ITS/CLO Partnership - PowerPoint PPT Presentation

Description:

ITS/CLO Partnership in IT Security Implementation, by Kent Leung, Chief Computing Officer, Information Technology Services office. CLO = CLO/DSO; CLO = Computer Liaison ...

Transcript and Presenter's Notes

1
  • ITS/CLO Partnership
  • In IT Security Implementation
  • By
  • Kent Leung
  • Chief Computing Officer
  • Information Technology Services office

2
ITS/CLO Partnership
  • CLO = CLO/DSO
  • CLO = Computer Liaison Officer
  • DSO = Departmental Security Officer

3
Recommendations on IT Security from IAU
  • IAU recommendations in April 2002
  • Establish and enforce an Institutional Computer
    Security Policy
  • Establish Security Incident Handling Procedures

4
Recommendations on IT Security from IAU
  • IAU recommendations in April 2002
  • Assist Departments to develop Departmental
    Security Policy, Guidelines and Procedures
  • Conduct security awareness and training
    programs

5
Establish an Institutional Computer Security
Policy
  • ITS promulgated the PolyU Computer Systems
    Security Policy in 1999
  • It is not only for ITS but for ALL users in PolyU
  • Departments have the responsibility to comply
    with it
  • Endorsed by the internal and external auditors in
    2000
  • Endorsed by ITSC in April 2002
  • Available on the PolyU Security Website

6
Establish an Institutional Computer Security
Policy
  • ITS promulgated the network policy for student
    hostel in 2002
  • http://www.polyu.edu.hk/its/services_facilities/HALL_Reg.html

7
Enforcement of the PolyU Systems Security Policy
  • ITS reviews the PolyU Systems Security Policy
    annually to cope with changing circumstances
  • Departments should also review departmental
    system security policy annually to cope with
    changing circumstances

8
Enforcement of the PolyU Systems Security Policy
  • Ensure all service providers comply with PolyU
    SSP and departmental SSP
  • New services should comply with SSP before being
    put into production

9
Establish Security Incident Handling Procedures
  • ITS has in place security incident handling
    procedures
  • ITS security team handles all security related
    incidents, e.g., virus infection, hacking, etc.
  • Led by Mr. P.F. Chan
  • Users only need to report IT Security related
    incidents via HOTS
  • All cases kept confidential

10
ITS assists Departments to develop Departmental
Computer Security Policy, Guidelines and
Procedures

11
Departmental Computer Security Policy, Guidelines
and Procedures
  • Establish the scope of the Policy by identifying
    the extent of IT assets
  • Information, service, software and hardware
  • Perform risk and threat analysis on each
    identified asset

12
Risk Analysis
| Information/Services | Confidentiality | Integrity | Availability | Max Tolerable Downtime (hours) |
|---|---|---|---|---|
| Network Infrastructure | | | | |
| Backbone Core | 3 | 5 | 5 | 0 |
| Internet Link | 3 | 5 | 5 | 1 |
| Network Management | | | | |
| Network Management | 4 | 5 | 3 | 4 |
| Internet Firewall and DMZ Servers | | | | |
| Webmail | 4 | 4 | 4 | 1 |
| Operation Services | | | | |
| Backup | 4 | 4 | 3 | 24 |
| Academic LAN Services | | | | |
| GroupWise | 5 | 5 | 4 | 4 |

13
Risk Levels
| Rating | Likelihood Level | Description |
|---|---|---|
| 5 | Very High | Expected to occur in most circumstances |
| 4 | High | Should occur quite frequently but intermittently |
| 3 | Medium | Should occur occasionally |
| 2 | Low | Could occur at a few specific times |
| 1 | Very Low | Could occur in exceptional circumstances |
| 0 | Not occur | No occurrence probability |

14
Threat Analysis Summary
THREATS HIGH (H), MEDIUM (M)
INFORMATION / SERVICES Masquerading System Compromise Communication Interception Denial of Service Virus or Malicious Code / Damaging or Disruptive SW Misuse of System Resources Improper Access to information Technical Failure of Services
Backbone Core Distribution M M
Internet Link H H M
Network Management M H
Internet Email and WebMail H H M H H

15
Departmental Computer Security Policy, Guidelines
and Procedures
  • Help is available from:
  • ITS (contact Mr. P.F. Chan)
  • NetDefence
  • Your own choice of vendor

16
Departmental Computer Security Policy, Guidelines
and Procedures
  • Decide in joint consultative meetings if the
    PolyU Systems Security Policy is sufficient to
    protect against the perceived risks in the Department
  • If Yes, adopt and enforce the PolyU Systems
    Security Policy
  • If No, add additional rules and guidelines for
    the department

17
Departmental Computer Security Policy, Guidelines
and Procedures
  • File a copy of the Departmental Policy, Guidelines
    and Procedures in ITS and IAU for record
  • The PolyU Systems Security Policy is the
    minimum security standard that Departments must
    comply with

18
Security Awareness and Training
  • ITS/CLO shall conduct and encourage departmental
    staff to attend security briefings regularly
  • ITS/CLO shall regularly brief their staff and
    students on prevailing external threats, virus
    attacks and the security updates of the software
    they are using

19
What Has ITS Done?
  • Access Control on Routers
  • Use switches instead of hubs in the Campus Network
  • Provide VPN Service
  • Provide transparent proxy
  • Maintain an IT Security Website
  • Dedicated team on IT Security

20
What Has ITS Done?
  • Implement firewalls
  • Require users to register their Web servers,
    e-mail servers, etc.
  • Firewall Bypass Registration
  • Firewall bypass requests effective from 29 Nov
    2002
  • If your department has not registered, all
    firewall bypass rules will be removed
  • Remind and encourage users to change passwords
    regularly

21
What Has ITS Done?
  • Provide anti-virus software on PC clients to all
    users
  • Implement virus filtering on GroupWise and Campus
    E-mail
  • Require remote users to authenticate before using
    PolyU E-mail servers
  • Send virus alert notices to all users

22
The Role of CLO/DSO
  • Advisor to the Department Head
  • Partner of ITS
  • Mentor on IT security issues in Department
  • Departmental Representative on IT security issues
  • Oversees Departmental IT security related matters

23
The Role of CLO/DSO
  • Oversees Departmental IT security matters
  • Manage IP assignment
  • Assign IP address within the departmental VLAN
  • Keep an up-to-date list of the location, owner
    and contact person of each IP address

24
The Role of CLO/DSO
  • Oversees Departmental IT security matters
  • Coordinate departmental firewall registrations
  • Examine and authorize firewall bypass
    requirements
  • Maintain up-to-date firewall bypass records
  • Renew firewall bypass applications annually

25
The Role of CLO/DSO
  • Keep abreast of security updates on various OS
    platforms
  • Alert departmental users to new virus attacks and
    the latest anti-virus tools
  • Coordinate replies to security related queries on
    attacks originating from the department

26
The Role of CLO/DSO
  • Provide information and assist in the
    investigation of security incidents
  • Work closely with ITS on all security and IT
    related issues
  • Report IT security incidents to ITS