Information Security Policies
Larry Conrad
September 29, 2009
The Need
• University policies are needed to
  • Mitigate risk of information security threats
  • Meet compliance obligations
  • Have comparable standards to the State as required by law; otherwise the university is subject to the State’s standards
Addressing Compliance
Information Security Policies are needed to meet UNC’s compliance obligations.
Legend: policies required; policies or procedures implicated to establish compliance
An Expanding Definition of Sensitive Data
Data types whose protection requirements are set by policy:
• Credit Card Information
• Public Safety Information
• Passwords
• Financial Donor Information
• File Encryption Keys
• Personal Information
• Information Security Records
• PHI (Protected Health Information)
• Personnel Information
• Customer Records
• Student Education Records
• Confidential Information
• Research Data
Compliance
• Policies are intended to set requirements to protect data and support the compliance requirements imposed on University operations by applicable federal and state laws and regulations.
• Ranging from the Health Insurance Portability and Accountability Act of 1996 through the Family Educational Rights and Privacy Act and the recently passed Health Information Technology for Economic and Clinical Health Act (included in the American Recovery and Reinvestment Act of 2009), the compliance requirements keep changing and expanding.
• University policies need to adapt to these changes to ensure that university operations meet the changing compliance requirements.
Alternatives
• If UNC-Chapel Hill does not implement its own policies, it may be regulated by the North Carolina General Statutes, which require standards for information security comparable to those required of state agencies.
• Therefore, even though not directly covered by the security standards set by the State CIO, the University of North Carolina must at minimum meet standards comparable to those set for state agencies.
State Standards in Comparison
• UNC Proposed Information Security Policies
  • 52 pages
  • 4 standards
  • Designed with UNC in mind
  • UNC input
• State of NC Security Standards
  • 220 pages
  • 40 standards
  • Designed for state agencies
  • No University input
What’s in a standard?
• Standards are set as requirements in policies.
• They carry more technical detail, which may be updated more frequently than a policy.
• Examples:
  • Length of password
  • Acceptable encryption algorithms
• Can be used as a technical “checklist”
Policy Content
Two overarching policies:
• Information Security Policy: Overarching information security policy that interfaces with all remaining information security-related policies as well as other University policies.
• Data Governance Policy: Addresses classifications of data, and the roles and processes required to manage and protect the data.
• Proposed policies can be found at: its.unc.edu/InfoSecurity/proposed-policies/index.htm
Policy Content
• Information Security Standards Policy: Lists the minimum requirements for computing devices owned or managed by UNC-Chapel Hill. The policy is intended to implement industry best practices and safeguard university data.
• General User Password Policy: States the minimum requirements for password usage and incorporates the existing Onyen password guidelines.
• Password Policy for System and Application Administrators: States the heightened requirements for password usage by administrators; requires technical enforcement.
• Policy on Transmission of Sensitive Information: Sets the requirements for transmitting sensitive information over public or wireless connections (encryption).
• Security Liaison Policy: Defines the role and responsibilities of departmental security liaisons.
• Vulnerability Management Policy: States the guidelines for managing web, database and operating system vulnerabilities.
• Incident Management Policy: Defines the incident management responsibilities and the process for investigating possible or actual breaches of sensitive information or mission-critical devices; formally assigns the cost of a breach to the department that has primary responsibility for it.
Policy Implications
• University units will be required to bring servers/systems up to the minimum standards.
• Failure to do so may result in disciplinary action against employees.
• In general, these policies simply codify accepted best practices.
• Units with competent systems administrators managing their systems will have few problems complying.
• Campus units will be responsible for the costs of bringing systems into compliance.
• Most controversial will likely be:
  • Policy on Transmission of Sensitive Information: encryption requirement
  • Incident Management Policy: charges to units for the costs of incident management ($62/hr proposed rate)
Departmental Impact
• Departmental resources and budgets will be impacted by policies, and the impact will vary depending on many factors, including:
  • The number of systems in each department that process/store sensitive data or that are considered mission critical
  • The time frame set for compliance
  • How close current departmental practices and safeguards are to policy requirements
  • How many safeguards are implemented at a scalable enterprise level versus department by department
  • Degree of interdepartmental consolidation of systems that process/store sensitive data or have mission-critical functions
• Departments and researchers may be impacted by processes and organizational changes necessary to facilitate greater security oversight, consolidation of IT assets and compliance with standards.
• In some cases, when project managers have not planned sufficiently for integrating security requirements, projects could be delayed.
Enterprise Impact
• Enterprise Funding
  • Additional University investment is needed to provide cost-effective security safeguards for University data.
  • Additional investment (people, technology) in a “security bank” infrastructure is necessary to offer cost-effective security by moving sensitive University data to the “banks”.
  • The complete cost of protecting sensitive data cannot be accurately projected until an enterprise risk assessment has been completed.
• Formal Data Governance will become essential
  • To oversee collection of sensitive data and make sure security requirements are met for research and administrative data
  • A Data Governance coordinating committee is part of the new IT governance structure
Policy Benefits
• Protection of data and stakeholder privacy with appropriate levels of security
• Greater data security with regard to availability, integrity and confidentiality (for private data and University Intellectual Property)
• Consistent risk management via formal security guidance and direction for all departments
• Compliance with the many University security obligations (State, Federal, grant, contractual …)
• Avoidance of breach costs and non-compliance fines
• Fewer and less severe incidents
• Protection for the University’s reputation
• Ability to attract and provide more opportunities for (secure) research
• Avoidance of a requirement to implement State security standards