Strategies for Crafting Effective IT Security Policies

CIO Forum, March 12, 2003

Dennis Maloney & Marin Stanek

The University of Colorado at Boulder

Why Now?

Internal Drivers
• Telecommunications & wireless audit
• Campus-wide IT Strategic Plan = greater coordination & collaboration

External Drivers
• 9/11
• Federal Laws & Agencies (FERPA, HIPAA, NSF)
• State Laws
• Private Research Communities (NASA)

2002 – The Year of Policy Development

Established policies
• Computing and Network Resources for all Users (Rights and Responsibilities Doc)
• Student Email as an Official Means of Communication (FERPA, HIPAA, Confidential/Sensitive Information)
• Campus-wide Access & Authorization (Encrypted Authentication)
• Directories
• Wireless

Policies still under development
• Identity Management
• Copyright
• Antivirus

Policy Roadmap

1. A great idea for a policy
2. Then a flurry of communication occurs
3. CIO, ITS & IT Coordinators begin drafting
4. ITC discusses & revises
5. Legal Counsel advises
6. Appropriate constituencies involved
7. Endless revisions occur; life looks bleak
8. A better policy emerges because of campus input
9. Policy is reviewed & approved by CEC; ITC & LC review again
10. Policy is signed by the Chancellor
11. Policy is communicated to campus and life is good!

Policy Development: Step One – Be Aware of Existing Policies

• Federal (Research requirements, FERPA, HIPAA, Copyright)
• State (Campaign Fair Practices Act, Conflict of Interest)
• University Policies
• Current Campus Policies

Policy Development: Step Two – Conceptualizing High Priority Policies/Basic Set of Policies (Our List)

• Accountability (Rights & Responsibilities/Acceptable Use, C&NR)
• Availability (Wireless)
• Integrity (Server Security, Directories)
• Access Control (Access & Authorization, Identity Management)
• Determination of Data Sensitivity (Copyright, and Guidelines for Computer Users)
• Security Management (Network Security, Antivirus)
• Policies managing flow of information (Web Publishing Policy, Portal Policy)

Visualizing Your Policy/Practices Framework

• Accountability (Rights & Responsibilities/Acceptable Use, C&NR)
• Security Management (Network Security, Antivirus)
• Integrity (Server Security, Directories)
• Access Control (Access & Authorization, Identity Management)
• Determination of Data Sensitivity (Copyright, & Guidelines for Computer Users)
• Availability (Wireless)
• E-Policies (Web Pub, Email, Portal)

Policy Development: Step Three – Policy Outline (time saver or time sucker)

Develop a policy template
– Introduction/Purpose of the Policy
– Definitions
– Scope of the Policy
– Policy Statement (most important)
– Sanctions
– References
– Responsible Office & Review Schedule
– Date of implementation
– Attachments (might include guidelines, standards, procedures/processes)

Policy matrix headings: Name | Audience | Policy Emphasis | Technical Emphasis | Who handles the violation

Policy Development: Step Four – Discussion, Process, & Approval

• Review what other similar schools are doing (www.educause.edu) -- do your homework
• Gain support & approval from senior level – find a champion
• Contact key constituencies for informal input
• Establish or recognize who will formally approve policy
• Establish buy-in
• Provide information online & accessible from one location
• Provide an interim phase for feedback
• Develop accompanying guidelines, standards, process/procedures documentation

Educational Campaign

• Initial Announcement (from highest source possible)
• Accompanying website (includes policy, FAQ, guidelines, standards, procedures/process, AND who to contact!)
• Tailor specific messages to audiences (faculty, students, staff)
• Listen to feedback!
• Evaluate impact

Lessons Learned

1. Research & make connections w/other schools – build on what they’ve developed
2. Collaborate across campus
3. Have patience – good policy development is about building consensus and awareness
4. Maintenance = effectiveness; don’t let a policy become “dusty”

Good References

– http://www.sans.org/resources/policies/

– http://www.educause.edu

– http://www.inform.umd.edu/acupa/

– http://www.cit.cornell.edu/oit/policy/drafts/

Contact Information

• Marin Stanek, IT Initiatives Coordinator
  [email protected]

• Dennis Maloney, Executive Director, ITS
  [email protected]

• CU-Boulder Policy website:
  – http://www.colorado.edu/policies/index.html