Transcript ppt
The Impact of Evolving IT Security Concerns On Cornell Information Technology Policy
General Context
• Cornell is not unique – it remains plagued by a growing spectrum of IT security concerns.
• In response, Cornell has:
– Created a security program
– Begun developing a suite of university policies to better support Cornell’s ability to address new security challenges effectively.
The Cornell IT Policy – Past, Present and Future
Policy Review
• RESPONSIBLE USE OF ELECTRONIC COMMUNICATIONS
– Became policy in 1995
• Cornell University expects all members of its community to
use electronic communications in a responsible manner. The
university may restrict the use of its computers and network
systems for electronic communications, in response to
complaints presenting evidence of violations of other
university policies or codes, or state or federal laws.
• Parts of this policy are now reflected in new policy
development – it will likely be refined to focus on just issues
of abuse in the future.
Policies Under Development
• Reporting Electronic Security Incidents
– In Draft (August 29th 2003)
– Reason for Policy
• Prompt and consistent reporting of electronic security incidents protects and preserves these resources by enabling expeditious action in the event of such an incident, and aids the university in compliance with applicable law.
Reporting Electronic Security Incidents Procedures
• “If you suspect that an electronic security
incident may have occurred or may be imminent,
you are expected to take the actions detailed …”
– Contact your local support provider or the Cornell Network Operations Center
– The local support provider is obligated to collect relevant information and report to Security.
– The Security Office will open a problem report and has the authority to “perform any action necessary …”
Security Of Information Technology Resources
• Draft (August 29th 2003)
• Reason for Policy
– The university must preserve its information technology resources, comply with applicable laws and regulations, comply with other university or unit policy regarding protection and preservation of data, and fulfill its missions. Toward these ends, faculty, staff, and students must share in the responsibility for the security of information technology devices.
Security Of Information Technology Resources…
• Establishes the principle that every IT device
connected to the Cornell network must have at
least one individual managing the security of
that device.
• Defines roles (Users, Local Support Providers,
Security Liaison, Unit Heads, IT Security
Director)
Security Of Information Technology Resources Procedures
• Users
– If there is no local support provider, the user is obligated to:
• Secure the host (strong passwords, anti-virus updates, etc.)
• Allow access by the Security Office
– If there is a local support provider, then:
• Report all electronic security incidents to your local
support provider immediately, as detailed in
University Policy 5.4.2, Reporting Electronic
Security Incidents.
Security Of Information Technology Resources Procedures
• Support Providers Are Obligated To:
– Secure hosts under their control
– Report incidents and allow access
• Unit Security Liaison Is Obligated To:
– Act as the unit point of contact with IT Security
Director
– Implement a security program consistent with
requirements of this policy …
Security Of Information Technology Resources Procedures
• Unit Head
– Obligated to appoint Unit Security Liaison
• IT Security Director
– The IT Security Director is the university office
with the authority to coordinate campus
information technology security …
Network Registry
• Draft (Nov 4th 2003)
• Reason for Policy
– To enhance the maintenance and security of
the university network, and to alleviate
potential legal liability, the university supports
the creation of a central registry of devices
connected to the university network.
Network Registry – Procedures
• All devices on the network must be registered in a central database
– All applicable information for a given device, such as MAC address, IP address, responsible party, location …
– Implied is the development of an online
registration service
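As an added illustration (not code from the Cornell drafts or from this presentation), the following Python sketch shows the kind of registry the procedure describes and the check that gives it its security value: reconciling what is actually seen on the wire against who is registered for it, so that an incident can be tied to a responsible party. Device names, addresses, people and the DHCP log lines are all constructed for the example; the `Registry` class, `normalize_mac` and `parse_dhcp_acks` are assumed names, not part of any Cornell service.

```python
"""Minimal device registry of the kind the Network Registry draft calls for:
MAC address, IP address, responsible party and location per device, plus a
reconciliation pass over observed DHCP leases. Everything here is constructed
for illustration; it is not Cornell's registration service."""

import ipaddress
import re
from dataclasses import dataclass

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize 00:1A:2B-... / 00-1a-2b-... / 001a.2b3c.4d5e to 00:1a:2b:3c:4d:5e.

    Raises ValueError unless exactly 12 hex digits remain once separators are
    stripped, so a registry keyed on this string cannot hold the same card twice
    under two spellings."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _MAC_RE.match(digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    responsible_party: str  # the person accountable for the host
    location: str


class Registry:
    """Central registry indexed both by MAC and by IP (assumed design)."""

    def __init__(self) -> None:
        self._by_mac: dict[str, Device] = {}
        self._by_ip: dict[str, Device] = {}

    def register(self, mac: str, ip: str, responsible_party: str, location: str) -> Device:
        mac = normalize_mac(mac)
        ip = str(ipaddress.ip_address(ip))  # rejects malformed addresses
        if mac in self._by_mac:
            raise ValueError(f"{mac} already registered to {self._by_mac[mac].responsible_party}")
        if ip in self._by_ip:
            raise ValueError(f"{ip} already registered to {self._by_ip[ip].mac}")
        dev = Device(mac, ip, responsible_party, location)
        self._by_mac[mac] = dev
        self._by_ip[ip] = dev
        return dev

    def lookup_mac(self, mac: str):
        return self._by_mac.get(normalize_mac(mac))

    def lookup_ip(self, ip: str):
        return self._by_ip.get(str(ipaddress.ip_address(ip)))

    def reconcile(self, observations):
        """observations: iterable of (mac, ip) pairs seen on the network.

        Returns findings a responder would act on:
          unregistered  - MAC never registered, so no responsible party to contact
          ip_mismatch   - registered MAC using an IP other than its registered one
        """
        findings = []
        for mac, ip in observations:
            mac = normalize_mac(mac)
            ip = str(ipaddress.ip_address(ip))
            dev = self._by_mac.get(mac)
            if dev is None:
                findings.append(("unregistered", mac, ip))
            elif dev.ip != ip:
                findings.append(("ip_mismatch", mac, ip))
        return findings


# Constructed sample of ISC dhcpd-style syslog lines (not real Cornell data).
SAMPLE_DHCP_LOG = """\
Nov  4 09:12:01 dhcp1 dhcpd: DHCPACK on 10.12.0.5 to 00:1a:2b:3c:4d:5e (lab-pc-01) via eth0
Nov  4 09:12:07 dhcp1 dhcpd: DHCPACK on 10.12.0.9 to 00-1A-2B-3C-4D-5F via eth0
Nov  4 09:12:15 dhcp1 dhcpd: DHCPACK on 10.12.0.20 to 001a.2b3c.4d60 (visitor) via eth0
"""
_ACK_RE = re.compile(r"DHCPACK on (\S+) to (\S+)")


def parse_dhcp_acks(log: str):
    """Extract (mac, ip) pairs from DHCPACK lines; other lines are ignored."""
    return [(m.group(2), m.group(1)) for line in log.splitlines() if (m := _ACK_RE.search(line))]


if __name__ == "__main__":
    reg = Registry()
    reg.register("00:1A:2B:3C:4D:5E", "10.12.0.5", "jdoe", "Rhodes 401")
    reg.register("00-1a-2b-3c-4d-5f", "10.12.0.8", "asmith", "Rhodes 402")
    for kind, mac, ip in reg.reconcile(parse_dhcp_acks(SAMPLE_DHCP_LOG)):
        owner = reg.lookup_mac(mac)
        print(kind, mac, ip, owner.responsible_party if owner else "(nobody)")
```

The reconciliation is what turns the registry from a spreadsheet into a security control: an incident report naming only an IP address becomes a named person and a room, and hosts nobody has claimed show up before they become someone's problem. One caveat a practitioner should keep in mind: a MAC address is trivially changed by the device owner, so a MAC-keyed registry supports attribution and accountability, not authentication; it tells you who to call, not who is really on the port.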
Policy on Authentication and Authorization
• Status: Impact Statement
• Policy goal is to facilitate a comprehensive
strategy for controlling electronic access and
coordinating deployment of university
authentication and authorization mechanisms.
– Define owner(s)
• Advisory board
– Authentication vs Authorization
– Exception process
NUBB (Network Usage-Based Billing)
• Not a university policy – however …
– Users of the network are responsible for
network fees – even if their system is
compromised.*
• Defines a “responsible party.”
• Huge impact on system awareness
• Single most positive impact on securing systems at
Cornell to date.
Other Policies Worth Noting
• Access to Electronic Mail, and Access to Network Log Data
– Both define “owner” and process for access to
information
– Trying to address the issue of “privacy”
• Escrow of Encryption Keys
– Approved Policy
• Focused on administrative data
Deployment Concerns
• Creation of the registration database
• Automation of the incident reporting and
tracking process
• Education (Users, Support Providers,
Security Liaisons)
• Campus participation
Closing Thoughts
• Policy development process is as important as
the finished product
• Key themes are:
– Responsible party
– Clearly understood processes for reporting
– Formal authority of the Security Office
– Development of tools to enable the smooth realization of these new policies.
• URL:
– http://www.cit.cornell.edu/oit/policy/drafts/