Departmental Security Framework
Rutgers University Office of Information Technology
Presented By: Bruce Rights
Systems Programmer / Administrator
Information Protection and [email protected]
IT Certificate Program – Departmental Security Framework Fall, 2008
Housekeeping
Hours
Bathrooms
Fire exits
Telephones
Recycling
Smoking
Contact information
Departmental Security Framework
Welcome
Introduction
Agenda
Expectations and Objectives
Office of Information Technology Organization
Introduction to Security
Terms & Definitions
IPS Security Services
Other Services
Rutgers Policies and Procedures
Department Responsibilities
Conclusion
Expectations and Objectives
What would you like to get out of this?
What are your past experiences?
What has happened in the last month?
http://www.rci.rutgers.edu/~brights/it_cert_ips/bbc.mpeg
Office of Information Technology
http://www.rci.rutgers.edu/~brights/it_cert_ips/oit_org_chart.htm
Introduction to Security
Why is security important?
What do you want protected about yourself?
Is confidentiality possible in today’s electronic world?
More intro. to Security
What is the security threat at Rutgers?
Problems:
Limited internet handoff firewall
Limited firewall from ResNet
Limited firewall from Administrative functions
Lots of data stored locally
No historical security awareness
Limited local subnet firewalls
No authoritarian security directives
Routine pass-through of information, so the original data custodian does not know the full extent of data sharing
No data classification
No identification of what to keep confidential
No money for security
Even more intro. to Security
What protection is already here?
Solutions in place:
Universal managed anti-virus
Local patching repository
RUSecure web pages (including cirt, infoprotect, netsecurity, nppi, ruscan)
Terms & Definitions
Authentication
Authorization
Best Practices
Critical Host
Data Custodian / Owner / User
Defense in Depth
Network Contact (NC)
Network Liaison (NL)
Rutgers Terms & Definitions
Microcomputer Support Services Group (MSSG)
Rutgers University Computing Services (RUCS) (prior name for OIT)
Administrative Computing Services (ACS) (prior name for ESO and ADDM)
http://ucstoolkit.rutgers.edu/general/acronyms.html
IPS Services
Security Awareness
Compliance
Training
Abuse Handling
IPS Services: Security Awareness
Webpages http://rusecure.rutgers.edu
Online security survey: https://webhost3.rutgers.edu/security_interview/
IPS Services: Security Awareness
Q&A webpage for Directors http://rusecure.rutgers.edu/department/administration/it-security-questions-you-should-be-asking/
Mailing lists https://email.rutgers.edu/mailman/listinfo/ (Security_Admins and Security_Alerts)
IPS Services: Compliance
http://rusecure.rutgers.edu/department/techstaff/compliance/
HIPAA, GLBA, SEVIS, FERPA, SOX, FACTA, PCI
NJ ID Theft Prevention Act http://infoprotect.rutgers.edu/compl/njid.php
http://www.rci.rutgers.edu/~brights/it_cert_ips/0304_desk.jpg
http://www.rci.rutgers.edu/~brights/it_cert_ips/0304_desk_answer.jpg
IPS Services: Training
NBCS Education classes http://edseries.rutgers.edu
Introduction to Security Awareness
ID Theft
Camden Education classes http://edseries.camden.rutgers.edu
Newark Education series http://www.ncs.rutgers.edu/helpdesk/edseries/index.htm
Other specialized/on demand
IPS Services: Abuse Handling
http://rusecure.rutgers.edu/department/techstaff/ih
RIAA, IFPI, MPAA, DMCA
Subject: DMCA Notice (Ref: RZZZZ)
28 June 2005
Ref: RZZZZ
Re: http://www.eden.rutgers.edu/~XXXXXXX/Music/
Dear Lance D Jordan,
I am contacting you on behalf of the International Federation of the Phonographic Industry (IFPI) and its member record companies. The IFPI is a trade association whose member companies are some 1,450 major and independent record companies in the US and internationally who create, manufacture and distribute sound recordings. Under penalty of perjury, we submit that the IFPI is authorized to act on behalf of its member companies in matters involving the infringement of their sound recordings, including enforcing their copyrights and common law rights on the Internet.
We have learned that your service is hosting infringing files on its network (see above-referenced directory). These files contain sound recordings by the artists known as Basement Jaxx, Jackson 5, Gorillaz and Kiss. These sound recordings are owned by some of our member companies and have not been authorized for this kind of use. We have a good faith belief that the above-described activity is not authorized by the copyright owner, its agent, or the law. We assert that the information in this notification is accurate, based upon the data available to us.
