1 / 24

Normative vs. Descriptive vs. Pragmatic

Normative vs. Descriptive vs. Pragmatic. Sad reality. Faculty, staff and students are using mobile devices today, with or without our help (probably without) Most of us are significantly under-resourced

riva
Download Presentation

Normative vs. Descriptive vs. Pragmatic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Normative vs. Descriptive vs. Pragmatic

  2. Sad reality • Faculty, staff and students are using mobile devices today, with or without our help (probably without) • Most of us are significantly under-resourced • Our users have probably already lost mobile devices containing sensitive university data, we just weren’t told it happened • What do we tell our bosses when they ask about mobile device incidents?

  3. Policy • What is it? • Does one size fit all? • What will my organizational culture accept? • What can *I* do to address this?

  4. U. of S.C. Policy Framework Increasing rate of change Definition: Overall intention and direction as formally expressed by management. Characteristics of good policy: • Originates and maintained at the Trustee/Executive level • Requires revision only if university goals or mission change • Easy to understand, written for a broad audience • Avoids specifics subject to change • Links to detailed supporting documents • Stands the test of time Order of creation Definition: Basis with which to measure policy. Characteristics of good standards: • Support policy goals • Specific without implementation guidance • Originates and maintained by Data Steward • Changes more frequently than policy • Changes less frequently than procedures and guidelines Definition: A description that clarifies what should be done and how, to achieve the objectives set out in policies. Characteristics of good procedures: • Describes how to comply with Policy and Standards • Varies by business unit need or requirement • Created and maintained by business unit

  5. Framework in Action Increasing rate of change UNIV 1.50 “The purpose of this policy is to establish standards to manage, protect, secure and control system institutional data that will promote and support the efficient conduct of University business. The objective of this policy is to minimize impediment to access of this data, yet provide a secure environment.” Order of creation Future standards to be issued by Data Stewards • Potential University standards: • ISO 27002 • Sensitive Data Security • Logging Practices • Workstation Security • Server Security • Password Practices • Media Sanitization Current examples • Specific to University Technology Services: • Firewall Configuration Management (UTS 300.20.2) • Computer Room Protocol (UTS 300.30.1) • Operations Guide for VM Admins (UTS 300.70.1a) • General Information Security guidelines posted to the USC Information Security Program website: • security.sc.edu

  6. Information Security Related Policies (www.sc.edu/policies) Acceptable Use of Information Technology (IT 1.06) Information Security (IT 3.00) Data Access (UNIV 1.50) Other Related Policy Location of associated standards, procedures and guidelines security.sc.edu datawarehouse.sc.edu

  7. Keep it simple

  8. Give yourself the authority

  9. Make it happen

  10. Mobile device configuration guidelines coming soon! If all goes well, you now have the freedom to add new guidelines quickly and as needed. Very agile and flexible approach Likely compatible with your current environment… In the mean time, I like Carnegie Mellon’s mobile Internet device recommendations: http://www.cmu.edu/iso/governance/guidelines/mobile-device.html

  11. So how did I get this new policy published? Thanks, accreditation!

  12. Catalyst for InfoSec Program push?

  13. A wise person once said, “Never let a good crisis go to waste.” (or something to that effect!)

  14. “I rooted my device so that *I* am in control!” • Oh, really?

  15. You can keep an eye out for other indicators of “mobile malware.” So far, we are not aware of other mobile-flavored malware detections… which makes me awfully suspicious.

  16. Potential ways to implement Look for cross platform vendors, such as MobileIron Draw the line at the top 3(?) devices, but even still that might be too resource intensive

More Related