UGASecRoleAcctTraining - EITS

UGA Role-based Security/Accountability Model
BAAF Quarterly Meeting, 2007
2007
1
“The University of Georgia cannot protect the confidentiality, integrity, and availability of sensitive information and information systems in today’s highly networked systems environment without ensuring that each person (student, faculty and staff) understands their roles and responsibilities, and is adequately trained to perform these roles”.
UGA Chief Information Security Officer
UGA Security Committee
The vision for the University of Georgia is a campus environment where the protection of sensitive and critical data, and information technology resources, is a shared responsibility among administrators, faculty, staff, students, and IT professionals.

This responsibility will be addressed campus-wide by implementing information security best practices based on individual role and level of accountability, and will be supported through building increased awareness and participation in training and educational opportunities.
• 2007 Senior VP Campus Memo: “Role/Accountability” Campus-wide Plan
  o …accountability for implementation of University security standards, policies, processes and procedures based on individual position and level of responsibility
• 2006-2007 Securing Sensitive Data: “Defense-in-Depth” (Processes, People, Core Technology Tools)
• 2006 President’s Retreat: “Securing UGA Sensitive Data: Current Status, Challenges and Future Directions”
  o Atten: Issue #5 — Acceptance of shared responsibility for institutional data and information security…campus-wide
• 2005 Campus Memo: “Securing Sensitive Data Initiative”
  o Phase I: UGA Auditor/CISO high risk Assessment (19 campus units)
  o Phase II: Inventory of all assets (i.e., servers, databases, personnel) through ASSETs Online software application, Version 1 (350 campus units)
Securing Sensitive Data: Defense in Depth (Processes, Technology, People)

Roles shown on the slide: USG Chancellor; Board of Regents; UGA President; Senior Vice Presidents; CISO; Vice Presidents, CIO; Deans, Vice Provost; Assoc VP’s, Assoc Provosts; Dept/Unit/Div Heads; Campus IT Personnel (Network Administrators, Systems Administrators, Database Administrators, Campus Security Liaisons, Other Titles/Classifications)

Processes: 2007 Mandatory Standards/Policies
• UGA Policy on Use of Computers
• UGA Electronic Mail Policy
• UGA Minimum Security Standards-Networked Devices Policy
• UGA Password Policy and Standards
• UGA Telecommunications Policy
• Georgia Surplus Policy
• Certification of compliance
• Mandatory Completion of ASSETs Version 1.1
• Spot Audit – UGA Auditor Office
• Mandatory Hiring Practices/Background Check

Technology: Core Technology Tools
• Virtual Private Network (VPN)
• Intrusion Prevention System (IPS)
• Centrally managed end-point security (i.e., anti-virus; anti-spyware)
• 24x7 monitoring via Secure Operations Center (SOC)
• Central Hosting facility/Boyd
• Campus-wide Licenses (e.g., F-Secure; Absolute Track)
• Vulnerability management
• Risk Management tools (e.g., ASSETs Self Assessment)
• Access Control (e.g., Blue Socket Authentication)

Required Risk Mgt Tools Implementation
• End-Point/desktop Security (e.g. F-Secure Enterprise)
• Computer Associates Vulnerability Manager
• Vulnerability Scanning (periodic and/or on-demand)
• Absolute Track software for laptop tracking
• ASSETs tool for development of unit Business Continuity Plan and Disaster Recovery Plan
• Intrusion Prevention System (IPS)
• Incident Response protocol

People: Education, Awareness & Training
SATE – Security Awareness, Training and Education
• Required SANS online training
• Requested SANS On-site training
• Staff training and development courses (T&D)
• Staff Certification
• Video/Print materials
• ASSETs Mass/Hands-on Training
• HIPAA and Security training
• Risk Management
• Payment Card Industry – A Primer
• UGA InfoSec Handbook

Brochures/PowerPoint (e.g.)
• Absolute Track+/Asset Tracking Mgt
• Protecting Your Good Name: ID Theft and ID Fraud
• DMCA: The History
• GLBA In a Nutshell

Other
• Cyber Security Awareness Month
• Websites/url (e.g., UGA InfoSec; Federal Trade Commission)
June 2007
Security is everyone’s responsibility…

…“under existing federal and state legislation, universities are responsible for the confidentiality and integrity of data originating from, and managed through, a campus environment. For the University of Georgia, over 41,000 network devices (e.g., computers, printers, fax machines, scanners) are used. Universities are also required to be a responsible custodian of personal data stored on computers, servers, and other communication devices. In 2006, more than 2.2 million records were stolen from colleges and universities, an increase of 17% over 2005”.

