Chapter 13: Policies, standards and guidelines

Overview
- Understand the difference between security and compliance requirements
- Distinguish between policies, standards, and procedures
- Understand the life-cycle of a policy
- Identify a set of policies considered a must for any organization

Guiding principles
- Administrative mechanisms used in the industry to guide end user behaviors
  - Policies: a document that records a high-level principle or course of action that has been decided on
  - Standards: a defined set of rules, accepted and adopted by several organizations
  - Guidelines: recommendations for operations
- These mechanisms help obtain executive-level endorsement for information security objectives within the organization
- And translate these objectives into specific actionable items for all organizational members
- Workflow
  - Security administrators recognize a need for change regarding information security
  - Suggested changes are brought to the attention of top management for review
  - Change allowed by top management if warranted
    - Top management is also concerned with usability and training costs
  - Resulting information security practices are released as policies
  - Standards and guidelines emanate from these policies

Guiding principles (contd.)
- Policies, standards and guidelines need to be targeted and have clear objectives
- Important to understand the basic principles of information security
  - Principles valued by organizations
  - Use these principles as the underlying support of the information security policy

Basic principles of information security - 1
- The organization must comprehend that security affects the organization and its employees and customers on a daily basis
  - Cannot do security today, skip tomorrow, and then try it again next week
  - Sound principles of security must be embedded in any and all activities in the organization

Basic principles of information security - 2
- Layers of security
  - No one-size-fits-all solution for security problems
  - No single solution that solves all security problems
    - Repeated incidents of virus outbreaks, data leaks, and web defacements
  - Useful to implement multiple security systems
    - Hope that one of these systems will catch a threat action
  - E.g. to protect data in a file server: login system with complex passwords, biometric scans, firewall, EPP, encryption

Basic principles of information security - 3
- Understand the other positions of the firm
  - Different approaches may bring up different policy requirements
  - Helps with the writing of policies, e.g.
    - Does the company prefer open source or commercial software?
    - Does the company adopt one of the industry standards across the board? Or is it more selective on what it adopts?
    - Does the firm hire temporary consultants? Or does it strive to keep knowledge in-house?

Policy
- COBIT framework definition: a policy is a document that records a high-level principle or course of action that has been decided on
- Emphasis is on high-level
  - Policies reflect principles endorsed at the highest levels of the organization
  - Executive time at these levels is very expensive
  - These executives try very hard not to revisit an issue a second time
  - Therefore policies are written in general terms
    - Without need to revisit as a result of routine developments in business and technology
- Other administrative mechanisms emanating from policies
  - Standards, guidelines and procedures
  - Provide specific actionable directions to all employees
  - Written by experts such as system administrators
  - Can change as the specific circumstances within the organization change

Policy (contd.)
- Policy specifies a general direction for the organization to follow
  - Without concerns for how to get there
- Standards, guidelines and procedures focus on how to get where the policy desires to go
- For instance, USF policy 0-516, SSN Appropriate Use Policy:
  "Paper and electronic files containing Social Security Numbers will be disposed of in a secure fashion in accordance with state and federal retention and disposal policies."
  - No detail on how to dispose of paper containing SSNs
  - Only that it is done in a secure fashion according to the law
  - Focus is that records are disposed of, not how disposal is implemented
    - That would depend on technology available, cost, etc.
    - Will be described in standards, procedures and guidelines

Standards
- Defined set of rules, accepted and adopted by several organizations
- Some standards are referred to as industry standards
  - Activities, settings, measurements etc. that are accepted by all firms in an industry
  - Should be considered the norm for operations
- NIST (National Institute of Standards and Technology)
  - One of the foremost sources for standards in terms of IT security, at least for organizations within the United States
  - NIST documents are usually labeled only as recommendations or guidelines
  - Yet, seen as de facto standards for all organizations in the United States
  - Seen throughout this text, including Guidelines for Conducting Risk Assessments

Standards (contd.)
- ISO (International Organization for Standardization)
  - Another organization accepted worldwide to produce standards with international scope
  - Widely used ISO standard is ISO 17799/27002
    - Deals with information security
  - From the ISO web site:

  "ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management"

