220 likes | 231 Views
UGA Role-based Security/ Accountability Model BAAF Quarterly Meeting 2007.
E N D
UGA Role-based Security/ Accountability ModelBAAF Quarterly Meeting2007
“The University of Georgia cannot protect the confidentiality, integrity, and availability of sensitive information and information systems in today’s highly networked systems environment without ensuring that each person (student, faculty and staff) understands their roles and responsibilities, and is adequately trained to perform these roles”. UGA Chief Information Security OfficerUGA Security Committee
The vision for the University of Georgia is a campus environment where the protection of sensitive and critical data, and information technology resources, is a shared responsibility among administrators, faculty, staff, students, and IT professionals. This responsibility will be addressed campus-wide by implementing information security best practices based on individual role and level of accountability, and will besupported through building increased awareness and participation in training and educational opportunities.
2007 Senior VP Campus Memo “Role/Accountability” Campus-wide Plan …accountability for implementation of Universitysecurity standards, policies, processes and procedures based on individual position and level of responsibility 2006-2007 Securing Sensitive Data “Defense-in-Depth” Processes, People, Core Technology Tools 2006 President’s Retreat “Securing UGA Sensitive Data: Current Status, Challenges and Future Directions” Atten: Issue #5 — Acceptance of shared responsibility for institutional data and information security…campus-wide 2005 Campus Memo “Securing Sensitive Data Initiative” Phase I: UGA Auditor/CISO high risk Assessment (19 campus units) Phase II: Inventory of all assets (i.e., servers, databases, personnel) through ASSETs Online software application, Version 1 (350 campus units)
Securing Sensitive Data Defense in Depth Processes Technology People • Virtual Private Network (VPN) • Intrusion Prevention System (IPS) • Centrally managed end-point • security (i.e., anti-virus; anti-spy ware) • 24x7 monitoring via Secure • Operations Center (SOC) • Central Hosting facility/Boyd • Campus-wide Licenses (e.g., • F-Secure; Absolute Track) • Vulnerability management • Risk Management tools (e.g., • ASSETs Self Assessment) • Access Control (e.g., Blue Socket • Authentication) USG Chancellor Board of Regents USG Chancellor Board of Regents • 2007 Mandatory Standards/Policies • UGA Policy on Use of Computers • UGA Electronic Mail Policy • UGA Minimum Security Standards-Networked Devices Policy • UGA Password Policy and Standards • UGA Telecommunications Policy • Georgia Surplus Policy • Certification of compliance • Mandatory Completion of ASSETs Version 1.1 • Spot Audit – UGA Auditor Office • Mandatory Hiring Practices/Background Check UGA President UGA President Senior Vice Presidents CISO Vice Presidents, CIO Deans, Vice Provost Assoc VP’s, Assoc Provosts Campus IT Personnel Dept/Unit/Div Heads Network Administrators • Required Risk Mgt Tools Implementation • End-Point/desktop Security (e.g. F-Secure Enterprise) • Computer Associates Vulnerability Manager • Vulnerability Scanning (periodic and/or on-demand • Absolute Track software for laptop tracking • ASSETs tool for development of unit Business Continuity Plan • and Disaster Recovery Plan • Intrusion Prevention System (IPS) • Incident Response protocol Systems Administrators • Education, Awareness & Training • SATE – Security Awareness, Training and • Education • Required SANS online training • Requested SANS On-site training • Staff training and development courses (T&D) • Staff Certification • Video/Print materials • ASSETs Mass/Hands-on Training • HIPAA and Security training • Risk Management • Payment Card Industry – A Primer • UGA InfoSec Handbook Database Administrators Campus Security Liaisons Other Titles/Classifications • Brochures/PowerPoint (e.g.) • Absolute Track+/Asset Tracking Mgt • Protecting Your Good Name: ID Theft and • ID Fraud • DMCA: The History • GLBA In a Nutshell Other Cyber Security Awareness Month Websites/url (e.g., UGA InfoSec; Federal Trade Commission June 2007
Security is everyone’s responsibility……“under existing federal and state legislation, universities are responsible for the confidentiality and integrity of data originating from, and managed through, a campus environment. For the University of Georgia, over 41,000 network devices (e.g., computers, printers, fax machines, scanners) are used. Universities are also required to be a responsible custodian of personal data stored on computers, servers, and other communication devices. In 2006, more than 2.2 million records were stolen from colleges and universities, an increase of 17% over 2005”.NOTE: Ponemon Institute Survey $182.00 for every breached recordComputer Science Institute/FBI Computer Security Survey$89,000 average cost for computer theft
