© 2008 CH2M HILL, Inc. Data contained on this sheet is proprietary; use or disclosure is prohibited. Page 1

The CSU System-wide Policy Project
Communications Materials
A Package for Project Advocates

August 2008

What is an Information Security Program?

An organized effort across all domains (physical, logical, procedural) to provide appropriate levels of confidentiality, integrity, availability, and accountability for information regardless of format or representation.

Information Security Program Cycle

Program cycle (diagram; elements listed in the order they appear on the slide):

• Strategy
• Remediation
• Monitoring
• Implementation
• Awareness
• Policy

Source: Stepping Through the InfoSec Program; ISACA

The Elements

Strategy

• Objectives – what needs to be protected and why
• Roles and Responsibilities
• Structure – centralized or decentralized

Policy

• Policy – high level statements
• Standards – specific guidance
• Procedures – step by step instructions
• Guidelines – best practice recommendations

Awareness

• Orientations
• Training
• Reminders
• Forums, Working Groups, Wikis

The Elements (cont)

Implementation

• Administrative Controls – procedures and processes
• Technical Controls – firewalls, permissions, intrusion detection, etc.
• Physical Controls – barriers limiting contact with protected resources
• Asset Management
• Change Control

Monitoring

• Network Monitoring
• Self Assessments
• Incident Response

Remediation

• Risk Management
• Self Assessments
• Compensating Controls

Information Security Program – Touches Everyone

Administration and Staff

• A sustainable program is established and a bar is set
• Implementation freedom preserved
• Efficiencies gained from eliminating guesswork

Students

• Privacy acknowledged
• Protections provided
• Rules of the Road identified
• Consistency in expectations

Faculty

• Academic Freedom acknowledged
• Protection of research enhanced
• Not set in stone; will continue to evolve
• Consistency in expectations

Auxiliaries

• Part of the integrated approach
• Responsibilities identified

Visitors

• Still have access to information
• Few noticeable impacts
• Privacy more clearly addressed

Proposed Changes To Campus Practices

• All IT-related audit submissions approved by ISO
• Periodic review of department access lists and practices by ISO
• IT security assessments required for some organizations
• Many former “practices” documented as procedure
• IT security governance structure strengthened

Student Affairs Impact – Examples

Data Classification (Standard 15)

• Student Affairs will be required to identify applications and systems which access or store protected data.
• Some data may not be sent unless encrypted.
• Annual reviews of security permissions & practices.
• Approval required to create “shadow” systems.

Mobile Devices (Standards 12.2 & 12.3)

• No protected data stored on mobile devices (laptops, data phones, memory sticks) unless encrypted/protected.

Info Security Awareness (Standard 10)

• Required and tracked for every employee.

Procurement/Contracts (Standards 6, 11)

• Risk management process prior to procuring new systems.
• Third party contract changes.

Personnel (Standard 8)

• Exit process must include securing data and access.

System-wide Security Program Benefits

• Supports Compliance Requirements – demands for personal privacy and data protection continue to increase
• Demonstrates Leadership Commitment – a key to any successful program
• Promotes Broad Discussion and Awareness of Information Security – increased awareness is consistently the most effective means for reducing security incidents and data exposure
• Promotes Consistency – common framework and expectations
• Establishes a Benchmark – eliminates guessing about what needs to be done
• Provides Evidence of Due Diligence – important in cases of litigation

Project Background Timeline

• September 2007 – Project Begins
• October 2008 – Draft Policy and Standards Produced
• Fall 2008 – Initiate Executive Order Coordination

From the RFP

The project proposal is to develop viable system-wide information security policies and standards for the CSU System. This information security policy project will provide means of furthering information security education. Instill more secure working habits for individuals and entities that deal with CSU information assets. Will position the University to be in compliance with privacy and security regulations.

Deliverables

• System-Wide Security Policies
• System-Wide Security Standards
• Communication Materials
• Sample Implementation Strategies

Policy Objectives

The CSU is committed to:

• the ideals of academic freedom and freedom of expression.
• protecting the confidentiality, integrity, and availability of information assets entrusted to the University.

A delicate balancing act.

Policy: A policy is a broad statement of principles that presents management’s position for a defined subject.

Standards and Samples

Standard: A standard provides more specific guidance on a particular topic. Standards have been written as standalone documents so that they can be more easily incorporated into legal agreements where third parties are providing services.

Sample (Remote Access)

Policy: Campuses must develop procedures that prevent unauthorized remote access to critical information systems or protected data, while ensuring that authorized users have appropriate remote access.

Standard: All remote access to non-public campus information systems, data, and network resources must be authenticated and authorized.

Security Program Components (diagram)

Produced at the System Level

• Policy
• Standards

Produced at the Campus Level

• Procedures (as needed)
• Guidelines (as needed)

Policy Management and Updates

This policy will be updated to reflect changes in the CSU's academic, administrative, or technical environments, or applicable state, federal, or international laws and regulations.

The CSU's Senior Director for Information Security Management oversees an annual review of this policy.

Regular opportunity for updates, modifications, and adjustments!

Topics Addressed by Policy and Standards

• Information Security Roles and Responsibilities
• Risk Management
• Acceptable Use
• Personnel Security
• Privacy
• Security Awareness and Training
• Third Party Services Security
• Information Technology Security
• Configuration Management and Change Control
• Access Control
• Asset Management
• Management of Information Systems
• Information Security Incident Management
• Physical Security
• Business Continuity and Disaster Recovery
• Legal and Regulatory Compliance

Information Security Roles and Responsibilities

Key Policy Concepts

Everyone (executives, managers, faculty, students, and staff) is responsible for information security including:

• the privacy of personally identifiable information (PII).
• the integrity of data stored.
• the maintenance of applications installed on CSU information systems.
• the availability of information.
• compliance with applicable local, state, federal, and international laws and regulations, including intellectual property and copyright.

