Security Policy Resources and Models Educause Security Conference, Denver 2007 William L. Custer,...
Security Policy Resources and Models
Educause Security Conference, Denver 2007
William L. Custer, Miami University
Jack McCoy, University of Colorado
Connie Marie Popp, Eastern Michigan University
Wednesday, April 11, 2007 1:00PM in Colorado I/J
Session I2
Security Policy Models
Copyright William L. Custer, Jack McCoy, Connie M. Popp, 2007.
This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Presentation Overview
Part I: Introducing the Model Security Policy Committee (William Custer)
Part II: Demonstrating The Wiki (Connie Popp) – Wiki Sections 2.0, 3.0, 4.0; Drill Down: Data Classification
https://wiki.internet2.edu/confluence/display/secguide/Security+Policies+and+Procedures
Part III: Demonstrating The Wiki (Jack McCoy) – Wiki Sections 5.0, 6.0; Drill Down: Incident Response
Part IV: Demonstrating The Wiki (William Custer) – Wiki Sections 7.0, 8.0, 9.0; Drill Down: Security Management, Security Plan
Part V: Conclusions, Questions, and A Plea For Help
Related Presentations
Wed 10:45 Track 1 – Communications, Process, and Resources for Computer Incident Response
Wed 4:30 Track 2 – Security Standards in Higher Education
Wed 4:30 Track 4 – Developing a University System Wide Information Security Roadmap
Part I: Introducing The Model Security Policy Committee
William L. Custer
Security Policy Models Part I: Introduction
Educause Policy Conference – Washington, April 2005
A helpful “circle” of professionals
William Custer
Bob Kalal
Jack McCoy
Kim Milford
Connie Popp
Dave Weil
Leslie Maltz
Tammy Clark
Rodney Peterson, Educause
Valerie Vogel, Educause
A. History and Philosophy of the Committee
B. The Need For Model Policy
C. Bibliography of Model Policy
D. Four Needed Models
E. Overview of Policy Development Lifecycle
F. Future Directions
G. Institutional Variants In Policy
A. History and Philosophy of the Committee
1. Project Overview
2. Project Deliverables
3. Methodology
4. Assignments
5. Milestones
A. History and Philosophy of the Committee – 1. Project Overview
A body of model security policy for Educause member schools
Emphasize help to small & medium sized schools who generally lack resources.
Policy on all aspects of security, not simply crisis based
A. History and Philosophy of the Committee – 2. Project Deliverables
October 2006: A list of model policies and/or policy parts useful to schools interested in writing or revising policy. To publish on the Educause site for the Fall 2006 conference. Annotations on why a particular policy model is being recommended.
October 2007: Write model policy when none can be found.
A. History and Philosophy of the Committee – 3. Methodology
Adopt a standard of policy completeness (Topics).
Adopt a taxonomy of security policy (Sub-topics).
Find an existing policy, or policy part, for each of the sub-topics in the taxonomy.
Comments to explain why each was chosen.
A. History and Philosophy of the Committee – 3. Methodology (cont.)
Topic: 3.0 Asset Classification and Control
Sub-topics:
3.1 Accountability of assets – inventory
3.2 Information classification
A. History and Philosophy of the Committee – 4. Assignments
Committee divided into three sub-teams.
• Each responsible to find model policy for 3 of the ten policy topics in the taxonomy.
Eight schools selected for “look here first”.
• Cornell, Georgetown, Indiana, Minnesota, Stanford, Iowa, SUNY Buffalo, Temple
• Branch out to other schools from here
Review by full committee of all proposed models before inclusion on the wiki.
A. History and Philosophy of the Committee – 5. Milestones
Dec 2005: Form the Committee, explore methodology
Feb 2006: Begin trial write of a policy by committee
Mar 2006: Decide on taxonomy of ten major categories
Jun 2006: Assignment groups of two find models for each sub-topic of the ten categories
Aug 2006: Critique proposed models & select items for the wiki
Aug 2006: Three priorities from parent committee
Sep 2006: Format the work & enter into wiki
Oct 2006: Draft available for Educause. Plea for conference members to contribute
Dec 2006: Solicit contributions to the wiki through individual contacts
B. The Need For Model Policy
1. Previous work
2. Measure of completeness
3. Measure of maturity
4. State of Security Policy in Education
B. The Need For Model Policy
1. Previous work
Spreadsheet of 80 Educational Security Policy sites
• “College and University Security Resources”
Methodology for policy development written by Rodney Peterson and others
NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems”, February 2005. Appendix G contains a mapping table comparing NIST controls to ISO 17799
B. The Need For Model Policy
2. Measure of completeness
Do I have all the policy that I need?
