coit.minutes.2004-04-22.appendix.a.ppt

Security Policy Development for College of IT
Rich Larsen, UNC-Charlotte College of IT, Information Security Administrator, [email protected], x4566

Posted on 22-Nov-2014


Page 1: COIT.minutes.2004-04-22.Appendix.A.ppt

Security Policy Development for College of IT

Rich Larsen
UNC-Charlotte College of IT
Information Security Administrator
[email protected]
x4566

Page 2

Security Policy Framework

- Policies define "appropriate behavior"
- Policies set the stage for developing procedures and standards
- Policies communicate a consensus
- Policies provide a basis for action in response to inappropriate behavior
- Policies assist in prosecution of cases

Page 3

Who should be concerned?

- Users: policies impact them the most
- Tech Support staff: they are required to implement, comply with and support policy
- Management: concerned with the cost associated with implementing the policy
- Lawyers/Auditors: they are concerned with the impact to the organization's reputation as a result of an "incident"

Page 4

Security Policy Design Best Practices (from SANS Institute)

- A cross-section of people affected by the policy should have an opportunity to review/comment
- Tech Support staff should be involved in development and should review policy
- Policies should be discussed as part of the orientation process and should be posted in accessible locations (e.g., Intranet)
- Provide refresher training on policies periodically

Page 5

Security Policy Requirements

Policies must:
- Be enforceable and feasible to implement
- Be concise and understandable
- Balance protection with productivity

Policies should:
- Clearly state the policy's purpose
- Describe the scope of the policy
- Define roles and responsibilities
- Discuss how violations will be handled
- Provide a basis for audit

Page 6

Security Policy Structure

- Depends on size of the organization and its mission
- Some policies are appropriate for all types of organizations; others are specific to a particular environment
- Some key policies for all organizations:
  - Acceptable use
  - Remote Access
  - Network security/perimeter security

Page 7

COIT Policy Framework Development

- Plan to use the ISO 17799 standard, which is considered the current industry standard
- Work in conjunction with ITS to ensure no conflicts
- Proposed policies will be reviewed by the COIT Task Force on Information Security and Privacy before being submitted to all faculty
- Standards/procedures will be discussed by the COIT Task Force but will not be submitted to all faculty
- "Top-down" approach

Page 8

Proposed Research Lab Security Policy

- COIT research labs are the greatest potential security risks
- Nature of research requires experimentation, formulation and testing
- A security incident in a COIT lab could have a detrimental effect on external funding and the reputation of the college
- Balancing act

Page 9

Proposed Research Lab Security Policy

- Roles:
  - Lab Director/Manager
  - Lab Administrator
  - Primary User
- Managed vs. Unmanaged computers
- Each "network-capable device" associated with a primary user (single point accountability)
- User is accountable for security issues occurring on their assigned device(s) as a result of willful disregard of policy and/or negligence
- Labs cannot host "production" IT services

Page 10

Proposed Anti-virus Policy

- All Windows and Macintosh-based computers required to have approved anti-virus software loaded at all times
  - This includes laptops/home computers which are used for remote access to campus
- Users required to check for updates daily (or set automatic updates to run daily)
- UNIX/Linux-based computers exempt

Page 11

COIT Tech Update

- Streaming Media/E-LAT
- WebCT Upgrade
- COIT Modem Bank
- Reminder: ITS Migration Presentation/Demo tomorrow 9-12 in 125 Atkins