IT Security Policy - University of Guelph

University of Guelph
IT Security Policy
Doug Blain
Manager, IT Security
ISC, April 27th
IT Security policy
• What is it?
– The IT Security policy defines the minimum security posture that must be maintained to protect IT resources from compromise (internal or external) or loss. It defines the scope of the data and resources to be protected. It also protects the members of the University community when they need to make decisions or take actions when handling IT resources.
Why do we need it?
• Business risk management
– Protect assets
– Protect reputation
– Due diligence
• Risks increasing
– Viruses, worms
– Phishing, email scams
– Social Engineering
– Spyware, Trojans
Famous names in the news
• Tufts, Boston College, Columbia, Carnegie Mellon
• ChoicePoint, LexisNexis, Polo Ralph Lauren, Ameritrade, HSBC Holdings, Bank of America, DSW Shoes, etc.
All have had compromises that made the evening news... this year
Additional factors
• Establishment of CIO position
• IT needs to move from technological to business issues
• Security is not just a firewall (crunchy on the outside, soft and chewy on the inside)
• External Security Audits
• Government legislation
Scope
• University Wide
• Departmental
• Regional Colleges
• Residences
• Wireless, PDA, Cellphone
• Home, Remote access
Elements of an IT Security Policy
• Based on standards
– ISO 17790
– SANS
– CERT
– peers
• Mission statement
– Organizational roles
• Executive, HR, Board
• CIO
• Security officer
• Technical staff
• Campus Police
• Legal, Audit
• User community
– Definitions
Data handling Policy
• Data sensitivity
• Electronic records retention
• Privacy
User Account management
• Accounts Management
• Password Management
• Acceptable Use Policy
Access Management
– Trust model
– Access Controls
– Data classification
Virus Protection Policy
• Perimeter (email, firewall)
• Desktop
• Actions based on detection
Networking
• Standards (protocols, ports)
• Authorized Access
• Remote Access
Intrusion Detection / Logging
Configurations / Backups
• Monitoring
• Log consolidation
• Incident Handling
– Incident Response team
– Reporting requirements
• Configuration management
• Backups / Archiving
– Business resumption (not disaster recovery)
Unique requirements of University Environment
• Needs to be realistic for a University environment
• Students, Faculty, Staff, 3rd parties
• Mix of research, educational, business and personal data
• Open environment of collaboration and learning
• Wide range of research and educational issues
Development Process
• Develop Security Policy Team
– Security officer alone should not write the policy
– Broad cross-section of community, but not too big
– Involve major stakeholders: HR, Audit, Legal, IT staff
Risk Assessment (KISS)
• Asset inventory
• Asset values
• Threats
• Mitigations
– Provides guideline for priorities
Review Existing policies
• Compare to standards
• Revise as needed
• Develop new policies to fill in gaps
• Use templates (SANS)
• Borrow from peers
• Obtain approval
Establish audit & review process
• Measurements
• Revisions based on results, problems
• Ensure standards and practices are established
– Document how policy will be followed
– Defines the technical elements of implementation
Communicate policy to community
• Promote better understanding
• Encourage feedback
Time?
• ASAP
• Take small steps when possible
• Generally considered a long process in the industry
• Consultants, products may speed up the process.