Standards (contd.)
- ISO web site (contd.): ISO/IEC 27002:2005 contains best practices of control objectives and controls in the following areas of information security management:
  - security policy
  - organization of information security
  - asset management
  - human resources security
  - physical and environmental security
  - communications and operations management
  - access control
  - information systems acquisition, development and maintenance
  - information security incident management
  - business continuity management
  - compliance

Standards (contd.)
- Mandatory once accepted by the organization
  - E.g. an ISO 27002-compliant organization
  - The organization must adhere to all regulations put forth by the standard
  - No such thing as partial compliance
- Symantec IT controls reference
  - Maps requirements among various security standards
    - E.g. ISO 27002, COBIT, Sarbanes-Oxley, HIPAA, PCI, GLB
  - Of course, relates the firm's product offerings to these requirements
- Standards are directly related to and backed up by a policy
  - E.g. the policy should declare that all computers in the organization must have an End Point Protection (EPP) solution installed
  - The standard specifies which EPP should be installed

Standards (contd.)
- Separation of policy and standard
  - Usually a policy is harder to modify than a standard
    - Needs top management approval
  - Allowing IT (or another designated unit) to maintain the EPP standard allows the delegated unit to make decisions
    - Without the burden of going through the entire policy lifecycle and approval

Standards (contd.)
- Standards make a policy meaningful
  - Without a standard, EPP becomes vague
  - EPP is a collection of applications
    - Always includes an antivirus solution
    - The following are optional: host-based intrusion detection, firewall, scheduled virus scans or real-time scans, vulnerability assessment, web site reputation
  - Without the standard, units would have a hodge-podge of solutions

  - The standard determines importance and forces implementation

Guidelines
- Procedures that specify what would be nice in operation or accomplishment
  - But not a requirement
- Some guidelines may evolve later into standards
  - When management finds utility and grants authority for the guideline to become a standard

Guiding principles - relationships (figure, reconstructed as a list)
- Policy: mandatory; sets general direction; approved and backed by management
- Standard: mandatory; builds on the policy with specifics
- Guideline: voluntary adoption; pre-standard; outlines optional items

Why so much paperwork?
- Typical complaint
  - Students: stars in their eyes, optimistic, "why can't we all just get along together?"
  - Technical personnel: generally very hands-on, poor documentation skills
- But documenting guiding principles can actually improve the organization's functioning
  - Not just added red tape and bureaucracy
  - Goes beyond compliance, if done right

Why so much paperwork? (contd.)
- Benefit 1: Security policies indicate to customers, end users, and even employees that the organization takes security seriously
  - For example, City of Tampa, FL, security policy:
    "Providing you with a secure online experience is a high priority of the City of Tampa. We recognize that your information security is of the utmost importance, and we have devoted a great deal of effort to ensure that your personal information is safeguarded."
  - Indicates the importance the organization places on information security
  - Should be reassuring to concerned users

Why so much paperwork? (contd.)
- Benefit 2: Roadmap for employees
  - Acceptable Use Policy, or AUP: describes to users the dos and don'ts of the system, things that are acceptable to do as well as things that would cause an end to services or employment
  - Sample of AT&T's IP Services AUP:
    "Threatening Material or Content: IP Services shall not be used to host, post, transmit, or re-transmit any content or material (or to create a domain name or operate from a domain name), that harasses, or threatens the health or safety of others. In addition, for those IP Services that utilize AT&T provided web hosting, AT&T reserves the right to decline to provide such services if the content is determined by AT&T to be obscene, indecent, hateful, malicious, racist, defamatory, fraudulent, libelous, treasonous, excessively violent or promoting the use of violence or otherwise harmful to others."
  - Again, indicates the importance the organization places on information security
  - Again, should be reassuring to concerned users

Why so much paperwork? (contd.)
- Benefit 3: Policies force organizations to determine the value of the information they generate in support of actual assets
  - Sometimes it may be advantageous to make this determination and document it in case of litigation
  - For example, MIT has the following paragraph in their policy on retention of DHCP logs:
    "The DHCP server is configured to provide dynamic addresses automatically as needed. The logs of information are maintained on an IS&T-managed server. Each log is tagged with its creation date; once a day, the system deletes logs that are 30 days old"
  - Organizations tracking violation of copyright laws must notify the organization within 30 days (in the case of MIT) of the event detection

