New and Upcoming IT Security Policies at K-State
Harvard Townsend
Chief Information Security Officer
harv@ksu.edu
Jan. 16, 2009
Agenda
- Why so many policies now?!?
- IT security incident reporting and response
- Data classification and security
- Media sanitization and disposal
- Physical security
- Others planned for the spring
- State policy on security awareness and training
- New IT security threats blog
Why so many policies?!?
- SSN breaches last year
- Data classification in the works for four years
- State media sanitization and disposal policy
- Follow-up security audit by the state
- More resources allocated to security and policy writing
- Growing, evolving threats
- Policies, procedures, standards, and guidelines are important in a distributed, open environment
IT Security Incident Reporting and Response Policy
- Approved by IRMC in November; final approval by CEC last week
- Gist of the policy: any incident or suspected incident must be reported to the CISO, especially incidents involving confidential data
- Defines the severity of an incident and who must be notified
- Also has extensive procedures associated with the policy
Incident Categories
Defined in the procedures:
- Confidential personal identity data exposure
- Criminal activity/investigation
- Denial of Service
- DMCA violation
- Malicious code activity
- Policy violation
- Reconnaissance activity
- Rogue server or service
- Spam source
- Spear phishing
- Unauthorized access
- Un-patched vulnerability
- Web/BBS defacement
- No Incident
Data Classification and Security Policy
- Four years in the works
- Passed IRMC Dec. 18, 2008
- Currently being reviewed by Faculty Senate and Dean’s Council
- CEC approval expected January 2009
Policy
“All University Data must be classified according to the K-State Data Classification Schema and protected according to K-State Data Security Standards. This policy applies to data in all formats or media.

The Vice Provost for Information Technology Services or designee must approve any exception to this policy. The Chief Information Security Officer must approve any exceptions to the Data Security Standards.”
Data Classification Schema
- Public
  - Public web sites
  - Course catalog and semester course schedule
  - Extension publications
  - Press releases
- Internal
  - Departmental intranet
  - Budget data
  - Purchase orders
  - Student education records
  - Transaction logs
Data Classification Schema
- Confidential
  - SSNs, credit card information
  - Personal identity information
  - Personnel records, medical records
  - Authentication tokens (passwords, biometrics, personal digital certificates)
- Proprietary
  - “Data provided to or created by K-State on behalf of a third party”
  - Federal data: Classified National Security Information
Data Security Standards
- Access Controls
- Copying/Printing
- Network Security
- System Security
- Virtual Environments
- Physical Security
- Remote Access
- Storage
- Transmission
- Backup/DR
- Media Sanitization
- Training
- Audit Schedule
Effective Dates
- Dec. 18, 2008: passed IRMC
- January 2009: expected approval from CEC
- Effective immediately, all new systems being designed and implemented must comply
- January 1, 2010: data stewards must have a compliance plan for all systems holding confidential data
What does this mean for you?
- Know your data and where it is
- Focus on confidential data first
- SSN awareness campaign this spring
- New “Spider” tool will help with discovery
- Whole disk encryption on laptops
- Shred those old course rosters
- Develop plans for compliance
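The deck points to the “Spider” tool for finding SSNs on departmental machines. As an added example for this page (it is not Spider and not K-State code), the scanner below shows the approach such discovery tools take: match loose candidate patterns, then throw away candidates that fail the structural rules real identifiers obey, and report only masked values so the scan itself does not create another copy of the confidential data. It goes one step beyond the slide by also checking credit card numbers, which the deck’s Confidential class lists alongside SSNs. The roster text is constructed sample data, not real records.

```python
"""
Find SSN and credit-card candidates in text and keep only the ones that
pass structural checks. Added example for this page; it is not the Spider
tool or any K-State code. SAMPLE below is constructed, not real records.
"""
import re
import sys
from dataclasses import dataclass

# Loose candidate patterns. The backreference forces one consistent separator
# (or none), so "4111 1111 1111 1111" cannot be mis-read as an SSN "41111 1111".
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")  # 14-19 digits, optional separators


@dataclass
class Finding:
    kind: str        # "ssn" or "credit_card"
    line_no: int
    masked: str      # only the last four digits leave the scanner
    confidence: str  # "high" or "low"


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: area is never 000, 666 or 900-999;
    group is never 00; serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, sep, group, serial = m.groups()
            if valid_ssn(area, group, serial):
                # A bare 9-digit run is also what student and account IDs look like,
                # so it is flagged for review rather than reported as a sure hit.
                conf = "high" if sep else "low"
                findings.append(Finding("ssn", line_no, mask(area + group + serial), conf))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("credit_card", line_no, mask(digits), "high"))
    return findings


# Constructed sample export; none of these are real records.
SAMPLE = """\
Roster export (constructed sample)
Name: J. Doe   SSN: 123-45-6789   Card: 4111 1111 1111 1111
Name: A. Roe   SSN: 000-12-3456   Card: 4111 1111 1111 1112
Student ID 123456789 (bare digits, needs human review)
PO 987654321 shipped
"""


def scan_file(path: str) -> list:
    with open(path, "r", errors="replace") as f:
        return scan_text(f.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = scan_text(SAMPLE) if not targets else [
        hit for p in targets for hit in scan_file(p)]
    for hit in results:
        print(f"{hit.kind:12} line {hit.line_no:>4} {hit.masked} ({hit.confidence})")
```

Run with no arguments to scan the constructed sample (two high-confidence hits on line 2, one low-confidence SSN on line 4, and nothing for the invalid area number 000, the bad Luhn digit, or the 987 area); pass file paths to scan real exports. The false-positive problem is real: a university is full of nine-digit identifiers, which is why a discovery run needs the confidence split and a human pass before anything is deleted or reported as a breach.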
Media Sanitization and Disposal Policy
- Draft presented to IRMC Dec. 18, 2008; 2nd draft will be discussed Jan. 22
- Based on state policy that mandates we have a policy
- Driven by an audit of state surplus equipment
  - Sampled 15 computers
  - Recovered files from 10
  - 7 contained confidential info (SSNs, Medicaid info, passwords)
- Also best practice, common sense
Media Sanitization and Disposal Policy
Modeled after federal guidelines:
- NIST SP 800-88, “Guidelines for Media Sanitization”
- Internal re-use: purge data with 3 passes before reformat/reinstall
- Leaving the university: destroy the hard drive (still open for debate)
- NIST SP 800-88 has guidelines for all media types, including paper
What Should You Do Now?
- Internal re-use? Overwrite ALL data on the hard drive with 3 passes before reformat/reinstall
- If disposing of computers, purge ALL data, remove the hard drive, and give it to Facilities recycling. They have a contractor who destroys drives for free
- Get a micro-cut cross-cut shredder that also does CDs and DVDs
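Both the policy slide and the “What Should You Do Now?” slide call for a three-pass overwrite before a drive is re-used. The script below is an added example for this page, not the deck’s or K-State’s tooling, of what that step actually is: write the whole addressable extent of the target three times (random, 0xFF, 0x00), force each pass to the media with fsync, and then read the target back to confirm the last pass landed. Given a raw device path such as /dev/sdX it wipes the drive; the demo wipes a constructed temporary file holding roster-like text so it can run safely. Two caveats a practitioner should know: overwriting reaches only the sectors the drive exposes, so flash media and remapped bad sectors are not covered, which is the deck’s reason for destroying drives that leave the university; and NIST SP 800-88 itself notes that one pass is adequate for clearing modern ATA drives, so the three passes here follow the deck’s instruction rather than add security.

```python
"""
Three-pass overwrite of a file or raw block device, followed by read-back
verification. Added example, not from the K-State deck. The demo target is a
constructed temp file; pass a device path (unmounted, as root) to wipe a drive.
"""
import os
import sys
import tempfile

CHUNK = 1 << 20  # 1 MiB per write


def _target_size(fd: int) -> int:
    """lseek to the end works for regular files and raw block devices alike."""
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def _overwrite_pass(fd: int, size: int, pattern) -> None:
    """Write pattern(n) bytes from offset 0 to size, then force them to media."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        view = memoryview(pattern(n))
        while view:  # os.write may write less than asked
            written = os.write(fd, view)
            view = view[written:]
        remaining -= n
    os.fsync(fd)


def three_pass_overwrite(path: str) -> int:
    """Pass 1 random, pass 2 0xFF, pass 3 0x00. Returns bytes written per pass."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = _target_size(fd)
        for pattern in (os.urandom, lambda n: b"\xff" * n, lambda n: b"\x00" * n):
            _overwrite_pass(fd, size, pattern)
        return size
    finally:
        os.close(fd)


def verify_zeroed(path: str) -> bool:
    """Read the whole target back and confirm every byte is 0x00 (the final pass)."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def demo() -> bool:
    """Wipe a constructed stand-in for a departmental drive and check the result."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"course roster\nJ. Doe 123-45-6789\n" * 1000)  # constructed data
        path = tmp.name
    try:
        size = three_pass_overwrite(path)
        with open(path, "rb") as f:
            data = f.read()
        return size == len(data) and b"123-45-6789" not in data and verify_zeroed(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # e.g. sudo python3 wipe.py /dev/sdX  -- destroys everything on that device
        n = three_pass_overwrite(sys.argv[1])
        print(f"overwrote {n} bytes x3; zeroed: {verify_zeroed(sys.argv[1])}")
    else:
        print("demo ok" if demo() else "demo FAILED")
```

The read-back step matters more than the pass count: a drive that silently fails writes, or a file whose final pass never reached disk, looks identical from the shell prompt, and verify_zeroed is the only thing that distinguishes them. Note that for a file on a journaling or copy-on-write filesystem, overwriting the file in place does not guarantee the old blocks are gone, which is why the deck’s advice is to wipe the whole drive, not individual files.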
Other policies this spring
- Driven by the follow-up to the IT security audit performed by the state in 2005
- Still have 18 areas where we have inadequate or no policy
- Will provide drafts to IRMC each month, starting with physical security
Physical Security Policy
- Prevent theft, damage, and unauthorized access
- Locks on network wiring closets/cabinets (already have this policy)
- Keep office doors locked after hours
- Store laptops and other portable devices securely when unattended
- UPSes on all critical equipment
Other Policies From the Audit
- Access Controls, including a welcome banner on the login screen (Feb.)
- System Development (Mar.)
- Security Management (Apr.)
- Operations (May)
- We have to report on May 1, Sep. 1, and Jan. 1, 2010; full compliance by Jan. 2010
New State Policy on Security Awareness and Training
- Passed the state IT Security Council (ITSEC) in the fall
- Expected to pass ITEC in January
- “Every state employee, contractor or other third parties shall receive annual training” in IT security.
- ITSEC specifies requirements
  - Have to “implement processes to monitor and track attendance at IT security training”
New State Policy on Security Awareness and Training
- ITSEC requirements also include:
  - IT security training as part of new employee orientation
  - Documenting users’ acceptance of agency security policies after they receive IT security training
- All of these are good... but challenging in our environment, and unfunded
Future Policies
- Finish what the audit started so we have comprehensive IT security policies
- Take the current disparate policies and reorganize them, together with these new policies, into a structure based on the ISO standard and EDUCAUSE guidelines
- 12 sections:
Future Policy Categories
1. Security policy (Intro)
2. Organizational security
3. Asset classification
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. System development and maintenance
9. Business continuity management
10. Compliance
11. Incident management
12. Security plans
Challenges
- Implementing the data classification policy is daunting and potentially very expensive at a time of serious budget challenges
- Media sanitization is a challenge for departments without IT support staff
- Balancing security best practices with the practical realities of K-State’s culture, distributed IT environment, and budget limitations
- Unfunded mandates like the security awareness and training policy
New Threats Blog
- Posts info on current threats, such as vulnerabilities and patches, malware, attacks, etc.
- View the blog, receive notices via email, or subscribe via RSS
- http://threats.itsecurity.k-state.edu
- For email, subscribe to the sirt-threats LISTSERV mailing list
What’s on your mind?
Approval Process
1. IT security team drafts the policy with SIRT input
2. IRMC reviews the draft, with Faculty Senate input
3. IRMC votes to recommend adoption of the policy to the Vice Provost for IT Services
4. VP-ITS distributes to Faculty Senate and Dean’s Council for review and signature
5. Final approval by the Computing Executive Committee
6. Publish in PPM