John Rasmussen - PowerPoint PPT Presentation
1
Security Policy: How, Who, What?
ACM SIGUCCS Spring Management Symposium
John Rasmussen, Oregon Health and Science University
March 21, 2005
2
In the old days the information technology field was the Wild West; institutions could operate on an ad hoc basis while exploring new technologies
  • Limited proliferation of technology meant that there were fewer threats
  • Rapid technological change meant business practices could not keep up
  • Focus was on bringing business technology into the 21st Century
  • Firefighting prevented maturation of business practices
  • Steep learning curve for technology
  • Initially the workforce was not able to keep pace with technological change
  • Y2K

3
What changed?
  • Ubiquity of computer technology and the rapid expansion of technologies
  • A rise in attacks on businesses
    • Not limited to highly trained hackers
    • Tools available for script kiddies and hackers to build their portfolio
  • A rise in the number of avenues of attack
    • Viruses
    • Malware
    • Denial of Service
    • Phishing
  • Federal Legislation
  • Terrorist Attacks
  • Financial Scandals
  • Greater financial/mission impact on institutions if IT availability is affected
    • "The cost of the Sasser virus to business worldwide is thought to be as much as 500m; MyDoom virus will have hit 4bn by the end of the year."
    • "Cost of Sasser is 500m and counting", Ron Coates, www.silicon.com, May 12, 2004

4
Now that we need to comply, who is responsible for laying down the ground rules?
  • Depending upon the type of organization this can be a large group of people
    • CEO's Office
    • Integrity Office
    • IT Management
    • Public Safety / physical security
    • Other stakeholders
    • Users/Students
    • IT line staff
    • Federal Agencies
    • Donors
    • Legal
  • An inclusive policy needs to include input from a variety of sources

5
What are the implications of poor policy development and implementation?
  • Poor development of policy can lead to
    • Additional vulnerabilities and increased risk to the organization
    • No organizational buy-in to policy
  • Poor implementation of policy can lead to
    • Weak security stance
    • No central documentation for vulnerabilities
    • Inability to determine risk for the organization
    • Loss of status
    • Sanctions/Penalties
    • Loss of accreditation
    • Litigation

6
What are the benefits of effective policy implementation?
  • Improved information security
  • Documented procedures for mitigating weaknesses and reducing risk
  • Tighter controls over information
  • Optimization of security spending
  • Organizational buy-in
  • A better informed workforce
  • A focused area for training
  • Reduced organizational costs over the long term

7
Can the usual (months long) policy adoption process work when security needs change hourly?
  • An effective policy needs to be an evolutionary entity that matures with the organization
  • Technology changes fast, but not at a rate that surpasses general policies
  • When technologies reach a certain threshold the policy needs to be reexamined for effectiveness
  • Amendments need to be applied to policy

8
Policy can meet the needs of the rest of the institution if the process is open
  • What are the goals of your policy?
  • If the goals of a policy are clearly stated it is easier to bring stakeholders into the process
  • Federal regulatory guidelines serve as a baseline for developing policies that comply with laws
  • Stakeholder representation is necessary at the outset of the policy planning process
  • Stakeholder input should also be sought during modification of policy so they are not left behind

9
What are the most vexing policy issues?
  • How to pay for policy
  • Are some users more equal than others?
  • How do you make exceptions to policy?
  • How much policy is enough?
  • What, exactly, do these regulations mean?
  • Interpreting security rules

10
Can the IT organization successfully be the policy wonk?
  • The IT organization is looked upon as having the expertise to recommend better policy
  • IT usually stands on the cutting edge of technology
    • Daily experience
    • Knowledge of threats
    • Experienced workforce
    • Awareness of existing and emerging technologies and their impact on the organization
  • IT can guide the development and maturation of policy
  • IT, through its knowledge, can contribute to a proactive policy

11
How is policy enforced?
  • The most effective way to approach policy enforcement is through escalating steps
    • Educating the institution on existing and new policies
    • Auditing for violations
    • Initial warning for policy violators
  • In extreme cases of policy violation an institution may be forced to take personnel actions
    • Reprimands and sanctions
    • Termination
    • Involvement of law enforcement

12
Can IT enforce policy and still be viewed as a service provider?
  • IT can enforce policy by maintaining a background approach
  • IT can monitor policy compliance without impacting service
  • Policy needs to be in place to allow IT to monitor compliance
  • What is a reasonable level of Big Brother?
  • IT's role in enforcement must be inclusive of Public Safety and Corporate Integrity

13
Who pays for policy?
  • How much does policy cost?
  • Technology policy changes can be quite expensive for legacy systems
  • Costs include not only upgrades in technology but also costs for education, enforcement and policy documentation
  • What are the documentation costs? These costs include controls such as written policy, effective practice documents, certification and accreditation of systems, and continuity of operations plans, among others that may be required to meet regulatory compliance
  • Everyone needs to pay for policy
  • Policy costs need to be integrated into IT budgets
  • In the case of security projects, costs for policy compliance must be defined at the conception of a project and budgeted for

14
Three things to take away
  • For policy to be effective it must be
    • Evolutionary
    • Inclusive/Cooperative: it must meet the needs of the organization
    • Proactive

15
Questions for discussion
  • Who writes policy? Who needs to be involved in the policy development process?
  • Who determines the need for policy?
  • Can the usual (months long) policy adoption process work when security needs change hourly? Challenge leaders to think of policy as an organic entity, one that evolves with technology
  • Who pays for policy?
  • What are the implications of poor policy implementation?
  • What are the benefits of effective policy implementation?
  • What are the most vexing policy issues?
  • Can the IT organization successfully be the policy wonk?
  • How is policy enforced?
  • Can IT enforce policy and still be viewed as a service provider?
  • Can policy be flexible and adaptable enough to meet the needs of the institution?