IT Security Policies and Campus Networks
The dilemma of translating good security policies to practical campus networking
Sara McAneney, IT Security Officer, Trinity College Dublin
22/05/2007

Overview
• Creating the Security Policy
• The Implementation Dilemma
• What makes the Campus Environment Different?
• The Answer
• Case Study: Trinity College Dublin

Campus Networks and Security (timeline of campus attitudes to security)
• Cultural Resistance
• Gradual infiltration
• Acceptance
• Period of rapid catch up
• Maturity?

Policies Implemented 2006 (chart)
Source: ECAR (Educause Centre for Applied Research) 2006 IT Security Survey, 492 respondents

Creating the Security Policy
• ISO 27001
• Relevant Legislation
• Organisational Environment
• Identify Assets
• Resources, e.g. the UCISA Information Security Toolkit

Policy
• Main Policy
• Supporting policy areas:
 – Email
 – Internet use
 – System development, etc.

Implementation
• Governing Body Approval
• Communication to Users
• Translation to Operational Procedures
• Enforcement

Campus Implementation Difficulties
• Traditional ethos of free & open access to systems and information
• Diverse user base: admin, teaching, research, grids, commerce, corporations, clubs, societies, college life, public guests
• Complex collaborative arrangements between institutions, individuals and industry
• Need to facilitate the rapid adoption of emerging & often immature technologies
• Diversity and decentralised management

Traditional Implementation (diagram)
Policy dissemination: Management → Area Head → End User

University Structure
• Governing Body
• Committees
• Schools/Faculties
• Admin Areas
• Student Representatives
• Commercial Entities

University Structure (diagram of the bodies the policy must reach)
• Governing Body, with Committees
• Academic Body: School/Faculty, Committees, End Users
• Admin Body: Admin Areas, End Users
• Student Body: Student clubs, Student Societies, User Groups
• Campus Company, Research Affiliates, End Users

Helpful to Focus on Similarities with all Large Networks
• Provide High Quality, Flexible Services
• Protect Confidential Data
• Protect against Internal and External Security Threats
• Comply with Legislation
• Contingency and Disaster Recovery Planning

Goal
• Despite, and because of, this complexity and diversity it is vital to implement an IT Security Framework
• A framework which both facilitates & protects

The Answer?
• Management Structure - Establish IT Security Governance/Management Structure
• Involve Stakeholders - Identify key stakeholders and involve them in creating policy; encourage ongoing communication
• High Value Assets - Identify core IT Assets and prioritise
• Segregation - Functional and Security Boundaries
• Flexibility - Make provision for high risk activity: research, new technology, etc.

Case Study: Trinity College Dublin
• July 2003 - IT Security Policy approved by College Governing Body
• 2004 - Awareness exercises: email, booklet, website
• 2004-2006 - Translation to operational procedures
• Ongoing - Adoption of security technologies

Security Management System (diagram)

Implementation - College IT Security Governance (diagram)
• Governing Committee
• Trinity College Data Network
• Local Area IT Support reps
• End Users
• Autonomous Network, with its own End Users

Implementation
• Internal Agreements - Central computing department & local IT interests
• Regular Communication
• Dissemination to IT Administration Staff & End Users
• Adoption of Technologies

Supporting Documentation
• Network Security
• Internet Use
• Email Use
• Authentication/Passwords
• Virus and Spam
• Software Development
• Data Backup
• Disaster Recovery
• Remote Access
• Third Party Access
• Legal Compliance Guidelines

Adopting Technologies
• Network Security - VPN, VLANs, Firewall, IDS, NAC, 802.1x, guest network services, eduroam
• Host Security - Automatic Updates, Centrally Managed AV
• Enterprise Directory - Secure Authentication
• Removal of Insecure Protocols

Security Boundaries (diagram of the segregated zones)
• Teaching & General Research
• Student Services
• Wireless Services
• Central Services - Web, Mail, Proxy, etc.
• Specialized Research
• Autonomous Networks
• Specialized Production - Cash Registers, etc.

Assessing the Progress
• Improved communications - move away from duplication of service
• Improved focus - strategic planning
• Incident Reporting
• Internal Audit - systems, applications
• External Audit
• ISO 27001 Certification

Future Challenges
• Exploding user numbers - students/public on network, guests, eduroam
• Non-traditional networked devices - PDAs, phones, Xboxes, cameras, CEPOS
• Disappearing network boundary
• Rapid adoption of new technology
• Changing threat profile
• Data privacy concerns - help users protect their personal/financial data
• More important than ever to deal with these challenges via a strong IT Security Framework

References:
http://www.tcd.ie/itsecurity/policies/index.php
http://www.educause.edu/ecar
http://www.ucisa.ac.uk/