1
IT Security and Policy Issues Mark Bruhn University IT Policy Officer Office of the Vice President for Information Technology Indiana University
2
Security Issues Distributed servers, data, authentication, authority. Wireless, mobile computing. Library authentication. Administrative systems reengineering. Probes. Viruses. To firewall or not to firewall. Intrusion detection. Desktop power. “System Administrator” fuzzy. Technician training. “Dictating” standards into departments. Security Officer (or lack thereof). Security staff (or lack thereof).
3
Data Distribution/Server Proliferation At our institutions, thousands of users in departments have formal authorization to extract confidential information from central databases. At large institutions, there are 10s-of-thousands of computers that are configured to provide access to files and programs. Servers are being managed by wide variety of individuals, from poorly trained undergraduates (“out of high school all day”) to veteran professional administrators. Servers are being maintained in a wide variety of facilities, from small dedicated machine rooms to beneath a staff member’s desk.
4
Wireless/Mobile Computing Laptop stations. Wireless zones. Current capabilities not scaleable: e.g., “CSG” for 40 people may work, but not for 1000. Is a big VLAN enough? A bunch of VLANs? Unauthenticated accesses remain a problem. To VPN or not to VPN (yes, at IU).
5
Library Authentication (or not) Differing opinions about what level of service our libraries must provide to the community. That doesn’t matter: permitting access to the public does not mean without authentication. University Counsel now concerned about this. Temporary credentials.
6
Admin System Reengineering Peoplesoft.
Reported Probes Against All IU Systems
Viruses
General Technology Misuse Incidents
Intrusions Into IU Systems
Security Organization
Security Officers must be:
– Technically savvy, with broad technical knowledge.
– Able to cultivate trustworthy technical contacts.
– Diplomats.
– Negotiators.
– Translators.
– Able to talk others into accepting responsibility when appropriate.
– Able to relinquish responsibility when appropriate.
– Reasonable when risk is low.
– Hardcases when risk is high.
Organizational Issues
– Issues related to conflict of interest dictate that Security Officers report to the CIO.
– Issues related to conflict of interest and consistency of approach dictate that dedicated security staff report to the Security Officer.
– Security Officers must have the visible support of the CIO.
– Security Officers can be more technical and less schmoozy if there is also a Policy Officer.
– Security Officers/staff should not be seen as the “police”. Security offices should be a resource for technicians. They should be helpful, and interactions should be non-contentious.
– The “police” role should be reserved for an Internal Audit function or for the IT Policy Officer…
Responsibilities
– Service managers and technicians must retain primary responsibility for security of systems.
– Data “owners” or “stewards” must retain responsibility for security of data.
– Security Officers are responsible for adequately translating technical vulnerabilities to risk factors for data owners.
– Security Officers provide security toolkits and specialized knowledge in risk assessment.
– CIOs must be interested, and must have a sense of the overall security climate of their campus (“sleeplessness factor”).
Organization chart (image not recoverable): Michael McRobbie, VP/CIO; University Information Technology Policy Office, Mark Bruhn, Policy Officer; Information Technology Security Office, Tom Davis, Security Officer. Roles shown include Contracts & Agreements Officer, Incident Response Coordinator, Technical Investigators, Data Administrator, Info Mgt Officer, IUB and IUPUI Accounts Coordinators, Disaster Recovery Program Manager, Recovery Planning Team, and Global Directory Services.
IU IT Policy Office
– Scope is all campuses and all departments.
– IT policy development, dissemination, education, and interpretation (coordinating with many University offices and groups).
– Electronic information policy development and education (in conjunction with data management committees).
– Coordinating response to incidents of abuse or misuse of information technology.
– Coordinating response, or advising departments engaged in response, to incidents of abuse or inappropriate use of electronic information.
– Global Directory Services: identification, authentication, authorization, and enterprise directories.
– Handles all non-security incidents, so the SO doesn’t have to.
IU IT Security Office
– Scope is all campuses and all departments.
– IT security awareness and education.
– IT security guidelines and standards.
– Security consulting and review.
– Maintain production services in support of policy and security operations (Kerberos, etc.).
– Investigate and document IT security incidents.
– Six security engineers/analysts located at IUB and IUPUI.
– Staff knowledgeable in a wide range of technologies (Unix, Windows, MVS, networks, encryption, etc.).
Services - Security Awareness and Education
– General education and/or presentations on common security issues
  – http://www.itso.iu.edu/staff/ajk/
– Comprehensive resource for information on security alerts, bulletins, and patches
  – http://www.itso.iu.edu/
  – https://www.itso.iu.edu/services/alerts/
Services - Security Guidelines and Standards
– Function dedicated to developing and maintaining consistent security standards.
– Comprehensive resource for security information, resources, etc.
  – http://www.itso.iu.edu/howto/
– Resource for security related software
  – https://www.itso.iu.edu/services/
  – http://iuware.indiana.edu
Services - Security Consulting and Review
– Assistance in reviewing specific situations and analyzing exposures.
  – Technical architecture diagram required
  – Data flow diagram beneficial
– Requires departments and technicians to have a better understanding of their environment.
Services - Production Services
– Security scanning in support of system administrators and audit activities
  – https://www.itso.iu.edu/scanner/
– Central Kerberos authentication servers
– Central SafeWord token authentication servers
Services - IT Security Incidents
– Assistance in coordinating appropriate technical investigation of security breaches.
– Assistance in packaging technical security information for IU governance agencies, IU legal counsel, law enforcement, prosecutors, university administration, etc.
– Common and consistent incident response.
Top 10 Security Mistakes (Tom Davis, IU ITSO)
1. Installing unnecessary programs and services.
2. Not keeping current on software patches, especially security related ones.
3. Not installing anti-virus software and keeping its virus patterns current.
4. Opening e-mail attachments from unknown people.
5. Bringing up lab (test) machines and forgetting about them.
Top 10 Security Mistakes (continued)
6. Lack of adequate training to administer the system.
7. Inadequate handling of sensitive data (gathering more than what they need, keying files off of SSN, etc.).
8. Not deploying encryption where available.
9. Propagating virus hoaxes and chain mail.
10. Sharing passwords.
Trustees Resolution
RESOLUTION
WHEREAS, the advent of the Internet has significantly transformed the manner in which information is stored on interconnected servers throughout the world; and
WHEREAS, the Internet is an information technology environment in which it is possible to have inadvertent or intentional unauthorized access to Internet sites and related servers; and
WHEREAS, successful intrusions into Internet sites and servers can lead to the disclosure of sensitive personal and institutional information; and
WHEREAS, it is critical that Indiana University protect its institutional information and information technology infrastructure so as to reduce the possibility of unauthorized access to servers holding sensitive information or running mission-critical applications.
NOW THEREFORE BE IT RESOLVED that the Trustees direct the Office of the Vice President for Information Technology and CIO to develop and implement policies necessary to minimize the possibility of unauthorized access to Indiana University's information technology infrastructure regardless of the Indiana University office involved; and
BE IT FURTHER RESOLVED that the Trustees direct the Office of the Vice President for Information Technology and CIO, which may draw upon the experience and expertise and resources of other University offices (including the Office of Internal Audit), to assume leadership, responsibility, and control of responses to unauthorized access to Indiana University's information technology infrastructure, unauthorized disclosure of electronic information and computer security breaches regardless of the Indiana University office involved.
(Passed by the Indiana University Board of Trustees, 4 May, 2001)