Policy and IT Security Awareness

Amy Ginther Policy Develoment Coordinator University of Maryland

Information Technology Security Workshop April 2, 2004

Agenda

Discussion throughout session on: • Model policy development process • Influences on security policy • Security policy taxonomy • Model security policies • Awareness programs

Model Policy Development Process

• http://www.inform.umd.edu/ACUPA/projects/process • • • Predevelopment – Identify Issues – Conduct Analysis Development – Draft Language – Get Approvals – Determine Distribution/Education Maintenance – Solicit Evaluation and Review – Plan Measurement and Compliance

Policy Development Process ACUPA

Traits of Sound Policy Processes

Setting the Stage Writing Approving Distributing Educating Enforcing Reviewing

Consistency with University values and mission Preventing reinvention of the wheel Discussion and consensus building Identification and involvement of stakeholders Informed participants Use a common format Agree on common definitions & terms Wide review and input Approval from senior administrative levels Assess cost benefit Allow for user feedback Ease of access to resources Online Accessible from one location Allow for text and other searches Send email to official distribution lists Include contacts to answer questions Hold a policy day Have traveling road shows!

Have signed user agreements Require policies to be read before services granted Develop a plan for active maintenance Create policy enforcement office Assess liability/ feasibility Identify an owner for each policy Archive, date, and notify constituencies of major changes Respond to complaints

Identifying Policy Stakeholders

Higher Education Values

• Higher Education environment…tends to be more open than corporate or gov’t environments; reality of student residential environments • Measures taken to improve security must protect and not impede the expression of these values. • Balance need for security with important aspects of higher education environment.

Core Academic Values

• • • • Oblinger, 2003. In Computer and Network Security in Higher Education, Luker & Petersen, editors.

Community: shared decision making; outreach to connected communities (access to affiliates or other patrons) Autonomy: academic and intellectual freedom; distributed computing Privacy: “the right to open inquiry without having the subject of one’s interest examined or scrutinized by others” (American Library Association, 2002) Fairness: due process

Influences on Security Policy

EDUCAUSE/Internet2 six principles to guide policy development: • Civility and Community • Academic and Intellectual Freedom • Privacy and Confidentiality • Equity, Diversity and Access • Fairness and Process • Ethics, Integrity and Responsibility

What to Include? Security Policy Taxonomy

• • • • • • • • • • • • • • Security Architecture Security Awareness Security Implementation Security Management Data Security Identity Theft Incident Handling/Incident Response Information Assurance Network Vulnerability Assessment Physical Security Privacy Security Planning Security Policies Security Risk Assessment and Analysis

Writing Policy: Elements of Institutional Policies

• Policy Name • Scope • Purpose • Policy Statement • Roles/Responsibilities • Definitions • References • Supporting Procedures?

• Consequences/Sanctions for Non-Compliance

Model security policies

• EDUCAUSE/Cornell Institute for Computer Policy and Law, http://www.educause.edu/ICPL/ • http://www.educause.edu/ICPL/library_resources.asp

• http://www.sans.org/resources/policies/ security policy primer, sample policies and templates includes

Awareness Programs

• Target Audiences: faculty, staff, students, IT professionals • Delivery Methods: presentations, ads, articles, quizzes, handouts, videos • Message Framework – Knowledge: what to do – Skills: how to do – Attitudes: want to do • National Initiatives: – EDUCAUSE Security Education and Awareness – www.staysafeonline.info

Awareness Programs

• • Communication tips (Payne, 2003. In Luker/Petersen.) – Take the message to the people – Be consistent in the message – Write to short attention spans – Make the message real to each target audience – Make it fun – Repeat, repeat, repeat Some examples: http://www.cit.buffalo.edu/security/caught.html

http://www.itc.virginia.edu/pubs/ads/fightback/ http://www.udel.edu/codeoftheweb/

Resources

• Computer and Network Security in Higher Education, 2003. Mark Luker and Rodney Petersen, editors.

http://www.educause.edu/asp/doclib/abstract.asp?ID=PUB7008 • Collection of policies and policy development resources: www.educause.edu/security

Contact Information

Office of Information Technology University of Maryland, College Park Amy Ginther, Policy Development Coordinator, [email protected]

; phone: 301.405.2619

Gerry Sneeringer, Security Officer, [email protected]

; phone: 301.405.2996