Strategies for Crafting Effective IT Security Policies
CIO Forum, March 12, 2003
Dennis Maloney & Marin Stanek
The University of Colorado at Boulder
Why Now?
Internal Drivers
• Telecommunications & wireless audit
• Campus-wide IT Strategic Plan = greater coordination & collaboration
External Drivers
• 9/11
• Federal Laws & Agencies (FERPA, HIPAA, NSF)
• State Laws
• Private Research Communities (NASA)
2002 – The Year of Policy Development
Established policies
• Computing and Network Resources for all Users (Rights and Responsibilities Doc)
• Student Email as an Official Means of Communication (FERPA, HIPAA, Confidential/Sensitive Information)
• Campus-wide Access & Authorization (Encrypted Authentication)
• Directories
• Wireless
Policies still under development
• Identity Management
• Copyright
• Antivirus
Policy Roadmap
1. A great idea for a policy
2. Then a flurry of communication occurs
3. CIO, ITS & IT Coordinators begin drafting
4. ITC discusses & revises
5. Legal Counsel advises
6. Appropriate constituencies involved
7. Endless revisions occur; life looks bleak
8. A better policy emerges because of campus input
9. Policy is reviewed & approved by CECITC & LC (review again)
10. Policy is signed by the Chancellor
11. Policy is communicated to campus and life is good!
Policy Development: Step One – Be Aware of Existing Policies
• Federal (Research requirements, FERPA, HIPAA, Copyright)
• State (Campaign Fair Practices Act, Conflict of Interest)
• University Policies
• Current Campus Policies
Policy Development: Step Two – Conceptualizing High Priority Policies/Basic Set of Policies (Our List)
• Accountability (Rights & Responsibilities/Acceptable Use, C&NR)
• Availability (Wireless)
• Integrity (Server Security, Directories)
• Access Control (Access & Authorization, Identity Management)
• Determination of Data Sensitivity (Copyright, and Guidelines for Computer Users)
• Security Management (Network Security, Antivirus)
• Policies managing flow of information (Web Publishing Policy, Portal Policy)
Visualizing Your Policy/Practices Framework
(Framework diagram; its components:)
• Accountability (Rights & Responsibilities/Acceptable Use, C&NR)
• Security Management (Network Security, Antivirus)
• Integrity (Server Security, Directories)
• Access Control (Access & Authorization, Identity Management)
• Determination of Data Sensitivity (Copyright, & Guidelines for Computer Users)
• Availability (Wireless)
• E-Policies (Web Pub, Email, Portal)
Policy Development: Step Three – Policy Outline (time saver or time sucker)
Develop a policy template:
– Introduction/Purpose of the Policy
– Definitions
– Scope of the Policy
– Policy Statement (most important)
– Sanctions
– References
– Responsible Office & Review Schedule
– Date of implementation
– Attachments (might include guidelines, standards, procedures/processes)
(Policy/practices comparison chart; its column headings:)
– Name
– Audience
– Policy Emphasis
– Technical Emphasis
– Who handles the violation
Policy Development: Step Four – Discussion, Process, & Approval
• Review what other similar schools are doing (www.educause.edu) -- do your homework
• Gain support & approval from senior level – find a champion
• Contact key constituencies for informal input
• Establish or recognize who will formally approve policy
• Establish buy-in
• Provide information online & accessible from one location
• Provide an interim phase for feedback
• Develop accompanying guidelines, standards, process/procedures documentation
Educational Campaign
• Initial Announcement (from highest source possible)
• Accompanying website (includes policy, FAQ, guidelines, standards, procedures/process, AND who to contact!)
• Tailor specific messages to audiences (faculty, students, staff)
• Listen to feedback!
• Evaluate impact
Lessons Learned
1. Research & make connections w/other schools – build on what they’ve developed
2. Collaborate across campus
3. Have patience – good policy development is about building consensus and awareness
4. Maintenance = effectiveness; don’t let a policy become “dusty”
Good References
– http://www.sans.org/resources/policies/
– http://www.educause.edu
– http://www.inform.umd.edu/acupa/
– http://www.cit.cornell.edu/oit/policy/drafts/
Contact Information
• Marin Stanek, IT Initiatives Coordinator
• Dennis Maloney, Executive Director, ITS
• CU-Boulder Policy website: http://www.colorado.edu/policies/index.html