VIRTUAL REALITY: CYBER SECURITY ISSUES

Presented to: Legal Issues in Higher Education Conference
October 7, 2003, Burlington, VT

By:
Rodney Peterson, Computer & Network Security Task Force Coordinator, EDUCAUSE, Washington, D.C.
Rogers Davis, Assistant Vice Chancellor, Human Resources, University of California, San Diego, La Jolla, CA

Rodney Peterson and Rogers Davis, Copyright 2003.


Fall 2003 – Welcome Back!
• Orientation: Academics, Drugs & Alcohol, Co-Curricular Activities, etc.
• Check-In: Keys, Meet Your RA, etc.
• In-Room: Goody Box, Instructions on Port-to-Pillow Connection, etc.
• Computer Security: CDs with Patches and Anti-Virus Software, Computer Check-Up, and New Aggressive Policies

Threats, Vulnerabilities, & Risks
• Threats – an adversary that is motivated to exploit a system vulnerability and is capable of doing so.
• Vulnerabilities – an error or weakness in the design, implementation, or operation of a system.
• Risks – information loss or compromise, loss of research advantage, compromised or lost data, damage to reputation, legal liability, disruption of services, costs associated with recovery.

Policy of the United States

“In the past few years, threats in cyberspace have risen dramatically. The policy of the United States is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States. We must act to reduce our vulnerabilities to these threats before they can be exploited to damage the cyber systems supporting our Nation’s critical infrastructures and ensure that such disruptions of cyberspace are infrequent, of minimal duration, manageable, and cause the least damage possible.”

Letter from President George W. Bush to The American People, The National Strategy to Secure Cyberspace (February 2003)

National Strategy to Secure Cyberspace
• Released February 2003
• Available at www.securecyberspace.gov
• Purpose: To engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact.
• Implementation: National Cyber Security Division of the Information Assurance & Infrastructure Protection Directorate of the U.S. Department of Homeland Security

National Strategy & Higher Ed

The National Strategy to Secure Cyberspace encourages colleges and universities to secure their cyber systems by establishing some or all of the following as appropriate:

1. one or more Information Sharing and Analysis Centers to deal with cyber attacks and vulnerabilities;

2. an on-call point-of-contact to Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyber attacks;

3. model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity;

4. one or more sets of best practices for IT security; and

5. model user awareness programs and materials.

Coordinated Higher Ed Effort
• EDUCAUSE – Use of IT in Higher Education
• Internet2 – Advanced Networking & Next Generation
• Higher Education Information Technology Alliance, http://www.heitalliance.org
  – American Association of Community Colleges
  – American Association of State Colleges and Universities
  – American Council on Education
  – Association of American Universities
  – Association of Research Libraries
  – EDUCAUSE
  – Internet2
  – National Association of College and University Business Officers
  – National Association of Independent Colleges and Universities
  – National Association of State Universities and Land-Grant Colleges
  – University Continuing Education Association

EDUCAUSE/Internet2 Computer and Network Security Task Force
• Co-chairs: Dan Updegrove, University of Texas at Austin, & Gordon Wishon, University of Notre Dame
• Resource on Computer and Network Security for the Higher Education Community: www.educause.edu/security
• Initiatives:
  – Outreach and Awareness
  – Effective Practices and Solutions
  – Professional Development for Security Professionals
  – Risk Assessment Methods and Tools
  – Legal Issues and Institutional Policies
  – Federal/State Public Policy
  – Vendor Engagement

Message to Presidents (Feb 2003)
• Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability.
• Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.
• Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.
• Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.

David Ward, President, American Council on Education

Guiding Principles
• Civility and Community
• Academic and Intellectual Freedom
• Privacy and Confidentiality
• Equity, Diversity, and Access
• Fairness and Process
• Ethics, Integrity, and Responsibility

Legal Issues
• “Negligent Security” & Privacy Torts
• Federal Statutes – Security & Privacy
  – USA PATRIOT Act of 2001
  – Gramm-Leach-Bliley Act of 1999
  – Health Information Portability and Accountability Act (HIPAA) of 1996
  – Electronic Communications Privacy Act (ECPA) of 1986
  – Family Educational Rights and Privacy Act (FERPA) of 1974
  – The Privacy Act of 1974
• State Statutes
  – Maryland: Data Security & Privacy Policies
  – California: Disclosure of Security Breaches

Proposed Public Policy
• Privacy
  – Personally Identifiable Information (PII)
  – Privacy Policies: Opt-In, Opt-Out, and Plain Language
  – Use of Social Security Number
  – Identity Theft
  – Spam and Unsolicited Commercial Email
• Security
  – Notice of Security Breaches
  – Information Sharing and Public Information Limits

EDUCAUSE Legislative Tracking Chart is available at www.educause.edu/policy

Emerging Public Policy Issues
• Secure Software Development
  – Market Pressure
  – Liability, Licensing Terms, and Warranties
• Minimum Security Requirements
  – Federal Information Security Management Act
  – Requirements in Federal Contracts & Grants
• Allocation of Costs and Insurance

Administration

I. CRITICAL ISSUES

Various Location of Data
• Systemwide systems of data
• Campuswide systems of data
• Central office systems of data
• Emails
• Shadow systems
• Paper files

CASE STUDY

Impact of Shadow Systems
• Identifying locations
• Self audit
• Ability to impose standards
• Knowing whether standards are being maintained

Decentralized Environment
• Client server environment
• Repair of problems
• Skill set of those who manage computers
• Deciding who is involved in framing E-solutions
• Applicability of certain services

Multiple Levels of Access/Accessibility to the Network
• Internet vs. intranet
• Firewalls
• Controls, access and security

Technology-based Business Needs and Security
• The IT perspective
• The operational perspective

Addressing Security Violations
• Faculty
• Staff
• Students

II. STATUTORY & POLICY REQUIREMENTS

Statutory
• CA Law SB-1386
• CA Law SB-25
• CA Law AB-46

UC & UCSD Policies
• UCSD Standards for developing and maintaining computer applications
• UC Electronic Communication Policy
• UCSD Email Policy

III. STRATEGY AND SOLUTIONS TO SECURITY & PRIVACY

Business Drivers
• Using technology as a tool to manage solutions
• Aligning efforts with the organization’s goals
• Identifying champions within the organization
• Determining standards of excellence
• Defining the architecture
• Complying with legal and regulatory requirements
• Managing risk

Business Strategy
• Develop an electronic commerce solution
• Implement a common solution for electronic procurement
• Implement the Employee Systems Initiative (ESI)
• Identify self-service application opportunities
• Adopt industry technology architectures and standards for Web-based applications, electronic data interchange and wireless and mobile technology
• Eliminate paper-based processes and forms
• Ensure adequate authentication and security

Raising Awareness Within the Organization
• Training
• Accountability
• Information

Process Model for Assessment
• Assessment strategy
• Culture change
• Substitute identifiers
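"Substitute identifiers" (and the conference track on eliminating SSNs as IDs mentioned at the end of the deck) is the one concrete technique in this section: issue each person an opaque institutional ID so that payroll, housing, library and other campus systems never need to hold the Social Security Number. The following Python is an added illustration, not code from the presentation, from UCSD or from EDUCAUSE. It assumes a single central identity registry that holds the only SSN-to-ID linkage, protected by a secret lookup key; the class name, the ID format (a letter plus eight digits) and the key are assumptions.

```python
"""Substitute identifiers for SSNs (added example, not from the presentation).

Design: the registry never stores a raw SSN. It keeps HMAC(lookup_key, ssn)
as the only key into the mapping, so a copy of the table without the secret
key cannot be brute-forced over the ~10^9 possible SSNs. The substitute ID
itself is random, not derived from the SSN, so knowing an ID reveals nothing
about the SSN, and the two are linked only inside this one registry.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# Accepts 123-45-6789 or 123456789 (constructed sample formats).
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


class IdentityRegistry:
    """Hypothetical central registry: the only place SSNs are ever handled."""

    def __init__(self, lookup_key: bytes, prefix: str = "A") -> None:
        self._key = lookup_key
        self._prefix = prefix
        self._by_token: dict[str, str] = {}   # HMAC(ssn) -> substitute ID
        self._issued: set[str] = set()        # all IDs handed out so far

    @staticmethod
    def _normalize(ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("not a well-formed SSN")
        return re.sub(r"\D", "", ssn)          # strip dashes -> 9 digits

    def _token(self, ssn: str) -> str:
        # Keyed hash: same person always maps to the same token, but the
        # token cannot be reversed or enumerated without the key.
        digits = self._normalize(ssn)
        return hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()

    def substitute_id(self, ssn: str) -> str:
        """Return the person's existing substitute ID, or issue a fresh one."""
        token = self._token(ssn)
        sid = self._by_token.get(token)
        if sid is None:
            while True:                        # random ID, retry on collision
                sid = f"{self._prefix}{secrets.randbelow(10**8):08d}"
                if sid not in self._issued:
                    break
            self._issued.add(sid)
            self._by_token[token] = sid
        return sid

    def contains_plaintext(self, ssn: str) -> bool:
        """Audit helper: does this SSN (digits only) appear anywhere in state?"""
        digits = self._normalize(ssn)
        state = repr(self._by_token) + repr(self._issued)
        return digits in state


def pseudonymize_record(registry: IdentityRegistry, record: dict) -> dict:
    """Replace the 'ssn' field of a downstream record with 'student_id'.

    This is what a shadow system or paper-to-web conversion would call once,
    after which it keeps only the substitute ID.
    """
    out = {k: v for k, v in record.items() if k != "ssn"}
    if "ssn" in record:
        out["student_id"] = registry.substitute_id(record["ssn"])
    return out


if __name__ == "__main__":
    # Constructed sample data; the key would come from a secrets store.
    reg = IdentityRegistry(lookup_key=secrets.token_bytes(32))
    rec = pseudonymize_record(reg, {"name": "Sample Student", "ssn": "123-45-6789"})
    print(rec)                                           # e.g. {'name': ..., 'student_id': 'A04817263'}
    print("registry stores the SSN:", reg.contains_plaintext("123-45-6789"))  # False
```

The point to take from the design is the split of responsibilities: exactly one system handles the SSN, and it does so only to look up or mint an ID. Every other system that once used the SSN as a primary key can be migrated by running its records through pseudonymize_record once and dropping the SSN column.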

Centralization vs. Decentralization
• Internet vs. Intranet

IV. SECURITY GUIDELINES
• Authentication and authorization
• Control
• Logging
• Backup
• Privacy

V. PHYSICAL SECURITY
• Inventory
• Physical issues
• Disaster planning
• Decommissioned PCs

PRINCIPLES APPLICABLE TO NETWORK SECURITY
• Security is everyone’s problem
• Manage data security
• Honor requests for central services
• Don’t steal software
• Apply patches
• Run anti-virus software
• Turn off unnecessary services
• Use strong passwords
• Don’t share your password


More information at www.educause.edu/conference/annual/2003

EDUCAUSE 2003, November 4-7, 2003, Anaheim, California
• Pre-Conference Seminars – Risk Evaluation, Incident Response and Forensics, Security Policy Development, Federal Policy
• Featured Sessions – PR Dimensions and Management Response, P2P Filesharing
• Track Sessions – Elimination of SSNs as IDs, Education and Awareness, Collaborations and Partnerships
• Featured Speaker – Richard Clarke, former White House Cybersecurity Czar