New and Upcoming IT Security Policies at KState - PowerPoint PPT Presentation
1
New and Upcoming IT Security Policies at K-State
  • Harvard Townsend
  • Chief Information Security Officer
  • harv@ksu.edu
  • Jan. 16, 2009

2
Agenda
  • Why so many policies now?!?
  • IT security incident reporting and response
  • Data classification and security
  • Media sanitization and disposal
  • Physical security
  • Others planned for the spring
  • State policy on security awareness and training
  • New IT security threats blog

3
Why so many policies?!?
  • SSN breaches last year
  • Data classification in the works for four years
  • State media sanitization and disposal policy
  • Follow-up security audit by the state
  • More resources allocated to security and policy
    writing
  • Growing, evolving threats
  • Policies, procedures, standards, guidelines
    important in distributed, open environment

4
IT Security Incident Reporting and Response Policy
  • Approved by IRMC in November, final approval by
    CEC last week
  • Gist of the policy is that any incident or
    suspected incident must be reported to the CISO,
    especially incidents involving confidential data
  • Defines severity of incident and who must be
    notified
  • Also has extensive procedures associated with the
    policy

5
Incident Categories
  • Defined in the procedures
  • Confidential personal identity data exposure
  • Criminal activity/investigation
  • Denial of Service
  • DMCA violation
  • Malicious code activity
  • Policy violation
  • Reconnaissance activity
  • Rogue server or service
  • Spam source
  • Spear phishing
  • Unauthorized access
  • Un-patched vulnerability
  • Web/BBS defacement
  • No Incident

6
Data Classification and Security Policy
  • Four years in the works
  • Passed IRMC Dec. 18, 2008
  • Currently being reviewed by Faculty Senate,
    Deans Council
  • CEC approval expected January 2009

7
Policy
  • All University Data must be classified according
    to the K-State Data Classification Schema and
    protected according to K-State Data Security
    Standards. This policy applies to data in all
    formats or media.
  • The Vice Provost for Information Technology
    Services or designee must approve any exception
    to this policy. The Chief Information Security
    Officer must approve any exceptions to the Data
    Security Standards.

8
Data Classification Schema
  • Public
    • Public web sites
    • Course catalog and semester course schedule
    • Extension publications
    • Press releases
  • Internal
    • Departmental intranet
    • Budget data
    • Purchase orders
    • Student education records
    • Transaction logs

9
Data Classification Schema
  • Confidential
    • SSNs, credit card info
    • Personal identity information
    • Personnel records, medical records
    • Authentication tokens (passwords, biometric,
      personal digital certificates)
  • Proprietary
    • Data provided to or created by K-State on behalf
      of a third party
    • Federal data: Classified National Security
      Information

10
Data Security Standards
  • Access Controls
  • Copying/Printing
  • Network Security
  • System Security
  • Virtual Environments
  • Physical Security
  • Remote Access
  • Storage
  • Transmission
  • Backup/DR
  • Media Sanitization
  • Training
  • Audit Schedule

11
Effective Dates
  • Dec. 18, 2008 passed IRMC
  • January 2009 expected approval from CEC
  • Effective immediately, all new systems being
    designed and implemented must comply
  • January 1, 2010 data stewards have compliance
    plan for all systems with confidential data

12
What does this mean for you?
  • Know your data and where it is
  • Focus on confidential data first
  • SSN awareness campaign this spring
  • New Spider tool will help with discovery
  • Whole disk encryption on laptops
  • Shred those old course rosters
  • Develop plans for compliance

13
Media Sanitization and Disposal Policy
  • Draft presented to IRMC Dec. 18, 2008, 2nd draft
    will be discussed Jan. 22
  • Based on state policy that mandates we have a
    policy
  • Driven by audit of state surplus equipment
    • Sampled 15 computers
    • Recovered files from 10
    • 7 contained confidential info (SSNs, Medicaid
      info, passwords)
  • Also best practice, common sense

14
Media Sanitization and Disposal Policy
  • Modeled after federal guidelines
  • NIST SP 800-88 Guidelines for Media
    Sanitization
  • Internal re-use: purge data with 3 passes before
    reformat/reinstall
  • Leaving the university: destroy the hard drive
    (still open for debate)
  • NIST 800-88 has guidelines for all media types,
    including paper

15
What Should You Do Now?
  • Internal re-use? Overwrite ALL data on hard drive
    with 3 passes before reformat/reinstall
  • If disposing of computers, purge ALL data, remove
    the hard drive and give it to Facilities
    recycling. They have a contractor who destroys
    them for free
  • Get a micro-cut cross-cut shredder that also does
    CDs, DVDs

16
Other policies this spring
  • Driven by follow-up audit to the IT security
    audit performed by the state in 2005
  • Still have 18 areas where we have inadequate or
    no policy
  • Will provide drafts to IRMC each month, starting
    with physical security

17
Physical Security Policy
  • Prevent theft, damage, unauthorized access
  • Locks on network wiring closets/cabinets (already
    have this policy)
  • Keep office doors locked after hours
  • Store laptops and other portable devices securely
    when unattended
  • UPSes on all critical equipment

18
Other Policies From the Audit
  • Access Controls, welcome banner on login screen
    (Feb.)
  • System Development (Mar.)
  • Security Management (Apr.)
  • Operations (May)
  • We have to report on May 1, Sep. 1, and Jan. 1,
    2010; full compliance by Jan. 2010

19
New State Policy on Security Awareness and
Training
  • Passed state IT Security Council (ITSEC) in the
    fall
  • Expected to pass ITEC in January
  • Every state employee, contractor, or other third
    party shall receive annual training in IT
    security.
  • ITSEC specifies requirements
  • Have to implement processes to monitor and track
    attendance at IT security training

20
New State Policy on Security Awareness and
Training
  • Requires IT security training as part of new
    employee orientation
  • Document users' acceptance of agency security
    policies after receiving IT security training
  • All these are good but challenging in our
    environment and un-funded

21
Future Policies
  • Finish what the audit started so we have
    comprehensive IT security policies
  • Take current disparate policies and reorganize
    with these new policies into structure based on
    ISO standard and EDUCAUSE guidelines
  • 12 sections

22
Future Policy Categories
  • Security policy (Intro)
  • Organizational security
  • Asset classification
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • System development and maintenance
  • Business continuity management
  • Compliance
  • Incident management
  • Security plans

23
Challenges
  • Implementing the data classification policy is
    ominous and potentially very expensive at a time
    of serious budget challenges
  • Media sanitization a challenge for departments
    w/o IT support staff
  • Balancing security best practices with practical
    realities of K-State's culture, distributed IT
    environment, and budget limitations
  • Unfunded mandates like the security awareness and
    training policy

24
New Threats Blog
  • Post info on current threats, such as
    vulnerabilities and patches, malware, attacks,
    etc.
  • View blog, receive notices via email, or
    subscribe via RSS
  • http://threats.itsecurity.k-state.edu
  • For email, subscribe to sirt-threats LISTSERV
    mailing list

25
What's on your mind?

26
Approval Process
  • IT security team drafts policy with SIRT input
  • IRMC reviews draft, with Faculty Senate input
  • IRMC votes to recommend adoption of the policy to
    Vice Provost for IT Services
  • VP-ITS distributes to Faculty Senate, Deans
    Council for review, signature
  • Final approval by Computing Executive Committee
  • Publish in PPM