Why so much paperwork? (contd.)
- Benefit 4: Policies ensure consistency across the organization
  - Can yield better pricing and knowledge acquisition
  - Compare each college having its own EPP solution
    - School of Architecture may decide EPP is a waste of funds and not purchase any
    - College of Engineering may install a low-quality EPP solution, trusting its own expertise
    - College of Fine Arts may pay exorbitant licensing fees: too few computers to negotiate a good deal
    - Each school may need consulting help for its own version of the software: adds costs
  - With standardization, one college may send an employee for training; other colleges share some of the costs

Why so much paperwork? (contd.)
- Benefit 5: Management backing
  - If developed the right way, the policy reflects concerns and inputs from all affected units and stakeholders
    - Greatly improves acceptance of any constraints imposed by the policy
  - Individuals cannot allege ignorance of the policy
    - E.g. the organization has a policy that computers not updating their virus definitions daily will be pulled off the network
    - The user would have no recourse to complain if his computer is pulled off the network for this reason

Policy cycle
- Policies work in cycles, much like the Incident Response cycle
- In fact, incidents are often the driving force behind the creation of a new policy or the revision of an existing one
  - E.g. late 90s: massive outbreaks of the Melissa and I Love You viruses
    - Drove the creation of centralized security policies for decentralized University organizations
    - And the naming of Information Security Officers for Universities

Policy cycle (contd.)
- Audience for a policy
  - Employees and customers
  - State or federal regulation
  - Separate and distinct, but ideally they should share similar concerns
  - Ideally, policies address both audiences
- Policy recommendations
  - Don't use legal language unless you have to
    - Employees and customers should clearly and quickly understand the intent of the policy
    - An unclear policy only addresses regulatory compliance
      - Becomes a policy for the sake of a policy
      - No one reads it; everyone only has a vague idea of what it is about
  - Each policy should be targeted at a specific issue as far as possible
    - E.g. one for data protection, another for user access, another for data backup
    - Satisfies regulatory compliance, and users will have an easier time finding what they are looking for

Policy cycle (contd.)
- Policy requirements
  - On one end, strong enough to protect the confidentiality, integrity, and availability of assets
  - On the other end, maintain productivity for competitiveness
- Realities
  1. Defensive stance of management: many organizations err on the side of protection
  2. Aggressive stance of employees
    - Employees focus on careers and are aware of the importance of productivity
    - Will be dedicated to doing their job or achieving their goals
    - If a policy prohibits a required activity or behavior, employees will find a way around it
  - Make sure employees will actually abide by the policy

Policy cycle (contd.)
- Stages of the policy cycle
  - Writing the policy: initial development by experts
  - Impact assessment and promulgation: review by stakeholders
  - Review: periodic re-evaluation

Writing the policy
- Follow the organizational template if one exists
- Else, search online for similar policies within the industry
  - Will ensure you cover as many sub-topics as possible
- Generic template presented here

- Components of a typical policy
  - Overview
  - Scope
  - Definitions
  - Statement
  - Enforcement

Writing the policy (contd.): Overview
- First section in a policy
- Tells users why the organization decided to have such a policy
- Example: University of Arizona, General Security Policy:
  "University resources, information and technology have become increasingly important to faculty, staff and students for academic and administrative purposes. At the same time, internal and external threats to the confidentiality, integrity, and availability of these resources have increased. Security breaches are commonplace and universities continue to be popular targets for attack. Critical university resources, such as research, patient care, business transaction, student, and employee nonpublic personal data, must be protected from intrusion and inappropriate use or disclosure. Devices must be set up and routinely maintained and updated so that they prevent intrusion and other malicious activities. The purpose of this policy is to ensure that all individuals within its scope understand their responsibility in reducing the risk of compromise and take appropriate security measures to protect university resources. Access to university resources is a privilege, not a right, and implies user responsibilities. Such access is subject to Arizona Board of Regents and University policies, standards, guidelines and procedures, and federal and state laws."
- What to look for
  - First paragraph: the University outlines that they value their institutional data; a glimpse of some of the issues covered in the policy
  - Second paragraph: goes back to some of the guiding principles we discussed earlier
    - Security is not the job of IT alone
    - Securing personal data is the responsibility of every individual
  - Also sets things up for the enforcement piece
    - Access is not a right due to the paying of tuition, but a privilege
    - Abuses of these privileges can have consequences

