The WVU Information Security Program ~~~~~~~~~~ If You Build It, They Will Use It

May 17, 2004 Educause/Internet2 Security Professionals Workshop


Page 1: The WVU Information Security Program ~~~~~~~~~~ If You Build It, They Will Use It

(title slide)

Page 2: Introductions

● Sue Ann Lipinski, Management Auditor, Internal Audit
● Tim Marton, Director, Information Systems
● Mark Six, Manager, Systems Administration

Page 3: Abstract

WVU is building an institution-wide information security program to ensure the continued confidentiality, integrity & availability of mission-critical information resources. This presentation discusses our incremental implementation approach, including the development of policies / standards / procedures, as well as efforts to include this program in current & future information-related activities & projects.

Page 4: Some WVU Facts

● Founded in 1867 in Morgantown, WV
● Land Grant Institution
● 13 colleges & schools, offering 170 bachelor’s, master’s, doctoral & professional degree programs
● Medical Center
● Doctoral Research Extensive Classification
● Spread over 3 Morgantown & 3 regional campuses
● Enrollment of approximately 31,800
● Faculty/Staff of 6,487

Page 5: Agenda

● Evolution of WVU’s Program
● Insight into Current Program
● Where Are We Going Next
● Words to the Wise

Page 6: Evolution of WVU’s Program

● Drivers – Internal & External
● Champions Promoted, Promoted, Promoted …
● Defined Information Security for WVU
● Developed / Updated Policies / Standards – On-going
● Identified Information Security Program Elements

Page 7: Why? Why Now?

● Internal Drivers
− Recognized Need to Protect Information Resources
− Impact of an Incident
● External Drivers
− Gramm-Leach-Bliley Act (GLB)
− Health Insurance Portability & Accountability Act (HIPAA)
− Family Educational Rights & Privacy Act (FERPA)
− The Privacy Act
− West Virginia Code 18-2-5f – Use of Student SSNs
● Demonstrate Due Diligence
− Higher Education in the Headlines

Page 8: WVU’s Security Policy

● Information Resources as Vital Assets
● Definition / Purpose of Information Security
● Elements of WVU’s Program
● Structure, Composition & Responsibilities

Page 9: WVU Information Resources

● WVU relies on numerous, diverse information resources to support the mission-critical operations of administration, education, research & service.
● If these information resources were unavailable, unreliable or disclosed in an inappropriate manner, the University could suffer damage to its reputation & incur serious financial & operational losses.
● Accordingly, WVU acknowledges that information resources are vital assets requiring protection commensurate with their value.

Page 10: Definition & Purpose

● The protection of information resources from unauthorized access, modification, destruction or harm
● The establishment of controls & measures to minimize the risk of loss or damage to information resources
● Inform users (students, staff and faculty) of essential requirements for protecting various assets, including people, hardware, software resources & data assets
● Provide a baseline from which to acquire, configure & audit computer systems & networks for compliance with the policy

Page 11: Three Tenets

● Confidentiality… addresses the protection of private, sensitive or trusted information resources from unauthorized access or disclosure
● Integrity… refers to the accuracy, completeness & consistency of information resources
● Availability… ensures reliable & timely access to information resources by appropriate personnel

Page 12: Elements of WVU’s Program

● Defined Structure w/ Central Point of Coordination
● Risk Assessment & Management
● Policies & Standards / Policy Management
● Communication & Education
● Compliance
● Reporting & Enforcement
● Procurement Oversight for Service Providers
● Security-related Projects

Page 13: Structure

(organizational chart; not captured in the transcript)

Page 14: Composition

● Reports to cabinet level authority
● Member of AAIMS Executive Committee
● Chairs the Information Security Council

Page 15: Responsibilities

● Risk management
● Policies & standards
● Communicate & educate
● Compliance
● Report & enforce
● Service provider oversight
● Security-related projects

Page 16: Composition

Chaired by Provost Office; includes VP (or Director) from:
● Academic Affairs
● Finance & Administration
● Health Sciences
● Human Resources
● Information Technology
● Internal Audit
● Library
● Student Affairs

Page 17: Responsibilities

● Sponsor the Information Security Program
● Establish an Information Security Environment
● Coordinate access to necessary support

