UGA Role-based Security/Accountability Model
BAAF Quarterly Meeting 2007

Upload: annis-norris

Post on 22-Dec-2015



“The University of Georgia cannot protect the confidentiality, integrity, and availability of sensitive information and information systems in today’s highly networked systems environment without ensuring that each person (student, faculty and staff) understands their roles and responsibilities, and is adequately trained to perform these roles”.

UGA Chief Information Security Officer, UGA Security Committee


The vision for the University of Georgia is a campus environment where the protection of sensitive and critical data, and information technology resources, is a shared responsibility among administrators, faculty, staff, students, and IT professionals.

This responsibility will be addressed campus-wide by implementing information security best practices based on individual role and level of accountability, and will be supported through building increased awareness and participation in training and educational opportunities.


2005 Campus Memo “Securing Sensitive Data Initiative”
• Phase I: UGA Auditor/CISO high risk Assessment (19 campus units)
• Phase II: Inventory of all assets (i.e., servers, databases, personnel) through ASSETs Online software application, Version 1 (350 campus units)

2006 President’s Retreat “Securing UGA Sensitive Data: Current Status, Challenges and Future Directions”
• Atten: Issue #5 — Acceptance of shared responsibility for institutional data and information security…campus-wide

2007 Senior VP Campus Memo “Role/Accountability” Campus-wide Plan…accountability for implementation of University security standards, policies, processes and procedures based on individual position and level of responsibility

2006-2007 Securing Sensitive Data “Defense-in-Depth”: Processes, People, Core Technology Tools


Securing Sensitive Data: Defense in Depth

Processes

2007 Mandatory Standards/Policies
• UGA Policy on Use of Computers
• UGA Electronic Mail Policy
• UGA Minimum Security Standards-Networked Devices Policy
• UGA Password Policy and Standards
• UGA Telecommunications Policy
• Georgia Surplus Policy
• Certification of compliance
• Mandatory Completion of ASSETs Version 1.1
• Spot Audit – UGA Auditor Office
• Mandatory Hiring Practices/Background Check

Required Risk Mgt Tools Implementation
• End-Point/desktop Security (e.g., F-Secure Enterprise)
• Computer Associates Vulnerability Manager
• Vulnerability Scanning (periodic and/or on-demand)
• Absolute Track software for laptop tracking
• ASSETs tool for development of unit Business Continuity Plan and Disaster Recovery Plan
• Intrusion Prevention System (IPS)
• Incident Response protocol

Education, Awareness & Training (SATE – Security Awareness, Training and Education)
• Required SANS online training
• Requested SANS On-site training
• Staff training and development courses (T&D)
• Staff Certification
• Video/Print materials
• ASSETs Mass/Hands-on Training
• HIPAA and Security training
• Risk Management
• Payment Card Industry – A Primer
• UGA InfoSec Handbook

Brochures/PowerPoint (e.g.)
• Absolute Track+/Asset Tracking Mgt
• Protecting Your Good Name: ID Theft and ID Fraud
• DMCA: The History
• GLBA In a Nutshell

Other: Cyber Security Awareness Month; Websites/url (e.g., UGA InfoSec; Federal Trade Commission) June 2007

People
• USG Chancellor / Board of Regents
• UGA President
• Senior Vice Presidents
• Vice Presidents, CIO, Deans, Vice Provost
• Assoc VP’s, Assoc Provosts
• Dept/Unit/Div Heads
• CISO
• Campus Security Liaisons
• Database Administrators
• Systems Administrators
• Network Administrators
• Campus IT Personnel
• Other Titles/Classifications

Technology (Core Technology Tools)
• Virtual Private Network (VPN)
• Intrusion Prevention System (IPS)
• Centrally managed end-point security (i.e., anti-virus; anti-spyware)
• 24x7 monitoring via Secure Operations Center (SOC)
• Central Hosting facility/Boyd
• Campus-wide Licenses (e.g., F-Secure; Absolute Track)
• Vulnerability management
• Risk Management tools (e.g., ASSETs Self Assessment)
• Access Control (e.g., Blue Socket Authentication)


Security is everyone’s responsibility…

“…under existing federal and state legislation, universities are responsible for the confidentiality and integrity of data originating from, and managed through, a campus environment. For the University of Georgia, over 41,000 network devices (e.g., computers, printers, fax machines, scanners) are used. Universities are also required to be a responsible custodian of personal data stored on computers, servers, and other communication devices. In 2006, more than 2.2 million records were stolen from colleges and universities, an increase of 17% over 2005”.