• How do I know?
• A taxonomy or list of policy topics – Many ways to organize policy; what standards are there?
Does my policy say all that it should say?
• How do I know?
• A standard of complete coverage in a particular policy
B. The Need For Model Policy
2. Measure of completeness (cont.)
Do I have all the policy that I need?
• How do I know?
• Some standards: ISO 17799, SANS, CISSP
• Ten high level topics were similar in all three
• Committee adopted a working taxonomy
• You will see these topics in the wiki
B. The Need For Model Policy
2. Measure of completeness (cont.)
Does my policy say all that it should say?
• How do I know?
• Standard of completeness in a particular policy?
• We did not find a standard at the time
• Led to next slide – Policy Maturity
B. The Need For Model Policy
3. Measure of policy maturity
Maturity not indicated by budget
Maturity not indicated by number of staff
Maturity not indicated by size of institution
B. The Need For Model Policy
3. Measure of policy maturity (cont.)
Connected to industry standard & well defined vocabulary: Confidentiality, Integrity, Availability
Flows from a Security Plan
Acted upon rather than written to satisfy an audit comment and shelved. Indications of action.
Relates to a standard such as ISO 17799
B. The Need For Model Policy
4. State of Security Policy in Education
Impressions of the Committee:
Much good policy work available
Few have a complete body of policy as judged by our taxonomy
Many write policy reactively in response to some incident
Many plan policy work but have an incomplete body of policy
Many have little or no security policy
C. A Bibliography of Model Policy
Bibliography is familiar territory
Selected yet contributed
A Wiki
A wiki is a website that allows visitors to add, remove, edit and change content, typically without the need for registration.
D. Four Needed Models
1. Incident Response
2. Data Classification
3. Security Management
4. A Security Plan
(5). Risk Assessment
D. Four Needed Models (cont.)
1. Incident Response
2. Data Classification
3. Security Management
4. A Security Plan
(5). Risk Assessment
Get the 2007 edition: Official (ISC)2 Guide to The CISSP CBK, edited by Harold F. Tipton and Kevin Henry. Auerbach Publications, 2007. ISBN 0-8493-8231-9.
This title is similar to several other books published by Auerbach but by different authors.
E. The Policy Development Lifecycle
What Is It? The normal set of steps to implement policy, often measured in terms of years.
Why mention it here? As a caution:
You cannot simply take someone else’s policy and plug in your institution’s name.
Patrick Spellacy, U of Minnesota, Educause Web Cast, Aug 9, 2005
http://www.educause.edu/LibraryDetailPage/666?ID=LIVE0516
E. The Policy Development Lifecycle – Best Practice
1. Identify Issues – Be proactive
2. Conduct Analysis
• Identify an “Owner”
• Determine the Path – e.g. Regents, Board of Directors, Administrative
• Assemble Team – IT, Finance, Student
3. Draft Language
• Agree on terms
• Use a common format
4. Get Approvals
5. Determine Distribution / Education
• Plan communication
• Put online
• Make it searchable
6. Solicit Evaluation and Review
• Plan for maintenance
• Encourage feedback
• Archive changes – they use a content management system for change control
7. Plan and measure outcomes
F. Future Directions of the Committee
Leverage industry progress on these topics.