Writing the policy (contd.): Scope
- Tells the user what or who is covered by the policy
- Every policy has a scope associated with it
- Example 1: Workstation Security Policy at Emory College:
  "The workstation security policy is applicable to all workstations (Windows, Mac OS X, Linux) (including desktops, portables, and virtual machines) that fall under the administrative scope of ECCS"
- Example 2: Incident Management Policy at Kansas State University:
  "These procedures apply to all University personnel, units, and affiliates with responsibility to respond to security incidents involving University IT resources or data"
- What to look for
  - Emory College: organizations must be careful not to over-specify the target of the policy
    - "Windows, Mac OS X, Linux" creates a loophole
    - What about a faculty member running an older Solaris desktop workstation? Not covered by the policy
    - Solution: add "and other Operating Systems" at the end of the list
  - KSU: includes data and very clear lines of responsibility
    - Includes all employees and affiliates of the University
    - Every time institutional data is involved

Writing the policy (contd.): Definitions
- Particularly useful when the subject matter of the policy may be unclear to the audience
  - Or if the organization needs a bit more clarification on the scope
- Example 1: Georgetown's definition of ePHI (Electronic Protected Health Information):
  "ePHI includes any computer data relating to the past, present or future physical or mental health, health care treatment, or payment for health care. ePHI includes information that can identify an individual, such as name, social security number, address, date of birth, medical history or medical record number, and includes such information transmitted or maintained in electronic format, but excluding certain education and student treatment records. Not included within ePHI are student education records, including medical records (which are protected under FERPA), medical records of employees received by Georgetown University in its capacity as an employer, and workers' compensation records. Although these records are not covered under the HIPAA Privacy or Security Rules, other University Policies cover the confidentiality and security of these materials. There are special provisions in the law governing the release of psychotherapy records."
- Example 2: Marist College's definition of Information Resources:
  "For the purpose of this policy, information resources refer to:
  1. All Marist College owned computer hardware, software, communications equipment, networking equipment, networking and telecommunications protocols, associated storage and peripherals;
  2. All computer hardware, software, communications equipment, networking equipment, associated storage and peripherals that are connected to any Marist College information resource;
  3. All computer hardware, software, communications equipment, networking equipment, associated storage and peripherals that store or transmit information that belongs to Marist College;
  4. All data, information and intellectual property that may be transmitted over or stored on any Marist College information resource;
  5. Any paper reports, microfilm, microfiche, books, films or any media containing information, data or intellectual property that is the property of Marist College"
- What to look for
  - Georgetown: specifies what is considered ePHI; also provides some clear examples of what is not considered ePHI
  - Marist College: a popular term used in IT policies is Information Resources, e.g. student records. But what exactly is an information resource? Does it include an employee's smartphone? A student's laptop? A departmental fax machine? A faculty member's telephone?
    - From now on in the policy, the words Information Resources unquestionably refer to the defined assets

Writing the policy (contd.): Statement of policy
- Formulates how the organization will deal with a particular situation
- Example 1: University of Massachusetts Boston's Wireless Requirements and Procedures:
  "All WAPs connected to university infrastructure must be registered with IT and must comply with the technical standards and naming conventions specified by IT. The registration process requires information including the responsible university unit and designated liaison, as well as the location, purpose, and technical and operational information about the WAP. Registration can be accomplished using the online form located at the IT website. Such registration is intended for the identification of the WAP, to facilitate communications between all parties responsible for wireless network support and operation, and to ensure compliance with all applicable UMass policies, standards, and guidelines, as well as federal, state, and local rules and regulations"
- Example 2: Purdue's Data Security Incident Response Policy:
  "The Coordinator of Incident Response upon receiving a report is responsible for assessing its veracity, determining whether or not the event constitutes an IT Incident and classifying the IT Incident, and initiating handling procedures"
- What to look for
  - University of Massachusetts: addresses the problem of rogue Wireless Access Points
    - Individuals walking around campus could associate with a WAP accidentally
    - Sniffing attacks possible, a la TJ Maxx
  - Purdue: as much as possible, the statement of policy should also outline the responsibilities for implementing the policy
    - The example is one of several statements specifying the responsibilities of the Coordinator of Incident Response
- Statements of policy vary in length
  - Depend on subject matter
  - And on the organization's choice of grouping multiple issues into one policy, or splitting them up into multiple policies

