May 17, 2004 Educause/Internet2 Security Professionals Workshop
Information Security Program

The WVU Information Security Program
If You Build It, They Will Use It
Introductions
● Sue Ann Lipinski, Management Auditor, Internal Audit
● Tim Marton, Director, Information Systems
● Mark Six, Manager, Systems Administration
Abstract
WVU is building an institution-wide information security program to ensure the continued confidentiality, integrity & availability of mission critical information resources. This presentation discusses our incremental implementation approach, including the development of policies / standards / procedures, as well as efforts to include this program in current & future information-related activities & projects.
Some WVU Facts
● Founded in 1867 in Morgantown, WV
● Land Grant Institution
● 13 colleges & schools, offering 170 bachelor’s, master’s, doctoral & professional degree programs
● Medical Center
● Doctoral Research Extensive Classification
● Spread over 3 Morgantown & 3 regional campuses
● Enrollment of approximately 31,800
● Faculty/Staff of 6,487
Agenda
● Evolution of WVU’s Program
● Insight into Current Program
● Where Are We Going Next
● Words to the Wise
Evolution of WVU’s Program
● Drivers – Internal & External
● Champions Promoted, Promoted, Promoted …
● Defined Information Security for WVU
● Developed / Updated Policies / Standards – On-going
● Identified Information Security Program Elements
Why? Why Now?
● Internal Drivers
  − Recognized Need to Protect Information Resources
  − Impact of an Incident
● External Drivers
  − Gramm-Leach-Bliley Act (GLB)
  − Health Insurance Portability & Accountability Act (HIPAA)
  − Family Educational Rights & Privacy Act (FERPA)
  − The Privacy Act
  − West Virginia Code 18-2-5f – Use of Student SSNs
● Demonstrate Due Diligence
  − Higher Education in the Headlines
WVU’s Security Policy
● Information Resources as Vital Assets
● Definition / Purpose of Information Security
● Elements of WVU’s Program
● Structure, Composition & Responsibilities
WVU Information Resources
● WVU relies on numerous, diverse information resources to support the mission critical operations of administration, education, research & service.
● If these information resources were unavailable, unreliable or disclosed in an inappropriate manner, the University could suffer damage to its reputation & incur serious financial & operational losses.
● Accordingly, WVU acknowledges that information resources are vital assets requiring protection commensurate with their value.
Definition & Purpose
● The protection of information resources from unauthorized access, modification, destruction or harm
● The establishment of controls & measures to minimize the risk of loss or damage to information resources
● Inform users (students, staff and faculty) of essential requirements for protecting various assets, including people, hardware, software resources & data assets
● Provide a baseline from which to acquire, configure & audit computer systems & networks for compliance with the policy
Three Tenets
● Confidentiality… addresses the protection of private, sensitive or trusted information resources from unauthorized access or disclosure
● Integrity… refers to the accuracy, completeness & consistency of information resources
● Availability… ensures reliable & timely access to information resources by appropriate personnel
Elements of WVU’s Program
● Defined Structure w/ Central Point of Coordination
● Risk Assessment & Management
● Policies & Standards / Policy Management
● Communication & Education
● Compliance
● Reporting & Enforcement
● Procurement Oversight for Service Providers
● Security-related Projects
Structure (organization chart; diagram only)
Composition
● Reports to cabinet level authority
● Member of AAIMS Executive Committee
● Chairs the Information Security Council
Responsibilities
● Risk management
● Policies & standards
● Communicate & educate
● Compliance
● Report & enforce
● Service provider oversight
● Security-related projects
Composition
Chaired by Provost Office; includes VP (or Director) from:
● Academic Affairs
● Finance & Administration
● Health Sciences
● Human Resources
● Information Technology
● Internal Audit
● Library
● Student Affairs
