Post on 02-Jan-2016
description
Policy and IT Security Awareness
Amy Ginther
Policy Develoment Coordinator
University of Maryland
Information Technology Security Workshop
April 2, 2004
Agenda
Discussion throughout session on:• Model policy development process • Influences on security policy • Security policy taxonomy • Model security policies• Awareness programs
Model Policy Development Process
• http://www.inform.umd.edu/ACUPA/projects/process
• Predevelopment– Identify Issues– Conduct Analysis
• Development– Draft Language– Get Approvals– Determine Distribution/Education
• Maintenance– Solicit Evaluation and Review– Plan Measurement and Compliance
Policy Development ProcessACUPA
Traits of Sound Policy Processes
Setting the Stage
Writing Approving Distributing Educating Enforcing Reviewing
Consistency with University values and mission
Identification and involvement of stakeholders
Informed participants
Assess cost-benefit
Preventing reinvention of the wheel
Use a common format
Agree on common definitions & terms
Allow for user feedback
Discussion and consensus building
Wide review and input
Approval from senior administrative levels
Ease of access to resources
Online
Accessible from one location
Allow for text and other searches
Send email to official distribution lists
Include contacts to answer questions
Hold a policy day
Have traveling road shows!
Have signed user agreements
Require policies to be read before services granted
Create policy enforcement office
Assess liability/ feasibility
Respond to complaints
Identify an owner for each policy
Develop a plan for active maintenance
Archive, date, and notify constituencies of major changes
Identifying Policy Stakeholders
Higher Education Values
• Higher Education environment…tends to be more open than corporate or gov’t environments; reality of student residential environments
• Measures taken to improve security must protect and not impede the expression of these values.
• Balance need for security with important aspects of higher education environment.
Core Academic ValuesOblinger, 2003. In Computer and Network Security in Higher
Education, Luker & Petersen, editors.• Community: shared decision making; outreach to connected communities
(access to affiliates or other patrons)
• Autonomy: academic and intellectual freedom; distributed computing
• Privacy: “the right to open inquiry without having the subject of one’s interest examined or scrutinized by others” (American Library Association, 2002)
• Fairness: due process
Influences on Security PolicyEDUCAUSE/Internet2 six principles to guide policy development:• Civility and Community• Academic and Intellectual Freedom• Privacy and Confidentiality• Equity, Diversity and Access• Fairness and Process• Ethics, Integrity and Responsibility
What to Include? Security Policy Taxonomy
• Security Architecture• Security Awareness• Security Implementation• Security Management• Data Security • Identity Theft • Incident Handling/Incident Response • Information Assurance • Network Vulnerability Assessment • Physical Security • Privacy • Security Planning• Security Policies• Security Risk Assessment and Analysis
Writing Policy: Elements of Institutional Policies
• Policy Name
• Scope
• Purpose
• Policy Statement
• Roles/Responsibilities
• Definitions
• References
• Supporting Procedures?
• Consequences/Sanctions for Non-Compliance
Model security policies
• EDUCAUSE/Cornell Institute for Computer Policy and Law, http://www.educause.edu/ICPL/
• http://www.educause.edu/ICPL/library_resources.asp
• http://www.sans.org/resources/policies/ includes security policy primer, sample policies and templates
Awareness Programs
• Target Audiences: faculty, staff, students, IT professionals
• Delivery Methods: presentations, ads, articles, quizzes, handouts, videos
• Message Framework– Knowledge: what to do– Skills: how to do– Attitudes: want to do
• National Initiatives:– EDUCAUSE Security Education and Awareness– www.staysafeonline.info
Awareness Programs
• Communication tips (Payne, 2003. In Luker/Petersen.)– Take the message to the people– Be consistent in the message– Write to short attention spans– Make the message real to each target audience– Make it fun– Repeat, repeat, repeat
• Some examples:http://www.cit.buffalo.edu/security/caught.htmlhttp://www.itc.virginia.edu/pubs/ads/fightback/
http://www.udel.edu/codeoftheweb/
Resources
• Computer and Network Security in Higher Education, 2003. Mark Luker and Rodney Petersen, editors. http://www.educause.edu/asp/doclib/abstract.asp?ID=PUB7008
• Collection of policies and policy development resources: www.educause.edu/security
Contact Information
Office of Information Technology
University of Maryland, College Park
Amy Ginther, Policy Development Coordinator,
aginther@umd.edu; phone: 301.405.2619
Gerry Sneeringer, Security Officer,
sneeri@umd.edu; phone: 301.405.2996