New and Upcoming IT Security Policies at K-State
Harvard Townsend, Chief Information Security Officer, harv@ksu.edu
Jan. 16, 2009

Agenda
- Why so many policies now?!?
- IT security incident reporting and response
- Data classification and security
- Media sanitization and disposal
- Physical security
- Others planned for the spring
- State policy on security awareness and training
- New IT security threats blog

Why so many policies?!?
- SSN breaches last year
- Data classification in the works for four years
- State media sanitization and disposal policy
- Follow-up security audit by the state
- More resources allocated to security and policy writing
- Growing, evolving threats
- Policies, procedures, standards and guidelines are important in a distributed, open environment

IT Security Incident Reporting and Response Policy
- Approved by IRMC in November; final approval by CEC last week
- Gist of the policy: any incident or suspected incident must be reported to the CISO, especially incidents involving confidential data
- Defines the severity of an incident and who must be notified
- Also has extensive procedures associated with the policy

Incident Categories
Defined in the procedures:
- Confidential personal identity data exposure
- Criminal activity/investigation
- Denial of Service
- DMCA violation
- Malicious code activity
- Policy violation
- Reconnaissance activity
- Rogue server or service
- Spam source
- Spear phishing
- Unauthorized access
- Unpatched vulnerability
- Web/BBS defacement
- No incident

Data Classification and Security Policy
- Four years in the works
- Passed IRMC Dec. 18, 2008
- Currently being reviewed by Faculty Senate and Dean's Council
- CEC approval expected January 2009

Policy
"All University Data must be classified according to the K-State Data Classification Schema and protected according to K-State Data Security Standards. This policy applies to data in all formats or media. The Vice Provost for Information Technology Services or designee must approve any exception to this policy.
The Chief Information Security Officer must approve any exceptions to the Data Security Standards."

Data Classification Schema
Public
- Public web sites
- Course catalog and semester course schedule
- Extension publications
- Press releases
Internal
- Departmental intranet
- Budget data
- Purchase orders
- Student education records
- Transaction logs

Data Classification Schema (continued)
Confidential
- SSNs, credit card info
- Personal identity information
- Personnel records, medical records
- Authentication tokens (passwords, biometrics, personal digital certificates)
Proprietary
- "Data provided to or created by K-State on behalf of a third party"
Fed data
- Classified National Security Information

Data Security Standards
- Access controls
- Copying/printing
- Network security
- System security
- Virtual environments
- Physical security
- Remote access
- Storage
- Transmission
- Backup/DR
- Media sanitization
- Training
- Audit schedule

Effective Dates
- Dec. 18, 2008: passed IRMC
- January 2009: expected approval from CEC
- Effective immediately: all new systems being designed and implemented must comply
- January 1, 2010: data stewards must have a compliance plan for all systems with confidential data

What does this mean for you?
- Know your data and where it is
- Focus on confidential data first
- SSN awareness campaign this spring
- New "Spider" tool will help with discovery
- Whole-disk encryption on laptops
- Shred those old course rosters
- Develop plans for compliance

Media Sanitization and Disposal Policy
- Draft presented to IRMC Dec. 18, 2008; 2nd draft will be discussed Jan.
22
- Based on a state policy that mandates we have a policy
- Driven by an audit of state surplus equipment: sampled 15 computers, recovered files from 10, and 7 contained confidential info (SSNs, Medicaid info, passwords)
- Also best practice and common sense

Media Sanitization and Disposal Policy (continued)
- Modeled after federal guidelines: NIST SP 800-88, "Guidelines for Media Sanitization"
- Internal re-use: purge data with 3 passes before reformat/reinstall
- Leaving the university: destroy the hard drive (still open for debate)
- NIST SP 800-88 has guidelines for all media types, including paper

What Should You Do Now?
- Internal re-use? Overwrite ALL data on the hard drive with 3 passes before reformat/reinstall
- Disposing of computers? Purge ALL data, remove the hard drive and give it to Facilities recycling; they have a contractor who destroys drives for free
- Get a micro-cut cross-cut shredder that also handles CDs and DVDs

Other policies this spring
- Driven by the follow-up to the IT security audit performed by the state in 2005
- Still have 18 areas where we have inadequate or no policy
- Will provide drafts to IRMC each month, starting with physical security

Physical Security Policy
- Prevent theft, damage and unauthorized access
- Locks on network wiring closets/cabinets (we already have this policy)
- Keep office doors locked after hours
- Store laptops and other portable devices securely when unattended
- UPSes on all critical equipment

Other Policies From the Audit
- Access controls, welcome banner on login screen (Feb.)
- System development (Mar.)
- Security management (Apr.)
- Operations (May)
- We have to report on May 1, Sep. 1 and Jan. 1, 2010; full compliance by Jan. 2010

New State Policy on Security Awareness and Training
- Passed the state IT Security Council (ITSEC) in the fall
- Expected to pass ITEC in January
- "Every state employee, contractor or other third parties shall receive annual training" in IT security.
- ITSEC specifies requirements
- Have to "implement processes to monitor and track attendance at IT security training"

New State Policy on Security Awareness and Training (continued)
- Requires IT security training as part of new employee orientation
- Document users' acceptance of agency security policies after they receive IT security training
- All of these are good... but challenging in our environment, and unfunded

Future Policies
- Finish what the audit started so that we have comprehensive IT security policies
- Take the current disparate policies and reorganize them, together with these new policies, into a structure based on the ISO standard and EDUCAUSE guidelines
- 12 sections:

Future Policy Categories
- Security policy (intro)
- Organizational security
- Asset classification
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- System development and maintenance
- Business continuity management
- Compliance
- Incident management
- Security plans

Challenges
- Implementing the data classification policy is daunting and potentially very expensive at a time of serious budget challenges
- Media sanitization is a challenge for departments without IT support staff
- Balancing security best practices with the practical realities of K-State's culture, distributed IT environment and budget limitations
- Unfunded mandates like the security awareness and training policy

New Threats Blog
- Posts info on current threats, such as vulnerabilities and patches, malware, attacks, etc.
- View the blog, receive notices via email, or subscribe via RSS: http://threats.itsecurity.k-state.edu
- For email, subscribe to the sirt-threats LISTSERV mailing list

What's on your mind?
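The "What does this mean for you?" slide asks units to know where their confidential data lives before the compliance deadline, and mentions a discovery tool. The following is an added example written for this page, not K-State's "Spider" tool and not a description of how that tool works: a small scanner that walks a directory tree, flags formatted SSNs while rejecting values the SSA never issues (area 000, 666 or 900-999; group 00; serial 0000), and reports file, offset and a masked value so the report itself does not become another copy of confidential data. The sample files it builds are constructed; the 1 MB size cap is an assumption for the demo.

```python
"""Added example: minimal SSN discovery scan over a directory tree.

Illustrative code for this page only; it is not K-State's "Spider" tool.
Hits are reported masked (***-**-dddd) so the scan output is not itself
a confidential record.
"""
import os
import re
import tempfile

# Formatted ddd-dd-dddd SSNs. Excludes values the SSA never issues:
# area 000, 666 or 900-999; group 00; serial 0000. The lookarounds stop
# the pattern matching inside a longer digit/dash run (e.g. a part number).
SSN_RE = re.compile(
    r"(?<![\w-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\w-])"
)


def find_ssns(text):
    """Return [(offset, masked_value), ...] for each candidate SSN in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        ssn = m.group(0)
        hits.append((m.start(), "***-**-" + ssn[-4:]))
    return hits


def scan_tree(root, max_bytes=1_000_000):
    """Walk root; return {relative_path: hits} for every file with at least one hit.

    Files are decoded as UTF-8 with undecodable bytes replaced, so binary
    files are scanned without raising. Files over max_bytes are skipped
    (assumption for this demo; a real scanner would stream them).
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="replace")
            hits = find_ssns(text)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def demo():
    """Build a constructed sample tree, scan it, and return the report."""
    root = tempfile.mkdtemp(prefix="ssn-scan-")
    os.makedirs(os.path.join(root, "rosters"))
    samples = {  # constructed sample data, not real records
        "rosters/fall2008.csv": "Doe,Jane,078-05-1120,A\nRoe,Rick,219-09-9999,B\n",
        "rosters/notes.txt": "ticket 000-12-3456 is not an SSN; phone 555-0100\n",
        "catalog.txt": "Course catalog: public data, no identifiers here.\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {len(hits)} candidate SSN(s)", [h[1] for h in hits])
```

Only the roster file is reported; the "000-12-3456" ticket number and the phone number are rejected by the exclusions, and the public catalog has no hits. Treat the output as a worklist for the data steward (classify, encrypt, or shred), not as proof of absence: unformatted nine-digit SSNs, spreadsheets with binary encodings and scanned paper are not covered by this pattern.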
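The "What Should You Do Now?" slide says to overwrite all data with 3 passes before a machine is re-used. The following is an added example written for this page, not a K-State procedure: it overwrites a file image in place for the requested number of passes (random data, then a final pass of zeros), forces the writes to disk, and then reads the whole image back to verify that nothing but zeros remains. Running it against a real drive would mean opening the block device read/write as root, which is an assumption this demo does not exercise; it works on a constructed temporary file. One caveat a practitioner should carry with the policy: NIST SP 800-88 treats overwriting as a method for magnetic media, and for flash/SSD storage wear levelling can leave stale copies an overwrite never touches, so the drive's built-in sanitize/secure-erase or cryptographic erase is the right tool there.

```python
"""Added example: multi-pass overwrite of a file image with read-back verification.

Illustrative code for this page, not a K-State procedure. Overwrites a
regular file in place; the same loop applies to a block device opened
read/write, which is left as an assumption here.
"""
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB per write


def _fill(fh, size, source):
    """Write `size` bytes produced by source(n) to fh starting at offset 0."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(source(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # make sure the pass reached the medium


def overwrite_passes(path, passes=3):
    """Overwrite every byte of `path` `passes` times; return bytes written per pass.

    Passes 1..n-1 write random data; the final pass writes zeros so the
    verification read has a known expected value.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for i in range(1, passes + 1):
            if i < passes:
                _fill(fh, size, os.urandom)
            else:
                _fill(fh, size, lambda n: b"\x00" * n)
    return size


def verify_zeroed(path):
    """Read the whole file back; True only if every byte is 0x00."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def demo():
    """Constructed sample: an image holding roster-like confidential text."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"name,ssn\nDoe,Jane,078-05-1120\n" * 1000)  # constructed data
    before = os.path.getsize(path)
    written = overwrite_passes(path, 3)
    with open(path, "rb") as fh:
        pattern_found = b"078-05-1120" in fh.read()
    result = {
        "size": before,
        "written": written,
        "zeroed": verify_zeroed(path),
        "pattern_found": pattern_found,
    }
    os.remove(path)
    return result


if __name__ == "__main__":
    print(demo())
```

The verification read is the part worth keeping whatever pass count the policy settles on: a sanitization log entry that records the device, the number of passes and a successful read-back is what an auditor sampling surplus equipment will ask for.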
Approval Process
- IT security team drafts the policy with SIRT input
- IRMC reviews the draft, with Faculty Senate input
- IRMC votes to recommend adoption of the policy to the Vice Provost for IT Services
- VP-ITS distributes it to Faculty Senate and Dean's Council for review and signature
- Final approval by the Computing Executive Committee
- Publish in the PPM