CH2M HILL Communications Group
The CSU System-wide Policy Project
Communications Materials
A Package for Project Advocates
August 2008
© 2008 CH2M HILL, Inc
Data contained on this sheet is proprietary; use or
disclosure is prohibited. Page 1
What is an Information Security Program?
An organized effort across all domains (physical, logical, procedural) to
provide appropriate levels of confidentiality, integrity, availability, and
accountability for information regardless of format or representation.
Information Security Program Cycle
Strategy
Remediation
Policy
Monitoring
Awareness
Implementation
Source: Stepping Through the InfoSec Program, ISACA
The Elements
Strategy
  Objectives – what needs to be protected and why
  Roles and Responsibilities
  Structure – centralized or decentralized
Policy
  Policy – high level statements
  Standards – specific guidance
  Procedures – step by step instructions
  Guidelines – best practice recommendations
Awareness
  Orientations
  Training
  Reminders
  Forums, Working Groups, Wikis
The Elements (cont)
Implementation
  Administrative Controls – procedures and processes
  Technical Controls – firewalls, permissions, intrusion detection, etc.
  Physical Controls – barriers limiting contact with protected resources
Monitoring
  Asset Management
  Change Control
  Network Monitoring
  Self Assessments
Remediation
  Incident Response
  Risk Management
  Self Assessments
  Compensating Controls
Information Security Program – Touches Everyone
Students
• Privacy acknowledged
• Protections provided
• Rules of the Road identified
• Consistency in expectations
Faculty
• Academic Freedom acknowledged
• Protection of research enhanced
• Not set in stone; will continue to evolve
• Consistency in expectations
Visitors
• Still have access to information
• Few noticeable impacts
• Privacy more clearly addressed
Administration and Staff
• A sustainable program is established and a bar is set
• Implementation freedom preserved
• Efficiencies gained from eliminating guesswork
Auxiliaries
• Part of the integrated approach
• Responsibilities identified
Proposed Changes To Campus Practices
All IT-related audit submissions approved by ISO
Periodic review of department access lists and practices by ISO
IT security assessments required for some organizations
Many former “practices” documented as procedure
IT security governance structure strengthened
Student Affairs Impact – Examples
Data Classification (Standard 15)
  Student Affairs will be required to identify applications and systems which access or store protected data.
  Some data may not be sent unless encrypted.
  Annual reviews of security permissions & practices.
  Approval required to create “shadow” systems.
Mobile Devices (Standards 12.2 & 12.3)
  No protected data stored on mobile devices unless encrypted/protected (laptops, data phones, memory sticks).
Info Security Awareness (Standard 10)
  Required and tracked for every employee.
Procurement/Contracts (Standards 6, 11)
  Risk management process prior to procuring new systems.
  Third party contract changes.
Personnel (Standard 8)
  Exit process must include securing data and access.
System-wide Security Program Benefits
Supports Compliance Requirements
  demands for personal privacy and data protection continue to increase
Demonstrates Leadership Commitment
  a key to any successful program
Promotes Broad Discussion and Awareness of Information Security
  increased awareness – consistently the most effective means for reducing security incidents and data exposure
Promotes Consistency
  common framework and expectations
Establishes a Benchmark
  eliminates guessing about what needs to be done
Provides Evidence of Due Diligence
  important in cases of litigation
Project Background
Timeline
September 2007 – Project Begins
October 2008 – Draft Policy and Standards Produced
Fall 2008 – Initiate Executive Order Coordination
From the RFP
The project proposal is to develop viable system-wide information security policies and standards for the
CSU System.
This information security policy project will provide means of furthering information
security education.
Instill more secure working habits for individuals and entities that deal with CSU
information assets.
Will position the University to be in compliance with privacy and security regulations.
Deliverables
System-Wide Security Policies
System-Wide Security Standards
Communication Materials
Sample Implementation Strategies
Policy Objectives
The CSU is committed to:
the ideals of academic freedom and freedom of expression.
protecting the confidentiality, integrity, and availability of information assets
entrusted to the University.
A delicate balancing act.
Policy:
A policy is a broad statement of principles that presents management’s position
for a defined subject.
Standards and Samples
Standard:
A standard provides more specific guidance on a particular topic. Standards have been
written as standalone documents so that they can be more easily incorporated into
legal agreements where third parties are providing services.
Sample (Remote Access)
Policy: Campuses must develop procedures that prevent unauthorized remote access to
critical information systems or protected data, while ensuring that authorized users have
appropriate remote access.
Standard: All remote access to non-public campus information systems, data, and network
resources must be authenticated and authorized.
Security Program Components
Produced at the System Level
  Policy
  Standards
Produced at the Campus Level
  Procedures (as needed)
  Guidelines (as needed)
Policy Management and Updates
This policy will be updated to reflect changes in the CSU's academic, administrative,
or technical environments, or applicable state, federal, or international laws and
regulations.
The CSU's Senior Director for Information Security Management oversees an annual
review of this policy.
Regular opportunity for updates, modifications, and adjustments!
Topics Addressed by Policy and Standards
Information Security Roles and Responsibilities
Risk Management
Acceptable Use
Personnel Security
Privacy
Security Awareness and Training
Third Party Services Security
Information Technology Security
Configuration Management and Change Control
Access Control
Asset Management
Management of Information Systems
Information Security Incident Management
Physical Security
Business Continuity and Disaster Recovery
Legal and Regulatory Compliance
Information Security Roles and Responsibilities
Key Policy Concepts
Everyone (executives, managers, faculty, students, and staff) is responsible for
information security, including:
  the privacy of personally identifiable information (PII).
  the integrity of stored data.
  the maintenance of applications installed on CSU information systems.
  the availability of information.
  compliance with applicable local, state, federal, and international laws and regulations,
  including intellectual property and copyright.
