Slide 1: Policy and IT Security Awareness
Amy Ginther, Policy Development Coordinator, University of Maryland
Information Technology Security Workshop, April 2, 2004
Slide 2: Agenda
Discussion throughout the session on:
–Model policy development process
–Influences on security policy
–Security policy taxonomy
–Model security policies
–Awareness programs
Slide 3: Model Policy Development Process
http://www.inform.umd.edu/ACUPA/projects/process
Predevelopment
–Identify Issues
–Conduct Analysis
Development
–Draft Language
–Get Approvals
–Determine Distribution/Education
Maintenance
–Solicit Evaluation and Review
–Plan Measurement and Compliance
Slide 4: Policy Development Process (ACUPA)
Slide 5: Traits of Sound Policy Processes
Setting the Stage
–Consistency with University values and mission
–Identification and involvement of stakeholders
–Informed participants
–Assess cost-benefit
–Preventing reinvention of the wheel
Writing
–Use a common format
–Agree on common definitions & terms
–Allow for user feedback
Approving
–Discussion and consensus building
–Wide review and input
–Approval from senior administrative levels
Distributing
–Ease of access to resources: online, accessible from one location, allow for text and other searches
–Send email to official distribution lists
–Include contacts to answer questions
Educating
–Hold a policy day
–Have traveling road shows!
Enforcing
–Have signed user agreements
–Require policies to be read before services are granted
–Create a policy enforcement office
–Assess liability/feasibility
–Respond to complaints
Reviewing
–Identify an owner for each policy
–Develop a plan for active maintenance
–Archive, date, and notify constituencies of major changes
Slide 6: Identifying Policy Stakeholders
Slide 7: Higher Education Values
The higher education environment tends to be more open than corporate or government environments; the reality of student residential environments adds to this.
Measures taken to improve security must protect and not impede the expression of these values.
Balance the need for security with the important aspects of the higher education environment.
Slide 8: Core Academic Values
(Oblinger, 2003. In Computer and Network Security in Higher Education, Luker & Petersen, editors.)
–Community: shared decision making; outreach to connected communities (access to affiliates or other patrons)
–Autonomy: academic and intellectual freedom; distributed computing
–Privacy: “the right to open inquiry without having the subject of one’s interest examined or scrutinized by others” (American Library Association, 2002)
–Fairness: due process
Slide 9: Influences on Security Policy
EDUCAUSE/Internet2 six principles to guide policy development:
–Civility and Community
–Academic and Intellectual Freedom
–Privacy and Confidentiality
–Equity, Diversity and Access
–Fairness and Process
–Ethics, Integrity and Responsibility
Slide 10: What to Include? Security Policy Taxonomy
–Security Architecture
–Security Awareness
–Security Implementation
–Security Management
–Data Security
–Identity Theft
–Incident Handling/Incident Response
–Information Assurance
–Network Vulnerability Assessment
–Physical Security
–Privacy
–Security Planning
–Security Policies
–Security Risk Assessment and Analysis
Slide 11: Writing Policy: Elements of Institutional Policies
–Policy Name
–Scope
–Purpose
–Policy Statement
–Roles/Responsibilities
–Definitions
–References
–Supporting Procedures?
–Consequences/Sanctions for Non-Compliance
Slide 12: Model security policies
–EDUCAUSE/Cornell Institute for Computer Policy and Law: http://www.educause.edu/ICPL/ and http://www.educause.edu/ICPL/library_resources.asp
–SANS, http://www.sans.org/resources/policies/ : includes a security policy primer, sample policies and templates
Slide 13: Awareness Programs
Target Audiences: faculty, staff, students, IT professionals
Delivery Methods: presentations, ads, articles, quizzes, handouts, videos
Message Framework
–Knowledge: what to do
–Skills: how to do it
–Attitudes: wanting to do it
National Initiatives:
–EDUCAUSE Security Education and Awareness
–www.staysafeonline.info
Slide 14: Awareness Programs
Communication tips (Payne, 2003. In Luker/Petersen.)
–Take the message to the people
–Be consistent in the message
–Write to short attention spans
–Make the message real to each target audience
–Make it fun
–Repeat, repeat, repeat
Some examples:
–http://www.cit.buffalo.edu/security/caught.html
–http://www.itc.virginia.edu/pubs/ads/fightback/
–http://www.udel.edu/codeoftheweb/
Slide 15: Resources
Computer and Network Security in Higher Education, 2003. Mark Luker and Rodney Petersen, editors. http://www.educause.edu/asp/doclib/abstract.asp?ID=PUB7008
Collection of policies and policy development resources: www.educause.edu/security
Slide 16: Contact Information
Office of Information Technology, University of Maryland, College Park
Amy Ginther, Policy Development Coordinator, aginther@umd.edu; phone: 301.405.2619
Gerry Sneeringer, Security Officer, sneeri@umd.edu; phone: 301.405.2996