NOTE: Ponemon Institute Survey: $182.00 for every breached record

Computer Science Institute/FBI Computer Security Survey: $89,000 average cost for computer theft


UGA Facts

• 4.9 million total incoming e-mail messages daily; 4.3 million = number of SPAM and virus messages deleted and/or eliminated out of the 4.9 million, leaving est. 600,000 delivered
• 19.9 Mainframe transactions – monthly average; 23.5 million monthly average during drop/add period
• 183,278 research jobs submitted to the Research Computing Center (RCC) requiring high performance computing CPUs
• 24,000 user-capacity of PAWS, campus-wide wireless network
• Average of 41,000 logins daily to MyUGA
• 10.4 million page hits monthly on www.uga.edu
• >1,000 Web sites hosted on www.uga.edu
• 8,677 online courses = 60,577 individual students enrolled in WebCT classes
• University Cablevision provides 12,600 hours of programming per week
• >99.9 = percentage of uptime for critical production systems (e.g., Network, UGA Mail, WebCT, Mainframe)


Senior Vice Presidents… May 6, 2007 campus memo indicating specific actions by campus entities shall include:

a) Accountability for implementation of University security standards, policies, processes and procedures based on individual position and level of responsibility

d) Identification of individual(s) serving as department, unit or division security liaison(s) held responsible for system or network management, information, incident response…

e) Inclusion at all levels of participation in formal and/or informal awareness, training and educational opportunities as part of the annual performance appraisal process.

See: Handout: May 6 Campus Memo re: Securing Sensitive Data Initiative


UGA Role-Based Security/Accountability Model

• President: Ultimate responsibility for approval and submission of UGA Security Plan, policies, standards, and best practices that meet requirements of the University System of Georgia, state, and federal mandates.

• Senior Vice Presidents
o Implement policies, standards, guidelines
o Verify role responsibilities of executive management
o Require annual report of security progress and issues
o Validate completion of required awareness, training, and education and/or participation by direct reports
o Support development and implementation of crisis/risk management practices


UGA Role-Based Security/Accountability Model

• Executives (Vice Presidents, Deans, Vice Provosts, Assoc. Provosts, Dept./Unit/Division Heads)
o Accountable for college, unit, and/or division adherence to UGA policies (e.g., Federal, State, USG policy, law, regulations)
o Establish line of responsibility and authority for security-related functions within unit, division, dept (e.g., IT Director, Security Liaison, technical leadership for grant/project/etc.)
o Report organization’s security status to Senior Executive(s) based on articulated timeline
o Participate in required awareness, training and education opportunities based on role and University requirements
o Provide resources for unit, division, dept protection of sensitive/critical data (i.e., budget, personnel, and/or technology)


UGA Role-Based Security/Accountability Model

• IT Leadership, Management and Unit Security Liaisons
o Annual update of ASSETs online self-reporting tool
o Serve as Primary/Secondary contact for IT security incident, Business Continuity and Disaster Recovery planning
o Ensure that resources are applied for protecting sensitive and critical data (people, process, training, technology)
o Participate in annual awareness, training and education opportunities
o Require appropriate skills, education, and ongoing training for key IT professionals (network administrators, systems administrators, application developers, and programmers)
o Require or provide appropriate skills and training for new hires responsible for protecting sensitive and critical data