Incorporate recently published standards
Prioritize next policy topics as focus
Standards, procedures, and guidelines
Enlist contributions to the Wiki
G. Institutional Variants in Policy
“Reasonable Security” Factors
Institution size and resources: expectations and limitations
Organizational structure: roles, responsibilities, and accountabilities
Institutional culture: values, beliefs, processes
Security Policy Models Part II: Demonstrating The Wiki
Wiki Overview: 2.0 Organizational Security, 3.0 Asset Classification, 4.0 Personnel Security
Connie M. Popp, M.S.W., SPHR, Eastern Michigan University
http://www.educause.edu/security
2.0 Organizational Security
2.0 Organizational Security
Allocation of security roles
• State, university, and business unit levels
• Users, managers, IT security, oversight committees
Allocation of security responsibilities
• Training
• Policy
• Incident handling and reporting
2.0 Organizational Security
Information Security Policy, Georgetown University
• Responsibilities defined for roles, from auditors to users
• Managers train users
• Individual users shall report compromises
2.5 Risk Analysis and Assessment
Who is responsible?
What is expected?
Who is authorized to accept risk?
2.5 Risk Analysis and Assessment
SANS Risk Assessment policy (www.sans.org)
Who is authorized to accept risk?
OCTAVE
STARS
3.0 Asset Classification
3.1 Accountability and Inventory of Assets
Description of assets
Acquiring, managing and disposal of assets.
3.2 Information Classification
Public or private
Governing laws
Reason to classify
Disposal, archiving, and storage
Data protection
Protection and Security of Records, University System of Georgia
Data Stewardship Policy, George Mason University
Data Classification Guidelines, Stanford University
Drill Down on Data Classification Policy
University of South Carolina: Data Access
Purpose: Information is an “asset” … to preserve and protect
Ownership
Clarity of definition: “..stored on paper, digital text, graphic, images, sound or video.”
Classifications: General, Limited, and Restricted access
4.0 Personnel Security
4.0 Personnel Security
Background investigation of personnel
• Criminal
  • Local, state, federal
  • Frequency
Professional conduct
Training and awareness
Security Policy Models Part III: Demonstrating The Wiki
5.0 Physical & Environmental Security
6.0 Communications & Operations Management
With Drill Down On Incident Response
Jack McCoy, CISM
ISO – University of Colorado System
5.0 Physical and Environmental Security
5.1 Secure Area: security perimeters, entry controls, offices & facilities, delivery areas
Protecting core IT services vs. all valuable data
Physical security vs. personal safety
An IT responsibility vs. shared responsibility with HR, PS, business units, compliance, legal, etc.
5.1 Secure Area – Old Dominion U. IT Physical Security Policy
Policy scope beyond IT security and central IT
Fire extinguishers in offices
Offices with desktops to have AC, door locks
Off campus equipment (e.g., at home) the responsibility of the employee
Employees to report unauthorized access or suspicious activity
5.2 Equipment Security: equipment siting and protection, maintenance, cabling security, disposal, off-premises
Dedicated and shared equipment space
Cabled and wireless net services on contiguous campus, and non-campus properties
Responsibilities and involvement of HR, public safety, asset management, etc.
5.3 General Controls: clear desk and clear screen policy, removal of property
Policy scope - electronic data, paper, other
Distribution of oversight authority by:
data form (e.g., electronic, paper)
data type (e.g., financial, HR)
regulation (e.g., HIPAA, FERPA)
function (e.g., privacy, legal)
6.0 Communications & Operations Management
6.1 Operational Procedures and Responsibilities: procedures, change control, incident mgmt, patches, segregation of duties, test/dev systems
Institution size and resources: segregation of duties, change controls, life cycle management, separation of test and development systems
Balance of centralized & distributed computing
Degree of engagement by other university areas
6.2 System Planning and Acceptance: capacity planning, system acceptance
Existing committees for review and planning
Advisory vs. acceptance roles
Technical vs. functional assessments
6.3 Protection Against Malware
U. of Chicago - Protection from Malicious Software
Technical: anti-virus on all desktops and servers
Process: formal, documented process for prevention, detection, reporting, and recovery
Education: regularly train and remind workforce members about their responsibilities
6.4 Housekeeping: information back-up, operator logs, fault logging
Central IT and ISO’s responsibilities for DRP, BCP, other group efforts
Distributed computing responsibilities and resources: cost vs. operational, business, compliance needs
6.5 Network Management: network controls, air space, res hall bandwidth, ACLs, firewalls, IDS
