Security and Privacy Policy
The World Has Changed!
Common Solutions Group
Jack McCredie
January 9, 2004
Agenda
Share Progress & Request Help
• Security and privacy policy framework at UC
• Recommended policy structure & process
• Specter of emerging legislation
  - Illustration: CA SB-1386
• Security policy evolution at UC Berkeley
  - Illustration: minimum security standards policy
• Request for help – are we nuts?
Recommended structure
• Purpose
• Scope
• Policy
• Roles and responsibilities
• Consequences
• Requests for exception
• Appendices that can be easily modified
• Set of standing committees to contribute, review, and approve
• Communicate, communicate, communicate
University-wide policies
Campus-wide policies
Information technology policies
Security & Privacy Policies
System & campus-wide policies
• UC Electronic Communications Policy
  http://www.ucop.edu/ucophome/policies/ec/html/
• UC Business and Finance Bulletin IS-3
  http://www.ucop.edu/ucophome/policies/bfb/bfbis.html
• Guide to Administrative Responsibilities
  http://controller-fs.vcbf.berkeley.edu/TableofContents.html
Information Technology Policies
• Requirements for Protection of Computerized Personal Information (Implementation of SB 1386)
  http://socrates.berkeley.edu:7015/protected.data.html
• Guide to Selected Privacy and Confidentiality Regulations
  http://socrates.berkeley.edu:7015/privacy/guidelines.html
• Guidelines for Use of Campus Network Data Reports
  http://security.berkeley.edu:2002/CISC/gdlns.net.data.html
Security and Privacy Policies
• Campus Information Technology Security Policy
  http://socrates.berkeley.edu:2002/IT.sec.policy.html
• Minimum Security Standards
  http://socrates.berkeley.edu:2002/MinStds/policy.htm
• SNS Scanning of the UC Berkeley Campus Network
  http://sec-info.berkeley.edu/cgi-bin/scaninfo-login.pl/
Security and Privacy Policies
• Departmental Security Contact Policy
  http://socrates.berkeley.edu:2002/contacts.html
• Guidelines and Procedures for Blocking Network Access
  http://socrates.berkeley.edu:2002/blocking.html
• IT Security “Best Practices”
  http://socrates.berkeley.edu:2002/bestpractices.html
Specter of emerging legislation
• Illustrative law: California SB 1386
• UC Berkeley incidents since July 1, 2003
• Campus and system-wide response
Policy Evolution: Have we gone over the top?
• UC electronic communications policy
• Departmental security contact
• Guidelines and procedures for blocking network access
• Campus IT security policy
• Requirements for protection of computerized personal information
• SNS Scanning of the UCB campus network
• Required minimum security standards
Required minimum security standards
• Software patch updates
• Anti-virus software
• Passwords
• No unencrypted authentication
• No unauthenticated email relays
• No unauthenticated proxy servers
• Physical security
• Unnecessary services
• HOST-BASED FIREWALL SOFTWARE REQUIRED
Are We Nuts?
• Questions and discussion