Crafting IT Security Policy - Community IT Innovators Webinar Series, April 23, 2015

Upload: community-it-innovators

Post on 15-Jul-2015


Webinar Tips

• Interact: Ask questions via chat. Connect on Twitter.

• Focus: Avoid multitasking. You may just miss the best part of the presentation.

• Webinar PowerPoint & Recording: PowerPoint and recording links will be shared after the webinar.

About Community IT

Our skilled and certified team of IT professionals serves the greater Washington nonprofit community, helping organizations of all sizes and capacities to advance mission through the effective use of technology.

Invested: Work exclusively with nonprofit organizations, serving over 900 since 1993.

Strategic: Help our clients make IT decisions that support mission.

Collaborative: Team of over 30 staff who empower you to make informed IT choices.

Presenter

Johan Hammerstrom, President

[email protected]

@hammerstromj

Agenda

• IT Threat landscape in 2015

• CIA Security Framework

• Security as IT Policy

• IT Policy Guidelines

Record year for breaches

• Target & Home Depot

• Celebrity iCloud hack

• Sony Pictures, “Dark Hotel”

• Heartbleed, Sandworm, Wirelurker

• Superfish

Times have changed

• Firewalls only protect the data that stays behind them

• Passwords are no longer secure

• Anyone can be a hacker

Security Framework

http://commons.wikimedia.org/wiki/File:Seattle_library_framework_inside.jpg

CIA Security Framework

Confidentiality

• Who can read the data?

• Controlling access to the data

Risk: Disclosure of information

LOW: Disclosure of information could be expected to have a limited adverse effect.

MODERATE: Disclosure of information could be expected to have a serious adverse effect.

HIGH: Disclosure of information could be expected to have a severe or catastrophic effect.

Integrity

• Who can edit data?

• Ensuring accuracy of the data

Risk: Modification or destruction of data

LOW: Modification or destruction of data could be expected to have a limited adverse effect.

MODERATE: Modification or destruction of data could be expected to have a serious adverse effect.

HIGH: Modification or destruction of data could be expected to have a severe or catastrophic effect.

Availability

• Is data accessible?

• Ensuring access to the data when needed

Risk: Disruption of access to information

LOW: Disruption of access to or use of information could be expected to have a limited adverse effect.

MODERATE: Disruption of access to or use of information could be expected to have a serious adverse effect.

HIGH: Disruption of access to or use of information could be expected to have a severe or catastrophic effect.

CIA Security Framework

Inventory Your Data

http://commons.wikimedia.org/wiki/File:Modern_warehouse_with_pallet_rack_storage_system.jpg

Inventory your Data

• Exhaustive list of all organizational data

• Analyze it from the 3 CIA Perspectives

• Assign a Low, Moderate, High Risk

CIA analysis

• PDF of signed Annual Performance Review

  • Confidentiality: Limit to HR and Supervisor (this may be a regulatory issue) - HIGH

  • Integrity: Data should not change and must have utmost confidence file is not altered - HIGH

  • Availability: Needed only upon request, 2-3 days - LOW

CIA analysis

• Accounting System

  • Confidentiality: Limit to Finance Department and President - MODERATE

  • Integrity: Constantly updated. Roll back last thirty days’ activity. Must have record of who changed what. - HIGH

  • Availability: Downtime 8 hrs acceptable. - MODERATE

CIA Inventory

                    Confidentiality  Integrity  Availability
Sensitive Data
  Medical Records   High             High       High
  Donor Contacts    Moderate         High       Moderate
  Financial System  Moderate         High       Moderate
  HR Records        High             Moderate   Low
Less Sensitive
  Email             Moderate         High       High
  Grant Proposals   Low              Moderate   High
  Program Mgmt      Low              Moderate   Moderate

Security as IT Policy

http://commons.wikimedia.org/wiki/File:Stipula_fountain_pen.jpg

IT Policy

Agreed upon system of principles to guide IT decision making and achieve certain IT outcomes. Written as a statement of intent, implemented as IT procedure or protocol.

http://en.wikipedia.org/wiki/Policy

IT Policy

Organization agrees on decisions and outcomes related to IT Security. Agreement is documented in writing.

IT Department Policy

http://commons.wikimedia.org/wiki/File:Michael_Holley_Computer_1978_NWCN.jpg

IT Department Policy

Informs both Architecture and Process. Should include:

• Identity and Access Management

• Endpoint Management

• Data Retention

Confidentiality Applied

• Segregate data based on inventory

• Restrict/remove remote access to sensitive data

• Consider logging and monitoring

Integrity Applied

• Maintain anti-virus & anti-malware

• Restrict permissions as much as possible

• “Harden” servers

• Scan for vulnerabilities on a schedule

• Lock doors and install fire alarms

Availability Applied

• Identify availability requirements

• Invest appropriately

• Backup rule: KISS!

• Keep extra hardware on hand

• Develop business continuity plan

End User Policy

http://commons.wikimedia.org/wiki/File:The_Park_Northpoint_-_Open_Plan_Office_Space.jpg

End User Policy

• Security Culture & End-User Training

• Password Policy

• BYOD (and BYOA) Policy

• Written Appropriate Use Policy

If Putin gave you a USB charger… would you use it?

http://www.worldcrunch.com/rss/default/m1c0s13958/#.VL_ExMaH044

End-User Training

• User awareness is best defense

• How do we engage users?

• Make it mandatory, but fun

• Training should be ongoing

• Must be embraced by all staff

Password Policy

http://commons.wikimedia.org/wiki/File:Master_lock_with_root_password.jpg

Password Policy

• Should passwords be changed regularly?

• Can they be complex enough to be secure?

• Where else are company passwords being used?

Password Management

• Password managers allow users to store many passwords conveniently

• The best ones generate passwords for you and warn you to change them after breaches

• Options: LastPass, 1Password, Secret Server, AuthAnvil

Dual Factor Authentication (2FA)

• Adds physical security to password

• Much easier to use and deploy than it was two years ago

• Google Authenticator

http://commons.wikimedia.org/wiki/File:EToken_PASS.jpg

BYOD Policy

BYOD Security Risks

“Bring Your Own Device”

• Confidentiality – Data leakage

• Integrity – “Vector” into the company

• Availability – Malware, Targeted hacking

Legal Risks

• Legislated law is thin

• Case law is uncertain

• Exempt staff working without compensation

• Personal device and data could be subpoenaed

Financial Risks

• Stipends might cost more

• IT Support can become entangled

• Exempt staff need to be paid

• Mobile Device Management (MDM) can be expensive

BYOD policy questions

• What level of access is provided?

• What level of support is provided? And for which staff?

• Should devices be managed and controlled? For which staff?

CIA Inventory

Data                Confidentiality  Integrity  Availability  Policy
Sensitive
  Medical Records   High             High       High          no BYOD, segment wifi
  Donor Contacts    Mod              High       Mod           Published App
  Financial System  Mod              High       Mod           Published App
  HR Records        High             Mod        Low           no BYOD
Less Sensitive
  Email             Mod              Mod        High          BYOD
  Grant Proposals   Low              Mod        High          BYOD
  Program Mgmt      Low              Mod        Mod           BYOD
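The inventory slides leave the step from CIA ratings to a BYOD decision implicit. The following is an added example, not code from the webinar or from Community IT, that parses an inventory kept as plain text (names with spaces, the "Moderate"/"Mod" spellings used on the two slides, invalid ratings rejected), computes an overall impact level for each asset, and derives the BYOD policy. Two assumptions are mine: the overall level uses a high-water mark (the worst of the three ratings, as in FIPS 199, whose impact wording the slides echo), and the policy rule (High confidentiality: no BYOD; Moderate confidentiality with High integrity: published app only; otherwise BYOD) is inferred from the policy column of the table, which the webinar never states as a rule. The "segment wifi" note on Medical Records is not modelled. The sample inventory text is constructed from the slide.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Risk rating for one CIA perspective, ordered so max() yields the worst case."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Accept both spellings used on the webinar's inventory slides ("Moderate" and "Mod").
_RATING_ALIASES = {
    "low": Impact.LOW,
    "mod": Impact.MODERATE,
    "moderate": Impact.MODERATE,
    "high": Impact.HIGH,
}


@dataclass(frozen=True)
class DataAsset:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def parse_rating(token: str) -> Impact:
    """Turn a rating word from the inventory into an Impact; reject anything else."""
    try:
        return _RATING_ALIASES[token.strip().lower()]
    except KeyError:
        raise ValueError(
            f"unknown risk rating {token!r}; expected Low, Moderate/Mod or High"
        ) from None


def parse_inventory(text: str) -> list:
    """Parse inventory lines of the form '<data name> <C> <I> <A>'.

    Names may contain spaces, so the last three tokens are the ratings and the
    rest is the name. Blank lines and group headers such as 'Sensitive Data'
    (fewer than four tokens) are skipped.
    """
    assets = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4:
            continue
        name = " ".join(tokens[:-3])
        c, i, a = (parse_rating(t) for t in tokens[-3:])
        assets.append(DataAsset(name, c, i, a))
    return assets


def overall_impact(asset: DataAsset) -> Impact:
    """High-water mark (FIPS 199 style; an assumption here, not the webinar's method):
    an asset is as sensitive as its worst CIA rating."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def byod_policy(asset: DataAsset) -> str:
    """Derive the BYOD policy for an asset.

    ASSUMPTION: this rule is inferred from the policy column of the webinar's
    table, which the slides never state as a rule.
    """
    if asset.confidentiality == Impact.HIGH:
        return "no BYOD"
    if asset.confidentiality == Impact.MODERATE and asset.integrity == Impact.HIGH:
        return "Published App"
    return "BYOD"


# Constructed sample: the slide's inventory as a practitioner might keep it in a text file.
SAMPLE_INVENTORY = """
Sensitive Data
Medical Records High High High
Donor Contacts Mod High Mod
Financial System Mod High Mod
HR Records High Mod Low
Less Sensitive
Email Mod Mod High
Grant Proposals Low Mod High
Program Mgmt Low Mod Mod
"""


def policy_table(text: str = SAMPLE_INVENTORY) -> dict:
    """Map each asset name to (overall impact name, BYOD policy)."""
    return {
        asset.name: (overall_impact(asset).name, byod_policy(asset))
        for asset in parse_inventory(text)
    }


if __name__ == "__main__":
    for name, (impact, policy) in policy_table().items():
        print(f"{name:<17} overall={impact:<9} policy={policy}")
```

Keeping the rule in one function means that when the organization revisits a rating (say, raising Email's integrity to High as the earlier inventory slide does), the policy column is regenerated rather than edited by hand, and a rating outside the agreed vocabulary fails loudly instead of silently landing in the permissive default.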

Write it Down

http://commons.wikimedia.org/wiki/File:Stipula_fountain_pen.jpg

Upcoming Webinar

Microsoft Ignite Recap

Thursday May 21, 4:00 – 5:00 PM EST

Matthew Eshleman & Steve Longenecker

After the webinar

Connect with us

Provide feedback: Short survey after you exit the webinar. Be sure to include any questions that were not answered.

Missed anything? Link to slides & recording will be emailed to you.

Questions?

http://commons.wikimedia.org/wiki/File:20_questions_1954.JPG

Image author: DuMont Television/Rosen Studios, New York-photographer, uploaded by We hope at en.wikipedia