Information Security Policies Larry Conrad September 29, 2009.


Slide 2: The Need
- University policies are needed to:
  - Mitigate the risk of information security threats
  - Meet compliance obligations
  - Have standards comparable to the State's, as required by law; otherwise the university is subject to the State's standards

Slide 3: Addressing Compliance
Information Security Policies are needed to meet UNC's compliance obligations.
[Matrix of the proposed Security Policies against the following regulations; the cell markings were not preserved in the transcript]
- Health Insurance Portability and Accountability Act
- Payment Card Industry
- NC Identity Theft
- Family Educational Rights and Privacy Act
- Gramm Leach Bliley Act
Legend: policies required; policies or procedures implicated to establish compliance

Slide 4: An Expanding Definition of Sensitive Data
Protection requirements set by policy cover:
- PHI
- Credit Card Information
- Personal Information
- Customer records
- Student Education Records
- Research Data
- Public Safety Information
- Information Security Records
- Passwords
- Personnel Information
- Confidential Information
- Financial Donor Information
- File Encryption Keys

Slide 5: Compliance
- Policies are intended to set requirements to protect data and to support the compliance requirements imposed on University operations by applicable federal and state laws and regulations. Ranging from the Health Insurance Portability and Accountability Act of 1996 through the Family Educational Rights and Privacy Act and the recently passed Health Information Technology for Economic and Clinical Health Act (included in the American Recovery and Reinvestment Act of 2009), the compliance requirements keep changing and expanding. University policies need to adapt to these changes to ensure that university operations meet the changing compliance requirements.

Slide 6: Alternatives
- If UNC-Chapel Hill does not implement its own policies, it may be regulated by the North Carolina General Statutes, which require information security standards comparable to those required of state agencies.
- Therefore, even though it is not directly covered by the security standards set by the State CIO, the University of North Carolina must at minimum meet standards comparable to those set for state agencies.

Slide 7: State Standards in Comparison

                UNC Proposed Information Security Policies   State of NC Security Standards
Length          52 pages                                     220 pages
Standards       4 standards                                  40 standards
Designed for    Designed with UNC in mind                    Designed for state agencies
Input           UNC input                                    No University input

Slide 8: What's in a standard?
- Standards are set as requirements in policies.
- They carry more technical detail, which may be updated more frequently than a policy.
- Examples:
  - Length of password
  - Acceptable encryption algorithms
- Can be used as a technical "checklist"

Slide 9: Policy Content
Two overarching policies:
- Information Security Policy: Overarching information security policy that interfaces with all remaining information security-related policies as well as other University policies.
- Data Governance Policy: Addresses classifications of data, and the roles and processes required to manage and protect the data.
Proposed policies can be found at: its.unc.edu/InfoSecurity/proposed-policies/index.htm

Slide 10: Policy Content
- Information Security Standards Policy: Lists the minimum requirements for computing devices owned or managed by UNC-Chapel Hill. The policy is intended to implement industry best practices and safeguard university data.
- General User Password Policy: States the minimum requirements for password usage and incorporates the existing Onyen password guidelines.
- Password Policy for System and Application Administrators: States the heightened requirements for password usage by administrators; requires technical enforcement.
- Policy on Transmission of Sensitive Information: Sets the requirements for transmitting sensitive information over public or wireless connections (encryption).
- Security Liaison Policy: Defines the role and responsibilities of departmental security liaisons.
- Vulnerability Management Policy: States the guidelines for managing web, database and operating system vulnerabilities.
- Incident Management Policy: Defines the incident management responsibilities and the process for investigating possible or actual breaches of sensitive information or mission-critical devices.
  - Formally assigns the cost of a breach to the department that has primary responsibility for the breach.

Slide 11: Policy Implications
- University units will be required to bring servers/systems up to the minimum standards.
- Failure to do so may result in disciplinary action against employees.
- In general, these policies simply codify accepted best practices.
- Units with competent systems administrators managing their systems will have few problems complying.
- Campus units will be responsible for the costs of bringing systems into compliance.
- Most controversial will likely be:
  - Policy on Transmission of Sensitive Information: encryption requirement
  - Incident Management Policy: charges to units for the costs of incident management ($62/hr proposed rate)

Slide 12: Departmental Impact
- Departmental resources and budgets will be impacted by the policies, and the impact will vary depending on many factors, including:
  - The number of systems in each department that process/store sensitive data or that are considered mission critical
  - The time frame set for compliance
  - How close current departmental practices and safeguards are to policy requirements
  - How many safeguards are implemented at a scalable enterprise level versus department by department
  - The degree of interdepartmental consolidation of systems that process/store sensitive data or have mission-critical functions
- Departments and researchers may be impacted by the processes and organizational changes necessary to facilitate greater security oversight, consolidation of IT assets and compliance with standards.
  - In some cases, when there has not been sufficient planning by project managers in integrating security requirements, projects could be delayed.

Slide 13: Enterprise Impact
- Enterprise Funding
  - Additional University investment is needed to provide cost-effective security safeguards for University data.
  - Additional investment (people, technology) in a "security bank" infrastructure is necessary to offer cost-effective security by moving sensitive University data to the "banks".
  - The complete cost of protecting sensitive data cannot be accurately projected until an enterprise risk assessment has been completed.
- Formal Data Governance will become essential
  - To oversee the collection of sensitive data and make sure security requirements are met for research and administrative data.
  - A Data Governance coordinating committee is part of the new IT governance structure.

Slide 14: Policy Benefits
- Protection of data and stakeholder privacy with appropriate levels of security
- Greater data security with regard to availability, integrity and confidentiality (for private data and University Intellectual Property)
- Consistent risk management via formal security guidance and direction for all departments
- Compliance with the many University security obligations (State, Federal, grant, contractual ...)
- Avoidance of breach costs and non-compliance fines
- Fewer and less severe incidents
- Protection for the University's reputation
- Ability to attract and provide more opportunities for (secure) research
- Avoidance of a requirement to implement State security standards

Slide 15: Questions?

