
Security Standards in Higher Education Presented by: Karen Eft, IT Policy Manager University of California, Berkeley Robert Ono, IT Security Coordinator.




1 Security Standards in Higher Education
Presented by:
Karen Eft, IT Policy Manager, University of California, Berkeley
Robert Ono, IT Security Coordinator, University of California, Davis
Copyright Karen Eft and Robert Ono 2007. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.

2 Session Focus
As consumers, we see evidence of and benefit from operational standards every day. The University of California promotes the use of information security standards within each of its 10 campuses. This presentation will review the different approaches UC Berkeley and UC Davis use to develop, maintain, and enforce information security standards.

3 Session Agenda
• Institutional Information
• Development of Security Standards
    UC Berkeley
    UC Davis
• Differences Between Two Programs
• Common Program Features

4 Institutional Highlights
UC Berkeley
• 34,000 students
• degree programs: 108 bachelor’s, 66 masters, 98 doctoral, 24 concurrent, 13 other
• $516 million in research awards in 2005-2006
• 34 Professional School degree programs
UC Davis
• 30,500 students
• 100 academic majors and 86 graduate programs
• $544 million in research awards in 2005-06
• UCD Medical Center
• Law, Medicine, Education, Management and Veterinary Medicine

5 Session Agenda
Development of UC Berkeley Security Standards
• Policy & procedures
• Organization
• Marketing
• Informing users
• What’s next?

6 UCB Policy & procedures
1. Departmental Security Contact Policy
To implement this policy, each department needs to appoint a security contact and one or more backup contacts. Departments may agree to share contacts for efficiency. … Contacts need to have some familiarity with the computers in their department and be able to determine who a responsible technical person is; it is not necessary for the contact to have extensive security expertise.

7 UCB Policy & procedures
2. Campus IT Security Policy
Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise.

8 UCB Policy & procedures
3. Guidelines and Procedures for Blocking Network Access
When computers pose a serious risk to campus information system resources or the Internet, their network connection may be blocked. If the threat is immediate, the offending computer(s) will be blocked immediately and notification will be sent to the departmental security contact(s) via email that the block has occurred.

9 UCB Policy & procedures
3. Blocking (continued):
If the threat is not immediate, notification of the threat will be sent to the departmental security contact(s) via email. If a response is not received within 4 hours indicating that the department is taking action to mitigate the threat, the offending computer(s) will then be blocked.
Requires use of a good incident tracking system

10 UCB Policy & procedures
3. Blocking (continued):
In either case, central campus network and security personnel will work with the departmental security contact(s) and/or the system administrator(s) to ensure that the computer(s) are properly re-secured. If a block has been put in place it will be removed when both the department and central campus security personnel agree that the problem causing the incident has been sufficiently addressed.

11 UCB Policy & procedures
and finally …
4. Minimum Standards for Security of Berkeley Campus Networked Devices (Appendix A to the “IT Security Policy”): http://security.berkeley.edu/MinStds/AppA.min.htm

12 UCB Policy & procedures
The Minimum Security Standards:
1. Keep software patches current
2. Run approved anti-virus software
3. Run approved host-based firewall software
4. Use secure passwords
5. No unencrypted authentication
6. No unauthenticated email relays
7. No unauthenticated proxy services
8. Ensure physical security
9. Don’t run unnecessary services

13 UCB Policy & procedures
5. Implementing Guidelines to assist system administrators and end-users to configure their networked devices to comply with the Minimum Standards.
Include:
• clarifying information about the Standards
• configuration details for many situations
They do not include:
• step-by-step instructions for every existing device or operating system

14 UCB organization
Key groups:
• Campus Information Security and Privacy Committee (CISPC)
• IT Policy Services (Office of the CIO)
• System and Network Security
    Campus security operations group.
    Policy enforcement through blocking hosts from accessing the campus network
• Data Stewardship Council
• Security SIG

15 UCB organization
SNS assists campus users with securing information assets.
• Risk assessment for network connected hosts:
    Operation of host vulnerability scanner to identify hosts that are at risk.
    Longitudinal analysis of campus risk for attack.
    Inventory of systems containing restricted data and assessment of these systems’ security position.
• Assist departments with developing systems and processes to handle information securely:
    Assist in the development of plans for securing personal information like credit-card data.
    Review systems security plans for departments and assist with the creation of these plans.
• Incident response:
    Notify users or departmental security contacts of systems at risk or that have been compromised.
    Assist law enforcement agencies with security requests while protecting privacy.
    Enforce campus minimum standards where necessary.
• Coordinate and assist with campus security efforts:
    Participate in user community security training.
    Assist central campus organizations, like the CISPC, where needed.
    Represent UCB security both to external and internal organizations.
(Michael Green, March 2007)

