Information Assurance Policy - Indiana University of Pennsylvania

INFORMATION ASSURANCE POLICY

Information Assurance
Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Information Assurance Objectives
• Confidentiality - assurance that information is not disclosed to unauthorized persons, processes, or devices
• Availability - timely, reliable access to data and information services for authorized users
• Integrity - protection against unauthorized modification or destruction of information
• Authentication - security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information
• Non-repudiation - assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data
U.S. National IT Security Strategy
The National Strategy to Secure Cyberspace, February 2003
Reasons for not being concerned with security policy
● “Data doesn’t need protecting because it isn’t sensitive”
● “Risk must be accepted as a part of doing business”
● Technical personnel would rather work with the technical system than perform the mundane tasks associated with policy
● Security impedes productivity (costs efficiency, time, and money)
● Policy is a measure to control behavior
● Policy will be difficult to adhere to all the time
Reasons for Establishing Security Policy
● Provides a comprehensive, integrated plan
● Defines appropriate behavior for all consumers/managers of the system
● Defines the tools and procedures needed to meet the determined security requirements
● Communicates a consensus of what should be done
● Provides authority for response to inappropriate behavior
INDIANA UNIVERSITY OF PENNSYLVANIA INFORMATION PROTECTION POLICY
December 1, 2005
Approved for implementation by Dr. Tony Atwater and President’s Cabinet, October 31, 2005

IUP POLICIES (from ATS Homepage)
ATS also provides guidelines on:
● IUP Computer Account Retention Policy
● Student Computing Rights
● Student Computing Responsibilities
● Guidelines for the IUP Computing Lab Facilities
● Computing Resources Policy
● Computer Software Policy
● E-mail Privacy Policy
● IUP Policy Pages
● New Information Protection Policy (IMPORTANT NEW INFORMATION!!)
● IUP Use of E-mail Policy
● Academic Affairs Policies
● Student Affairs Policies
● The Source: Student Handbook
● Technology Services Center Policies
HIERARCHICAL POLICY MODEL
VALUES + INTERESTS → GOALS OR OBJECTIVES (POLICY)
POLICY + VULNERABILITIES + THREATS + CAPABILITIES → STRATEGY

VALUES + INTERESTS → POLICY
It is the policy of IUP that all information be used in a manner that maintains an appropriate and relevant level of confidentiality and that provides sufficient assurance of its integrity in compliance with existing laws and PASSHE and University Policies. While the elimination of all risk is impossible, the goal of the policy is to minimize the possibility of information misuse, corruption, and loss through adoption of reasonable procedures for the University community to follow.
1st Step – Define policy makers
● Should represent all users (students/faculty/administrators)
● Decide what will be the scope and goals of the policy
●● Who and what is covered?
●● How specific?
● Use vision statements from Academic, Administrative, and Library computing as to what they would like to be able to do with the IT system to assist in guiding policy development
IUP IT Security Policy Chain of Responsibility
● Information System Security Officer
● Academic Computing Policy Advisory Committee & Academic Technology Operating Group
● College Deans
● College Technology Managers
● Administrative Computing Oversight Committee
● Technology Services Center
2nd Step – Document IT system (Vulnerabilities & Capabilities)
● In order to protect the system, you have to know
●● What it is
●● What it does
●● What its weaknesses are
●● What potential threats to it exist
●● What has been or is being done to mitigate the risks to your data and system
● Provides institutional data about the system
● Documenting the controls in place, or the planned controls, identifies specifics about a system’s security
Higher Ed vs Others
● The requirement to protect data and data systems is present in today’s world; the security issues are the same
● “Open” academic environment vs the requirement to protect data and data systems
●● Paramount to faculty
●● No barriers to the flow of information either coming into or going out from the institution
Higher Ed vs Others
-- Administrative Domain
● Restricted access to financial data
● Restricted access to student/administrative data
● Restricted access to alumni data
● Restricted access to marketing data
-- Academic Domain
● Access to instructional programs
● Remote access (students and faculty)
-- Commonalities (but may require different security requirements)
● E-mail
● Internet access
● Access to state and federal agencies
3rd Step – Assessments (Capabilities)
● Examine current policies
● Determine security requirements for all users based on
●● sensitivity and criticality of data processed/stored,
●● relationship of the IT system to the organization’s mission,
●● economic value of the system’s data and components
● Examine network infrastructure and operating system(s)
● Security requirements show developers, managers, and auditors what the system should be allowed to do or not do
● Define other security-related policies to fully implement the institution’s IT security policy
4th Step – Develop Strategy
● Specify security controls to be implemented and maintained
● Define access between authorized users and the networking environment
● Define duties and authorization levels
● Define chain of command responsibility for execution and authorization levels
●● Ensure personnel given responsibility have the authority to carry out their responsibilities
● Address data ownership, confidentiality, availability, integrity, authentication, & non-repudiation standards
● Define the system’s transmission accuracy, integrity, and recoverability requirements to be met
● Specify a process for detection and reporting of errors
● Has to have the approval of the institution’s administration
5th Step - Specific Issues All Institutions Should Address
● Physical Security
● Login Name Standards
● Password Standards
● Virus Protection
● Auditing
● Disaster Recovery/Contingency Planning
● Training
Conclusions
● Important to gather as many ideas or requirements from as many different types of users as possible
● Important to win the administration’s support for the policy process and the resulting policy
● Policy documents
●● The system’s basic security requirements
●● The controls in place
●● Planned controls
●● The responsibility of system users
●● Expected user behavior
● Strive for industry “best practices” security
● The resulting policy has to be implemented and enforceable to be effective
● Training
● The document is dynamic