University Information Security and Privacy Policy Framework - PowerPoint PPT Presentation

Provided by: itUtahEdu

1
University Information Security and Privacy
Policy Framework
  • Chris Kidd
  • OIT Compliance Office

2
Information Security & Privacy Policy
  • Why are we presenting this to you?

3
Information Security & Privacy Policy
  • What is the problem with the current framework?
  • 68 different policies on campus dealing with
    Information Security and Privacy.
  • Confusing and hard to identify what requirements
    apply to individual groups.
  • Inconsistencies between policies.

4
Information Security & Privacy Policy
  • What is the problem with the current framework?
  • Gaps, may not address all current and future
    regulatory requirements.
  • Current policy may be inadequate for those with
    confidential data but overly strict for those
    with less sensitive data.
  • Some policies are too specific.

5
Information Security & Privacy Policy
  • Goals of the Proposed Framework
  • Single consolidated policy for campus.
  • Flexible - Will address various needs and
    requirements without burdening groups that do
    not share those requirements.
  • Adaptable - Requirements can be changed by
    reclassifying data rather than rewriting policy.
  • Measurable - Consistently measurable across campus.
  • Accountability - Responsible parties clearly
    identified.
  • Benchmarking - Compare security and privacy
    posture with other entities.

6
Information Security & Privacy Policy
  • To meet these goals, the Policy will be based on
    ISO 27002 and OECD.
  • These are the most respected and recognized
    international standards for information security
    and privacy. Adopting these standards will
    facilitate future certification, which will
    support the exchange of information and
    international research.

7
Step 1 - Map Requirements
  • Many regulations, such as HIPAA, FERPA, GLBA, PCI,
    etc., map directly to the elements of ISO 27002
    and OECD.
  • Rather than reinvent the wheel, map regulatory
    and other requirements to ISO 27002 and OECD and
    base the policy on them.
  • We are at this phase now.

8
Step 2 - Data Classification Model
  • Define a Data Classification Model that can be
    applied to any data set or service across the
    University

Sample Classification Model (Label - Classification Detail)
  • Public - Data for which there is no expectation of
    privacy or confidentiality. Data owners have decided
    to publish or make the data public. GRAMA
    classification: public.
  • Sensitive - Data which the Data Owners have not
    decided to publish or make public. Inappropriate
    disclosure may noticeably affect the University's
    mission, reputation, or interest. GRAMA
    classification: private.
  • Confidential - Data critical to the mission of the
    University, and personally identifiable information
    on students, faculty, or staff. Inappropriate
    disclosure of this class of data may violate, harm,
    or impede an organization's mission, reputation, or
    interest.
  • Regulated - Data subject to legal regulation or
    contractual obligation, including Protected Health
    Information.

9
Step 3 - Security & Privacy Philosophy
  • High Level Policy from Senior University
    Leadership that states
  • Values and Support for Information Security and
    Privacy
  • Delegates policy responsibilities to appropriate
    groups
  • Will not contain details or requirements

10
Step 4 - Policy Creation
  • Create policy directly from ISO 27002 elements,
    with additional requirements if needed
  • Add Data Classification Labels to policy elements
  • Standards and Guidelines as needed to address
    specifics and ambiguities in requirements

11
Sample - Access Control
Columns: ISO 27002 Section / Control / Data Classification /
Responsible Party / Quality Metrics (Low, Medium, High)
  • 11 Access Control
  • 11.1 Business requirement for access control
  • 11.1.2 Access control policy - An access control
    policy should be established, documented, and
    reviewed based on business and security
    requirements for access.
      Data Classification: Sensitive, Confidential, Regulated
      Responsible Party: Data Steward
      Metrics: Low = No policy; Medium = Has policy;
      High = Enforces policy
  • 11.2 User access management
  • 11.2.1 User registration - There should be a formal
    user registration and de-registration procedure in
    place for granting and revoking access to all
    information systems and services.
      Data Classification: Confidential, Regulated
      Responsible Party: Data Custodian
      Metrics: Low = No procedure; Medium = Partially
      implemented procedure; High = Fully implemented
      procedure
  • 11.2.2 Privilege management - The allocation and
    use of privileges should be restricted and
    controlled.
      Data Classification: Confidential, Regulated
      Responsible Party: Data Custodian
      Metrics: Low = Not implemented; Medium = Partially
      implemented; High = Fully implemented
  • 11.2.3 User password management - The allocation of
    passwords should be controlled through a formal
    management process.
      Data Classification: Sensitive, Confidential, Regulated
      Responsible Party: Data Custodian
      Metrics: Low = Not implemented; Medium = Partially
      implemented; High = Fully implemented

12
Step 5 - Approval
  • Academic Senate for Philosophy Statement
  • ITC for Policies

13
Step 6 - Policy Requirements Training
  • Lori Vuyk - New Training Program Manager

14
Step 7 - Policy Implementation
  • Data Stewards classify their data and services
    using approved data classification model
  • Create implementation plans for policy
    requirements
  • Training, Audit, and Metrics will be derived
    directly from University Policy

15
Discussion Forums
  • Discussion Forums
  • Visit www.compliance.utah.edu for dates and times