The WVU Information Security Program: If You Build It, They Will Use It

Description: Health Insurance Portability & Accountability Act (HIPAA) ... West Virginia Code 18-2-5f Use of Student SSNs. Demonstrate Due Diligence ...

Slides: 46
Provided by: sueannl
Learn more at: http://net.educause.edu

Transcript and Presenter's Notes

1
The WVU Information Security Program: If You Build It, They Will Use It
2
Introductions
  • Sue Ann Lipinski, Management Auditor, Internal Audit
  • Tim Marton, Director, Information Systems
  • Mark Six, Manager, Systems Administration

3
Abstract
  • WVU is building an institution-wide
    information security program to ensure the
    continued confidentiality, integrity &
    availability of mission-critical information
    resources. This presentation discusses our
    incremental implementation approach, including
    the development of policies / standards /
    procedures, as well as efforts to include this
    program in current & future information-related
    activities & projects.

4
Some WVU Facts
  • Founded in 1867 in Morgantown, WV
  • Land Grant Institution
  • 13 colleges & schools, offering 170 bachelor's,
    master's, doctoral & professional degree programs
  • Medical Center
  • Doctoral Research Extensive Classification
  • Spread over 3 Morgantown & 3 regional campuses
  • Enrollment of approximately 31,800
  • Faculty/Staff of 6,487

5
Agenda
  • Evolution of WVU's Program
  • Insight into Current Program
  • Where Are We Going Next
  • Words to the Wise

6
Evolution of WVU's Program
  • Drivers: Internal & External
  • Champions: Promoted, Promoted, Promoted
  • Defined Information Security for WVU
  • Developed / Updated Policies / Standards
    (On-going)
  • Identified Information Security Program Elements

7
Why? Why Now?
  • Internal Drivers
    • Recognized Need to Protect Information Resources
    • Impact of an Incident
  • External Drivers
    • Gramm-Leach-Bliley Act (GLB)
    • Health Insurance Portability & Accountability Act
      (HIPAA)
    • Family Educational Rights & Privacy Act (FERPA)
    • The Privacy Act
    • West Virginia Code 18-2-5f, Use of Student SSNs
    • Demonstrate Due Diligence
    • Higher Education in the Headlines

8
WVU's Security Policy
  • Information Resources as Vital Assets
  • Definition / Purpose of Information Security
  • Elements of WVUs Program
  • Structure, Composition & Responsibilities

9
WVU Information Resources
  • WVU relies on numerous, diverse information
    resources to support the mission-critical
    operations of administration, education, research
    & service.
  • If these information resources were unavailable,
    unreliable or disclosed in an inappropriate
    manner, the University could suffer damage to its
    reputation & incur serious financial &
    operational losses.
  • Accordingly, WVU acknowledges that information
    resources are vital assets requiring protection
    commensurate with their value.

10
Definition & Purpose
  • The protection of information resources from
    unauthorized access, modification, destruction or
    harm
  • The establishment of controls & measures to
    minimize the risk of loss or damage to
    information resources
  • Inform users (students, staff and faculty) of
    essential requirements for protecting various
    assets, including people, hardware, software
    resources & data assets
  • Provide a baseline from which to acquire,
    configure & audit computer systems & networks for
    compliance with the policy

11
Three Tenets
  • Confidentiality
    • addresses the protection of private, sensitive
      or trusted information resources from
      unauthorized access or disclosure
  • Integrity
    • refers to the accuracy, completeness &
      consistency of information resources
  • Availability
    • ensures reliable & timely access to information
      resources by appropriate personnel

12
Elements of WVU's Program
  • Defined Structure w/ Central Point of
    Coordination
  • Risk Assessment & Management
  • Policies & Standards / Policy Management
  • Communication & Education
  • Compliance
  • Reporting & Enforcement
  • Procurement Oversight for Service Providers
  • Security-related Projects

13
Structure
14
Composition
  • Reports to cabinet level authority
  • Member of AAIMS Executive Committee
  • Chairs the Information Security Council