Writing the policy (contd.): Enforcement
- Specifies penalties for violation of the policy
- Usually the last section of the policy
  - May refer to other policies for penalties
- Rarely specific in penalty
  - Usually mentions a range of possible measures, using phrases such as "up to and including" and "appropriate measures"
  - Also tends to use "may" instead of the more absolute "shall" or "must"
    - "shall" or "must" are commonly used in the rest of the policy
- Example 1: Carnegie Mellon:
  "Violations of this Policy may result in suspension or loss of the violator's use privileges, with respect to Institutional Data and University owned Information Systems. Additional administrative sanctions may apply up to and including termination of employment or contractor status with the University. Civil, criminal and equitable remedies may apply. Exceptions to this Policy must be approved by the Information Security Office, under the guidance of the Executive Steering Committee on Computing (ESCC), and formally documented. Policy exceptions will be reviewed on a periodic basis for appropriateness."
- Example 2: USDA:
  "Violations of standards, procedures, or practices in support of this policy will be brought to the attention of management officials for appropriate action which will result in disciplinary action, that could include termination of employment"
- What to look for
  - Carnegie Mellon: mentions exceptions to the policy
    - Means by which a user would be able to apply for an exception to the policy
    - Promises review from time to time to make sure exceptions are still appropriate
      - Exceptions will be reviewed periodically, not on a specified calendar (e.g. yearly or monthly)
      - So the ISO does not break its own policy by not reviewing them on a specific timetable
      - If other pressing matters appear, the review can be delayed
  - USDA: instead of specifically stating that anyone who does this will be fired immediately, softens the blow by saying "up to termination of employment"
    - Allows management officials to determine penalties
    - In fact, a simple slap on the wrist may be enough to bring someone into compliance with the policy

Impact assessment

- Review of the written policy by all affected stakeholders
  - Strongly recommended
- Draft of the policy is circulated through stakeholders
- One question is posed to stakeholders: does the new policy, or change in existing policy, have an impact on their department?
  - Feedback is requested, beneficial or otherwise
  - Allows comparison of the impacts of failing to pass the new policy with those of passing it

Impact assessment (contd.)
- Impact assessment requires governance
  - Hierarchy of decision-making authority within the organization
  - Governance reflects the committees or groups that have the ability to veto a policy before it becomes official
- Example: University of Michigan:
  "The following identifies the different levels of governance review and vetting of policies, standards and guidelines (initially drafted by IT policy development working groups)
  - CISO/IIA Executive Director: Initial review of policies, guidelines, and standards
  - IIA Council: First level of governance review for IT policies, standards, and guidelines
  - CIO: Second level of governance review for IT policies; final approval of guidelines and standards before adoption and dissemination to campus
  - IT Council: Third level of governance review for IT policies; new or substantially revised policies require IT Council approval
  - IT Executive Committee: Final level of governance review for IT policies; policies recommended for adoption as a new or revised Standard Practice Guide require approval of the IT Executive Committee"

Impact assessment (contd.)
- Other levels of approval may be involved before the policy becomes official
  - Example: State University
    - Faculty members may have a say on the policy
    - Student organizations may also have a say
  - Therefore, some organizations have Policy Groups with cross-campus representation
    - Responsible for reviewing and approving or rejecting policies
  - Other Universities handle policies within the Office of General Counsel
- Example: Cornell University:
  "With the responsible executive's approval, the UPO will distribute the draft of the policy document to members of the Policy Advisory Group (PAG) in advance of a PAG review meeting. The responsible executive or the responsible office will present the draft policy to the meeting, where the document will be reviewed for practicality and clarity. After the PAG meeting, the UPO and responsible office will review and make accepted changes proposed by the PAG. Then, the PAG will recommend that the EPRG approve the reviewed document. With the responsible executive's approval, the UPO will distribute the final draft of the policy to members of the EPRG in advance of the EPRG meeting. The responsible executive will present the final policy draft to this meeting, where the EPRG will deliberate on final approval of the policy, in particular its principles. The UPO and responsible office will make changes as directed by the EPRG. Once the EPRG and the responsible executive have approved the document, the UPO will note on the document the date of final approval as the date the policy was Originally Issued, and will promulgate the policy to the university community through a formal announcement."