Responsibilities
● Sponsor the Information Security Program
● Establish an Information Security Environment
● Coordinate access to necessary support
Composition
Chaired by the ISO; includes Information Security Representatives from the administration, faculty & staff, with support from:
● Internal Audit
● IT Specialists
● Legal Counsel
● Purchasing
ISC Charter
● Serve as senior management sponsors of the WVU Information Security Program
● Provide management & coordination of a University-wide information security program
● Review & revise information security policies, standards and procedures
● Establish & maintain a comprehensive risk management program
● Establish & maintain an information security compliance program
● Recommend & sponsor information security awareness, communication & education programs
● Provide a forum to discuss & assess pending regulations & requirements
● Perform periodic reviews of information security incidents / violations
● Govern contractual relationships with vendors, consultants & other 3rd parties
Composition/Responsibilities
Senior level University officials
● Assist development of data definitions
● Assign data elements to categories
● Provide framework for classifying data
● Authorize access to information resources
● Implement controls to secure resources
Composition/Responsibilities
Representatives of:
● Each major application/system
● Each academic college
● Each business unit
● Primary units of IT

● Disseminate policy
● Assist in detection / reporting of violations
● Departmental point-of-contact
Composition/Responsibilities
Any user authorized to access data and/or systems
● Protect information resources per 3 tenets
● Use information responsibly / appropriately
● Comply with policy
Composition
Independent, objective appraisal function, reporting to the WVU President’s Office & the Board of Governors’ Audit Committee
Responsibilities
Assist WVU administration in the effective implementation of internal controls:
● Safeguarding of University assets
● Integrity & reliability of information systems & related resources
● Compliance with University, State & Federal regulations
● Effective & efficient use & management of University resources
● Accomplishment of University goals

● Risk assessment
● Evaluation of controls
● Determine compliance with regulations, policy, etc.
● Issue recommendations
Risk Management
● Identify & Classify Resources
● Identify Threats & Vulnerabilities
● Determine & Prioritize Risks
● Determine Response:
  − Prevent, Mitigate or Accept
● Risk Assessment:
  − Periodic: ISO & ISC
  − Independent: Internal Audit
Policies/Standards
● Policies: contain senior management directives to create an information security program, establish its goals & measures, & assign responsibilities; define an organization’s information security philosophy
● Standards: mandatory activities, rules, measures of minimal performance or achievement, designed to provide support & structure; intended for universal application throughout the organization; used to implement the general policies/standards
Policies/Standards (cont’d)
● Recently Developed / Updated
  − Acceptable (Appropriate) Use
  − Anti-Spam, Anti-Virus
  − Data Center Access
  − e-Commerce Management
  − Electronic Mail
  − End-User Accountability
  − Network Security
● Under Development
  − Data Ownership / Classification / Security
  − Security Awareness / Education
  − Security Incident Reporting / Response
Policy Management
● Posted on the ISO Web Site
● Formal Protocol for Policy Evolution
● Policy Waivers
Communication & Education
● Student, Faculty & Employee Orientation
● e-News – Tips for the Day
● Web Site
  − Simple but informative
  − Intranet version debuted April 2004
  − Internet version @ http://oit.wvu.edu/iso
● Posters
● Classes and/or Mini-Workshops – Planning
Compliance Program
● Measures to Prevent & Detect
● Response to Compromise or Violations
● Continually Evaluate Regulations, Policies & Standards
● ISC plus Management, Providers & Users
● Internal Audit
  − Critical role in evaluation of compliance & recommendation of measures to help ensure compliance
Reporting & Enforcement
● Vanity e-Mail Account
  − [email protected]
  − For submitting “general” inquiries or reporting potential violations or concerns
