Policy and IT Security Awareness. Amy Ginther Policy Development Coordinator University of Maryland Information Technology Security Workshop April 2, 2004. Agenda. Discussion throughout session on: Model policy development process Influences on security policy Security policy taxonomy
Policy and IT Security Awareness
Amy Ginther, Policy Development Coordinator, University of Maryland
Information Technology Security Workshop, April 2, 2004
Agenda
Discussion throughout session on:
• Model policy development process
• Influences on security policy
• Security policy taxonomy
• Model security policies
• Awareness programs
Model Policy Development Process
• http://www.inform.umd.edu/ACUPA/projects/process
• Predevelopment
  • Identify Issues
  • Conduct Analysis
• Development
  • Draft Language
  • Get Approvals
  • Determine Distribution/Education
• Maintenance
  • Solicit Evaluation and Review
  • Plan Measurement and Compliance
Higher Education Values
• Higher Education environment… tends to be more open than corporate or gov’t environments; reality of student residential environments
• Measures taken to improve security must protect and not impede the expression of these values.
• Balance need for security with important aspects of higher education environment.
Core Academic Values
Oblinger, 2003. In Computer and Network Security in Higher Education, Luker & Petersen, editors.
• Community: shared decision making; outreach to connected communities (access to affiliates or other patrons)
• Autonomy: academic and intellectual freedom; distributed computing
• Privacy: “the right to open inquiry without having the subject of one’s interest examined or scrutinized by others” (American Library Association, 2002)
• Fairness: due process
Influences on Security Policy
EDUCAUSE/Internet2 six principles to guide policy development:
• Civility and Community
• Academic and Intellectual Freedom
• Privacy and Confidentiality
• Equity, Diversity and Access
• Fairness and Process
• Ethics, Integrity and Responsibility
What to Include? Security Policy Taxonomy
• Security Architecture
• Security Awareness
• Security Implementation
• Security Management
• Data Security
• Identity Theft
• Incident Handling/Incident Response
• Information Assurance
• Network Vulnerability Assessment
• Physical Security
• Privacy
• Security Planning
• Security Policies
• Security Risk Assessment and Analysis
Writing Policy: Elements of Institutional Policies
• Policy Name
• Scope
• Purpose
• Policy Statement
• Roles/Responsibilities
• Definitions
• References
• Supporting Procedures?
• Consequences/Sanctions for Non-Compliance
Model security policies
• EDUCAUSE/Cornell Institute for Computer Policy and Law, http://www.educause.edu/ICPL/
• http://www.educause.edu/ICPL/library_resources.asp
• http://www.sans.org/resources/policies/ includes security policy primer, sample policies and templates
Awareness Programs
• Target Audiences: faculty, staff, students, IT professionals
• Delivery Methods: presentations, ads, articles, quizzes, handouts, videos
• Message Framework
  • Knowledge: what to do
  • Skills: how to do
  • Attitudes: want to do
• National Initiatives:
  • EDUCAUSE Security Education and Awareness
  • www.staysafeonline.info
Awareness Programs
• Communication tips (Payne, 2003. In Luker/Petersen.)
  • Take the message to the people
  • Be consistent in the message
  • Write to short attention spans
  • Make the message real to each target audience
  • Make it fun
  • Repeat, repeat, repeat
• Some examples:
  • http://www.cit.buffalo.edu/security/caught.html
  • http://www.itc.virginia.edu/pubs/ads/fightback/
  • http://www.udel.edu/codeoftheweb/
Resources
• Computer and Network Security in Higher Education, 2003. Mark Luker and Rodney Petersen, editors. http://www.educause.edu/asp/doclib/abstract.asp?ID=PUB7008
• Collection of policies and policy development resources: www.educause.edu/security
Contact Information
Office of Information Technology, University of Maryland, College Park
• Amy Ginther, Policy Development Coordinator, aginther@umd.edu; phone: 301.405.2619
• Gerry Sneeringer, Security Officer, sneeri@umd.edu; phone: 301.405.2996