UW Information Systems Security Policy

1. UW Information Systems Security Policy Stephen Rondeau Institute of Technology Computing Labs Administrator 18 Nov 2005

2. Agenda • Components • Sampling of Laws • Complying with the Law • Consideration of Ethics • Consequences • References

3. Computing Device input output Hub Components • Computing Device • takes some input • processes it • OS, services, applications • provides some output • Network • connects device • Data • ?

4. Computing Devices: Reality In Human K/M/touch,etc. Out Human A/V Data Scanner/GPS In/Out Data Storage Device, PC Card, Network, Printer, Etc.

5. Computing Devices: Connections • removable media • floppy,CD/DVD,flash,microdrive • PC Card • wired • serial/parallel,USB,Firewire,IDE,SCSI,twisted pair • wireless • radio (802.11, cellular, Bluetooth) • Infrared (IR) • Ultrasound

6. Lab Network Environment H/S R C C C C AP H/S C Server C Time- Share C C Internet UW Net R C

7. Data Issues • Sensitivity: public or confidential • confidential • minimal, more sensitive, most sensitive • owned by someone • specific statements for access, distribution, storage, disposal and penalties for disclosure • Criticality: how important to function

8. Key Security Concepts • Must protect: • Services/Use • Functionality: perform function or use device • Availability: device or data is ready for use on demand and at operational speed and capacity • Data • Confidentiality: prevent disclosure to unauthorized people • Integrity: unaltered, intact

9. Sampling of Laws • International, federal, state, UW • statutes and regulations • Federal • privacy, wiretapping, fraud, disclosure, surveillance, counterterrorism • grant-related policy • WA State • privacy, malicious mischief, public records, spam, disclosure • UW Administrative Code • student and general conduct, records access

10. Complying with the Laws • Comply: take action to conform • Law => Policies + Standards + Guidelines • Policies state what needs to be done • Standards define how to implement the policy (via procedures) • Guidelines are strongly-recommended practices to assist in adhering to standards

11. Roles and Responsibilities • System owners and operators • comply with laws, policies, guidelines • maintain confidentiality of sensitive data • grant access based on “least privilege” and “separation of duties” principles • report security incidents and perform incident response • Data Custodians • Users

12. Policies • May monitor user accounts, files and access • Understand nature of data on systems, and manage it appropriately • Provide logical and physical access control and logging commensurate with sensitivity and criticality of computing devices, networks and data • Document procedures for issuing, altering and revoking access privileges • Implement minimum computer and network measures and practices

13. Consideration of Ethics • Ethics are the principles of conduct that are harmonious with society • arguably higher than policy • notable examples • whistleblowing • preventing conflicts of interest • protecting life • Use of university resources; data sensitivity

14. Consequences • Worm/Virus authoring and release • Trojans • Unauthorized wireless access • Keylogging • Botnets

15. References • UW Information Systems Security • http://www.washington.edu/admin/rules/APS/02.01TOC.html • UW Minimum Computing Security Standards • http://www.washington.edu/computing/security/pass/MinCompSec.html • UW Electronic Information Privacy Policy • http://www.washington.edu/computing/rules/privacypolicy.html • SANS Institute Policy Templates • http://www.sans.org/resources/policies/