● Developing Formal Reporting / Response Protocol
● Information Security Liaisons
● ISC “Action Team”
  − Forerunner to an incident response team
● Consequences for Non-compliance
Procurement Oversight
● Service Providers Held to Same Standard as Staff
● Confidential Information [Contract] Addendum
  − Definitions of covered data & information
  − Acknowledgement of required access
  − Safeguard standards
  − Reporting
● Audit Standards for Service Provider Contracts
Security-related Efforts
● Business Continuity Plan
  − Disaster Recovery Plan – In Place
  − Business Resumption Plan – In Planning
● e-Commerce Review Committee
● Ethics & Confidentiality Notice / Certification
  − University-wide coverage – Replacement under Review
  − Departmental / project specific – Some in Place
● SSN Replacement
● Identity Management / Central Authentication
ID Management Project
● Charter… to define and/or recommend a central (i.e., University-wide) identity management and authentication solution
● Multi-Phase Project
  − Phase I – Unique ID [WVUID]
    ✓ Completed
  − Phase II – ID Management
    ✓ Proof of Concept – Completed
    ✓ Tool Kit – Plan under Review (1/31/05 completion date)
  − Phase III – Central Authentication
    ✓ Campus-wide wireless access
Project Pyramid (diagram only)
WVU-ID “ToolKit” (diagram only)
Uniqueness Elements (table; columns: Application 1, Application 2, Application 3, Application 4, Application 5, Consensus; row labels were not preserved in the extracted text, so cells are shown as extracted)
1 Y 1,2,3,4 Y Y (30%) Y Y (3.3%) Y
2 Y 1,2,3,4 Y Y (15%) Y Y (3.3%) Y
3 Y 1 Y Y (15%) Y Y (3.3%) Y
4 Y Y N Y (2.5%) Y
5 (string vs. multi-segments) N N N N N N
6 (string vs. multi-segments) N N N N N audit only
7 Y Y N Y (2.5%) Y
8 N N N N N N
9 Y 3,4 Y N Y (10%) Y
10 N10a Y 3,4 Y10b N10c Y 3 Y10d Y 4 Y10e N
11 Y N N N N N
12 N Y (50%) N N N Y
13 Y 1,2 Y (50%) Y (40%) Y Y (75%) Y
14 N Y N N N N
15 N N N N
16 ID Number Y N N N ?
17 Y Y Y (40%) N Y
^ Each scenario (i.e., 1, 2, 3, or 4) represents a 100% confirmation on identity
Legend: “Not maintained consistently across applications”
Population Sources / Data Maintained (uniqueness elements): First Name, Last Name, Address 1, City, State, ZIP, Address 2, Gender, E-mail Address, Previous Last Name(s), Birth Name, Generation (Sr, Jr, III), Middle Name, Permanent Address, Place of Birth, Date of Birth; Other IDs: Visa, Drivers License, Social Security Number, Employee Number, Student Number
Where Are We Going Next
● Establish the Information Security Office(r)
● Develop Risk Assessment “Plan of Attack”
  − Job of the Information Security Council
  − Initial Focus on Electronic Resources
  − Risk Assessment Algorithms
● Classify Information Resources
● Continue to Address the Use of SSN at WVU
● Complete the ID Management / Authentication Project
● Continue to Spread the Word
● Continue to Review Current Policies / Procedures
● Implement Compliance, Reporting & Enforcement
A Word To The Wise
● Terminology
  − Information Security vs. Computer Security
● Cost & Benefits
  − Determine risk algorithms early in the process
● Consider Current Security Environment
  − Whenever possible, use existing elements
  − Can have reasonable plan by connecting dots
A Word To The Wise (cont’d)
● If Policy is Too Relaxed or Non-Existent
  − Little or no enforcement
● If Policy is Too Strict
  − Nobody pays attention to it (“hope I don’t get caught!”)
  − Too complicated, too cumbersome
● Flexibility / Adaptability is Key
  − Should be independent of specific HW/SW
  − Policy update mechanisms should be clearly spelled out
Resource Examples
● Federal / State laws, regulations, statutes
  − WV State Information Security Policy Guidelines
● Other Colleges & Universities
● “Information Security Policies Made Easy”
  − by Charles Wood
● Information Systems Audit & Control Association (ISACA)
● CERT, NIST, NSA, SANS, …
Never-Ending Cycle (diagram; elements of the cycle)
● Risk Assessment
● Policies/Standards/Procedures – Update / Create
● Education, Communications & Awareness Programs
● Management: Compliance, Reporting, Enforcement
Questions and/or Comments
Contacts
● http://oit.wvu.edu/iso
● [email protected]
● [email protected]
● [email protected]