UGA Role-Based Security/Accountability Model

• IT Administrators (Network, Systems, Database, Web Administrators and Programmers)
o Understand and adhere to all relevant UGA IT/IS security policies, standards, and procedures
o Understand and appropriately participate in UGA local and incident response policy and procedures
o Maintain awareness, training, and education requirements
o Implement best practices in systems administration and design (e.g., configuration of systems)


UGA Role-Based Security/Accountability Model

• UGA Community – Students, Faculty, and Staff

Maintain a level of awareness and education of security policy and procedure including, but not limited to:
o Privacy Policy
o Acceptable Use Policy
o Security Policy for Networked Devices
o Email Policy
o Password Policy
o Incident Response Policy

Recognition and appropriate response/accountability when role changes such as faculty role in supervising IT Professionals through a grant

Follow regulations regarding protection of data: GLBA, FERPA, HIPAA, etc. when using desktop and mobile devices


re: Awareness, Training and Education

Multiple opportunities for awareness, training and education on campus including, but not limited to:
• InfoSec
• UGA Training and Development Center
• Element-K
• SANS On-Demand and OnSite

A role-based training matrix is available on the UGA Securing Sensitive Data Website at: www.ssdi.uga.edu


UGA Role-Based Security/Accountability Model

• IT Professionals: The UGA Security Model will be integrated into the University of Georgia Human Resources IT Jobs Classification Model developed in 2004.

Job descriptions are located on the Human Resources web site: https://jobapp.humanres.uga.edu/classification/

IT Matrix and IT Leadership Matrix are located at the website

Information about IT Jobs can be found at http://www.coe.uga.edu/itjobs

UGA Role-Based Security/Accountability Model

(cont.) IT Professionals: The UGA Security Model will be integrated into the IT Jobs classification model.

The Technical job descriptions have four levels: Assistant, Associate, Specialist, and Principal.

Security skills requirements are identified at all levels above Assistant.

The entry level or Assistant level may work under the supervision of senior IT Professionals but should not be solely accountable for the design or administration of systems protecting sensitive or critical data.

UGA Role-Based Security/Accountability Model

(cont.) IT Professionals: The UGA Security Model will be integrated into the IT Jobs classification model.

The IT Leadership job descriptions will have security education and skills requirements.

Leadership positions maintain a role of accountability for management of resources and adherence to policy, standards, and procedure. Additionally, IT Leadership is responsible for completing or assigning the completion of the ASSETs tool.

IT Leadership must maintain annual awareness and training for incident response and disaster recovery.


Role-based Security/Accountability

• The role-based accountability model is based on the relationship between two people: the supervisor and the supervisee. Resources, planning, and monitoring the success of training and skills acquisition are built into the performance evaluation process.

• The IT Jobs Classification description, including the IT Matrix and the security requirements, will be used to determine what training is needed by current staff and what skills are needed in the recruiting/hiring process for key staff.

UGA Role-Based Security/Accountability Model

Implementation Timeline
• The first phase of communication and training will begin in October/November 2007.
• A project team will be created with representatives from ITMF, Training and Development, and UGANet. This team will deliver training to IT professionals, departments and units beginning in January.
• Multiple training opportunities will be created using web-based applications, video, and podcasting.
• The UGA Securing Sensitive Data Website will be maintained to provide ongoing communication about resources, requirements, and calendar of events—www.ssdi.ua.edu

“Things to Remember”

Everyone on campus has a role in security accountability.

The Role-based Security/Accountability Model is built on industry best practice: Process, People, and Technology.

The Role-based/Accountability Model is based on the relationship between two people: the supervisor and the supervisee. Resources, planning, and monitoring the success of training and skills acquisition are built into the performance evaluation process.

Awareness, training, and education materials already exist on campus and many are free-of-charge.

A communication and training schedule to implement this model is being created based on the successful approach used at UGA for the IT JOBS Initiative.

References

Information Systems Audit and Control Association (ISACA) – COBIT, http://www.isaca.org/template.cfm?section=home

Information Technology - Security Techniques - Code of practice for information security management - ISO 17799

NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model."