
Post on 19-Dec-2015


Normative vs. Descriptive vs. Pragmatic

Sad reality

• Faculty, staff and students are using mobile devices today, with or without our help (probably without)

• Most of us are significantly under-resourced

• Our users have probably already lost mobile devices containing sensitive university data, we just weren’t told it happened

• What do we tell our bosses when they ask about mobile device incidents?

Policy

• What is it?

• Does one size fit all?

• What will my organizational culture accept?

• What can *I* do to address this?

U. of S.C. Policy Framework

Policy → Standards → Procedures and Guidelines (top to bottom: order of creation, and increasing rate of change)

Characteristics of good policy:

• Originates and maintained at the Trustee/Executive level
• Requires revision only if university goals or mission change
• Easy to understand, written for a broad audience
• Avoids specifics subject to change
• Links to detailed supporting documents
• Stands the test of time

Characteristics of good standards:

• Support policy goals
• Specific without implementation guidance
• Originates and maintained by Data Steward
• Changes more frequently than policy
• Changes less frequently than procedures and guidelines

Characteristics of good procedures:

• Describes how to comply with Policy and Standards
• Varies by business unit need or requirement
• Created and maintained by business unit

Definitions

Policy: Overall intention and direction as formally expressed by management.

Standard: Basis with which to measure policy.

Procedure: A description that clarifies what should be done and how, to achieve the objectives set out in policies.

Framework in Action

UNIV 1.50

“The purpose of this policy is to establish standards to manage, protect, secure and control system institutional data that will promote and support the efficient conduct of University business. The objective of this policy is to minimize impediment to access of this data, yet provide a secure environment.”

Future standards to be issued by Data Stewards

Potential University standards:

• ISO 27002
• Sensitive Data Security
• Logging Practices
• Workstation Security
• Server Security
• Password Practices
• Media Sanitization

Current examples

Specific to University Technology Services:

• Firewall Configuration Management (UTS 300.20.2)
• Computer Room Protocol (UTS 300.30.1)
• Operations Guide for VM Admins (UTS 300.70.1a)

General Information Security guidelines posted to the USC Information Security Program website:

• security.sc.edu

Information Security Related Policies (www.sc.edu/policies):

• Information Security (IT 3.00)
• Data Access (UNIV 1.50)
• Acceptable Use of Information Technology (IT 1.06)
• Other related policy

Location of associated standards, procedures and guidelines:

• datawarehouse.sc.edu
• security.sc.edu

Keep it simple

Give yourself the authority

Make it happen

Mobile device configuration guidelines coming soon!

If all goes well, you now have the freedom to add new guidelines quickly and as needed.

Very agile and flexible approach

Likely compatible with your current environment…

In the meantime, I like Carnegie Mellon’s mobile Internet device recommendations:

http://www.cmu.edu/iso/governance/guidelines/mobile-device.html

So how did I get this new policy published?

Thanks, accreditation!

Catalyst for InfoSec Program push?

A wise person once said, “Never let a good crisis go to waste.”

(or something to that effect!)

“I rooted my device so that *I* am in control!”– Oh, really?

You can keep an eye out for other indicators of “mobile malware.”

So far, we are not aware of other mobile-flavored malware detections…

which makes me awfully suspicious.

Potential ways to implement

Look for cross platform vendors, such as MobileIron

Draw the line at the top 3(?) devices, but even still that might be too resource intensive