetown also defines the role of:
- University Information Security Officer
- Local Information Security Personnel
Cornell assigns people into five groups:
- IT Security Director
- Unit Heads
- Security Liaison
- Local Support Provider
- Users
13
Information Security Policy
Georgetown:
- Security Policy applies to all information
- Data policy in progress
- Defines classifications of information, roles, and responsibilities
Cornell:
- Data explicitly separate from IT security policies
- Data Stewardship and Custodianship policy
- Authentication and Authorization policy does implicate data, but under the rubric of Data policy
14
GU’s Information Security Policy
Responsibilities:
- Classifying information (separate policy at Cornell)
- Managing authorization (separate policy at Cornell)
- Backing up information (separate policy at Cornell, and up to the data steward)
- Computer security (passwords, antivirus, software patches, etc.)
- Incident reporting and record keeping
- Establishing local security policies and procedures
15
Cornell Data Stewardship and Custodianship Policy
- For administrative data
  - Seven functional areas; data stewards required to set policy for their own area
  - No dispute resolution for cross data usage
- Custodian prohibitions
  - No changing data
  - No “administrative voyeurism”
  - No resolving IP addresses without authority
16
Cornell Policy Promulgation
- Coordination with central policy office
- Education
  - Forums on each policy, with demonstration of associated software and personnel for procedures
  - List services to targeted groups; raises lots of questions and gets issues out on the table, especially for people more comfortable with a computer for expression and communication than in a public setting
- Implementation
  - Always raises new issues, procedures and problems unforeseen in the drafting and promulgation of policy
  - Domain name as an issue
17
GU’s Efforts to Inform Users
- Education
  - What is information security?
  - Why do we need it?
  - What’s in the policy?
  - What does this mean to me?
  - Everyone’s responsibilities
- Excerpts from our “road show”
18
What is Information Security?
19
Why do we need the policy?
20
What are the goals of the policy?
21
More on why we need the policy and its goals…
22
Scare tactics
23
This one really got them!
24
Other reasons we need the policy
25
A bit about…
26
…a bit more…
27
While we have their attention…
28
About the policy itself…
29
Who’s who
30
What it’s all about…
31
Now, we got specific…
32
Mantra 2004
- Privacy and Security; Security and Privacy
- Equally weighted in regulatory legislation
- Complement each other
- Works with everyone in the community; unifies rather than bifurcates
33
GU Policy Impact
- Made HIPAA, GLBA easier
- Satisfied external and internal auditors
- Opportunity to educate the community
- Provides operating framework
34
CU’s Policy Impact
- Part of the security program package
  - Director level IT Security for entire university
- Part of compliance with federal law and regulations
- Part of IT policy framework
  - Protecting and preserving university interests and assets
  - Balancing security and privacy
- Part of policy framework
  - Community effort
  - Policy as “citizenship”
35
Action Agenda
1. Identify Responsibilities and Accountability for Information Security
2. Conduct Institutional Risk Assessments
3. Develop Security Policies, Procedures, and Standards
4. Increase Everyone’s Awareness and Enhance Training
36
Action Agenda (cont’d)
5. Require Secure Products From Vendors
6. Design, Develop, and Deploy Secure Communication and Information Systems
7. Invest in Staff and Tools
8. Establish Collaboration and Information Sharing Mechanisms
37
Lessons Learned
Cornell:
- Work procedurally and frame conceptually in the context of one’s own environment
Georgetown:
- Make sure you’ve got the right “usual suspects”
- Take the time to achieve consensus or work through the issues
- Educate the community
38
Summary
- Crisis begets opportunity
- Information Security has become a major opportunity at universities for leadership
- Problems can impact an organization’s reputation, operational responsibilities, and financial health
- Needs to be a top IT agenda issue
- Senior University leadership must be aware of the risks posed by information security
- University Information Security Policy enables the university to better protect information
- Creates a sense of community: everyone has responsibility
- Create an awareness in perpetuity
39
“Bottom line…”
All users are responsible for protecting information resources to which they have access
40
Contacts
Ardoth Hassler
- hasslera@georgetown.edu
- security.georgetown.edu
- Security Officer: Brian Reilly
Tracy Mitrano
- tbm3@cornell.edu
- http://www.cit.cornell.edu/oit/PolicyOffice.html
- Security Officer: Steve Schuster
41
Questions?