August 9, 2005

UCCSC -- 2005

IT Security at the University of California
A New Initiative

Jacqueline Craig, Director of Policy
Information Resources and Communications

UC Office of the President

Workgroup
• Universitywide work group created to recommend initiatives to:
  – reduce number and severity of future security breaches
  – identify policy and best practices for education, technology

Subgroups
1. more effective handling of security incidents
2. protection of sensitive data on desktops, laptops and portable devices
3. communications / education
4. leadership / accountability

Final Report
• Focus on “restricted data”
• Initiatives identified for:
  – Leadership - must ensure IT security throughout UC
  – Management - must ensure the safeguarding of restricted data

Roles and Responsibilities
• leadership - initiate mandates to campuses
• individuals – identifies requirements for accountability
• units – administering data access policies, permissions, enforcement with standards, conducting security audits …

Roles and Responsibilities

• units – assign responsibility for security programs, maintaining data inventories, setting departmental guidelines, procedures, proper handling of security incidents and implementing remediation

Roles and Responsibilities
• campus-wide responsibilities
  – campus guidelines and standards
  – infrastructure management, such as networks and identity management
  – data stewardship, protection and management organizations
  – engage controllers and risk managers

Roles and Responsibilities
• university-wide responsibilities
  – manage an insurance-like fund to reduce local liability costs
  – provide clear guidelines for handling incidents
  – pilot audit and forensics teams
  – data risk management program to support campuses

Communication and Education
• launch system-wide campaign to raise awareness
• campuses urged to send communications to their constituencies
• create training modules adaptable to campus learning environments

Policy and Compliance Programs
• revise IS-3 to include
  – minimum security requirements
  – standards for allowable use of restricted data
  – guidelines for security incident handling

Management Initiatives
• conduct risk assessments
  – identify all resources that store or transmit restricted data
  – identify threats and vulnerabilities
• implement security plan appropriate to the environment

Security Plans
• outline processes and controls needed to enhance security
  – identify rights of access to data
  – implement strategies to protect data
  – train staff
• improve security incident procedures

Strategies for Securing Restricted Data
• encryption must be used
  – for transit
  – storage on devices when physical security cannot be provided
• campuses must implement connectivity standards

Strategies for Securing Restricted Data
• minimize storing on devices
• employ network management tools, such as firewalls, IDS, vulnerability scanning, and VPNs
• focus on log management strategies
• employ appropriate authentication and access controls

Strategies for Securing Restricted Data
• implement and test backup controls
• ensure robust systems management for applications and systems, such as anti-virus and security patch management, closing ports, turning off unused services, and operating change monitoring tools
• operate firewalls at both system and network level

Effective Handling of Incidents
• establish standard incident response procedures
• conduct appropriate post-security breach investigations
• recommendations for forensics guidance

Recommendations
• Leadership: develop systemwide and campus guidelines
• University-wide
  – UC-wide communication campaign
  – Create templates for communications

Recommendations
• Training: create Web-based training module for general purpose use
• Security Incidents: establish and communicate guidelines for log management

Recommendations
• Contract for forensics tools and services
• Create University-wide security audit and forensics teams
• Update IS-3

Recommendations
• Campus security programs
  – identify responsible party for oversight
  – develop campus security programs
• Encryption
  – promote campus-wide encryption services
  – select and contract for tools and technologies

When will this happen?

• August - report distributed to Chancellors

• September - Council of Chancellors' agenda for discussion and identification of next steps