We are asking for your immediate assistance in stopping this unauthorized activity. Specifically, we request that you remove the infringing files from your system or that you disable access to the infringing files. In addition, please inform the site operator of the illegality of his or her conduct.
You should understand that this letter constitutes notice to you that this site operator may be liable for the infringing activity occurring on your service. In addition, under the Digital Millennium Copyright Act, if you ignore this notice, you and/or your company may also be liable for any resulting infringement. This letter does not constitute a waiver of any right to recover damages incurred by virtue of any such unauthorized activities, and such rights as well as claims for other relief are expressly retained.
You may contact me at IFPI Secretariat, 54 Regent Street, London W1B 5RE, United Kingdom or email [email protected], to discuss this notice. We await your response.
Other OIT Services
LAN Support Services: http://lss.rutgers.edu/
ACLs on Switches http://www.td.rutgers.edu/documentation/Policies/Switch_Access_Guideline.pdf
Web On-Line Payment http://ua.rutgers.edu/unrestricted/CurrUnrestricted.php
Other OIT Services, pt 2.
Safeword http://rusecure.rutgers.edu/services/authentication-token-cards/safeword/
SecurID http://rusecure.rutgers.edu/services/authentication-token-cards/securid-authentication/
http://www.rci.rutgers.edu/~brights/it_cert_ips/password.gif
Services outside of OIT
ID Theft 911 http://uhr.rutgers.edu/ben/AddBenIdentityTheft.htm
http://www.identitytheft911-sunj.com/home.htm
Credit Cards http://www.rci.rutgers.edu/~univcont/creditsecurity/index.htm
Services outside of OIT (2)
Information Protection Evaluation Team (IPET)
http://policies.rutgers.edu/PDF/Section50/50.3.9-current.pdf
http://policies.rutgers.edu/PDF/Section50/50.3.9-IDTheftGuidelines-current.pdf
RUID instead of SSN http://studentaffairs.rutgers.edu/ruid.html
Rutgers Policies
Rutgers Policies http://policies.rutgers.edu/
Data destruction/disposal http://policies.rutgers.edu/PDF/Section20/20.1.12-current.pdf
Copyright http://policies.rutgers.edu/PDF/Section50/50.3.7-current.pdf
Computer policies (All are under review) http://policies.rutgers.edu/contents70.shtml
Rutgers Procedures, etc.
Confidentiality http://ruweb.rutgers.edu/oldqueens/employ.pdf
Proper Use http://ruweb.rutgers.edu/oldqueens/properuse.pdf
Acceptable Use Policy (AUP) http://oit.rutgers.edu/acceptable-use.html
Wireless http://wireless.rutgers.edu/policy.php
http://oit.rutgers.edu/wireless-policy.html
Rutgers Procedures (cont.)
(computer security)
http://rusecure.rutgers.edu/draft-policies-and-standards/draft-information-security-classification-policy/
http://rusecure.rutgers.edu/draft-policies-and-standards/draft-minimum-security-standards-for-networked-devices/
Department Responsibilities
Policies and procedures
Security planning
Secure operations
http://www.rci.rutgers.edu/~brights/it_cert_ips/balance.jpg
Department Policies and Procedures
What are your departmental policies?
What are your departmental procedures?
What are your computer policies and procedures?
http://www.rci.rutgers.edu/~brights/it_cert_ips/to_catch_a_thief.mp3
Department Security Planning
Security planning http://rusecure.rutgers.edu/department/administration/developing-an-it-security-plan/
Baseline security http://oit.rutgers.edu/security-9-23-2003.html
Advanced security http://rusecure.rutgers.edu/draft-policies-and-standards/draft-minimum-security-standards-for-networked-devices/
Department Secure Operations
Incident handling [email protected]
Incident detection and handling http://rusecure.rutgers.edu/department/techstaff/ih
Questions
What questions do you have that I did not answer?
What does the future hold?
Thank you for coming
This course is a component of the IT Certificate Program, a collaborative effort of the Office of Information Technology, University Human Resources, and the Internal Audit Department
Information Protection & Security
(A Division of the Office of Information Technology [OIT])
ASB Annex 1
Room 102
Busch campus
56 Bevier Road
Piscataway, NJ 08854
phone: (732) 445-8011
fax: (732) 445-8023
[email protected]