Learn about the responsibilities and proposed plan by Larry Conrad, VC & CIO, and Stan Waddell, Exec. Dir. & ISO, to improve information security at Carolina. The plan includes compliance, network and server security, sys admin competency, and implications for faculty.
Improving Information Security at Carolina
Larry Conrad, VC and CIO
Stan Waddell, Exec. Dir. and ISO
May 18, 2011
Info Security Responsibilities
• The CIO is responsible for overall campus IT security
• The Information Security Officer and the Information Security Office organize and lead the defense
• Information Security Liaisons assigned for each unit are the coordinating point for unit actions
• “It takes a village”
  • Campus central IT staff
  • Unit distributed IT staff
  • Faculty, students and staff
• It takes a commitment from all of us…
Proposed Info Security Plan
• How to best leverage the authority given to the CIO for campus info security
• We are proposing a five-point plan:
  • Work to bring the campus into compliance with the 10 existing Information Security policies (State Audit requires annual attestation of understanding the policies)
  • Improve security for the campus network and servers against outside attacks
  • Ensure every campus server is supported/maintained by a competent systems administrator
  • Increased focus on research data and on servers that hold sensitive data or support mission critical operations
  • Increased focus on encrypting laptops
Info Security Policies
• Need to establish a policy base to operate from in protecting the campus
• Examples
  • Information Security policy
  • Information Security Standards policy
  • General User Password policy
  • Systems and Applications Administrator Password policy
  • Transmission of Sensitive Information policy
  • Security Liaison policy
  • Vulnerability Management policy
  • Incident Management policy
  • Data Governance policy
  • E-mail policy (2)
Improve Network and Server Security
• Example actions:
  • Enterprise firewalls: construct a workable strategy for enhancing security at the campus network border
  • Departmental firewalls: protect high-risk servers within units
  • Block certain problematic network traffic, e.g., remote control of desktops (from the Internet)
  • Block file-sharing protocols in the Residence Halls
Ensuring Sys Admin Competency
Proposed approach:
• Develop and conduct an identification process for all campus systems and system administrators, with focus on servers with sensitive data and mission critical systems
• Develop and conduct an on-campus information security training program for Sys Admins
• Develop and implement a systems administration effectiveness assessment, monitoring, and remediation referral process
• Create a (fee-based) outsourced remediation process
  • Refer to a managed systems administration support cluster
  • Identify and solicit one or more third-party systems administration support services
Ensuring Sys Admin Competency
• Systems storing sensitive information should be scanned for vulnerabilities at least monthly
  • Scans can identify missing patches and improperly configured services
  • Give guidance on how to remediate vulnerabilities
• Identified vulnerabilities must be remediated
  • Critical: within 1 week
  • Medium: within a month of identification
• “Three-strikes-and-you’re-out!” philosophy
  • After 3rd failure, sys admin function must be outsourced
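A small tracker for the scanning and remediation rules on this slide, added here as an example; it is not part of the deck or of the Carolina program. The findings, host names, admin names, the reading of a “failure” as one missed remediation deadline, and the use of 30 days for “a month” are all assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Deadlines stated in the plan: critical within 1 week, medium within a month.
# The plan gives no deadline for other severities, so they earn no strikes here.
DEADLINE_DAYS = {"critical": 7, "medium": 30}
SCAN_INTERVAL_DAYS = 30   # "scanned for vulnerabilities at least monthly"
STRIKE_LIMIT = 3          # "three strikes and you're out"
TODAY = date(2011, 5, 18)  # the deck's date, used as the reporting date

# Constructed sample findings (hosts, admins and dates are made up).
FINDINGS = [
    {"host": "research-db-01", "admin": "admin-a", "severity": "critical",
     "found": date(2011, 5, 1), "fixed": date(2011, 5, 5)},    # fixed on time
    {"host": "research-db-01", "admin": "admin-a", "severity": "medium",
     "found": date(2011, 4, 1), "fixed": None},                # still open, overdue
    {"host": "research-db-01", "admin": "admin-a", "severity": "low",
     "found": date(2011, 3, 1), "fixed": None},                # no stated deadline
    {"host": "web-05", "admin": "admin-b", "severity": "critical",
     "found": date(2011, 5, 1), "fixed": date(2011, 5, 12)},   # fixed late
    {"host": "web-05", "admin": "admin-b", "severity": "critical",
     "found": date(2011, 5, 5), "fixed": None},                # still open, overdue
    {"host": "web-05", "admin": "admin-b", "severity": "medium",
     "found": date(2011, 4, 10), "fixed": date(2011, 5, 15)},  # fixed late
]
LAST_SCAN = {"research-db-01": date(2011, 5, 10), "web-05": date(2011, 4, 2)}

def deadline(finding):
    days = DEADLINE_DAYS.get(finding["severity"])
    return None if days is None else finding["found"] + timedelta(days=days)

def is_missed(finding, today):
    """A strike (assumed meaning of 'failure'): the finding was not fixed by its
    deadline, either still open past the deadline or closed after it."""
    due = deadline(finding)
    if due is None:
        return False
    fixed = finding["fixed"]
    return today > due if fixed is None else fixed > due

def strikes_by_admin(findings, today):
    return Counter(f["admin"] for f in findings if is_missed(f, today))

def admins_to_outsource(findings, today):
    counts = strikes_by_admin(findings, today)
    return sorted(a for a, n in counts.items() if n >= STRIKE_LIMIT)

def hosts_overdue_for_scan(last_scan, today):
    return sorted(h for h, d in last_scan.items()
                  if today - d > timedelta(days=SCAN_INTERVAL_DAYS))
```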
Implications For Faculty
• Everyone on campus is responsible for protecting the University and its data, particularly sensitive data
• Policies apply campus-wide
• When in doubt ask (report issues)
• Know where sensitive data resides…and why
• Don’t surf the web on machines with sensitive data
• Patch and configure correctly (scan to verify)
• Encrypt sensitive data and only use it when needed
• Ensure servers have competent Sys Admins
• Info security costs money and may impact grants…