
Departmental Security Framework
Rutgers University Office of Information Technology

Presented By: Bruce Rights, Systems Programmer / Administrator, Information Protection and Security, [email protected]

IT Certificate Program – Departmental Security Framework Fall, 2008

Housekeeping

Hours
Bathrooms
Fire exits
Telephones
Recycling
Smoking
Contact information

Departmental Security Framework

Welcome
Introduction

Agenda

Expectations and Objectives

Office of Information Technology Organization

Introduction to Security

Terms & Definitions

IPS Security Services

Other Services

Rutgers Policies and Procedures

Department Responsibilities

Conclusion

Expectations and Objectives

What would you like to get out of this?

What are your past experiences?
What has happened in the last month?

http://www.rci.rutgers.edu/~brights/it_cert_ips/bbc.mpeg

Office of Information Technology

http://www.rci.rutgers.edu/~brights/it_cert_ips/oit_org_chart.htm

Introduction to Security

Why is security important?
What do you want protected about yourself?
Is confidentiality possible in today’s electronic world?

More intro. to Security

What is the security threat at Rutgers?

Problems:
Limited firewall at the Internet handoff
Limited firewall from ResNet
Limited firewall from Administrative functions
Lots of data stored locally
No historical security awareness
Limited local subnet firewalls
No authoritarian security directives
Routine pass-through of information, so the original data custodian does not know the full extent of data sharing
No data classification
No identification of what to keep confidential
No money for security

Even more intro. to Security

What protection is already here?

Solutions in place:
Universal managed anti-virus
Local patching repository
RUSecure web pages (including cirt, infoprotect, netsecurity, nppi, ruscan)

Terms & Definitions

Authentication
Authorization
Best Practices
Critical Host
Data Custodian / Owner / User
Defense in Depth
Network Contact (NC)
Network Liaison (NL)

Rutgers Terms & Definitions

Microcomputer Support Services Group (MSSG)

Rutgers University Computing Services (RUCS) (prior name for OIT)

Administrative Computing Services (ACS) (prior name for ESO and ADDM)

http://ucstoolkit.rutgers.edu/general/acronyms.html

IPS Services

Security Awareness
Compliance
Training
Abuse Handling

IPS Services: Security Awareness

Webpages: http://rusecure.rutgers.edu

Online security survey: https://webhost3.rutgers.edu/security_interview/

IPS Services: Security Awareness

Q&A webpage for Directors: http://rusecure.rutgers.edu/department/administration/it-security-questions-you-should-be-asking/

Mailing lists: https://email.rutgers.edu/mailman/listinfo/ (Security_Admins and Security_Alerts)

IPS Services: Compliance

http://rusecure.rutgers.edu/department/techstaff/compliance/

HIPAA, GLBA, SEVIS, FERPA, SOX, FACTA, PCI

NJ ID Theft Prevention Act: http://infoprotect.rutgers.edu/compl/njid.php

http://www.rci.rutgers.edu/~brights/it_cert_ips/0304_desk.jpg
http://www.rci.rutgers.edu/~brights/it_cert_ips/0304_desk_answer.jpg

IPS Services: Training

NBCS Education classes (Introduction to Security Awareness, ID Theft): http://edseries.rutgers.edu

Camden Education classes: http://edseries.camden.rutgers.edu

Newark Education series: http://www.ncs.rutgers.edu/helpdesk/edseries/index.htm

Other specialized/on demand

IPS Services: Abuse Handling

[email protected]

http://rusecure.rutgers.edu/department/techstaff/ih

RIAA, IFPI, MPAA, DMCA

Subject: DMCA Notice (Ref: RZZZZ)

28 June 2005
Ref: RZZZZ
Re: http://www.eden.rutgers.edu/~XXXXXXX/Music/

Dear Lance D Jordan,

I am contacting you on behalf of the International Federation of the Phonographic Industry (IFPI) and its member record companies. The IFPI is a trade association whose member companies are some 1,450 major and independent record companies in the US and internationally who create, manufacture and distribute sound recordings. Under penalty of perjury, we submit that the IFPI is authorized to act on behalf of its member companies in matters involving the infringement of their sound recordings, including enforcing their copyrights and common law rights on the Internet.

We have learned that your service is hosting infringing files on its network (see above-referenced directory). These files contain sound recordings by the artists known as Basement Jaxx, Jackson 5, Gorillaz and Kiss. These sound recordings are owned by some of our member companies and have not been authorized for this kind of use. We have a good faith belief that the above-described activity is not authorized by the copyright owner, its agent, or the law. We assert that the information in this notification is accurate, based upon the data available to us.

