
IT Security Policies and Campus Networks Translating security policy to practical campus networking Sara McAneney IT Security Officer Trinity College Dublin.

Presentation transcript:

1 IT Security Policies and Campus Networks Translating security policy to practical campus networking Sara McAneney IT Security Officer Trinity College Dublin 16/11/2007

2 Overview
- Creating the Security Policy
- The Implementation Dilemma
- What makes the Campus Environment Different?
- The Answer
- Trinity College Dublin Implementation…

3 Campus Networks & Security
Timeline: 90’s – 2002/3 – 2007??
Stages: Cultural Resistance – Gradual infiltration – Acceptance – Rapid Catch Up – Maturity!

4 2003/04
Sobig, Slammer, Lovgate, Fizzer, Blaster/Welchia/Mimail, Randex, Sasser

5 2005/06
- Yahoo Search Returns Faculty, Student Social Security Numbers - Utah Valley State College
- Student Information "Inadvertently" Left Exposed On Public Website - Mississippi State University
- UC-Boulder Web Site Exploit Exposes 17,500 Student Records - University of Colorado, Boulder
- University of Texas Breach Exposes Student and Staff Information - University of Texas, Dallas
- Thief Makes Off With Years Of Research Data - University of Colorado, Boulder
- University Research Information Exposes Participant Data - University of Iowa
- Stolen USB Drive Contained 18 Years of Student Information - University of Kentucky

6 ECAR - Policies Implemented 2006 [chart slide]
*ECAR – Educause Centre for Applied Research, 2006 IT Security Survey, 492 respondents

7 Creating the Security Policy
- ISO 27001
- Relevant Legislation
- Organisational Environment
- Identify Assets
- Resources, e.g. UCISA Information Security Toolkit

8 Policy
- Main Policy
- Supporting policy areas:
  – Email
  – Internet use
  – System development etc
  – Virus and Spam
  – Software Development
  – Data Backup
  – Disaster Recovery

9 [diagram slide; no text transcribed]

10 Implementation…
- Governing Body Approval
- Communication to Users
- Translation to Operational Procedures
- Enforcement

11 Campus Implementation Difficulties
- Traditional ethos of free & open access to systems and information
- Diverse user base - Admin, teaching, research, grids, commerce, corporations, clubs, societies, college life, public guests
- Complex collaborative arrangements - institutions, individuals and industry
- Need to facilitate the rapid adoption of emerging & often immature technologies
- Diversity and decentralised management…

12 Traditional Implementation [diagram]
Manager → End User: Policy Dissemination

13 College Structure
- Governing Body
- Committees
- Schools/Faculties
- Admin Areas
- Student Representatives
- Commercial Entities

14 Campus Network [organisation diagram]
Governing Body
- Administration: Admin Area → End User; Committee; Campus Companies
- Academic structure: Academic Unit → End User; IT Function; Committee; User Groups
- Students: Clubs & Societies → End User; User Groups
- Research: Research Group → End User
- Central IT Function

15 Similarities with all Large Networks
- Provide High Quality, Flexible Services
- Protect Confidential data
- Protect against Internal and External Security Threats
- Comply with Legislation
- Contingency and Disaster Recovery Planning

16 Goal
Despite/Because of complexity & diversity it is vital to implement an IT Security Management system.
- Risk Assessment & Mitigation
- Framework which facilitates as well as protects

17 The Answer?
- Management Structure - Establish IT Security Governance/Management Structure
- Involve Stakeholders - Identify key stakeholders and involve in creating policy, encourage ongoing communication.
- High Value Assets - Identify core IT Assets and prioritise
- Segregation - Appetite for Risk
- Flexibility – make provision for high risk activity - Research, new technology etc

18 Trinity College Timeline
Years: 2003 – 2004 – 2005 – 2006 – 2007
Milestones:
- IT Security Policy approved by Governing Body
- User Awareness Campaign: Email, Pamphlet, Website
- Translation to Operational procedures
- Identification of Stakeholders
- Policy Review & Revision
- Adoption of Security Technologies

19 Implementation
- Governance - Internal Agreements - Central computing department & local IT interests.
- Regular Communication
- Dissemination to IT Administration Staff & End Users
- Translation to Operational Practices
- Adoption of Technologies

20 IT Governance [diagram]
Governing Body
- Autonomous Network → End User
- Autonomous Network → End User
- Trinity College Data Network → Local Area Support Reps → End User

21 Translation to operating procedures

22 [diagram slide; no text transcribed]

23 [diagram slide; no text transcribed]

24 Adopting Technologies
- Network Security - VPN, VLANs, Firewall, IDS, NAC, 802.1x, guest network services, Eduroam
- Host Security – Automatic Updates, Centrally Managed AV
- Enterprise Directory – Secure Authentication
- Application Security – Encryption, Risk Analysis
- Removal of Insecure Protocols

25 Defense in Depth
- Network: Firewall, Intrusion Detection, VPN, NAC
- Server Hosts: Malware Protection, Software updates, Audit Logs, Standardised Build
- Application: Standards, Audit, Encryption, Threat Modelling, Audit Logs
- User: Code of Conduct, Online Password change

26 Risk Management [diagram]
- Teaching & General
- Research
- Student Services
- Wireless Services
- Autonomous Networks
- Specialised Production: cash Registers etc
- Specialised research
- Central Services: Web, Mail, Proxy etc

27 Focus on Key Assets
- Staff/Student Data
- Financial Data
- Medical Data
- Research Data

28 Assessing the Progress
- Improved communications – move away from duplication of service
- Improved focus – strategic planning
- Improved Visibility
- Incident Reporting
- Internal Audit – systems, applications
- External Audit

29 Was it Successful?

30 Did it hurt?
- Time
- Financial Cost
- Complexity..

31 Future Challenges
- Exploding User Numbers – students/public on network, Guests, Eduroam
- Non-traditional networked devices - PDAs, phones, Xboxes, cameras, CEPOS
- Disappearing Network Boundary
- Rapid Adoption of New technology
- Changing Threat profile
- Data privacy concerns – Help users protect their personal/financial data
- More important than ever to deal with these challenges via a strong IT Security Framework

32 Keeping Security on the Agenda Security vs. Usability

33 References:
- http://www.tcd.ie/itsecurity/policies/index.php
- http://www.educause.edu/ecar
- http://www.ucisa.ac.uk/

