
Getting Started With Information Security

An Overview

Cedric Bennett

EDUCAUSE Western Regional Conference

March 3, 2004

Cedric Bennett © 2004


March 3, 2004 Getting Started With Information Security -- EDUCAUSE Western Regional Conference 2

The Internet Provides Increasing Value for Higher Education

Direct value
  Teaching
  Learning
  Research
  Public Service

Support value
  Help to manage and administer the business of higher education
  Communications


The Cost of the Internet for Higher Education is Growing

Increase in Cyber-Threat
  Speed: the MS SQL Slammer worm traversed the entire Internet in only 15 minutes
  Privacy: the BugBear virus/worm grabbed and sent out private files
  Sophistication: SoBig, an email-delivered virus/worm, evaded anti-virus
  Time-to-exploit: MS RPC [Blaster] exploits appeared only two weeks after the vulnerability announcement


The Cost of the Internet for Higher Education is Growing (continued)

Increase in regulation
  Federal Law
    Older laws: FERPA (1974), ECPA (1986), CFAA (1986)
    Newer laws: HIPAA (1996), DMCA (1998), GLBA (1999), USA PATRIOT Act (2001), TEACH Act (2002)
  State and local: California Information Practices Act [SB 1386] (2003)


Information Security Function

Often required to deal with one or more of these issues:
  Policy development
  Recommendations for protecting resources
  Incident prevention
  Incident response
  Risk assessment
  And other related issues (?)

Information Security = Confidentiality, Integrity, Availability


Good News

Information Security Efforts Are Improving
  Move toward pro-activity
  Realization that it is not just a technology issue
  Growing executive awareness of issues

How to go about it?


Staffing the function

Different models exist
  Specific, dedicated individuals
    Sometimes small teams
  Collateral duties of one or more individuals
    Often network engineers or system administrators

Consider higher-level, management oriented
  Dedicated model
  Collateral duty

Create and leverage strategic alliances with others across the institution


Build Alliances…

…with other institutional (policy and compliance) offices…
…that are responsible for aspects of compliance, protection of data, development of policy, interpretation of law
  Usual functions are internal audit, general counsel, compliance, risk management, public safety
  Also faculty, staff, or student advisory committees

Can be useful in providing answers or interpretations

Can also become partners in helping to present or support solutions to others


Identify key data owners…

…both academic and administrative
  Key data owners of administrative information: human resources, student, financial, fund-raising, investment, compliance
  Also owners of research data, course data, other intellectual property (usually much less centrally managed)

Data owners:
  Care a great deal about the information and its protection
  Need your help to understand cyber risks
  Will provide you help in presenting and implementing information security measures


Create Partnerships…

…with other technical enterprises
  Both central and distributed
  Others with responsibility for, and expertise in, information security
    Probably limited to their own areas of responsibility
    Other parts of the central IT organization, or widely distributed parts of the institution

Establish liaison with these experts
  Can extend the knowledge and influence of central information security

Develop them into a peer group
  Share information
  Deal with serious emergencies
  Become part of the Incident Response Team (IRT)
  Review ideas and plans for information security improvement

Can overcome boundaries that prevent dialog and cooperation


Create Partnerships… (continued)

…with other information security practitioners
  At other institutions
  Difficult questions can be considered from a variety of perspectives

Join online discussion lists
  http://www.educause.edu/security/

Attend specialized conferences
  EDUCAUSE / Internet 2 Security Professionals Workshop


Develop Institutional Policies

Policies create the context and foundation for the application of practices and procedures to protect information resources

Often a very time-consuming process

Benefits:
  The policy gets written and published
  The process helps to raise awareness


Raise Awareness

Aimed at raising information security consciousness
  Everyone understanding that they play an important role
  Develop simple and effective habits
  Understand, accept, and support information security measures


Broaden Security Expertise

The Information Security organization cannot single-handedly raise the level of campus information security

Education aimed at technical staff
  System administrators, programmers, database administrators, help desk, analysts
  Helping them understand how to implement with greater attention to information security
  Gaining their assistance in teaching others

The Information Security organization becomes experts to the experts
  Helping them secure their systems


Deploy Technology With Care

Technology is necessary and helpful
  It can also consume large amounts of effort
  Beware the “silver bullets”

Choose with care
  Look for what’s missing
  Consider maintenance and support effort
  Talk to colleagues on and off campus
  Exchange opinions on lists
  Test before committing


Lead a Security Dialog

Not easy to start or to do
  Atmosphere of intolerance toward “unnecessary” restrictions
  Tension between fundamental mission and requirement for security

Very important to get a dialog started soonest
  Examine underlying assumptions
  Reconsider decisions made in the past
  Confront “conventional wisdom” regarding requirements
  Develop institutional information security policies
  Recognize that sensitive information is widely distributed
  Allow for differing levels of security
  Act from the understanding that information security is more a people issue (education and awareness) than a technical one
  Seek to minimize dependence upon individual conformity and overly oppressive controls


Lead a Security Dialog (continued)

Each institution will need to find its own balance
  Solutions which best suit
    Its own culture, values, and goals
    Its own view of acceptable risk, budget, other constraints

Discussions can be guided by a set of principles
  Principles to Guide Efforts to Improve Computer and Network Security for Higher Education (NSF Workshop):
    Civility and community
    Academic and intellectual freedom
    Privacy and confidentiality
    Equity, diversity, and access
    Fairness and process
    Ethics, integrity, and responsibility


Questions?