University IT Policy Office http://www.itpo.iu.edu - PowerPoint PPT Presentation

Slides: 20
Provided by: tomd9

Transcript and Presenter's Notes

1
Critical Nature of Security at IU
Mark Bruhn, University IT Policy Officer
Tom Davis, University IT Security Officer
Office of the Vice President for Information Technology
2
Agenda
  • IT Policy Office (ITPO) Services
  • ITPO Summary
  • IT Security Office (ITSO) Overview
  • ITSO Services
  • Top 10 Security Mistakes
  • LSP Responsibilities
  • Policy and Security Contacts

3
ITPO Services
  • Scope is all campuses and all departments.
  • IT policy development, dissemination, education,
    and interpretation (coordinating with many
    University offices and groups).
  • Electronic information policy development and
    education (in conjunction with data management
    committees).
  • Coordinating response to incidents of abuse or
    misuse of information technology.
  • Coordinating response or advising departments
    engaged in response to incidents of abuse or
    inappropriate use of electronic information.
  • Global Directory Services: identification,
    authentication, authorization, and enterprise
    directories.

4
ITPO Summary
  • Function dedicated to developing and maintaining
    consistent IT Appropriate Use Policy (AUP).
  • Education on common issues, appropriate use, and
    University IT policy.
  • Assistance in reviewing specific situations and
    analyzing and determining appropriate IT policy.
  • Assistance in coordinating appropriate technical
    investigation for violations of law or policy.

5
ITPO Summary (continued)
  • Assistance in packaging technical information for
    IU governance agencies, IU legal counsel, law
    enforcement, prosecutors, University
    administration, etc.
  • Common and consistent incident response.
  • Incident statistics collection and reporting.
  • Assistance in determining incident cost, valuable
    in determining appropriate safeguards.
  • Formal on-line incident tracking and archiving. 
  • http://www.itpo.iu.edu

6
ITSO Overview
  • Report jointly to the Vice President for
    Information Technology (VPIT) and the IT Policy
    Office (ITPO)
  • University-wide office
  • Six security engineers/analysts located at IUB
    and IUPUI
  • Staff knowledgeable in a wide range of
    technologies (Unix, Windows, MVS, Networks,
    Encryption, etc.)

7
ITSO Services
  • Provide IT security awareness and education
  • Provide IT security guidelines and standards
  • Provide security consulting and review
  • Maintain production services
  • Investigate and document IT security incidents

8
Services - Security Awareness and Education
  • General education and/or presentations on common
    security issues
      • http://www.itso.iu.edu/staff/ajk/
  • Comprehensive resource for information on
    security alerts, bulletins, and patches
      • http://www.itso.iu.edu/
      • https://www.itso.iu.edu/services/alerts/

9
Services - Security Guidelines and Standards
  • Function dedicated to developing and maintaining
    consistent security standards.
  • Comprehensive resource for security information,
    resources, etc.
      • http://www.itso.iu.edu/howto/
  • Resource for security related software
      • https://www.itso.iu.edu/services/
      • http://iuware.indiana.edu

10
Services - Security Consulting and Review
  • Assistance in reviewing specific situations and
    analyzing exposures.
  • Technical architecture diagram required
  • Data flow diagram beneficial

11
Services - Production Services
  • Security scanning in support of system
    administrators and audit activities
      • https://www.itso.iu.edu/scanner/
  • Central Kerberos authentication servers
  • Central SafeWord token authentication servers

12
Services - IT Security Incidents
  • Assistance in coordinating appropriate technical
    investigation of security breaches.
  • Assistance in packaging technical security
    information for IU governance agencies, IU legal
    counsel, law enforcement, prosecutors, university
    administration, etc.
  • Common and consistent incident response.

13
Top 10 Security Mistakes
  • Installing unnecessary programs and services.
  • Not keeping current on software patches,
    especially security related ones.
  • Not installing anti-virus software and keeping
    its virus patterns current.
  • Opening e-mail attachments from unknown people.
  • Bringing up lab (test) machines and forgetting
    about them.

14
Top 10 Security Mistakes (continued)
  • Lack of adequate training to administer the
    system.
  • Inadequate handling of sensitive data (gathering
    more than what they need, keying files off of
    SSN, etc.)
  • Not deploying encryption where available.
  • Propagating virus hoaxes and chain mail.
  • Sharing passwords.

15
LSP Action Items
  • Stay current on security issues
      • subscribe to ITSO Alerts service
      • monitor security related mailing lists (e.g.
        ntbugtraq, bugtraq)
      • routinely visit ITSO web site
  • Secure all systems before attaching to network
      • apply all security related patches
      • turn off unneeded services

16
LSP Action Items (continued)
  • Perform vulnerability assessment scans
      • when newly installed
      • after operating system or software upgrades
      • every 30 days
  • Install software to armor systems
      • Norton AntiVirus (update virus patterns weekly)
      • TCPWrappers, sudo
      • SSH

17
LSP Action Items (continued)
  • Know your systems and data
      • create a technical architecture diagram
          • hardware
          • operating systems
          • services running
          • criticality
      • create a data flow diagram
          • location
          • sensitivity level

18
Policy and Security Contacts
  • For IT incidents involving threats to personal
    safety/physical property or illegal activities,
    immediately contact campus police.
  • For IT security or abuse incidents requiring
    immediate attention, call your local Support
    Center or Network Operations Center. 
  • To report IT security or abuse incidents:
    it-incident_at_iu.edu
  • For IT policy assistance: itpo_at_iu.edu
  • For IT security assistance: itso_at_iu.edu

19
Questions?