16 UCB marketing
A revolutionary new concept: “minimum” ≠ “minimal”

17 UCB marketing
Get “real”:
• One-year implementation period
• Exception process

18 UCB marketing
Request for Exception to the Campus Minimum Security Standards
If devices such as computers, printers, or other network appliances do not have at least a basic level of security, they are subject to being blocked from campus network connection. (See the Minimum Standards for Security of Berkeley Campus Networked Devices.)
Departments, units, or individuals who believe their devices require configurations that do not comply with these Minimum Standards may request exceptions to the Policy*, using one of the following links: (for a single device) (for multiple devices)
http://security.berkeley.edu/MinStdsException.html

19 UCB informing users
Minimum Security Standards Exception Request Form - Complex
(To submit a Simple request, go back to http://security.berkeley.edu/MinStdsException.html )
Your Information:
• Your Name (Required)
• Your Department (Required)
• Your Position/Role
• Your E-mail (Required)
• Your Phone
• Security Contact E-mail (if known)
Devices Requiring Exception
Please describe in detail. Include IPs, hostnames and MACs (if available). For services, indicate which ports are used.

20 UCB informing users
Representative IP (Required)
(For determining/verifying security contact. This should be one of the IPs included in the request.)
From what standards are you requesting an exception? (Check all that apply and give a detailed explanation.)
• Software patch updates
• Anti-virus software
• Host-based firewall
• Passwords
• No unencrypted authentication
• No unauthenticated email relays
• No unauthenticated proxy services
• Physical security
• Unnecessary services
Explanation:

21 UCB informing users
Correction and Mitigation
Exceptions to the standards are expected to be temporary. For example, until needed resources can be acquired, changes can be made in the types of activities conducted, or new mitigating technology becomes available.
• What steps are you taking, or changes do you expect to occur, that will enable you to meet the minimum standards in the future?
• What is your timeframe for meeting the Minimum Standards?
• What are you doing to mitigate the situation until you come into full compliance with the minimum standards?

22 UCB informing users
Keep the community fully informed.
• State as many places as possible that connections will be blocked for non-compliance with MSS.
• Send individual security event notices to security contact address.
• Provide look-up website: has my IP been blocked?
• Send current activity publicity.

23 UCB informing users
SAMPLE of specific email:
“After a suspension of several months, SNS is now fully staffed and ready to resume enforcement of the campus Minimum Security Standards for Networked Devices (MSS) for unpatched Windows hosts and Windows hosts with blank admin passwords. Beginning Tuesday, March 13, we will ramp up our operations by beginning with campus hard-wired non-DHCP Ethernet hosts and dial-up modem hosts, then later add AirBears, VPN, and DHCP-based hosts over the next few months.

24 UCB informing users
sample (cont’d):
The sequence of messages will be as follows: After an initial notification of non-compliance with the MSS, if no response is received within 5 working days, and if no active compromise or other security risk is noted, a second notice will be sent 2 working days before active blocking begins.
The list of blocked IP addresses and SNS tracking numbers is available on this SNS web page: http://sec-info.berkeley.edu/cgi-bin/blockinfo-login.pl
If you have any questions about the MSS or this notice, please write to the security@berkeley.edu address.”

25 UCB what’s next?
• Procurement Requirements
    BEFORE you buy …
• Minimum Standards for Applications
• Minimum Standards for Restricted Data

26 UCD – Early Beginnings
New Policies and Technology with Broad Campus Consultation
• Intrusion Detection
• Email Anti-Virus and Spam Controls
• Central Vulnerability Scans and Reports
    Authentication and Daily Network Scans
    Honey-pot
• Privacy Policy
• Network Firewalls at Campus Border
• Computer Forensics Capability

27 UCD – Changing Program
2003: California Civil Code Revised to Require Notification After Unauthorized Access to Personal Information
2004: Internal Audit Concerns
    Campus-wide Program Needed to Enhance Campus Unit Security for Electronic Systems and Data
    Program Needed to Clearly Recognize Lines of Responsibility

28 UCD: Cyber-safety Policy
2005: New Policy Requires Devices Connecting to Campus Network Meet Security Standards
• 16 Security Standards
• Exceptions Approved by Campus Executives
• Annual Compliance Reporting by Colleges, Schools and Units
• Annual State of Security Report to Campus Executives

