The document summarizes a webinar about crafting IT security policy. It discusses how the threat landscape has changed in recent years with many high-profile data breaches. It introduces the CIA security framework of confidentiality, integrity and availability and how to assess risks to data based on these factors. It provides tips on inventorying organizational data and assigning risk levels. The presentation outlines how to develop IT policy by applying the CIA framework, including policies for IT departments, end users, passwords, and bring your own device. The goal is to have agreed upon security principles in writing to guide decision making and protocols.
Community IT Webinar - Crafting IT Security Policy Apr 2015
1. Crafting IT Security Policy
Community IT Innovators Webinar Series
April 23, 2015
3. Webinar Tips
• Interact: ask questions via chat; connect on Twitter
• Focus: avoid multitasking. You may just miss the best part of the presentation
• Webinar PowerPoint & Recording: PowerPoint and recording links will be shared after the webinar
4. About Community IT
Our skilled and certified team of IT professionals serves the greater Washington nonprofit community, helping organizations of all sizes and capacities to advance mission through the effective use of technology.
Invested: Work exclusively with nonprofit organizations, serving over 900 since 1993.
Strategic: Help our clients make IT decisions that support mission.
Collaborative: Team of over 30 staff who empower you to make informed IT choices.
11. Confidentiality
• Who can read the data?
• Controlling access to the data
Risk: Disclosure of information
LOW: Disclosure of information could be expected to have a limited adverse effect
MODERATE: Disclosure of information could be expected to have a serious adverse effect
HIGH: Disclosure of information could be expected to have a severe or catastrophic effect
12. Integrity
• Who can edit the data?
• Ensuring accuracy of the data
Risk: Modification or destruction of data
LOW: Modification or destruction of data could be expected to have a limited adverse effect
MODERATE: Modification or destruction of data could be expected to have a serious adverse effect
HIGH: Modification or destruction of data could be expected to have a severe or catastrophic effect
13. Availability
• Is the data accessible?
• Ensuring access to the data when needed
Risk: Disruption of access to information
LOW: Disruption of access to or use of information could be expected to have a limited adverse effect
MODERATE: Disruption of access to or use of information could be expected to have a serious adverse effect
HIGH: Disruption of access to or use of information could be expected to have a severe or catastrophic effect
16. Inventory your Data
• Exhaustive list of all organizational data
• Analyze it from the 3 CIA perspectives
• Assign a Low, Moderate or High risk
17. CIA analysis
• PDF of signed Annual Performance Review
  • Confidentiality: Limit to HR and Supervisor (this may be a regulatory issue) - HIGH
  • Integrity: Data should not change and must have utmost confidence the file is not altered - HIGH
  • Availability: Needed only upon request, 2-3 days - LOW
18. CIA analysis
• Accounting System
  • Confidentiality: Limit to Finance Department and President - MODERATE
  • Integrity: Constantly updated. Roll back last thirty days' activity. Must have record of who changed what. - HIGH
  • Availability: Downtime of 8 hrs acceptable. - MODERATE
19. CIA Inventory
Data              Confidentiality  Integrity  Availability
Sensitive Data
  Medical Records   High             High       High
  Donor Contacts    Moderate         High       Moderate
  Financial System  Moderate         High       Moderate
  HR Records        High             Moderate   Low
Less Sensitive
  Email             Moderate         High       High
  Grant Proposals   Low              Moderate   High
  Program Mgmt      Low              Moderate   Moderate
20. Security as IT Policy
http://commons.wikimedia.org/wiki/File:Stipula_fountain_pen.jpg
21. IT Policy
Agreed upon system of principles to guide IT decision making and achieve certain IT outcomes.
Written as a statement of intent, implemented as IT procedure or protocol.
http://en.wikipedia.org/wiki/Policy
22. IT Policy
Organization agrees on decisions and outcomes related to IT Security.
Agreement is documented in writing.
24. IT Department Policy
Informs both Architecture and Process.
Should include:
• Identity and Access Management
• Endpoint Management
• Data Retention
25. Confidentiality Applied
• Segregate data based on inventory
• Restrict/remove remote access to sensitive data
• Consider logging and monitoring
26. Integrity Applied
• Maintain anti-virus & anti-malware
• Restrict permissions as much as possible
• "Harden" servers
• Scan for vulnerabilities on a schedule
• Lock doors and install fire alarms
27. Availability Applied
• Identify availability requirements
• Invest appropriately
• Backup rule: KISS!
• Keep extra hardware on hand
• Develop a business continuity plan
29. End User Policy
• Security Culture & End-User Training
• Password Policy
• BYOD (and BYOA) Policy
• Written Appropriate Use Policy
30. If Putin gave you a USB charger… would you use it?
http://www.worldcrunch.com/rss/default/m1c0s13958/#.VL_ExMaH044
31. End-User Training
• User awareness is the best defense
• How do we engage users?
• Make it mandatory, but fun
• Training should be ongoing
• Must be embraced by all staff
33. Password Policy
• Should passwords be changed regularly?
• Can they be complex enough to be secure?
• Where else are company passwords being used?
34. Password Management
• Password managers allow users to store many passwords conveniently
• The best ones generate passwords and warn you to change them after breaches
• Options: LastPass, 1Password, Secret Server, AuthAnvil
35. Dual Factor Authentication (2FA)
• Adds physical security to the password
• Much easier to use and deploy than it was two years ago
• Google Authenticator
http://commons.wikimedia.org/wiki/File:EToken_PASS.jpg
37. BYOD Security Risks
“Bring Your Own Device”
• Confidentiality – Data leakage
• Integrity – “Vector” into the company
• Availability – Malware, Targeted hacking
38. Legal Risks
• Legislated law is thin
• Case law is uncertain
• Exempt staff working without compensation
• Personal device and data could be subpoenaed
39. Financial Risks
• Stipends might cost more
• IT support can become entangled
• Exempt staff need to be paid
• Mobile Device Management (MDM) can be expensive
40. BYOD policy questions
• What level of access is provided?
• What level of support is provided? And for which staff?
• Should devices be managed and controlled? For which staff?
41. CIA Inventory
Data              Confidentiality  Integrity  Availability  Policy
Sensitive
  Medical Records   High             High       High          no BYOD, segment wifi
  Donor Contacts    Mod              High       Mod           Published App
  Financial System  Mod              High       Mod           Published App
  HR Records        High             Mod        Low           no BYOD
Less Sensitive
  Email             Mod              Mod        High          BYOD
  Grant Proposals   Low              Mod        High          BYOD
  Program Mgmt      Low              Mod        Mod           BYOD
44. After the webinar
Connect with us
Provide feedback: short survey after you exit the webinar. Be sure to include any questions that were not answered.
Missed anything? Link to slides & recording will be emailed to you.
45. Questions?
Author: DuMont Television/Rosen Studios, New York-photographer, Uploaded by We hope at en.wikipedia
http://commons.wikimedia.org/wiki/File:20_questions_1954.JPG
Editor's notes
GTM starts recording after the first slide advance, so hit record and then advance to the second copy of the title slide.