UGA Facts • 4.9 million total incoming e-mail messages daily; 4.3 million = number of SPAM and virus messages deleted and/or eliminated out of the 4.9 million leaving est. 600,000 delivered • 19.9 Mainframe transactions – monthly average; 23.5 million monthly average during drop/add period • 183,278 research jobs submitted to the Research Computing Center (RCC) requiring high performance computing CPUs • 24,000 user-capacity of PAWS, campus-wide wireless network • Average of 41,000 logins daily to MyUGA • 10.4 million page hits monthly on www.uga.edu • >1,000 Web sites hosted on www.uga.edu • 8,677 online courses = 60,577 individual students enrolled in WebCT classes • University Cablevision provides 12,600 hours of programming per week • >99.9 = percentage of uptime for critical production systems (e.g., Network, UGA Mail, WebCT, Mainframe)
Senior Vice Presidents… May 6, 2007 campus memo indicating specific actions by campus entities shall include: • Accountability for implementation of University security standards, policies, processes and procedures based on individual position and level of responsibility • Identification of individual(s) serving as department, unit or division security liaison(s) held responsible for system or network management, information, incident response… • Inclusion at all levels of participation in formal and/or informal awareness, training and educational opportunities as part of the annual performance appraisal process. See: Handout: May 6 Campus Memo re: Securing Sensitive Data Initiative
UGA Role-Based Security/Accountability Model • President: Ultimate responsibility for approval and submission of UGA Security Plan, policies, standards, and best practicesthat meet requirements of the University System of Georgia, state, and federal mandates. • Senior Vice Presidents • Implement policies, standards, guidelines • Verify role responsibilities of executive management • Require annual report of security progress and issues • Validate completion of required awareness, training, and education and/or participation by direct reports • Support development and implementation of crisis/risk management practices
UGA Role-Based Security/ Accountability Model • Executives (Vice Presidents, Deans, Vice Provosts, Assoc. Provosts, Dept./Unit/Division Heads) • Accountable for college, unit, and/or division adherence to UGA policies (e.g., Federal, State, USG policy, law, regulations) • Establish line of responsibility and authority for security-related functions within unit, division, dept (e.g. IT Director, Security Liaison, technical leadership for grant/project/etc.) • Report organization’s security status to Senior Executive(s) based on articulated timeline • Participate in required awareness, training and education opportunities based on role and University requirements • Provide resources for unit, division, dept protection of sensitive/critical data (i.e., budget, personnel, and/or technology)
UGA Role-Based Security/ Accountability Model • IT Leadership, Management and Unit Security Liaisons • Annual update of ASSETs online self-reporting tool • Serve as Primary/Secondary contact for IT security incident, Business Continuity and Disaster Recovery planning • Ensure that resources are applied for protecting sensitive and critical data (people, process, training, technology) • Participate in annual awareness, training and education opportunities • Require appropriate skills, education, and ongoing training for key IT professionals (network administrators, systems administrators, application developers, and programmers) • Require or provide appropriate skills and training for new hires responsible for protecting sensitive and critical data
UGA Role-Based Security/ Accountability Model • IT Administrators (Network, Systems, Database, Web Administrators and Programmers) • Understand and adhere to all relevant UGA IT/IS security policies, standards, and procedures • Understand and appropriately participate in UGA local and incident response policy and procedures • Maintain awareness, training, and education requirements • Implement best practices in systems administration and design (e.g., configuration of systems)