Page 18: Composition

Chaired by the ISO; includes Information Security Representatives from the administration, faculty & staff, with support from:
● Internal Audit
● IT Specialists
● Legal Counsel
● Purchasing

Page 19: ISC Charter

● Serve as senior management sponsors of the WVU Information Security Program
● Provide management & coordination of a University-wide information security program
● Review & revise information security policies, standards and procedures
● Establish & maintain a comprehensive risk management program
● Establish & maintain an information security compliance program
● Recommend & sponsor information security awareness, communication & education programs
● Provide a forum to discuss & assess pending regulations & requirements
● Perform periodic reviews of information security incidents / violations
● Govern contractual relationships with vendors, consultants & other 3rd parties

Page 20: Composition/Responsibilities

Composition: senior level University officials

Responsibilities:
● Assist development of data definitions
● Assign data elements to categories
● Provide framework for classifying data
● Authorize access to information resources
● Implement controls to secure resources

Page 21: Composition/Responsibilities

Composition: representatives of
● Each major application/system
● Each academic college
● Each business unit
● Primary units of IT

Responsibilities:
● Disseminate policy
● Assist in detection / reporting of violations
● Departmental point-of-contact

Page 22: Composition/Responsibilities

Composition: any user authorized to access data and/or systems

Responsibilities:
● Protect information resources per 3 tenets
● Use information responsibly / appropriately
● Comply with policy

Page 23: Composition

Independent, objective appraisal function reporting to the WVU President’s Office & the Board of Governors’ Audit Committee

Page 24: Responsibilities

Assist WVU administration in the effective implementation of internal controls:
● Safeguarding of University assets
● Integrity & reliability of information systems & related resources
● Compliance with University, State & Federal regulations
● Effective & efficient use & management of University resources
● Accomplishment of University goals

Activities:
● Risk assessment
● Evaluation of controls
● Determine compliance with regulations, policy, etc.
● Issue recommendations

Page 25: Risk Management

● Identify & Classify Resources
● Identify Threats & Vulnerabilities
● Determine & Prioritize Risks
● Determine Response:
− Prevent, Mitigate or Accept
● Risk Assessment:
− Periodic: ISO & ISC
− Independent: Internal Audit

Page 26: Policies/Standards

● Contain senior management directives to create an information security program, establish its goals & measures, & assign responsibilities; define an organization’s information security philosophy
● Mandatory activities, rules, measures of minimal performance or achievement, designed to provide support & structure; intended for universal application throughout the organization; used to implement the general policies/standards

Page 27: Policies/Standards (cont’d)

● Recently Developed / Updated
− Acceptable (Appropriate) Use
− Anti-Spam, Anti-Virus
− Data Center Access
− e-Commerce Management
− Electronic Mail
− End-User Accountability
− Network Security
● Under Development
− Data Ownership / Classification / Security
− Security Awareness / Education
− Security Incident Reporting / Response

Page 28: Policy Management

● Posted on the ISO Web Site
● Formal Protocol for Policy Evolution
● Policy Waivers

Page 29: Communication & Education

● Student, Faculty & Employee Orientation
● e-News – Tips for the Day
● Web Site
− Simple but informative
− Intranet version debuted April 2004
− Internet version @ http://oit.wvu.edu/iso
● Posters
● Classes and/or Mini-Workshops – Planning


Page 31: Compliance Program

● Measures to Prevent & Detect
● Response to Compromise or Violations
● Continually Evaluate Regulations, Policies & Standards
● ISC plus Management, Providers & Users
● Internal Audit
− Critical role in evaluation of compliance & recommendation of measures to help ensure compliance

Page 32: Reporting & Enforcement

● Vanity e-Mail Account
− [email protected]
− For submitting “general” inquiries or reporting potential violations or concerns
● Developing Formal Reporting / Response Protocol
● Information Security Liaisons
● ISC “Action Team”
− Fore-runner to an incident response team
● Consequences for Non-compliance

Page 33: Procurement Oversight

● Service Providers Held to Same Standard as Staff
● Confidential Information [Contract] Addendum
− Definitions of covered data & information
− Acknowledgement of required access
− Safeguard standards
− Reporting
● Audit Standards for Service Provider Contracts

Page 34: Security-related Efforts

● Business Continuity Plan
− Disaster Recovery Plan – In Place
− Business Resumption Plan – In Planning
● e-Commerce Review Committee
● Ethics & Confidentiality Notice / Certification
− University-wide coverage – Replacement under Review
− Departmental / project specific – Some in Place
● SSN Replacement
● Identity Management / Central Authentication

