Transcript Title Slide
Policy and IT Security Awareness
Amy Ginther Policy Develoment Coordinator University of Maryland
Information Technology Security Workshop April 2, 2004
Agenda
Discussion throughout session on: • Model policy development process • Influences on security policy • Security policy taxonomy • Model security policies • Awareness programs
Model Policy Development Process
• http://www.inform.umd.edu/ACUPA/projects/process • • • Predevelopment – Identify Issues – Conduct Analysis Development – Draft Language – Get Approvals – Determine Distribution/Education Maintenance – Solicit Evaluation and Review – Plan Measurement and Compliance
Policy Development Process ACUPA
Traits of Sound Policy Processes
Setting the Stage Writing Approving Distributing Educating Enforcing Reviewing
Consistency with University values and mission Preventing reinvention of the wheel Discussion and consensus building Identification and involvement of stakeholders Informed participants Use a common format Agree on common definitions & terms Wide review and input Approval from senior administrative levels Assess cost benefit Allow for user feedback Ease of access to resources Online Accessible from one location Allow for text and other searches Send email to official distribution lists Include contacts to answer questions Hold a policy day Have traveling road shows!
Have signed user agreements Require policies to be read before services granted Develop a plan for active maintenance Create policy enforcement office Assess liability/ feasibility Identify an owner for each policy Archive, date, and notify constituencies of major changes Respond to complaints
Identifying Policy Stakeholders
Higher Education Values
• Higher Education environment…tends to be more open than corporate or gov’t environments; reality of student residential environments • Measures taken to improve security must protect and not impede the expression of these values. • Balance need for security with important aspects of higher education environment.
Core Academic Values
• • • • Oblinger, 2003. In Computer and Network Security in Higher Education, Luker & Petersen, editors.
Community: shared decision making; outreach to connected communities (access to affiliates or other patrons) Autonomy: academic and intellectual freedom; distributed computing Privacy: “the right to open inquiry without having the subject of one’s interest examined or scrutinized by others” (American Library Association, 2002) Fairness: due process
Influences on Security Policy
EDUCAUSE/Internet2 six principles to guide policy development: • Civility and Community • Academic and Intellectual Freedom • Privacy and Confidentiality • Equity, Diversity and Access • Fairness and Process • Ethics, Integrity and Responsibility
What to Include? Security Policy Taxonomy
• • • • • • • • • • • • • • Security Architecture Security Awareness Security Implementation Security Management Data Security Identity Theft Incident Handling/Incident Response Information Assurance Network Vulnerability Assessment Physical Security Privacy Security Planning Security Policies Security Risk Assessment and Analysis
Writing Policy: Elements of Institutional Policies
• Policy Name • Scope • Purpose • Policy Statement • Roles/Responsibilities • Definitions • References • Supporting Procedures?
• Consequences/Sanctions for Non-Compliance
Model security policies
• EDUCAUSE/Cornell Institute for Computer Policy and Law, http://www.educause.edu/ICPL/ • http://www.educause.edu/ICPL/library_resources.asp
• http://www.sans.org/resources/policies/ security policy primer, sample policies and templates includes
Awareness Programs
• Target Audiences: faculty, staff, students, IT professionals • Delivery Methods: presentations, ads, articles, quizzes, handouts, videos • Message Framework – Knowledge: what to do – Skills: how to do – Attitudes: want to do • National Initiatives: – EDUCAUSE Security Education and Awareness – www.staysafeonline.info
Awareness Programs
• • Communication tips (Payne, 2003. In Luker/Petersen.) – Take the message to the people – Be consistent in the message – Write to short attention spans – Make the message real to each target audience – Make it fun – Repeat, repeat, repeat Some examples: http://www.cit.buffalo.edu/security/caught.html
http://www.itc.virginia.edu/pubs/ads/fightback/ http://www.udel.edu/codeoftheweb/
Resources
• Computer and Network Security in Higher Education, 2003. Mark Luker and Rodney Petersen, editors.
http://www.educause.edu/asp/doclib/abstract.asp?ID=PUB7008 • Collection of policies and policy development resources: www.educause.edu/security
Contact Information
Office of Information Technology University of Maryland, College Park Amy Ginther, Policy Development Coordinator, [email protected]
; phone: 301.405.2619
Gerry Sneeringer, Security Officer, [email protected]
; phone: 301.405.2996