We are asking for your immediate assistance in stopping this unauthorized activity. Specifically, we request that you remove the infringing files from your system or that you disable access to the infringing files. In addition, please inform the site operator of the illegality of his or her conduct.

You should understand that this letter constitutes notice to you that this site operator may be liable for the infringing activity occurring on your service. In addition, under the Digital Millennium Copyright Act, if you ignore this notice, you and/or your company may also be liable for any resulting infringement. This letter does not constitute a waiver of any right to recover damages incurred by virtue of any such unauthorized activities, and such rights as well as claims for other relief are expressly retained.

You may contact me at IFPI Secretariat, 54 Regent Street, London W1B 5RE, United Kingdom or email [email protected], to discuss this notice. We await your response.

Other OIT Services

LAN Support Services: http://lss.rutgers.edu/

ACLs on Switches: http://www.td.rutgers.edu/documentation/Policies/Switch_Access_Guideline.pdf

Web On-Line Payment: http://ua.rutgers.edu/unrestricted/CurrUnrestricted.php

Other OIT Services, pt 2.

Safeword: http://rusecure.rutgers.edu/services/authentication-token-cards/safeword/

SecurID: http://rusecure.rutgers.edu/services/authentication-token-cards/securid-authentication/

http://www.rci.rutgers.edu/~brights/it_cert_ips/password.gif

Services outside of OIT

ID Theft 911: http://uhr.rutgers.edu/ben/AddBenIdentityTheft.htm

http://www.identitytheft911-sunj.com/home.htm

Credit Cards: http://www.rci.rutgers.edu/~univcont/creditsecurity/index.htm

Services outside of OIT (2)

Information Protection Evaluation Team (IPET): http://policies.rutgers.edu/PDF/Section50/50.3.9-current.pdf

http://policies.rutgers.edu/PDF/Section50/50.3.9-IDTheftGuidelines-current.pdf

RUID instead of SSN: http://studentaffairs.rutgers.edu/ruid.html

Rutgers Policies

http://policies.rutgers.edu/

Data destruction/disposal: http://policies.rutgers.edu/PDF/Section20/20.1.12-current.pdf

Copyright: http://policies.rutgers.edu/PDF/Section50/50.3.7-current.pdf

Computer policies (all are under review): http://policies.rutgers.edu/contents70.shtml

Rutgers Procedures, etc.

Confidentiality: http://ruweb.rutgers.edu/oldqueens/employ.pdf

Proper Use: http://ruweb.rutgers.edu/oldqueens/properuse.pdf

Acceptable Use Policy (AUP): http://oit.rutgers.edu/acceptable-use.html

Wireless: http://wireless.rutgers.edu/policy.php
http://oit.rutgers.edu/wireless-policy.html

Rutgers Procedures (cont.)

Computer security (draft): http://rusecure.rutgers.edu/draft-policies-and-standards/draft-information-security-classification-policy/

http://rusecure.rutgers.edu/draft-policies-and-standards/draft-minimum-security-standards-for-networked-devices/

Department Responsibilities

Policies and procedures

Security planning

Secure operations

http://www.rci.rutgers.edu/~brights/it_cert_ips/balance.jpg

Department Policies and Procedures

What are your departmental policies?

What are your departmental procedures?

What are your computer policies and procedures?

http://www.rci.rutgers.edu/~brights/it_cert_ips/to_catch_a_thief.mp3

Department Security Planning

Security planning: http://rusecure.rutgers.edu/department/administration/developing-an-it-security-plan/

Baseline security: http://oit.rutgers.edu/security-9-23-2003.html

Advanced security: http://rusecure.rutgers.edu/draft-policies-and-standards/draft-minimum-security-standards-for-networked-devices/

Department Secure Operations

Incident handling: [email protected]

Incident detection and handling: http://rusecure.rutgers.edu/department/techstaff/ih

Questions

What questions do you have that I did not answer?

What does the future hold?

Thank you for coming

This course is a component of the IT Certificate Program, a collaborative effort of the Office of Information Technology, University Human Resources, and the Internal Audit Department

Information Protection & Security (a division of the Office of Information Technology [OIT])

ASB Annex 1, Room 102
Busch campus
56 Bevier Road
Piscataway, NJ 08854
phone: (732) 445-8011
fax: (732) 445-8023
[email protected]