Impact assessment (contd.)
- Points to note
  - Existence of the UPO: University Policy Office
    - Handles the mechanics of the policy promulgation process
  - Existence of the PAG: Policy Advisory Group
    - Cross-functional group responsible for policy approval at Cornell
    - Meets from time to time to make policy decisions
  - At other Universities, the vetting process may be done over email
    - With a deadline for comments to be brought forth

Impact assessment (contd.)
- Delays
  - Impact assessment may take several weeks
  - Causes delays in policy promulgation and enforcement
  - Hence, technical details should be left out of policies as much as possible
    - E.g. refer to a standard, and put the IT organization in charge of the standard
    - E.g. minimum password length, supported operating systems
    - Dynamic IT items can then be modified quickly with just internal reviews
- Benefits of impact assessment
  - Prevents policy revision to deal with employee resistance
  - Prevents waste of time in policy promulgation
  - Prevents erosion of credibility with top management

Policy review
- Re-evaluation of the benefits of the policy
- Common triggers
  - Periodic review
  - Technology changes
  - Regulatory changes

Policy review (contd.)
- Periodic review
  - If a policy is 10 years old, does it meet the current requirements of the institution?
    - If not, does this reflect a systematic negligence on the part of IT?
  - Rule of thumb: internal review of all policies, standards, and guidelines at least once a year
    - Time to evaluate whether the policy accounts for all situations
- Technology changes
  - Ideally, the policy was written in such a way that new technologies may be addressed in the standard
  - New project deployments may require policy modifications
    - E.g. implicit references may exist to paper-based forms
    - E.g. changes in workflows for approvals

Policy review (contd.)
- Regulatory changes
  - E.g., Higher Education Opportunity Act of 2008
    - Forced Universities to take a stance against illegal sharing of copyrighted material, such as movies or songs
    - Imposed three general requirements on all U.S. colleges and universities
      - An annual disclosure to students describing copyright law and campus policies related to violating copyright law
      - A plan to "effectively combat the unauthorized distribution of copyrighted materials" by users of its network, including "the use of one or more technology-based deterrents"
      - A plan to "offer alternatives to illegal downloading"
    - Failure to comply could result in massive financial losses for the University in terms of Financial Aid funds
    - Changes in compliance resulted in changes in operations, which had to be reflected in changes to existing policies

Compliance
- Policies help organizations meet legal requirements
  - Called compliance
- Compliance is not the same as security
  - Compliance: following specifications put forth by policies or legal requirements
    - Often do not clearly address the reason for the requirement
  - Security: being free from danger
  - Possible to be secure without being compliant
    - Existing infrastructure and budget may prevent compliance

Compliance (contd.)
- [Figure, reconstructed: sources of compliance requirements, all feeding into Compliance: Federal Law, State Laws, Customer Agreements, Organizational Policies, Internal Policies]
- Compliance helps meet the needs of all the sources shown in the figure
- Ideally should reflect best practices discovered in other organizations
  - Can prevent wasted effort by IT
- Compliance is most useful if considered from the planning stages of any endeavor
- Various laws
  - State: e.g. California Breach Notification Law, Florida Record Retention Law
  - Federal: e.g. SOX, HIPAA, GLB

Compliance (contd.)
- Some laws are directly related to IT
  - E.g. California Breach Notification Law: requires companies that collect personal information to notify each person in their database should there be a security breach involving personal information such as their Social Security number, driver's license number, account number, credit or debit card number, or security code or password for accessing their financial account
- Others are indirectly related to IT
  - E.g. Florida's Record Retention Laws: establish minimum periods of time for which records must be retained based on the records' administrative, fiscal, legal, and historical values
- Summary of important federal laws follows

Important federal laws
- HIPAA: Health Insurance Portability and Accountability Act
  - Specifies a privacy rule
    - Protections for personal health information held by covered entities
    - Gives patients an array of rights with respect to that information
    - Permits the disclosure of personal health information needed for patient care and other important purposes
  - Specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information