Authority for network standards, controls
Physical campus environment and impact on network management
Influence of network design on placement and use of network security devices
6.5 Network Management: UC Berkeley - Minimum Network Security Stds
Security and privacy committee provides policy, procedures, and standards
Administrative officials ensure IT personnel capable of maintaining devices to standards
System admins maintain devices to standards
System and network security office assists implementation, places network access blocks
6.6 Media Handling and Security: media mgmt and disposal, data handling procedures, erasure
Procedures and pervasiveness of sensitive data
Regulatory and statutory requirements
Access to tools and expertise for data erasure
6.7 Exchange of Information and Software: exchange agreements, media in transit, e-commerce, e-mail, publicly available systems
Offsite storage location, data delivery
E-commerce systems, internal vs. outsourced
Central e-mail services, security assurances
Record retention, e-discovery requirements
Formal vendor arrangements
6.8 Responding to Incidents & Malfunctions: reporting incidents, security weaknesses, software malfunctions, learning from incidents
Accountability for breaches
Responsibility for incident response
Applicable regulations, laws, standards
Drill Down on Incident Response Policies
Incident Response Policy
Institutions often have one IR policy
Clear assignment of responsibilities
Clear guidance on how to respond
Resulting policies often a blend of policy, procedure, and general information
Iowa State - IT Security Incident Reporting Policy
A balance of IR policy topics:
Definition of “IT security incident”
Responsibilities for incident response: response team, IT support, individuals
Procedures for reporting and responding
Web link to incident report form
Iowa State - IT Security Incident Reporting Policy
IT security incident defined
Any accidental or malicious act with potential for:
misappropriation / misuse of confidential data
significantly imperiling the functionality of IT
unauthorized access to resources or information
use of IT resources to attack other organizations
Miami University - Critical Incident Response Plan
Incident severity level based on potential impact to operations or reputation
Critical: successful penetration / DoS, significant operational impact and risk to financial resources or PR
Medium: minimally successful penetration / DoS, limited operational impact and risk to financial resources or PR
Low: significant number of probes and scans, a targeted reconnaissance activity; penetration / DoS unsuccessful
Baylor - Computer Technology Security
Incident Response
ITS security notified immediately of suspected or real Security Incident involving an IT asset
If unclear whether a situation is considered a Security Incident, contact security to evaluate
Baylor - Computer Technology Security Incident Response Policy
In the meantime . . .
Don’t troubleshoot the system or investigate
If the incident involves a compromised computer, do not alter the state of the computer
Disconnect the computer from the network
UCSC Plan for Protection of PII
Response process initiated by a confirmed security breach of unencrypted PII
System steward creates Initial Report
IRT convenes to determine notification needs
Security and service provider restore service, preserving evidence
System steward submits Final Report
UCSC Plan for Protection of PII
Notification Procedures:
Final Report and law enforcement authorization initiate notification procedures
VP-IT and IRT develop notification plan
General counsel approves plan
VP-IT and PIO work to issue notifications
Discussion
7.0 Access Control
8.0 System Dev and Maint
9.0 Business Continuity
With Drill Down On Security Management & Security Plan
William L. Custer, MA, CISSP
Information Security Policy Manager, Miami University, Ohio
Security Policy Models, Part IV: Demonstrating The Wiki
7.0 Access Control
7.0 Access Control
7.1 Business requirement for access control
7.2 Identity management
7.3 User responsibilities
7.4 Network access
7.5 Operating system
7.6 Application access control
7.7 Monitoring system access in use
7.8 Mobile computing and teleworking
7.0 Access Control
Access control tends to be interleaved with other policy; see especially section 4.0
Several general policies are listed
The wiki perhaps needs more detail here
7.0 Access Control
Title: Indiana University. http://datamgmt.iu.edu/CDS/da_guidelines.html
Policy value: These guidelines are fairly comprehensive and a good starting point. Based on documents from Virginia Polytechnic Institute. See especially the sections called Data Access, Data Availability, and Data Manipulation. Other sections are valuable as well.
Title: Cornell: www.cit.cornell.edu/services/identity/netid-terms.html
Policy value: Focused on user responsibilities for campus identifier. Helpful information for a Responsible Use document.
