ITS/CLO Partnership in IT Security Implementation, by Kent Leung, Chief Computing Officer
ITS Offsite Workshop 2002
ITS/CLO Partnership in IT Security Implementation
By Kent Leung, Chief Computing Officer
Information Technology Services Office
ITS/CLO Partnership
CLO = CLO/DSO
CLO = Computer Liaison Officer
DSO = Departmental Security Officer
Recommendations on IT Security from IAU
IAU recommendations in April 2002:
1. Establish and enforce an Institutional Computer Security Policy
2. Establish Security Incident Handling Procedures
3. Assist Departments to develop Departmental Security Policy, Guidelines and Procedures
4. Conduct security awareness and training programs
Establish an Institutional Computer Security Policy
• ITS promulgated the PolyU Computer Systems Security Policy in 1999
– It is not only for ITS but for ALL users in PolyU
– Departments have the responsibility to comply with it
– Endorsed by the internal and external auditors in 2000
– Endorsed by ITSC in April 2002
– Available on the PolyU Security Website
• ITS promulgated the network policy for student hostel in 2002
– http://www.polyu.edu.hk/its/services_facilities/HALL_Reg.html
Enforcement of the PolyU Systems Security Policy
• ITS reviews the PolyU Systems Security Policy annually to cope with changing circumstances
• Departments should also review the departmental system security policy annually to cope with changing circumstances
• Ensure all service providers comply with the PolyU SSP and the departmental SSP
• New services should comply with the SSP before being put into production
Establish Security Incident Handling Procedures
• ITS has in place security incident handling procedures
– ITS security team handles all security-related incidents, e.g., virus infection, hacking, etc.
– Led by Mr. P.F. Chan
• Users only need to report IT security-related incidents via HOTS
– All cases kept confidential
ITS assists Departments to develop Departmental Computer Security Policy, Guidelines and Procedures
Departmental Computer Security Policy, Guidelines and Procedures
• Establish the scope of the Policy by identifying the extent of IT assets
– Information, service, software and hardware
• Perform risk and threat analysis on each identified asset
Risk Analysis

| Category | Information/Services | Confidentiality | Integrity | Availability | Max Tolerable Downtime (hours) |
|---|---|---|---|---|---|
| Network Infrastructure | Backbone Core | 3 | 5 | 5 | 0 |
| Network Infrastructure | Internet Link | 3 | 5 | 5 | 1 |
| Network Management | Network Management | 4 | 5 | 3 | 4 |
| Internet Firewall and DMZ Servers | Webmail | 4 | 4 | 4 | 1 |
| Operation Services | Backup | 4 | 4 | 3 | 24 |
| Academic LAN Services | GroupWise | 5 | 5 | 4 | 4 |
Risk Levels

| Rating | Likelihood Level | Description |
|---|---|---|
| 5 | Very High | Expected to occur in most circumstances |
| 4 | High | Should occur quite frequently but intermittently |
| 3 | Medium | Should occur occasionally |
| 2 | Low | Could occur at a few specific times |
| 1 | Very Low | Could occur in exceptional circumstances |
| 0 | Not occur | No occurrence probability |
Threat Analysis Summary
THREATS [HIGH (H), MEDIUM (M)]
Threat columns: Masquerading; System Compromise; Communication Interception; Denial of Service; Virus or Malicious Code / Damaging or Disruptive SW; Misuse of System Resources; Improper Access to Information; Technical Failure of Services
INFORMATION / SERVICES (ratings in the order they appear on the slide; their column positions are not preserved):
Backbone Core & Distribution: M, M
Internet Link: H, H, M
Network Management: M, H
Internet Email and WebMail: H, H, M, H, H
Departmental Computer Security Policy, Guidelines and Procedures
• Help is available from:
– ITS (contact Mr. P.F. Chan)
– NetDefence
– Your own choice of vendor
• Decide in joint consultative meetings if the PolyU Systems Security Policy is sufficient to protect against the perceived risks in the Department
– If ‘Yes’, adopt and enforce the PolyU Systems Security Policy
– If ‘No’, add additional rules and guidelines for the department
• File a copy of the Departmental Policy, Guidelines and Procedures in ITS and IAU for record
• The PolyU Systems Security Policy is the ‘minimum’ security standard that Departments must comply with
Security Awareness and Training
• ITS/CLO shall conduct and encourage departmental staff to attend security briefings regularly
• ITS/CLO shall regularly brief their staff and students on prevailing external threats, virus attacks and the security updates of the software they are using
What Has ITS Done?
• Access Control on Routers
• Use switches instead of hubs in Campus Network
• Provide VPN Service
• Provide transparent proxy
• Maintain an IT Security Website
• Dedicated team on IT Security
• Implement firewalls
– Require users to register their Web servers, e-mail servers, etc.
• Firewall Bypass Registration
– Firewall bypass requests effective from 29 Nov 2002
– If your department has not registered, all firewall bypass rules will be removed
• Remind and encourage users to change passwords regularly
• Provide anti-virus software on PC client to all users
• Implement virus filtering on GroupWise and Campus E-mail
• Require remote users to authenticate before using PolyU E-mail servers
• Send virus alert notices to all users
The Role of CLO/DSO
• Advisor to the Department Head
• Partner of ITS
• Mentor on IT security issues in Department
• Departmental Representative on IT security issues
• Oversees Departmental IT security related matters
Oversees Departmental IT security matters:
– Manage IP assignment
  • Assign IP address within the departmental VLAN
  • Keep an up-to-date list of the location, owner and contact person of each IP address
– Coordinate departmental firewall registrations
  • Examine and authorize firewall bypass requirements
  • Maintain up-to-date firewall bypass records
  • Renew firewall bypass applications annually
• Keep abreast of security updates on various OS platforms
• Alert departmental users to new virus attacks and the latest anti-virus tools
• Coordinate replies to security-related queries on attacks originating from the department
• Provide information and assist in the investigation of security incidents
• Work closely with ITS on all security and IT related issues
• Report IT security incidents to ITS