Important federal laws (contd.)
- Gramm-Leach-Bliley Act (GLB Act)
  - A.k.a. Financial Modernization Act
  - Requires financial institutions to protect the privacy of their customers
    - Including customers' nonpublic, personal information
  - Universities also deal with a variety of financial records from students and their parents
    - Universities also have a responsibility to secure the personal records of their students
  - Two rules: Safeguards Rule and Privacy Rule
  - Safeguards Rule:
    "Companies must develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each company must
    - designate one or more employees to coordinate its information security program;
    - identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
    - design and implement a safeguards program, and regularly monitor and test it;
    - select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
    - evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring"
  - Privacy Rule

Important federal laws (contd.)
- FERPA: Family Educational Rights and Privacy Act
  - Protects the privacy of student education records
  - 20 U.S.C. 1232g; 34 CFR Part 99
  - Law applies to all schools that receive funds under an applicable program of the U.S. Department of Education
  - Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance
    - However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them
  - Schools must notify parents and eligible students annually of their rights under FERPA
    - The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school

Important federal laws (contd.)
- SOX: Sarbanes-Oxley Act of 2002
  - Introduced significant changes to corporate reporting
  - Passed in the wake of numerous corporate scandals
  - Holds top executives personally responsible for the accuracy of the company's financial data under threat of criminal prosecution
    - Thus, SOX compliance has become a top priority for publicly traded companies
  - Popularized general information technology controls, e.g.
    - Security administration
    - Data backup
    - Change control
    - Access control

Important federal laws contd.
- Export control laws, e.g. International Traffic in Arms Regulations (ITAR)
  - Prohibit unlicensed export of certain materials or information for reasons of national security or protection of trade
  - Export controls usually arise for one or more of the following reasons
    - Actual or potential military applications or economic protection issues
    - Concerns about the destination country, organization or individual
    - Government concerns about the declared or suspected end use or end user of the export
  - Hot topic for research universities around the country
  - May also apply to temporary export of controlled university-owned equipment
    - Including laptops containing controlled software or technical data
    - Shipment of research materials to foreign collaborators

Key policy issues
Common issues requiring a policy
- Acceptable use
  - One of the main policies for an organization
  - Guidelines to users and customers on what can be done with IT resources
  - May have different AUPs for customers and employees
- Information classification
  - Outlines definitions of criticality and sensitivity of assets
  - Examples are important to clarify the intent of the classification
  - Definitions of data ownership and custodianship are also part of this policy

Key policy issues

Common issues requiring a policy
- Network access
  - Spells out who is allowed to connect to network resources, e.g.
    - Students in residence halls may not have access to data center subnets
    - Visiting professors may go through special processes for network privileges
    - Visitors may only access the guest wireless network
- Remote access
  - Specifies acceptable means by which employees may access resources from outside the organization
  - May include requirements on accessing data through smartphones and other personal devices, e.g. if the cell number is used for registration
  - Is Remote Desktop an acceptable option? Or should the employee use a VPN connection?

Key policy issues
Common issues requiring a policy
- Encryption
  - What type of data requires encryption? E.g.
    - When is a web server required to use SSL?
    - Do test and development environments also require encryption?
    - Can certificates be self-signed?
    - Is it acceptable to send restricted information unencrypted over email?
- Contingency planning
  - Specifies disaster recovery plans
  - Establishes a clear line of command during a localized or generalized disaster, with reporting lines and alternatives in case someone cannot be reached
  - Designates an executive as the appropriate person to be responsible for the declaration of a disaster
  - Refers to other standards and procedures for the specifics on what to do with each system in case of disaster

Key policy issues
- Incident response
  - Describes the general procedure in case of an incident with adverse effects on the organization
  - Specifies who is supposed to lead the Incident Response Team (IRT)
  - Specifies who will be in charge of communications, both internal and external
  - Determines when an incident has to be escalated, and how to handle the escalation
  - Provides the chair of the IRT latitude to make quick unilateral decisions in order to protect the organization's assets
- Authentication and authorization
  - What are the accepted methods of authentication?
  - What roles can an individual user take?
  - Who has the right to receive an account on a system?
  - How soon after terminating employment will a user's account be revoked?
  - Are departments allowed to request an extension to this time period?