Key Standards
Campus President – establishes campus program
Campus Chief Information Officer
Information Security Officer
Risk Management
Key Policy Concepts
Campuses must conduct periodic risk assessments when security requirements
change or when significant changes occur in the campus environment.
Key Standards
Risk Assessment
Risk Management Plan
Personnel Security
Key Policy Concepts
Employee information security related duties and responsibilities must be defined in the
employee position description.
When employees separate from the University their access (physical and logical) must be
promptly disabled or removed.
Key Standards
Position Change
Background Checks
Security Awareness and Training
Key Policy Concepts
Campuses must ensure that system administrators and managers are provided with
sufficient ongoing training to stay current with the best practices and technology.
Key Standards
Content
Awareness and Training Activities
Third Party Security Services
Key Policy Concepts
Before third parties are granted access, a basic risk assessment must be performed.
Contract terms and conditions must include appropriate information security safeguards.
Key Standards
N/A
Information Technology Security
Key Policy Concepts
Procedures must be in place to effectively detect, prevent, and report malicious software.
Networks (wired and wireless) need to be designed and segmented based on risk, data,
and access.
Procedures must prevent unauthorized remote access to critical information systems or
protected data.
Key Standards
Network Controls Management
Remote Access
Mobile Device Management
Boundary Protection and Isolation
Malicious Software Protection
Wireless Access Points
Logging Elements
Configuration Management and Change Control
Key Policy Concepts
Must maintain a program designed to ensure that operating systems and applications are
routinely updated to correct flaws and close vulnerabilities.
Must review changes to critical information systems, protected data, and network
resources.
Key Standards
Change Control
Configuration Management
Access Control
Key Policy Concepts
Managers and data stewards define and approve access.
A documented process is used to approve additions, changes, and terminations of access
rights.
User rights must be regularly reviewed.
Key Standards
User Credential and Privilege Management
Password Management
Encryption
Asset Management
Key Policy Concepts
All information assets must be classified according to the CSU’s data classification standard.
Critical systems and protected data must be appropriately controlled.
Media and hardware must be securely dispositioned when no longer needed.
Key Standards
Data Classification
Data Handling
Data Retention (see EO 1031)
Data Disposal
Clean Desk
Management of Information Systems
Key Policy Concepts
A documented process for developing and procuring applications and information systems.
Use of protected data for testing is to be avoided.
Testing of security controls required prior to operations.
Key Standards
Development Management
Secure Web Application Coding
Life Cycle Management
Information Security Incident Management
Key Policy Concepts
Each campus must have a security incident response team (SIRT) and an incident
response plan.
Training for response activities and testing response plans must occur regularly.
Contracts should compel third parties to report security incidents involving campus
information.
Key Standards
Evidence Collection and Handling
Reporting
Physical Security
Key Policy Concepts
Protected data must be physically secure.
Credentials (e.g. badges, tokens) must be regularly reviewed.
Key Standards
Definition of Protection Areas
Access to Data Closets and Cabling Restricted
Limit Casual Viewing of Private Information (e.g. health centers)
Business Continuity and Disaster Recovery
Key Policy Concepts
Continuation of essential functions and operations following a catastrophic event.
Must be in compliance with the CSU Executive Order 1014.
Key Standards
N/A
Legal and Regulatory Compliance
Key Policy Concepts
CSU legal staff will help regularly identify and define the local, state, federal, and
international laws and regulations that apply to the CSU campuses.
Campus-specific policies, standards or procedures must meet or exceed system-wide
policies and standards.
Key Standards
N/A
System-wide Security Program Benefits – Review
Supports Compliance Requirements
  demands for personal privacy and data protection continue to increase
Demonstrates Leadership Commitment
  a key to any successful program
Promotes Broad Discussion and Awareness of Information Security
  increased awareness – consistently the most effective means for reducing security incidents and data exposure
Promotes Consistency
  common framework and expectations
Establishes a Benchmark
  eliminates guessing about what needs to be done
Provides Evidence of Due Diligence
  important in cases of litigation
Additional Benefits – Audits
Audit/Review Savings and Efficiencies
Everyone graded against the same base criteria
Information security integrated into campus operations
Routine self assessments
Active risk management
Audit becomes verification, not discovery
  verification of the controls that have been put into place
Additional Benefits – Planning
Improved Planning and Coordination
  A common framework established
  Forums available for technical exchanges
    ISOs
    ITAC
    ITRP II
  Identification of joint or system efforts enabled
  Risk-driven priorities and justifications
Additional Benefits – Continuous Improvement
Opportunity to Raise the Bar
Standards can be enhanced or added to address changing threats.
Campus or system guidelines can be used to try out proposed updates.
Self assessments and audits can be used to identify gaps.
Trending and Analysis
Risk-based approach supports decisions based on information not speculation.
A metrics program (future) will track program effectiveness.
Possible Campus Rollout Activities
Respond to specific document requests by ISO
Develop new internal processes to meet new requirements
Engage in development process for implementing new policies & standards
Establish division responsibility for annual reports and internal security audits (with ISO)
Sources for Additional Information
Campus CIO
name
e-mail
number
Campus ISO
name
e-mail
number
Senior Director for Information Security Management, Chancellor’s Office
Cheryl Washington
[email protected]
562-951-4190
Q&A