Title: Dartmouth College Information Technology Policy. Dartmouth: www.dartmouth.edu/comp/about/policies/general/itpolicy
Policy value: This brief policy includes statements on registration and review of access rights, account naming and allocation of resources. Also valuable as input to a general Responsible Use Policy.
Title: University of Wisconsin. www.doit.wisc.edu/security/policies/
Policy value: See especially Electronic Devices Policy, Guest NetID Policy, Password Policy, Draft Policy for University of Wisconsin Data Network which will prohibit anonymous use.
Title: Iowa. http://cio.uiowa.edu/ITsecurity/Infosec-Plan.shtml
Policy value: An example of a rather complete policy site that is user friendly; see section 4.0 for material on access control.
8.0 System Development and Maintenance
8.0 System Development & Maintenance
Title: Information Security Framework, “Information Integrity Controls”
Iowa: http://cio.uiowa.edu/policy/policy-information-security-framework.shtml
Policy Value: A brief statement on Information Integrity Controls is relevant to system development and maintenance. Data classification is tied to system controls in section 4.3
Title: Guidelines for Systems and Network Administrators
Georgetown: http://uis.georgetown.edu/policies/technology/snaguidelines.html
Policy Value: A brief extension of their general responsible use statement. Applies primarily to operations rather than development.
9.0 Business Continuity Management (Disaster Recovery)
9.0 Business Continuity Management
Management process
Impact analysis
Writing and implementing the plan
Planning framework
Testing, maintaining, and re-assessing
9.0 Business Continuity Management
Title: Backup and Recovery Policy
Indiana (School of Med): http://technology.iusm.iu.edu/security/iusm_policy_sec_03.aspx
Policy Value: Concise one page statement of minimum requirements
Title: MIT Business Continuity Plan
MIT: http://web.mit.edu/security/www/pubplan.htm
Policy Value: Comprehensive plan using industry standard categories and terminology
Title:
LSU: http://appl003.lsu.edu/itsweb/securityweb.nsf/$Content/State/$file/IT-POL-011.pdf
Policy Value: Concise outline of major components of a high level DR/BCP
10.0 Compliance
10.0 Compliance
10.1 Compliance with legal requirements
10.2 Review compliance of Security Policy and technical compliance
10.3 System audit considerations
10.4 Archiving explicit material
10.0 Compliance
10.1 Compliance with legal requirements
Title: Campus Information Technology Security Policy
http://security.berkeley.edu/IT.sec.policy.html#comp
Policy Value: This is an example of a broader acceptable use policy that includes a statement on compliance with other laws and regulations (see Heading: COMPLIANCE WITH LAW AND POLICY).
Drill Down on Security Management and Security Plan
Drill Down on Security Management
“Organizational Security Policy” written by the committee listed in the wiki section 2.0
Alternate title for this policy is “Information Security Policy”
The committee’s first model document
1.0 Management Commitment: Protect the confidentiality, integrity, and availability
2.0 Information Security Infrastructure
2.1 Organization and Governance
• 2.1.1 Information Security coordination
• 2.1.2 Roles and responsibilities
• 2.1.3 Advisory council
• 2.1.4 Information processing facilities
• 2.1.5 Security advice
• 2.1.6 Cooperation between organizations
• 2.1.7 Independent review
3.0 Third Party Access
4.0 Outsourcing
5.0 Risk analysis
1.0 Management Commitment: Statement of Responsibility and Commitment
The University considers information to be a strategic asset that is essential to its core mission and business operations.
Furthermore, the University values the privacy of individuals and is dedicated to protecting the information with which it is entrusted.
Therefore, the University is committed to providing the resources needed to ensure confidentiality, integrity, and availability of its information as well as reduce the risk of exposure that would damage the reputation of the university.
Information Technology Policy shall be established that supports the following core security values:
1.0 Management Commitment: core values
Support University mission
Consistent with institutional policies, contracts, and laws
Privacy
Appropriate and cost-effective
Best practices
Shared responsibility
Accountability
Flexible and adaptable
Emergency preparedness
Reassessment
1.0 Management Commitment: core values
Each core value is elaborated, e.g., Support University mission: The Policy is designed to support the mission of the University, notably the creation and dissemination of new knowledge, by protecting the University’s resources, reputation, legal position, and ability to conduct its operations. It is intended to facilitate activities that are important to the University.
