Improving Information Security at Carolina
Larry Conrad, VC and CIO
Stan Waddell, Exec. Dir. and ISO
May 18, 2011
Info Security Responsibilities
• The CIO is responsible for overall campus IT security
• The Information Security Officer and the Information Security Office organize and lead the defense
• Information Security Liaisons assigned to each unit are the coordinating point for unit actions
• “It takes a village”
  • Campus central IT staff
  • Unit distributed IT staff
  • Faculty, students and staff
• It takes a commitment from all of us…
Proposed Info Security Plan
• How to best leverage the authority given to the CIO for campus info security
• We are proposing a 5-point plan:
  • Work to bring the campus into compliance with the 10 existing Information Security policies (State Audit requires annual attestation of understanding the policies)
  • Improve security for the campus network and servers against outside attacks
  • Ensure every campus server is supported and maintained by a competent systems administrator
  • Increased focus on research data and on servers that hold sensitive data or support mission-critical operations
  • Increased focus on encrypting laptops
Info Security Policies
• Need to establish a policy base to operate from in protecting the campus
• Examples:
  • Information Security policy
  • Information Security Standards policy
  • General User Password policy
  • Systems and Applications Administrator Password policy
  • Transmission of Sensitive Information policy
  • Security Liaison policy
  • Vulnerability Management policy
  • Incident Management policy
  • Data Governance policy
  • E-mail policy (2)
Improve Network and Server Security
• Example actions:
  • Enterprise firewalls: construct a workable strategy for enhancing security at the campus network border
  • Departmental firewalls: protect high-risk servers within units
  • Block certain problematic network traffic, e.g., remote control of desktops (from the Internet)
  • Block file-sharing protocols in the Residence Halls
Ensuring Sys Admin Competency
Proposed approach:
• Develop and conduct an identification process for all campus systems and system administrators, with a focus on servers with sensitive data and mission-critical systems
• Develop and conduct an on-campus information security training program for Sys Admins
• Develop and implement a systems administration effectiveness assessment, monitoring, and remediation referral process
• Create a (fee-based) outsourced remediation process
  • Refer to a managed systems administration support cluster
  • Identify and solicit one or more third-party systems administration support services
Ensuring Sys Admin Competency
• Systems storing sensitive information should be scanned for vulnerabilities at least monthly
  • Scans can identify missing patches and improperly configured services
  • Give guidance on how to remediate vulnerabilities
• Identified vulnerabilities must be remediated
  • Critical: within 1 week
  • Medium: within a month of identification
• “Three-strikes-and-you’re-out!” philosophy
  • After the 3rd failure, the sys admin function must be outsourced
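The remediation rule on this slide (critical within 1 week, medium within a month, outsourcing after a third missed deadline) can be turned into a tracking check. The script below is an added example, not part of the original presentation; the finding records, server names and administrator names are constructed sample data, and the "strike" definition (a finding fixed after its due date, or still open past it) is an assumption about how the plan would be measured.

```python
from collections import Counter
from datetime import date, timedelta

# Deadlines stated in the plan: critical within 1 week, medium within a month.
SLA_DAYS = {"critical": 7, "medium": 30}
MAX_STRIKES = 3  # "three strikes and you're out"

# Constructed sample scan findings: (server, sys admin, severity, found, fixed or None if still open)
FINDINGS = [
    ("db01",  "alice", "critical", date(2011, 4, 1),  date(2011, 4, 5)),
    ("db01",  "alice", "medium",   date(2011, 4, 1),  None),
    ("web02", "bob",   "critical", date(2011, 4, 1),  date(2011, 4, 20)),
    ("web02", "bob",   "critical", date(2011, 4, 10), None),
    ("web02", "bob",   "medium",   date(2011, 3, 1),  date(2011, 4, 15)),
    ("fs03",  "carol", "medium",   date(2011, 5, 1),  None),
]


def due_date(severity, found):
    """Remediation deadline for a finding of the given severity."""
    return found + timedelta(days=SLA_DAYS[severity])


def sla_missed(severity, found, fixed, today):
    """Assumed strike rule: fixed after the deadline, or still open past it."""
    due = due_date(severity, found)
    if fixed is not None:
        return fixed > due
    return today > due


def strikes_per_admin(findings, today):
    """Count missed deadlines for every administrator (zero strikes are reported too)."""
    counts = Counter()
    for _server, admin, severity, found, fixed in findings:
        counts[admin] += 0  # make sure every admin appears in the report
        if sla_missed(severity, found, fixed, today):
            counts[admin] += 1
    return dict(counts)


def referrals(findings, today, max_strikes=MAX_STRIKES):
    """Administrators whose function must be referred for outsourcing."""
    strikes = strikes_per_admin(findings, today)
    return sorted(admin for admin, n in strikes.items() if n >= max_strikes)


if __name__ == "__main__":
    today = date(2011, 5, 18)  # date of the presentation, used as the report date
    print(strikes_per_admin(FINDINGS, today))  # {'alice': 1, 'bob': 3, 'carol': 0}
    print(referrals(FINDINGS, today))          # ['bob']
```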
Implications For Faculty
• Everyone on campus is responsible for protecting the University and its data, particularly sensitive data
• Policies apply campus-wide
• When in doubt, ask (report issues)
• Know where sensitive data resides…and why
• Don’t surf the web on machines with sensitive data
• Patch and configure correctly (scan to verify)
• Encrypt sensitive data and only use it when needed
• Ensure servers have competent Sys Admins
• Info security costs money and may impact grants…