INFORMATION ASSURANCE POLICY - PowerPoint PPT Presentation

Slides: 22
Provided by: Fidd

Transcript and Presenter's Notes
1
INFORMATION ASSURANCE POLICY
2
Information Assurance
  • Information operations that protect and defend
    information and information systems by ensuring
    their availability, integrity, authentication,
    confidentiality, and non-repudiation. This
    includes providing for restoration of information
    systems by incorporating protection, detection,
    and reaction capabilities.

3
Information Assurance Objectives
  • Confidentiality - assurance that information is
    not disclosed to unauthorized persons, processes,
    or devices
  • Availability - timely, reliable access to data
    and information services for authorized users
  • Integrity - protection against unauthorized
    modification or destruction of information
  • Authentication - security measure designed to
    establish the validity of a transmission,
    message, or originator, or a means of verifying
    an individual's authorization to receive specific
    categories of information
  • Non-repudiation - assurance that the sender of data
    is provided with proof of delivery and the
    recipient is provided with proof of the sender's
    identity, so neither can later deny having
    processed the data

4
U.S. National IT Security Strategy
  • The National Strategy to Secure Cyberspace
  • February 2003

5
Reasons for not being concerned with security policy
  • Data doesn't need protecting because it isn't
    sensitive
  • Risk must be accepted as a part of doing
    business
  • Technical personnel would rather work with the
    technical system than perform the mundane tasks
    associated with policy
  • Security impedes productivity (reduces efficiency
    and costs time and money)
  • Policy is a measure to control behavior
  • Policy will be difficult to adhere to all the
    time

6
Reasons for Establishing Security Policy
  • Provides a comprehensive, integrated plan
  • Defines appropriate behavior for all
    consumers/managers of the system
  • Defines the tools and procedures needed to meet
    the determined security requirements
  • Communicates a consensus of what should be done
  • Provides authority for response to
    inappropriate behavior

7
INDIANA UNIVERSITY OF PENNSYLVANIA
  • INFORMATION PROTECTION POLICY
  • December 1, 2005
  • Approved for implementation by Dr. Tony Atwater
    and President's Cabinet
  • October 31, 2005

8
IUP POLICIES (from ATS Homepage)
  • ATS also provides guidelines on:
      – IUP Computer Account Retention Policy
      – Student Computing Rights
      – Student Computing Responsibilities
      – Guidelines for the IUP Computing Lab Facilities
      – Computing Resources Policy
      – Computer Software Policy
      – E-mail Privacy Policy
  • IUP Policy Pages
      – New Information Protection Policy (IMPORTANT
        NEW INFORMATION!)
      – IUP Use of E-mail Policy
      – Academic Affairs Policies
      – Student Affairs Policies
      – The Source Student Handbook
      – Technology Services Center Policies

9
HIERARCHICAL POLICY MODEL
  • VALUES
  • INTERESTS
    ↓
  • GOALS OR OBJECTIVES (POLICY)
  • VULNERABILITIES
  • THREATS
  • CAPABILITIES
    ↓
  • STRATEGY

10
VALUES
11
INTERESTS
12
POLICY
  • It is the policy of IUP that all information be
    used in a manner that maintains an appropriate
    and relevant level of confidentiality and that
    provides sufficient assurance of its integrity in
    compliance with existing laws and PASSHE and
    University Policies. While the elimination of
    all risk is impossible, the goal of the policy is
    to minimize the possibility of information
    misuse, corruption, and loss through adoption of
    reasonable procedures for the University
    community to follow.

13
1st Step - Define policy makers
  • Should represent all users
    (students/faculty/administrators)
  • Decide what will be the scope and goals of the
    policy
      – Who and what is covered?
      – How specific?
  • Use vision statements from Academic,
    Administrative, and Library computing as to what
    they would like to be able to do with the IT
    system to assist in guiding policy development

14
IUP IT Security Policy Chain of Responsibility
  • Information System Security Officer
  • Academic Computing Policy Advisory Committee
  • Academic Technology Operating Group
  • Administrative Computing Oversight Committee
  • Technology Services Center
  • College Deans
  • College Technology Managers
15
2nd Step - Document IT system (Vulnerabilities,
Capabilities)
  • In order to protect the system, you have to know
      – What it is
      – What it does
      – What its weaknesses are
      – What potential threats to it exist
      – What has been or is being done to mitigate the
        risks to your data and system
  • Provides institutional data about the system
  • Documenting the controls in place, or the planned
    controls, identifies specifics about a
    system's security

16
Higher Ed vs Others
  • The requirement to protect data and data systems
    is present in today's world; the security issues
    are the same
  • Open academic environment vs requirement to
    protect data and data systems
  • The open academic environment is paramount to
    faculty
  • No barriers to the flow of information either
    coming into or going out from the institution

17
Higher Ed vs Others
  • Administrative Domain
      – Restricted access to financial data
      – Restricted access to student/administrative data
      – Restricted access to alumni data
      – Restricted access to marketing data
  • Academic Domain
      – Access to instructional programs
      – Remote access (students and faculty)
  • Commonalities (but may require different
    security requirements)
      – E-mail
      – Internet access
      – Access to state and federal agencies

18
3rd Step - Assessments (Capabilities)
  • Examine current policies
  • Determine security requirements for all users
    based on
      – sensitivity and criticality of data
        processed/stored
      – relationship of the IT system to the
        organization's mission
      – economic value of the system's data and
        components
  • Examine network infrastructure and operating
    system(s)
  • Security requirements show developers,
    managers, and auditors what the system should be
    allowed to do or not do
  • Define other security-related policies to fully
    implement the institution's IT security policy

19
4th Step - Develop Strategy
  • Specify security controls to be implemented and
    maintained
  • Define access between authorized users and the
    networking environment
  • Define duties and authorization levels
  • Define chain of command responsibility for
    execution and authorization levels
      – Ensure personnel given responsibility have
        the authority to carry out their responsibilities
  • Address data ownership, confidentiality,
    availability, integrity, authentication, and
    non-repudiation standards
  • Define the system's transmission accuracy,
    integrity, and recoverability requirements to be
    met
  • Specify a process for detection and reporting
    of errors
  • Must have the approval of the institution's
    administration

20
5th Step - Specific Issues All Institutions
Should Address
  • Physical Security
  • Login Name Standards
  • Password Standards
  • Virus Protection
  • Auditing
  • Disaster Recovery/Contingency Planning
  • Training

21
Conclusions
  • Important to gather as many ideas or requirements
    from as many different types of users as possible
  • Important to win the administration's support for
    the policy process and the resulting policy
  • Policy documents
      – The system's basic security requirements
      – The controls in place
      – Planned controls
      – The responsibility of system users
      – Expected user behavior
  • Strive for industry best-practice security
  • Resulting policy has to be implemented and
    enforceable to be effective
  • Training
  • Document is dynamic