IT Security Policies and Campus Networks
Translating security policy to practical campus networking
Sara McAneney, IT Security Officer, Trinity College Dublin, 16/11/2007
Overview
• Creating the Security Policy
• The Implementation Dilemma
• What makes the Campus Environment Different?
• The Answer
• Trinity College Dublin Implementation…
Campus Networks & Security
Timeline (figure), 1990s to 2002/3 to 2007 and beyond (??):
• Cultural Resistance
• Gradual Infiltration
• Acceptance
• Rapid Catch Up
• Maturity!
2003/04
• Sobig
• Slammer
• Lovgate
• Fizzer
• Blaster/Welchia/Mimail
• Randex
• Sasser
2005/06
• Yahoo Search Returns Faculty, Student Social Security Numbers - Utah Valley State College
• Student Information "Inadvertently" Left Exposed On Public Website - Mississippi State University
• UC-Boulder Web Site Exploit Exposes 17,500 Student Records - University of Colorado, Boulder
• University of Texas Breach Exposes Student and Staff Information - University of Texas, Dallas
• Thief Makes Off With Years Of Research Data - University of Colorado, Boulder
• University Research Information Exposes Participant Data - University of Iowa
• Stolen USB Drive Contained 18 Years of Student Information - University of Kentucky
ECAR - Policies Implemented 2006 (chart)
* ECAR (Educause Centre for Applied Research), 2006 IT Security Survey, 492 respondents
Creating the Security Policy
• ISO 27001
• Relevant Legislation
• Organisational Environment
• Identify Assets
• Resources, e.g. UCISA Information Security Toolkit
Policy
• Main Policy
• Supporting policy areas:
– Email
– Internet use
– System development etc.
– Virus and Spam
– Software Development
– Data Backup
– Disaster Recovery
Implementation….
• Governing Body Approval
• Communication to Users
• Translation to Operational Procedures
• Enforcement
Campus Implementation Difficulties
• Traditional ethos of free & open access to systems and information
• Diverse user base - Admin, teaching, research, grids, commerce, corporations, clubs, societies, college life, public guests
• Complex collaborative arrangements - institutions, individuals and industry
• Need to facilitate the rapid adoption of emerging & often immature technologies
• Diversity and decentralised management…
Traditional Implementation
Org chart (figure): CEO → Area Heads and IT Function → Managers → End Users
Policy Dissemination follows the management hierarchy
College Structure
• Governing Body
• Committees
• Schools/Faculties
• Admin Areas
• Student Representatives
• Commercial Entities
Campus Network (figure): Governing Body at the top; beneath it Administration (Admin Area, Committee, End Users), Campus Companies (End Users), Academic structure (Academic Unit, Committee, End Users), Students (Clubs & Societies, User Groups, End Users), Research (Research Group, End Users) and the Central IT Function (IT Function)
Similarities with all Large Networks
• Provide High Quality, Flexible Services
• Protect Confidential data
• Protect against Internal and External Security Threats
• Comply with Legislation
• Contingency and Disaster Recovery Planning
Goal
• Despite/because of complexity & diversity, it is vital to implement an IT Security Management System.
• Risk Assessment & Mitigation
• Framework which facilitates as well as protects
The Answer?
• Management Structure - Establish IT Security Governance/Management Structure
• Involve Stakeholders - Identify key stakeholders and involve in creating policy, encourage ongoing communication.
• High Value Assets - Identify core IT Assets and prioritise
• Segregation - Appetite for Risk
• Flexibility - make provision for high-risk activity: research, new technology etc.
Trinity College Timeline
Timeline (figure), 2003 to 2007:
• IT Security Policy approved by Governing Body
• User Awareness Campaign: Email, Pamphlet, Website
• Translation to Operational Procedures
• Identification of Stakeholders
• Policy Review & Revision
• Adoption of Security Technologies
Implementation
• Governance - Internal Agreements between the central computing department & local IT interests
• Regular Communication
• Dissemination to IT Administration Staff & End Users
• Translation to Operational Practices
• Adoption of Technologies
IT Governance
Diagram (figure): Governing Body above the Trinity College Data Network; Autonomous Networks and Local Area Support Reps sit between the central network and End Users, each translating policy to operating procedures
Adopting Technologies
• Network Security: VPN, VLANs, Firewall, IDS, NAC, 802.1X, guest network services, Eduroam
• Host Security: Automatic Updates, Centrally Managed AV
• Enterprise Directory: Secure Authentication
• Application Security: Encryption, Risk Analysis
• Removal of Insecure Protocols
Defense in Depth
Layered diagram (figure):
• Network: Firewall, Intrusion Detection, VPN, NAC
• Servers and Hosts: Malware Protection, Software Updates, Audit Logs, Standardised Build
• Application: Standards, Audit, Encryption, Threat Modelling, Audit Logs
• User: Code of Conduct, Online Password Change
Risk Management
Diagram (figure), network segments by risk: Teaching & General; Research; Student Services; Wireless Services; Autonomous Networks; Specialised Production (cash registers etc.); Specialised Research; Central Services (Web, Mail, Proxy etc.)
Focus on Key Assets
• Staff/Student Data
• Financial Data
• Medical Data
• Research Data
Assessing the Progress
• Improved communications – move away from duplication of service
• Improved focus - strategic planning
• Improved Visibility
• Incident Reporting
• Internal Audit - systems, applications
• External Audit
Was it Successful?
Chart (figure): Disruptive Security Incidents per year, 2002 to 2007 (vertical axis: No., 0 to 8)
Did it hurt?
• Time
• Financial Cost
• Complexity...
Future Challenges
• Exploding User Numbers: students/public on network, Guests, Eduroam
• Non-traditional networked devices: PDAs, phones, Xboxes, cameras, CEPOS
• Disappearing Network Boundary
• Rapid Adoption of New Technology
• Changing Threat Profile
• Data privacy concerns: help users protect their personal/financial data
• More important than ever to deal with these challenges via a strong IT Security Framework
Keeping Security on the Agenda
Security vs. Usability
References:
http://www.tcd.ie/itsecurity/policies/index.php
http://www.educause.edu/ecar
http://www.ucisa.ac.uk/