Page 35: ID Management Project

● Charter… to define and/or recommend a central (i.e., University-wide) identity management and authentication solution
● Multi-Phase Project
− Phase I – Unique ID [WVUID]
√ Completed
− Phase II – ID Management
√ Proof of Concept – Completed
√ Tool Kit – Plan under Review (1/31/05 completion date)
− Phase III – Central Authentication
√ Campus-wide wireless access

Page 36: Project Pyramid

(diagram; not captured in the transcript)

Page 37: WVU-ID “ToolKit”

(diagram; not captured in the transcript)

Page 38: Uniqueness Elements

Matrix of uniqueness elements (rows 1–17) against the columns Application 1, Application 2, Application 3, Application 4, Application 5 and Consensus; column alignment was not preserved in the transcript, so the rows are reproduced as extracted:

1 Y 1,2,3,4 Y Y (30%) Y Y (3.3%) Y
2 Y 1,2,3,4 Y Y (15%) Y Y (3.3%) Y
3 Y 1 Y Y (15%) Y Y (3.3%) Y
4 Y Y N Y (2.5%) Y
5 (string vs. multi-segments) N N N N N N
6 (string vs. multi-segments) N N N N N audit only
7 Y Y N Y (2.5%) Y
8 N N N N N N
9 Y 3,4 Y N Y (10%) Y
10 N; 10a Y 3,4 Y; 10b N; 10c Y 3 Y; 10d Y 4 Y; 10e N
11 Y N N N N N
12 N Y (50%) N N N Y
13 Y 1,2 Y (50%) Y (40%) Y Y (75%) Y
14 N Y N N N N
15 N N N N
16 ID Number Y N N N ?
17 Y Y Y (40%) N Y

^ Each scenario (i.e., 1, 2, 3 or 4) represents a 100% confirmation on identity

Labels on the slide: Population Sources / Data Maintained; Uniqueness Elements; Not maintained consistently across applications

Data elements shown: First Name, Last Name, Address 1, City, State, ZIP, Address 2, Gender, E-mail Address, Previous Last Name(s), Birth Name, Generation (Sr, Jr, III), Middle Name, Permanent Address, Place of Birth, Date of Birth, Other IDs (Visa, Driver’s License, Social Security Number, Employee Number, Student Number)

Page 39: Where Are We Going Next

● Establish the Information Security Office(r)
● Develop Risk Assessment “Plan of Attack”
− Job of the Information Security Council
− Initial Focus on Electronic Resources
− Risk Assessment Algorithms
● Classify Information Resources
● Continue to Address the Use of SSN at WVU
● Complete the ID Management / Authentication Project
● Continue to Spread the Word
● Continue to Review Current Policies / Procedures
● Implement Compliance, Reporting & Enforcement

Page 40: A Word To The Wise

● Terminology
− Information Security vs. Computer Security
● Cost & Benefits
− Determine risk algorithms early in the process
● Consider Current Security Environment
− Whenever possible, use existing elements
− Can have a reasonable plan by connecting the dots

Page 41: A Word To The Wise (cont’d)

● If Policy is Too Relaxed or Non-Existent
− Little or no enforcement
● If Policy is Too Strict
− Nobody pays attention to it (“hope I don’t get caught!”)
− Too complicated, too cumbersome
● Flexibility / Adaptability is Key
− Should be independent of specific HW/SW
− Policy update mechanisms should be clearly spelled out

Page 42: Resource Examples

● Federal / State laws, regulations, statutes
− WV State Information Security Policy Guidelines
● Other Colleges & Universities
● “Information Security Policies Made Easy”
− by Charles Wood
● Information Systems Audit & Control (ISACA)
● CERT, NIST, NSA, SANS, …

Page 43: Never-Ending Cycle

(cycle diagram) Elements of the cycle:
● Risk Assessment
● Policies/Standards/Procedures – Update / Create
● Education, Communications & Awareness Programs
● Management: Compliance, Reporting, Enforcement

Page 44: Questions and/or Comments

Page 45: Contacts

● http://oit.wvu.edu/iso
● [email protected]
● [email protected]
● [email protected]
● [email protected]