Key Standards

• Campus President – establishes campus program
• Campus Chief Information Officer
• Information Security Officer

Risk Management

Key Policy Concepts

• Campuses must conduct periodic risk assessments when security requirements change or when significant changes occur in the campus environment.

Key Standards

• Risk Assessment
• Risk Management Plan

Personnel Security

Key Policy Concepts

• Employee information security related duties and responsibilities must be defined in the employee position description.
• When employees separate from the University their access (physical and logical) must be promptly disabled or removed.

Key Standards

• Position Change
• Background Checks

Security Awareness and Training

Key Policy Concepts

• Campuses must ensure that system administrators and managers are provided with sufficient ongoing training to stay current with the best practices and technology.

Key Standards

• Content
• Awareness and Training Activities

Third Party Security Services

Key Policy Concepts

• Before third parties are granted access, a basic risk assessment must be performed.
• Contract terms and conditions must include appropriate information security safeguards.

Key Standards

• N/A

Information Technology Security

Key Policy Concepts

• Need procedures in place to effectively detect, prevent, and report malicious software.
• Networks (wired and wireless) need to be designed and segmented based on risk, data, and access.
• Procedures must prevent unauthorized remote access to critical information systems or protected data.

Key Standards

• Network Controls Management
• Remote Access
• Mobile Device Management
• Boundary Protection and Isolation
• Malicious Software Protection
• Wireless Access Points
• Logging Elements

Configuration Management and Change Control

Key Policy Concepts

• Must maintain a program designed to ensure that operating systems and applications are routinely updated to correct flaws and close vulnerabilities.
• Must review changes to critical information systems, protected data, and network resources.

Key Standards

• Change Control
• Configuration Management

Access Control

Key Policy Concepts

• Managers and data stewards define and approve access.
• A documented process is used to approve additions, changes, and terminations of access rights.
• User rights must be regularly reviewed.

Key Standards

• User Credential and Privilege Management
• Password Management
• Encryption

Asset Management

Key Policy Concepts

• All information assets must be classified according to the CSU’s data classification standard.
• Critical systems and protected data must be appropriately controlled.
• Media and hardware must be securely dispositioned when no longer needed.

Key Standards

• Data Classification
• Data Handling
• Data Retention (see EO 1031)
• Data Disposal
• Clean Desk

Management of Information Systems

Key Policy Concepts

• A documented process for developing and procuring applications and information systems.
• Use of protected data for testing is to be avoided.
• Testing of security controls required prior to operations.

Key Standards

• Development Management
• Secure Web Application Coding
• Life Cycle Management

Information Security Incident Management

Key Policy Concepts

• Each campus must have a security incident response team (SIRT) and an incident response plan.
• Training for response activities and testing response plans must occur regularly.
• Contracts should compel third parties to report security incidents involving campus information.

Key Standards

• Evidence Collection and Handling
• Reporting

Physical Security

Key Policy Concepts

• Protected data must be physically secure.
• Credentials (e.g. badges, tokens) must be regularly reviewed.

Key Standards

• Definition of Protection Areas
• Access to Data Closets and Cabling Restricted
• Limit Casual Viewing of Private Information (e.g. health centers)

Business Continuity and Disaster Recovery

Key Policy Concepts

• Continuation of essential functions and operations following a catastrophic event.
• Must be in compliance with the CSU Executive Order 1014.

Key Standards

• N/A

Legal and Regulatory Compliance

Key Policy Concepts

• CSU legal staff will help regularly identify and define the local, state, federal, and international laws and regulations that apply to the CSU campuses.
• Campus-specific policies, standards or procedures must meet or exceed system-wide policies and standards.

Key Standards

• N/A

System-wide Security Program Benefits Review

• Supports Compliance Requirements – demands for personal privacy and data protection continue to increase
• Demonstrates Leadership Commitment – a key to any successful program
• Promotes Broad Discussion and Awareness of Information Security – increased awareness is consistently the most effective means for reducing security incidents and data exposure
• Promotes Consistency – common framework and expectations
• Establishes a Benchmark – eliminates guessing about what needs to be done
• Provides Evidence of Due Diligence – important in cases of litigation

Additional Benefits – Audits

Audit/Review Savings and Efficiencies

• Everyone graded against the same base criteria
• Information security integrated into campus operations
• Routine self assessments
• Active risk management
• Audit becomes verification, not discovery – verification of the controls that have been put into place

Additional Benefits – Planning

Improved Planning and Coordination

• A common framework established
• Forums available for technical exchanges: ISOs, ITAC, ITRP II
• Identification of joint or system efforts enabled
• Risk-driven priorities and justifications

Additional Benefits – Continuous Improvement

Opportunity to Raise the Bar

• Standards can be enhanced or added to address changing threats.
• Campus or system guidelines can be used to try out proposed updates.
• Self assessments and audits can be used to identify gaps.

Trending and Analysis

• Risk-based approach supports decisions based on information, not speculation.
• A metrics program (future) will track program effectiveness.

Possible Campus Rollout Activities

• Respond to specific document requests by ISO
• Develop new internal processes to meet new requirements
• Engage in development process for implementing new policies & standards
• Establish division responsibility for annual reports and internal security audits (with ISO)

Sources for Additional Information

• Campus CIO: name, e-mail, number
• Campus ISO: name, e-mail, number
• Senior Director for Information Security Management, Chancellor’s Office: Cheryl Washington, [email protected], 562-951-4190

Q&A