2.1 Organization and Governance
In order to promote the security mandate of the university, (fill in some governing body) shall:
1. Oversee risk management and compliance programs pertaining to information security such as Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, and PCI.
2. Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
3. Strive to protect the interests of all stakeholders dependent on information security.
4. Review information security policies regarding strategic partners and other third-parties.
5. Strive to ensure business continuity.
6. Review provisions for internal and external audits of the information security program.
7. Collaborate with management to specify the information security metrics to be reported to the board.
Notes: These points taken from www.educause.edu/ir/library/word/SWR0514.doc
2.1.1 Information Security coordination. In order to promote the security mandate of the university, management shall:
1. Establish information security management policies and controls and monitor compliance.
2. Assign information security roles, responsibilities, required skills, and enforce role-based information access privileges.
3. Assess information risks, establish risk thresholds and actively manage risk mitigation.
4. Ensure implementation of information security requirements for strategic partners and other third-parties.
5. Identify and classify information assets.
6. Implement and test business continuity plans.
7. Approve information systems architecture during acquisition, development, operations, and maintenance.
8. Protect the physical environment.
9. Ensure internal and external audits of the information security program with timely follow-up.
10. Collaborate with security staff to specify the information security metrics to be reported to management.
Notes: These points taken from www.educause.edu/ir/library/word/SWR0514.doc
2.1.2 Roles and Responsibilities
Chief Information Security Officer (CISO)
Chief Information Officer (CIO)
Chief Security Officer
Information Security Officer
Information Privacy Officer
Auditor
Office of Counsel
Data Stewards
2.1.2 Roles and Responsibilities
Chief Information Security Officer (CISO): responsibility for the design, implementation, and management of the university's Information Security Program. Promotes a strategic vision for information security, oversees information security policy development and compliance, provides direction on user awareness and education programming, manages large-scale projects and initiatives as needed, and advises senior management on the risks to university information in the context of regulatory, legal, audit, contractual, and other applicable requirements. Provides direction to security policy. The CISO role does not usually include …
2.1.2 Roles and Responsibilities
Chief Security Officer: coordinates (or oversees) all security programs and staff for the entire organization. Includes physical security and almost always includes information security. Some recent security programs have been made part of a broader risk management program and could include business continuity as well.
Notes are included
Policy: Office of Counsel – Responsible to offer legal advice to the University. Some counsels manage risk compliance and also security policy.
Notes: Many policy experts recommend that the Office of Counsel not have final authority on what policy is adopted. This is because the goal of good policy may not be coincident with policy that avoids the fewest legal actions.
Resources
• Information Security Governance Self Assessment Tool for Higher Education, items 4.9 - 4.34: http://www.educause.edu/ir/library/pdf/SEC0421.pdf
• Corporate Information Security Working Group (CISWG), Report of the Best Practices and Metrics Teams; Subcommittee on Policy, Information Technology, Intergovernmental Relations and the Census; Government Reform Committee, United States House of Representatives: http://www.educause.edu/ir/library/pdf/CSD3661.pdf
  – “Sources for Developing Information Security Policies” in Appendix D
  – “Establish Information Security Management Policies and Controls and Monitor Compliance” is on page 16 of the CISWG document above
Security Policy Models Part IV: Demonstrating The Wiki
Drill Down on Security Plan
Two resources
• Draft Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems (http://csrc.nist.gov/publications/nistpubs/index.html)
• Georgia State University: http://www.educause.edu/LibraryDetailPage/666?ID=CSD4889
Security Policy Models Part IV: Demonstrating The Wiki
Drill Down on Security Plan
Features of the Georgia State Plan
Security Policy Models Part V: Conclusion
Part V
Future Directions of the Committee
Questions and Answers
Questionnaire
Security Policy Models Part V: Conclusion
Future Directions of the Committee
• Leverage industry progress on these topics.
• Incorporate recently published standards.
• Prioritize next policy topics as focus.
• Standards, procedures, and guidelines.
• Enlist contributions to the Wiki.
Security Policy Models Part V: Conclusion
Questions and Answers
Questionnaire