15
Responsibilities
  • Risk management
  • Policies & standards
  • Communicate & educate
  • Compliance
  • Report & enforce
  • Service provider oversight
  • Security-related projects

16
Composition
Chaired by the Provost's Office; includes a VP (or
Director) from Academic Affairs, Finance &
Administration, Health Sciences, Human
Resources, Information Technology, Internal
Audit, Library & Student Affairs
17
Responsibilities
  • Sponsor the Information Security Program
  • Establish an Information Security Environment
  • Coordinate access to necessary support

18
Composition
Chaired by the ISO; includes Information Security
Representatives from the administration, faculty
& staff, with support from Internal Audit, IT
Specialists, Legal Counsel & Purchasing
19
ISC Charter
  • Serve as senior management sponsors of the WVU
    Information Security Program
  • Provide management coordination of a
    University-wide information security program
  • Review & revise information security policies,
    standards and procedures
  • Establish & maintain a comprehensive risk
    management program
  • Establish & maintain an information security
    compliance program
  • Recommend & sponsor information security
    awareness, communication & education programs
  • Provide a forum to discuss & assess pending
    regulations & requirements
  • Perform periodic reviews of information security
    incidents / violations
  • Govern contractual relationships with vendors,
    consultants & other 3rd parties

20
Composition/Responsibilities
  • Assist development of data definitions
  • Assign data elements to categories
  • Provide framework for classifying data
  • Authorize access to information resources
  • Implement controls to secure resources

Senior level University officials
21
Composition/Responsibilities
  • Representatives of
    • Each major application/system
    • Each academic college
    • Each business unit
    • Primary units of IT
  • Disseminate policy
  • Assist in detection / reporting of violations
  • Departmental point-of-contact

22
Composition/Responsibilities
  • Protect information resources per 3 tenets
  • Use information responsibly / appropriately
  • Comply with policy

Any user authorized to access data and/or systems
23
Composition
Independent, objective appraisal
function reporting to the WVU President's
Office & the Board of Governors Audit Committee
24
Responsibilities
  • Assist WVU administration in the effective
    implementation of internal controls
    • Safeguarding of University assets
    • Integrity & reliability of information systems &
      related resources
    • Compliance with University, State & Federal
      regulations
    • Effective & efficient use & management of
      University resources
    • Accomplishment of University goals
  • Risk assessment
  • Evaluation of controls
  • Determine compliance with regulations, policy,
    etc.
  • Issue recommendations

25
Risk Management
  • Identify & Classify Resources
  • Identify Threats & Vulnerabilities
  • Determine & Prioritize Risks
  • Determine Response
    • Prevent, Mitigate or Accept
  • Risk Assessment
    • Periodic: ISO & ISC
    • Independent: Internal Audit

26
Policies/Standards
  • Policies: contain senior management directives to
    create an information security program, establish
    its goals & measures, assign responsibilities &
    define an organization's information security
    philosophy
  • Standards: mandatory activities, rules, measures
    of minimal performance or achievement, designed to
    provide a support structure, intended for
    universal application throughout the organization
    & used to implement the general policies

27
Policies/Standards (cont'd)
  • Recently Developed / Updated
    • Acceptable (Appropriate) Use
    • Anti-Spam, Anti-Virus
    • Data Center Access
    • e-Commerce Management
    • Electronic Mail
    • End-User Accountability
    • Network Security
  • Under Development
    • Data Ownership / Classification / Security
    • Security Awareness / Education
    • Security Incident Reporting / Response

28
Policy Management
  • Posted on the ISO Web Site
  • Formal Protocol for Policy Evolution
  • Policy Waivers

29
Communication & Education
  • Student, Faculty & Employee Orientation
  • e-News: Tips for the Day
  • Web Site
    • Simple but informative
    • Intranet version debuted April 2004
    • Internet version @ http://oit.wvu.edu/iso
  • Posters
  • Classes and/or Mini-Workshops (Planning)

