IT Retreat 2009

IT Security Controls and Initiatives

2

IT Retreat 2009Agenda

• Intentional IT Security Culture – Awareness, Education, and Training– Attitudes and Perceptions– Behavior and Actions

• IT Security Initiatives– Mandatory Security Training and Awareness– Remote Access Security Controls – Mobile Device Security Controls– Worksite Security Controls

• Summary– Changing Attitudes and Behavior– Successfully implementing Initiatives and Controls– Everlasting Change

3

Intentional Security Culture

• Justifying and Informing– Awareness of Threats and Risks Link

– On-going Education and Training

• Shaping Attitudes and Perspectives– Changing perceptions around security as

obstacles and onerous

• Influencing Behavior and Actions– Secure practices

4

Security Initiatives

• Mandatory Training and Awareness– Prerequisite to activating CCID for all

faculty/staff/student/affiliates– Online and available at the user’s discretion– Succinct and Focussed on Critical and Key

Security Items

5

Security Initiatives

• Remote Access Security Controls– U of A Standard Build Machines Only– Strong Authentication when accessing sensitive

data– No local saving, caching, or printing

6

Security Initiatives

• Mobile Device Security– Encryption– Rules specifying network drives as the default

and standard for storage – No local storage – especially of sensitive data– Password PDA’s– “Remote Kill”

7

Security Initiatives

• Worksite Security– Visible Photo ID required in staff only areas– Clear Desktop and Clear Screen Policy– Files and hard copy materials must be physically

secured– Cable locks and locking cabinets for laptops– Secure Fax

8

Summary

• Changing Attitudes and Behaviors

• Successfully Implemented Initiatives

• Everlasting Change

Ongoing Breaches

2005 - $89K avg cost to comp from a single laptop theft. (2005 FBI/CSI Comp Crime Survey)

LINK