The Impact of Evolving IT Security Concerns On Cornell Information Technology Policy
General Context
• Cornell is not unique: it remains plagued by a growing spectrum of IT security concerns.
• In response, Cornell has:
  • Created a security program
  • Begun developing a suite of university policies to better support Cornell's ability to address new security challenges effectively.
Policy Review
• RESPONSIBLE USE OF ELECTRONIC COMMUNICATIONS
  • Became policy in 1995
  • "Cornell University expects all members of its community to use electronic communications in a responsible manner. The university may restrict the use of its computers and network systems for electronic communications, in response to complaints presenting evidence of violations of other university policies or codes, or state or federal laws."
  • Parts of this policy are now reflected in new policy development; it will likely be refined to focus only on issues of abuse in the future.
Policies Under Development
• Reporting Electronic Security Incidents
  • In draft (August 29th, 2003)
  • Reason for Policy
  • "Prompt and consistent reporting of electronic security incidents protects and preserves these resources by enabling expeditious action in the event of such an incident, and aids the university in compliance with applicable law."
Reporting Electronic Security Incidents - Procedures
• "If you suspect that an electronic security incident may have occurred or may be imminent, you are expected to take the actions detailed …"
• Contact your local support provider or the Cornell Network Operations Center.
• The local support provider is obligated to collect relevant information and report to Security.
• The Security Office will open a problem report and has the authority to "perform any action necessary …"
Security Of Information Technology Resources
• Draft (August 29th, 2003)
• Reason for Policy
• "[T]he university must preserve its information technology resources, comply with applicable laws and regulations, comply with other university or unit policy regarding protection and preservation of data, and fulfill its missions. Toward these ends, faculty, staff, and students must share in the responsibility for the security of information technology devices."
Security Of Information Technology Resources…
• Establishes the principle that every IT device connected to the Cornell network must have at least one individual managing the security of that device.
• Defines roles (Users, Local Support Providers, Security Liaison, Unit Heads, IT Security Director)
Security Of Information Technology Resources - Procedures
• Users
  • If there is no local support provider, the user is obligated to:
    • Secure the host (strong passwords, antivirus updates, etc.)
    • Allow access by the Security Office
  • If there is a local support provider, then:
    • Report all electronic security incidents to your local support provider immediately, as detailed in University Policy 5.4.2, Reporting Electronic Security Incidents.
Security Of Information Technology Resources - Procedures
• Support Providers are obligated to:
  • Secure hosts under their control
  • Report incidents and allow access
• The Unit Security Liaison is obligated to:
  • Act as the unit's point of contact with the IT Security Director
  • Implement a security program consistent with the requirements of this policy …
Security Of Information Technology Resources - Procedures
• Unit Head
  • Obligated to appoint a Unit Security Liaison
• IT Security Director
  • "The IT Security Director is the university office with the authority to coordinate campus information technology security …"
Network Registry
• Draft (November 4th, 2003)
• Reason for Policy
• "To enhance the maintenance and security of the university network, and to alleviate potential legal liability, the university supports the creation of a central registry of devices connected to the university network."
Network Registry – Procedures
• All devices on the network must be registered in a central database.
• The registry holds all applicable information for a given device, such as MAC address, IP address, responsible party, location …
• Implied is the development of an online registration service.
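The registry only pays off operationally if it is checked against what is actually on the wire, so that an unregistered device can be found and an incident on a registered one can be routed to its responsible party and support provider (the reporting flow of the incident policy above). The following is an added example, not Cornell's registry or any code from the policy drafts: it assumes a record shape (MAC, responsible party, location, support provider) and a constructed DHCP-style lease log whose lines are invented for illustration. It normalizes the various MAC notations that show up in logs before keying on them, which is the usual cause of false "unregistered" hits.

```python
"""Device-registry reconciliation (added example; assumed record shape and log format)."""
import re
from dataclasses import dataclass

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'
    to 'aa:bb:cc:dd:ee:ff' so registry and log entries compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Registration:
    mac: str
    responsible_party: str   # person accountable for the device (assumed field)
    location: str
    support_provider: str    # who receives the incident report (assumed field)


class DeviceRegistry:
    """Central registry keyed by normalized MAC; one owner per device."""

    def __init__(self) -> None:
        self._by_mac: dict[str, Registration] = {}

    def register(self, mac: str, responsible_party: str,
                 location: str, support_provider: str) -> Registration:
        key = normalize_mac(mac)
        if key in self._by_mac:
            raise ValueError(f"{key} already registered to "
                             f"{self._by_mac[key].responsible_party}")
        rec = Registration(key, responsible_party, location, support_provider)
        self._by_mac[key] = rec
        return rec

    def lookup(self, mac: str):
        return self._by_mac.get(normalize_mac(mac))


# Constructed sample lease log (invented addresses, not real data).
SAMPLE_LOG = """\
Nov  4 09:12:01 dhcp1 dhcpd: DHCPACK on 10.10.4.21 to 00:1b:63:84:45:e6 via eth1
Nov  4 09:12:07 dhcp1 dhcpd: DHCPACK on 10.10.4.22 to 00:1B:63:84:45:E6 via eth1
Nov  4 09:13:40 dhcp1 dhcpd: DHCPDISCOVER from 3c:97:0e:aa:bb:cc via eth1
Nov  4 09:13:44 dhcp1 dhcpd: DHCPACK on 10.10.4.40 to 3c:97:0e:aa:bb:cc via eth1
Nov  4 09:15:02 dhcp1 dhcpd: DHCPACK on 10.10.4.41 to d4-be-d9-11-22-33 via eth2
"""

# Only completed leases (DHCPACK) mean a device is actually on the network.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+(?:\.\d+){3}) to (?P<mac>[0-9A-Fa-f:.\-]+) via")


def reconcile(registry: DeviceRegistry, log_text: str):
    """Return (seen, unregistered): seen maps MAC -> set of IPs it held;
    unregistered is the sorted list of seen MACs with no registry record."""
    seen: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group("mac"))
        seen.setdefault(mac, set()).add(m.group("ip"))
    unregistered = sorted(mac for mac in seen if registry.lookup(mac) is None)
    return seen, unregistered


def incident_contact(registry: DeviceRegistry, mac: str):
    """Who an incident on this MAC is routed to: (responsible party, support
    provider), or None when the device is not registered."""
    rec = registry.lookup(mac)
    return None if rec is None else (rec.responsible_party, rec.support_provider)


def build_demo_registry() -> DeviceRegistry:
    reg = DeviceRegistry()
    reg.register("00:1B:63:84:45:E6", "abc123", "Building A, Room 101", "central-helpdesk")
    reg.register("3c97.0eaa.bbcc", "xyz789", "Building B, Room 20", "dept-support")
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    seen, unregistered = reconcile(reg, SAMPLE_LOG)
    for mac in unregistered:
        print(f"unregistered device {mac} seen at {sorted(seen[mac])}")
    print("incident on 00:1b:63:84:45:e6 goes to", incident_contact(reg, "00:1b:63:84:45:e6"))
```

The unregistered list is the input to whatever enforcement the registry policy ends up with (block at the switch, redirect to the registration page), and `incident_contact` is the lookup the incident-reporting procedure needs on receipt of a report. Keying on MAC alone is a known weak point: a MAC is trivially spoofed, so the registry identifies the accountable party but does not authenticate the device.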
Policy on Authentication and Authorization
• Status: Impact Statement
• The policy's goal is to facilitate a comprehensive strategy for controlling electronic access and coordinating the deployment of university authentication and authorization mechanisms.
• Define owner(s)
• Advisory board
• Authentication vs. Authorization
• Exception process
NUBB
• Not a university policy; however …
• Users of the network are responsible for network fees, even if their system is compromised.*
• Defines a "responsible party."
• Huge impact on system awareness
• The single most positive impact on securing systems at Cornell to date.
Other Policies Worth Noting
• 1) Access to Electronic Mail. 2) Access to Network Log Data.
  • Both define "owner" and the process for access to information
  • Trying to address the issue of "privacy"
• Escrow of Encryption Keys
  • Approved policy
  • Focused on administrative data
Deployment Concerns
• Creation of the registration database
• Automation of the incident reporting and tracking process
• Education (Users, Support Providers, Security Liaisons)
• Campus participation
Closing Thoughts
• The policy development process is as important as the finished product.
• Key themes are:
  • Responsible party
  • Clearly understood processes for reporting
  • Formal authority of the Security Office
  • Development of tools to enable the smooth realization of these new policies.
• URL: http://www.cit.cornell.edu/oit/policy/drafts/