30
(No Transcript)
31
Compliance Program
  • Measures to Prevent & Detect
  • Response to Compromise or Violations
  • Continually Evaluate Regulations, Policies &
    Standards
  • ISC plus Management, Providers & Users
  • Internal Audit
    • Critical role in evaluation of compliance &
      recommendation of measures to help ensure
      compliance

32
Reporting & Enforcement
  • Vanity e-Mail Account
    • Information_Security@mail.wvu.edu
    • For submitting general inquiries or reporting
      potential violations or concerns
  • Developing Formal Reporting / Response Protocol
    • Information Security Liaisons
    • ISC Action Team
      • Fore-runner to an incident response team
  • Consequences for Non-compliance

33
Procurement Oversight
  • Service Providers Held to Same Standard as Staff
  • Confidential Information Contract Addendum
    • Definitions of covered data & information
    • Acknowledgement of required access
    • Safeguard standards
    • Reporting
  • Audit Standards for Service Provider Contracts

34
Security-related Efforts
  • Business Continuity Plan
    • Disaster Recovery Plan: In Place
    • Business Resumption Plan: In Planning
  • e-Commerce Review Committee
  • Ethics & Confidentiality Notice / Certification
    • University-wide coverage: Replacement under
      Review
    • Departmental / project specific: Some in Place
  • SSN Replacement
  • Identity Management / Central Authentication

35
ID Management Project
  • Charter
    • to define and/or recommend a central (i.e.,
      University-wide) identity management and
      authentication solution
  • Multi-Phase Project
    • Phase I: Unique ID (WVUID)
      • Completed
    • Phase II: ID Management
      • Proof of Concept Completed
      • Tool Kit Plan under Review (1/31/05 completion
        date)
    • Phase III: Central Authentication
      • Campus-wide wireless access

36
Project Pyramid
37
WVU-ID ToolKit
38
Uniqueness Elements
39
Where Are We Going Next
  • Establish the Information Security Office(r)
  • Develop Risk Assessment Plan of Attack
    • Job of the Information Security Council
    • Initial Focus on Electronic Resources
    • Risk Assessment Algorithms
    • Classify Information Resources
  • Continue to Address the Use of SSN at WVU
  • Complete the ID Management / Authentication
    Project
  • Continue to Spread the Word
  • Continue to Review Current Policies / Procedures
  • Implement Compliance, Reporting & Enforcement

40
A Word To The Wise
  • Terminology
    • Information Security vs. Computer Security
  • Cost & Benefits
    • Determine risk algorithms early in the process
  • Consider Current Security Environment
    • Whenever possible, use existing elements
    • Can have a reasonable plan by connecting the dots

41
A Word To The Wise (cont'd)
  • If Policy is Too Relaxed or Non-Existent
    • Little or no enforcement
  • If Policy is Too Strict
    • Nobody pays attention to it ("hope I don't get
      caught!")
    • Too complicated, too cumbersome
  • Flexibility / Adaptability is Key
    • Should be independent of specific HW/SW
    • Policy update mechanisms should be clearly
      spelled out

42
Resource Examples
  • Federal / State laws, regulations, statutes
  • WV State Information Security Policy Guidelines
  • Other Colleges & Universities
  • Information Security Policies Made Easy
    • by Charles Wood
  • Information Systems Audit & Control Association (ISACA)
  • CERT, NIST, NSA, SANS, ...

43
Never-Ending Cycle
  • Risk Assessment
  • Policies / Standards / Procedures: Update / Create
  • Management
    • Compliance
    • Reporting
    • Enforcement
  • Education, Communications & Awareness Programs
  • (back to Risk Assessment)
44
  • Questions and/or Comments

45
Contacts
  • http://oit.wvu.edu/iso
  • Information_Security@mail.wvu.edu
  • SueAnn.Lipinski@mail.wvu.edu
  • RTMarton@mail.wvu.edu
  • Mark.Six@mail.wvu.edu