Policy and IT Security Awareness
Policy and IT Security Awareness
Amy Ginther
Policy Development Coordinator
University of Maryland
Information Technology Security Workshop
April 2, 2004
Agenda
Discussion throughout the session on:
• Model policy development process
• Influences on security policy
• Security policy taxonomy
• Model security policies
• Awareness programs
Model Policy Development Process
• http://www.inform.umd.edu/ACUPA/projects/process
• Predevelopment
– Identify Issues
– Conduct Analysis
• Development
– Draft Language
– Get Approvals
– Determine Distribution/Education
• Maintenance
– Solicit Evaluation and Review
– Plan Measurement and Compliance
Policy Development Process (ACUPA)
Traits of Sound Policy Processes
• Setting the Stage
– Consistency with University values and mission
– Identification and involvement of stakeholders
– Informed participants
– Assess cost-benefit
• Writing
– Preventing reinvention of the wheel
– Use a common format
– Agree on common definitions & terms
– Allow for user feedback
• Approving
– Discussion and consensus building
– Wide review and input
– Approval from senior administrative levels
• Distributing
– Ease of access to resources: online, accessible from one location, allow for text and other searches
– Send email to official distribution lists
– Include contacts to answer questions
• Educating
– Hold a policy day
– Have traveling road shows!
• Enforcing
– Have signed user agreements
– Require policies to be read before services granted
– Create policy enforcement office
– Assess liability/feasibility
– Respond to complaints
• Reviewing
– Identify an owner for each policy
– Develop a plan for active maintenance
– Archive, date, and notify constituencies of major changes
Identifying Policy Stakeholders
Higher Education Values
• The higher education environment tends to be more open than corporate or government environments, and must accommodate the reality of student residential environments.
• Measures taken to improve security must protect and not impede the expression of these values.
• Balance need for security with important aspects of higher education environment.
Core Academic Values
(Oblinger, 2003. In Computer and Network Security in Higher Education, Luker & Petersen, editors.)
• Community: shared decision making; outreach to connected communities (access to affiliates or other patrons)
• Autonomy: academic and intellectual freedom; distributed computing
• Privacy: “the right to open inquiry without having the subject of one’s interest examined or scrutinized by others” (American Library Association, 2002)
• Fairness: due process
Influences on Security Policy
EDUCAUSE/Internet2 six principles to guide policy development:
• Civility and Community
• Academic and Intellectual Freedom
• Privacy and Confidentiality
• Equity, Diversity and Access
• Fairness and Process
• Ethics, Integrity and Responsibility
What to Include? Security Policy Taxonomy
• Security Architecture
• Security Awareness
• Security Implementation
• Security Management
• Data Security
• Identity Theft
• Incident Handling/Incident Response
• Information Assurance
• Network Vulnerability Assessment
• Physical Security
• Privacy
• Security Planning
• Security Policies
• Security Risk Assessment and Analysis
Writing Policy: Elements of Institutional Policies
• Policy Name
• Scope
• Purpose
• Policy Statement
• Roles/Responsibilities
• Definitions
• References
• Supporting Procedures?
• Consequences/Sanctions for Non-Compliance
Model security policies
• EDUCAUSE/Cornell Institute for Computer Policy and Law, http://www.educause.edu/ICPL/
• http://www.educause.edu/ICPL/library_resources.asp
• http://www.sans.org/resources/policies/ includes security policy primer, sample policies and templates
Awareness Programs
• Target Audiences: faculty, staff, students, IT professionals
• Delivery Methods: presentations, ads, articles, quizzes, handouts, videos
• Message Framework
– Knowledge: what to do
– Skills: how to do
– Attitudes: want to do
• National Initiatives:
– EDUCAUSE Security Education and Awareness
– www.staysafeonline.info
Awareness Programs
• Communication tips (Payne, 2003. In Luker/Petersen.)
– Take the message to the people
– Be consistent in the message
– Write to short attention spans
– Make the message real to each target audience
– Make it fun
– Repeat, repeat, repeat
• Some examples:
– http://www.cit.buffalo.edu/security/caught.html
– http://www.itc.virginia.edu/pubs/ads/fightback/
– http://www.udel.edu/codeoftheweb/
Resources
• Computer and Network Security in Higher Education, 2003. Mark Luker and Rodney Petersen, editors. http://www.educause.edu/asp/doclib/abstract.asp?ID=PUB7008
• Collection of policies and policy development resources: www.educause.edu/security
Contact Information
Office of Information Technology
University of Maryland, College Park
Amy Ginther, Policy Development Coordinator,
[email protected]; phone: 301.405.2619
Gerry Sneeringer, Security Officer,
[email protected]; phone: 301.405.2996