COIT.minutes.2004-04-22.Appendix.A.ppt

Security Policy Development for College of IT
Rich Larsen
UNC-Charlotte College of IT
Information Security Administrator
rlarsen@uncc.edu, x4566

Security Policy Framework
• Policies define "appropriate behavior"
• Policies set the stage for developing procedures and standards
• Policies communicate a consensus
• Policies provide a basis for action in response to inappropriate behavior
• Policies assist in prosecution of cases

Who should be concerned?
• Users: policies impact them the most
• Tech Support staff: they are required to implement, comply with and support policy
• Management: concerned with the cost associated with implementing the policy
• Lawyers/Auditors: concerned with the impact on the organization's reputation as a result of an "incident"

Security Policy Design Best Practices (from SANS Institute)
• A cross-section of people affected by the policy should have an opportunity to review and comment
• Tech Support staff should be involved in development and should review the policy
• Policies should be discussed as part of the orientation process and should be posted in accessible locations (e.g., Intranet)
• Provide refresher training on policies periodically

Security Policy Requirements
Policies must:
• Be enforceable and feasible to implement
• Be concise and understandable
• Balance protection with productivity
Policies should:
• Clearly state the policy's purpose
• Describe the scope of the policy
• Define roles and responsibilities
• Discuss how violations will be handled
• Provide a basis for audit

Security Policy Structure
• Depends on the size of the organization and its mission
• Some policies are appropriate for all types of organizations; others are specific to a particular environment
• Some key policies for all organizations:
  - Acceptable use
  - Remote access
  - Network security/perimeter security

COIT Policy Framework Development
• Plan to use the ISO 17799 standard, considered the industry standard at the time (2004); it has since been renumbered ISO/IEC 27002
• Work in conjunction with ITS to ensure no conflicts
• Proposed policies will be reviewed by the COIT Task Force on Information Security and Privacy before being submitted to all faculty
• Standards/procedures will be discussed by the COIT Task Force but will not be submitted to all faculty
• "Top-down" approach

Proposed Research Lab Security Policy
• COIT research labs are the greatest potential security risks
• The nature of research requires experimentation, formulation and testing
• A security incident in a COIT lab could have a detrimental effect on external funding and the reputation of the college
• Balancing act

Proposed Research Lab Security Policy (continued)
• Roles:
  - Lab Director/Manager
  - Lab Administrator
  - Primary User
• Managed vs. unmanaged computers
• Each "network-capable device" is associated with a primary user (single point of accountability)
• The user is accountable for security issues occurring on their assigned device(s) as a result of willful disregard of policy and/or negligence
• Labs cannot host "production" IT services

Proposed Anti-virus Policy
• All Windows- and Macintosh-based computers are required to have approved anti-virus software loaded at all times
• This includes laptops/home computers which are used for remote access to campus
• Users are required to check for updates daily (or set automatic updates to run daily)
• UNIX/Linux-based computers are exempt

COIT Tech Update
• Streaming Media/E-LAT
• WebCT Upgrade
• COIT Modem Bank
• Reminder: ITS Migration Presentation/Demo tomorrow 9-12 in 125 Atkins