IT Security Policies and Campus Networks Translating security policy to practical campus networking...
IT Security Policies and Campus Networks
Translating security policy to practical campus networking
Sara McAneney
IT Security Officer
Trinity College Dublin
16/11/2007
Overview
• Creating the Security Policy
• The Implementation Dilemma
• What makes the Campus Environment Different?
• The Answer
• Trinity College Dublin Implementation…
Campus Networks & Security
90’s 2002/3 2007 ??
Cultural Resistance
Gradual infiltration
Acceptance
Rapid Catch Up
Maturity!
2003/04
• Sobig
• Slammer
• Lovgate
• Fizzer
• Blaster/Welchia/Mimail
• Randex
• Sasser
2005/06
• Yahoo Search Returns Faculty, Student Social Security Numbers - Utah Valley State College
• Student Information "Inadvertently" Left Exposed On Public Website - Mississippi State University
• UC-Boulder Web Site Exploit Exposes 17,500 Student Records - University of Colorado, Boulder
• University of Texas Breach Exposes Student and Staff Information - University of Texas, Dallas
• Thief Makes Off With Years Of Research Data - University of Colorado, Boulder
• University Research Information Exposes Participant Data - University of Iowa
• Stolen USB Drive Contained 18 Years of Student Information - University of Kentucky
ECAR - Policies Implemented 2006
*ECAR – Educause Centre for Applied Research - 2006 IT Security Survey 492 Respondents
Creating the Security Policy
• ISO 27001
• Relevant Legislation
• Organisational Environment
• Identify Assets
• Resources, e.g. UCISA Information Security Toolkit
Policy
• Main Policy
• Supporting policy areas:
  – Email
  – Internet use
  – System development etc
  – Virus and Spam
  – Software Development
  – Data Backup
  – Disaster Recovery
Implementation….
• Governing Body Approval
• Communication to Users
• Translation to Operational Procedures
• Enforcement
Campus Implementation Difficulties
• Traditional ethos of free & open access to systems and information
• Diverse user base - Admin, teaching, research, grids, commerce, corporations, clubs, societies, college life, public guests
• Complex collaborative arrangements - institutions, individuals and industry
• Need to facilitate the rapid adoption of emerging & often immature technologies
• Diversity and decentralised management…
Traditional Implementation
[Diagram: Policy Dissemination. Organisation chart with the labels CEO; Area Head, Area Head, IT Function; Manager; End User]
College Structure
• Governing Body
• Committees
• Schools/Faculties
• Admin Areas
• Student Representatives
• Commercial Entities
Campus Network
[Diagram labels: Governing Body; Administration; Campus Companies; Academic structure; Admin Area; Committee; Academic Unit; Students; Clubs & Societies; User Groups; Research; Research Group; End User; Central IT Function; IT Function]
Similarities with all Large Networks
• Provide High Quality, Flexible Services
• Protect Confidential data
• Protect against Internal and External Security Threats
• Comply with Legislation
• Contingency and Disaster Recovery Planning
Goal
• Despite/Because of complexity & diversity it is vital to implement an IT Security Management system.
• Risk Assessment & Mitigation
• Framework which facilitates as well as protects
The Answer?
• Management Structure - Establish IT Security Governance/Management Structure
• Involve Stakeholders - Identify key stakeholders and involve in creating policy, encourage ongoing communication.
• High Value Assets - Identify core IT Assets and prioritise
• Segregation - Appetite for Risk
• Flexibility – make provision for high risk activity - Research, new technology etc
Trinity College Timeline
2003 2004 2005 2006 2007
IT Security Policy approved by Governing Body
User Awareness Campaign Email, Pamphlet, Website
Translation to Operational procedures
Identification of Stakeholders
Policy Review & Revision
Adoption of Security Technologies
Implementation
• Governance - Internal Agreements - Central computing department & local IT interests.
• Regular Communication
• Dissemination to IT Administration Staff & End Users
• Translation to Operational Practices
• Adoption of Technologies
IT Governance
[Diagram labels: Governing Body; Autonomous Network (twice); Trinity College Data Network; Local Area Support Reps; End User]
Translation to operating procedures
Adopting Technologies
• Network Security – VPN, VLANs, Firewall, IDS, NAC, 802.1x, guest network services, Eduroam
• Host Security – Automatic Updates, Centrally Managed AV
• Enterprise Directory – Secure Authentication
• Application Security – Encryption, Risk Analysis
• Removal of Insecure Protocols
Defense in Depth
• Network: Firewall, Intrusion Detection, VPN, NAC
• Hosts: Malware Protection, Software updates, Audit Logs, Standardised Build
• Server: Malware Protection, Software updates, Audit Logs, Standardised Build
• Application: Standards, Audit, Encryption, Threat Modelling, Audit Logs
• User: Code of Conduct, Online Password change
[Diagram, Risk Management: network areas labelled Teaching & General; Research; Student Services; Wireless Services; Autonomous Networks; Specialised Production (cash registers etc); Specialised research; Central Services (Web, Mail, Proxy etc)]
Focus on Key Assets
• Staff/Student Data
• Financial Data
• Medical Data
• Research Data
Assessing the Progress
• Improved communications – move away from duplication of service
• Improved focus – strategic planning
• Improved Visibility
• Incident Reporting
• Internal Audit – systems, applications,
• External Audit
Was it Successful?
[Chart: Disruptive Security Incidents. Number of incidents (No.) by Year, 2002 to 2007]
Did it hurt?
• Time
• Financial Cost
• Complexity..
Future Challenges
• Exploding User Numbers – students/public on network, Guests, Eduroam
• Non traditional networked devices - PDA’s, phones, Xboxes, cameras, CEPOS
• Disappearing Network Boundary
• Rapid Adoption of New technology
• Changing Threat profile
• Data privacy concerns – Help users protect their personal/financial data
• More important than ever to deal with these challenges via a strong IT Security Framework
Keeping Security on the Agenda
Security vs. Usability
References:
http://www.tcd.ie/itsecurity/policies/index.php
http://www.educause.edu/ecar
http://www.ucisa.ac.uk/