NOTE:
• Ponemon Institute Survey: $182.00 for every breached record
• Computer Science Institute/FBI Computer Security Survey: $89,000 average cost for computer theft
UGA Facts
• 4.9 million total incoming e-mail messages daily; 4.3 million = number of SPAM and virus messages deleted and/or eliminated out of the 4.9 million, leaving est. 600,000 delivered
• 19.9 Mainframe transactions – monthly average; 23.5 million monthly average during drop/add period
• 183,278 research jobs submitted to the Research Computing Center (RCC) requiring high performance computing CPUs
• 24,000 user-capacity of PAWS, campus-wide wireless network
• Average of 41,000 logins daily to MyUGA
• 10.4 million page hits monthly on www.uga.edu
• >1,000 Web sites hosted on www.uga.edu
• 8,677 online courses = 60,577 individual students enrolled in WebCT classes
• University Cablevision provides 12,600 hours of programming per week
• >99.9% uptime for critical production systems (e.g., Network, UGA Mail, WebCT, Mainframe)
Senior Vice Presidents… May 6, 2007 campus memo indicating specific actions by campus entities shall include:
a) Accountability for implementation of University security standards, policies, processes and procedures based on individual position and level of responsibility
d) Identification of individual(s) serving as department, unit or division security liaison(s) held responsible for system or network management, information, incident response…
e) Inclusion at all levels of participation in formal and/or informal awareness, training and educational opportunities as part of the annual performance appraisal process.

See: Handout: May 6 Campus Memo re: Securing Sensitive Data Initiative
UGA Role-Based Security/Accountability Model
• President: Ultimate responsibility for approval and submission of UGA Security Plan, policies, standards, and best practices that meet requirements of the University System of Georgia, state, and federal mandates.
• Senior Vice Presidents
  o Implement policies, standards, guidelines
  o Verify role responsibilities of executive management
  o Require annual report of security progress and issues
  o Validate completion of required awareness, training, and education and/or participation by direct reports
  o Support development and implementation of crisis/risk management practices
UGA Role-Based Security/Accountability Model
• Executives (Vice Presidents, Deans, Vice Provosts, Assoc. Provosts, Dept./Unit/Division Heads)
  o Accountable for college, unit, and/or division adherence to UGA policies (e.g., Federal, State, USG policy, law, regulations)
  o Establish line of responsibility and authority for security-related functions within unit, division, dept (e.g. IT Director, Security Liaison, technical leadership for grant/project/etc.)
  o Report organization’s security status to Senior Executive(s) based on articulated timeline
  o Participate in required awareness, training and education opportunities based on role and University requirements
  o Provide resources for unit, division, dept protection of sensitive/critical data (i.e., budget, personnel, and/or technology)
UGA Role-Based Security/Accountability Model
• IT Leadership, Management and Unit Security Liaisons
  o Annual update of ASSETs online self-reporting tool
  o Serve as Primary/Secondary contact for IT security incident, Business Continuity and Disaster Recovery planning
  o Ensure that resources are applied for protecting sensitive and critical data (people, process, training, technology)
  o Participate in annual awareness, training and education opportunities
  o Require appropriate skills, education, and ongoing training for key IT professionals (network administrators, systems administrators, application developers, and programmers)
  o Require or provide appropriate skills and training for new hires responsible for protecting sensitive and critical data
UGA Role-Based Security/Accountability Model
• IT Administrators (Network, Systems, Database, Web Administrators and Programmers)
  o Understand and adhere to all relevant UGA IT/IS security policies, standards, and procedures
  o Understand and appropriately participate in UGA local and incident response policy and procedures
  o Maintain awareness, training, and education requirements
  o Implement best practices in systems administration and design (e.g., configuration of systems)
UGA Role-Based Security/Accountability Model
• UGA Community – Students, Faculty, and Staff
  o Maintain a level of awareness and education of security policy and procedure including, but not limited to: Privacy Policy; Acceptable Use Policy; Security Policy for Networked Devices; Email Policy; Password Policy; Incident Response Policy
  o Recognition and appropriate response/accountability when role changes, such as faculty role in supervising IT Professionals through a grant
  o Follow regulations regarding protection of data (GLBA, FERPA, HIPAA, etc.) when using desktop and mobile devices
re: Awareness, Training and Education
Multiple opportunities for awareness, training and education on campus including, but not limited to:
• InfoSec
• UGA Training and Development Center
• Element-K
• SANS On-Demand and OnSite