UGA Role-Based Security/ Accountability Model • UGA Community – Students, Faculty, and Staff • Maintain a level of awareness and education of security policy and procedure including, but not limited to: • Privacy Policy • Acceptable Use Policy • Security Policy for Networked Devices • Email Policy • Password Policy • Incident Response Policy • Recognition and appropriate response/accountability when role changes such as faculty role in supervising IT Professionals through a grant • Follow regulations regarding protection of data: GLBA, FERPA, HIPAA, etc. when using desktop and mobile devices
re: Awareness, Training and Education • Multiple opportunities for awareness, training and education on campus including, but not limited to: • InfoSec • UGA Training and Development Center • Element-K • SANS On-Demand and OnSite • A role-based training matrix is available on the UGA Securing Sensitive Data Website at: • www.ssdi.uga.edu
UGA Role-Based Security/ Accountability Model • IT Professionals: The UGA Security Model will be integrated into the University of Georgia Human Resources IT Jobs Classification Model developed in 2004. • Job descriptions are located on the Human Resources web site: https://jobapp.humanres.uga.edu/classification/ • IT Matrix and IT Leadership Matrix are located at the website • Information about IT Jobs can be found at http://www.coe.uga.edu/itjobs
UGA Role-Based Security/ Accountability Model • (cont.) IT Professionals:The UGA Security Model will be integrated into the IT Jobs classification model. • The Technical job descriptions have four levels: Assistant Associate Specialist, and Principal • Security skills requirements are identified at all levels above assistant • The entry level or assistant level may work under the supervision of senior IT Professionals but should not be solely accountable for the design or administration systems protection sensitive or critical data.
UGA Role-Based Security/ Accountability Model • (cont.) IT Professionals: The UGA Security Model will be integrated into the IT Jobs classification model. • The IT Leadership job descriptions will have security education and skills requirements. • Leadership positions maintain a role of accountability for management of resources and adherence to policy, standards, and procedure. Additionally, IT Leadership is responsible for completing or assigning the completion of the ASSETs tool. • IT Leadership must maintain annual awareness and training for incident response and disaster recovery.
Role-based Security/Accountability • The role-based accountability model is based on the relationship between two people: the supervisor and the supervisee. Resources, planning, and monitoring the success of training and skills acquisition are built into the performance evaluation process. • The IT Jobs Classification description including the IT Matrix and the security requirements will be used to determine what training is needed by current staff and what skills are needed in recruiting/hiring process for key staff.
UGA Role-Based Security/ Accountability Model • Implementation Timeline • The first phase of communication and training will begin in October/November 2007. • A project team will be created with representatives from ITMF, Training and Development, and UGANet. This team will deliver training to IT professionals, departments and units through beginning in January. • Multiple training opportunities will be created using web-based applications, video, and podcasting. • The UGA Securing Sensitive Data Website will be maintained to provide ongoing communication about resources, requirements, and calendar of events—www.ssdi.ua.edu
“Things to Remember” • Everyoneon campus has a role in security accountability • The Role-based Security/Accountability Model is built on industry best practice: Process, People, and Technology. • The Role-based/Accountability Model is based on the relationship between two people: the supervisor andthe supervisee. Resources, planning, and monitoring the success of training and skills acquisition are built into the performance evaluation process. • Awareness, training, and education materials already exist on campus and many are free-of-charge. • A communication and training schedule to implement this model is being created based on the successful approach used at UGA for the IT JOBS Initiative.
References • Information Systems Audit and Control Association (ISACA) – COBIT http://www.isaca.org/template.cfm?section=home • Information Technology - Security Techniques - Code of practice for information security management - ISO 1779922 • NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model."