29 UCD: Security Standards
Level 1
• Software Patches
• Anti-Virus Software
• Non-Secure Services
• Authentication
    Strong Passwords
    Encrypted Transmission
    Default Passwords
    Privileged Accounts
• Personal Information
• VLAN & Host-based Firewalls
Level 2
• Physical Security
• Open Email Relays
• Web Proxy Services
• Audit Logging
• Backup & Recovery
• Security Training
• Anti-Spyware
• Secure Media Disposal
• Incident Response Plan
• Web Application Security Evaluation

30 UCD: Marketing the Program
Campus Unit Technologists Participation in Policy and Standards Development
Web and Print Communication
Target Audience
• Senior Campus Executives
• Technologists
• Administrators and Department Chairs

31 UCD: Annual Survey
Annual Survey Instrument
• 2005: Manual Compliance Questionnaire
• 2006: Detailed Campus Unit Online Survey Focusing on Compliance Characteristics with Summary Reports
2006 Report
• Common Security Themes Identified – Metrics Available
• One-on-one Meetings with Executives
• State of Campus Security Presentation to Chancellor, Provost, Deans and Vice Chancellors

32 UCD: Security Gaps
Challenges for Selected Campus Areas
• Academic Units
• Residential Computing
• Wireless & Public NAMs
• Secure Remote Access (Virtual Private Network)
Common Campus Unit Needs
• AV License
• VLAN Firewalls
• Personal Identity Security
• Update Servers

33 UCD: Security Standards Benefits
Enhanced Central Security Investments
• Anti-Virus License for All Affiliates
• Subsidy for Campus Unit VLAN Firewall Acquisition and Support
• Scanning Tools and Whole-Disk Encryption for Mobile Devices
• Deploy OS and AV Update Servers
• Redesign of Intrusion Detection/Prevention Methods
• Network Admission Control for Residential Computing, Wireless and VPN
• Cyber-Safety Auditor Hired for Annual Campus Unit Surveys

34 UCD: Cyber-safety Tools
Dear System/Network Administrator,
Please note that the numbers in the subject line of this message indicate the total number of scanner hits, honey pot hits and IDS hits, respectively, by all systems included in the following report.
The link below will take you to a report displaying vulnerable or infected systems assigned to you on the VLAN: XXXXXX. We encourage you to inspect the systems identified in this report and correct problems immediately.
Click on the link below for the results of the campus network scan that occurred on 2007-04-08 at 16:42:38.
http://secalert.ucdavis.edu/xxxxxxxx
CONTACT INFORMATION:
To request access to the report page, contact itsecurity@ucdavis.edu.
To notify us of problems with a report or to provide feedback about false positive notifications so that we can tune our rule sets, please contact the UC Davis Computer Security Team at cybersecurity@ucdavis.edu.
If you receive email notifications for a VLAN that is not yours, please contact the Network Operations Center (NOC) at noc@ucdavis.edu to request that the database be updated.
http://security.ucdavis.edu/digsig.cfm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SunOS)
iD8DBQFGGsyFpjhx/Mnq4fARAt2zAJ4vaQ941zigQSfkzFhd52v2Eh9o9gCeL1o4
QEPHSguAH/AnWOBPguOCBCQ=
=DJop
-----END PGP SIGNATURE-----

35 UCD: Cyber-safety Tools

36 UCD: Cyber-safety Tools

37 UCD: Cyber-safety Tools

38 Key Model Differences
Compliance Responsibility
• Senior Executives vs Campus Unit
Exception Approval Responsibility
• Senior Executives vs Chief Information Officer
Response to Non-compliance
• Required Annual Compliance Plan and Network Disconnection vs Network Disconnection

39 Common Program Features
• Policy-based Program
• Exceptions Available
• Campus Constituents Participate in Standards Development
• Compliance Monitoring
• Need to Respond to Gaps Between Standards and Reality
• Broad Communication/Marketing Strategies

40 References
• UCD Cyber-safety Policy: http://manuals.ucdavis.edu/PPM/310/310-22.htm
• UCD Security References: http://security.ucdavis.edu/
• UCB Security Standards Policy: http://security.berkeley.edu/MinStds/#sum
• UCB Security References: http://security.berkeley.edu/
• Proposed UC system-wide policy for minimum security requirements: http://www.ucop.edu/irc/itsec/uc/documents/IS-3v51017.06.pdf

41 Questions