A role-based training matrix is available on the UGA Securing Sensitive Data Website at: www.ssdi.uga.edu
UGA Role-Based Security/Accountability Model
• IT Professionals: The UGA Security Model will be integrated into the University of Georgia Human Resources IT Jobs Classification Model developed in 2004.
  o Job descriptions are located on the Human Resources web site: https://jobapp.humanres.uga.edu/classification/
  o IT Matrix and IT Leadership Matrix are located at the website
  o Information about IT Jobs can be found at http://www.coe.uga.edu/itjobs
UGA Role-Based Security/Accountability Model
(cont.) IT Professionals: The UGA Security Model will be integrated into the IT Jobs classification model.
• The Technical job descriptions have four levels: Assistant; Associate; Specialist; and Principal
• Security skills requirements are identified at all levels above assistant
• The entry level or assistant level may work under the supervision of senior IT Professionals but should not be solely accountable for the design or administration of systems protecting sensitive or critical data.
UGA Role-Based Security/Accountability Model
(cont.) IT Professionals: The UGA Security Model will be integrated into the IT Jobs classification model.
• The IT Leadership job descriptions will have security education and skills requirements.
• Leadership positions maintain a role of accountability for management of resources and adherence to policy, standards, and procedure. Additionally, IT Leadership is responsible for completing or assigning the completion of the ASSETs tool.
• IT Leadership must maintain annual awareness and training for incident response and disaster recovery.
Role-based Security/Accountability
• The role-based accountability model is based on the relationship between two people: the supervisor and the supervisee. Resources, planning, and monitoring the success of training and skills acquisition are built into the performance evaluation process.
• The IT Jobs Classification description, including the IT Matrix and the security requirements, will be used to determine what training is needed by current staff and what skills are needed in the recruiting/hiring process for key staff.
UGA Role-Based Security/Accountability Model
Implementation Timeline
• The first phase of communication and training will begin in October/November 2007.
• A project team will be created with representatives from ITMF, Training and Development, and UGANet. This team will deliver training to IT professionals, departments and units beginning in January.
• Multiple training opportunities will be created using web-based applications, video, and podcasting.
• The UGA Securing Sensitive Data Website will be maintained to provide ongoing communication about resources, requirements, and calendar of events: www.ssdi.ua.edu
“Things to Remember”
• Everyone on campus has a role in security accountability
• The Role-based Security/Accountability Model is built on industry best practice: Process, People, and Technology.
• The Role-based/Accountability Model is based on the relationship between two people: the supervisor and the supervisee. Resources, planning, and monitoring the success of training and skills acquisition are built into the performance evaluation process.
• Awareness, training, and education materials already exist on campus and many are free-of-charge.
• A communication and training schedule to implement this model is being created based on the successful approach used at UGA for the IT JOBS Initiative.
References
• Information Systems Audit and Control Association (ISACA) – COBIT. http://www.isaca.org/template.cfm?section=home
• ISO/IEC 17799, Information technology - Security techniques - Code of practice for information security management
• NIST Special Publication 800-16, “Information Technology Security Training Requirements: A Role- and Performance-Based Model.”