University of California, Santa Barbara

Information Security Program

Table of Contents

Introduction .......... 2
1. Application Level Information Security Program .......... 3
   a. Risk Assessment, Asset Inventory and Classification .......... 3
   b. Goals of Security Assessment and Plans: Confidentiality, Integrity, and Availability .......... 4
2. Security Plans, Projects and Processes - Central .......... 4
   a. Incident Management Response Implementation Plan .......... 4
   b. Critical Positions .......... 5
   c. Identity Management Systems .......... 6
   d. Business Recovery Planning - The UC Ready Project .......... 7
   e. Network Security .......... 8
   f. PGP Encryption Project .......... 8
   g. Security Awareness Training Project .......... 8
   h. Red Flags .......... 9
   i. Payment Card Industry (PCI) data security standards .......... 9
   j. Physical Access Project .......... 9
   k. Financial System Security (existing and new) .......... 10
   l. Disposition of Equipment .......... 10
   m. Health Records / HIPAA Controls .......... 11
   n. Potential Future Projects with Merit .......... 11
Appendix A. Checklist .......... 12
Appendix B. References .......... 15

University of California, Santa Barbara
Information Security Plan
December 1, 2011
Page 2 of 15
Introduction

The University of California is committed to high standards of excellence for the protection of its confidential information and the information technology that supports the University. The implementation of appropriate controls and security measures plays a critical role in assuring that information retains its integrity and availability and, where appropriate, its confidentiality. Security measures also protect information technology from damage or compromise and assure that the University’s operations will continue without interruption.

Information security is the condition of information being protected from, or not exposed to, unintended access, loss of availability or corruption. Security also includes the methods, processes and techniques necessary to ensure the availability and correct operation of systems and the protection of data from unauthorized access. The magnitude of security controls should be commensurate with the magnitude of the potential loss or seriousness in the event controls fail. Although the type of security controls may vary, the proper security of information is important regardless of the medium in which the information is stored.

To assure compliance with the high standards expected, the UCSB Chief Information Security Officer has developed this plan to document the existing controls and to document plans for the coming year to improve security. While the scope of information security applies to all University of California Santa Barbara (UCSB) departments, members of the university community (faculty, staff, and students), contractors, consultants, and organizations or individuals, this plan focuses on applications containing confidential or restricted information. Restricted information is defined by UC Policy BFB IS-2.

The information security program plan consists of two major parts. The first part of the security plan is focused on individual applications that contain confidential and restricted information. Each of these applications will be evaluated for threats and risks. The existing controls for each application will be considered and, where needed, additional controls will be implemented. The second part of this plan reports the ongoing and planned security processes and initiatives. These campus-wide initiatives either meet a need of many departments or are the response to specific legal and regulatory requirements.







1. Application Level Information Security Program

The security program includes cost-effective processes, projects and strategies that are consistent with the organizational goals. The processes include controls that are specific to an individual application in addition to processes that are central and apply to all applications. To ensure the security plan is cost-effective, the first step is to review and perform a risk assessment.



a. Risk Assessment, Asset Inventory and Classification

The risk assessment starts by determining the type of information that is most subject to risk. In recent years, the University of California’s greatest costs associated with security failures are those caused by the unauthorized disclosure of information. This has resulted in over 60 required notifications to hundreds of thousands of individuals. Based on a recent study by the Ponemon Institute LLC, a data breach costs an average of $214 per record. While the University does not gather data related to the costs for these breaches, anecdotal evidence suggests that this is the greatest and most expensive information security risk to the University.

As a result, the current plan focuses on information that would require notification in the event of a breach of security. Within the University’s classification system (BFB IS-2) this data is classified as Restricted. This data includes personal information including social security numbers, driver licenses, health information and health insurance information. For the purposes of this year’s plan, only data requiring a notification in the event of a breach will be within the scope; other applications, systems and data may be considered in the future.

The Chief Information Security Officer maintains an inventory of restricted applications. In past years, this inventory was limited to applications containing social security numbers. This year that inventory will be expanded to include restricted applications that contain health insurance numbers or health information.

For each application in the inventory, the CISO will assist the owner of the application to assess the risks using the guidance provided in policy IS-3 (see checklist in Appendix A). This assessment will evaluate existing controls and, where needed, develop specific plans and processes for their applications. These evaluations are planned for completion January 31, 2012.


b. Goals of Security Assessment and Plans: Confidentiality, Integrity, and Availability

As stated above, the primary focus of this plan is to assure that the controls that maintain the confidentiality of the information are working effectively. A secondary, but still important, focus of the plan is the integrity and availability of the application and data. As part of the evaluation of each application, the owner will consider the threats, potential damages and existing controls. Following IS-3 guidance, this evaluation will include the administrative workforce controls, operational and technical controls, and physical and environmental controls.


2. Security Plans, Projects and Processes - Central

Because security is a continuing process, many of the security related processes and projects started in prior years are either established or are ongoing. These projects and processes were started based upon risks and needs identified in the past and provide support for many departments or applications. These security processes are intended to leverage the limited security resources available and to enable the owner of the application to improve the security of their application. The security projects and processes that have a centralized component are discussed below. The central processes are intended to assist, not replace, the actions of the application owners.

The list below of central security processes, procedures and controls should not be considered comprehensive. There are many other programs, processes and procedures that also contribute to good information security.

a. Incident Management Response Implementation Plan

During 2010 and 2011 (to the date of this report) there have been no reportable incidents on the UCSB campus. While the campus experiences security breaches and other problems on a regular basis, none of these breaches have leaked restricted information and thus none would have required notification. However, to prepare for the event of such a breach, there was an effort led by UCOP to document and standardize the incident response process.

During 2011, UCOP, in coordination with the campus HIPAA and security officers including the UCSB CISO, developed a new standard incident response plan. This plan was reviewed and adopted as the standard response plan and has been incorporated in the Information Security Policy IS-3.

Current Status:

The existing UCSB incident response practices are similar to the new standard plan practices. However, the new plan needs to be formally adopted with the minor changes properly reflected in the campus incident response documentation.

Plans:

The UC incident response guide was released in fall of 2010 and provides guidance for responding to an incident. Because this guidance is relatively new, the following steps are planned for the coming year:

- Update existing UCSB guidance on incident response to conform with the new UC guidance.
- Update the web sites.
- Include within the security awareness training the proper way to respond to a suspected security breach.


b. Critical Positions

Some positions with job responsibilities directly related to the applications containing restricted information are deemed to be Critical Positions. (The term "Critical Positions" is used here as defined in University Personnel policies, and is not to be confused with the use of the term "critical" as used with respect to information resources.) It is important that the hiring process include appropriate background checks to assure the honesty and reliability of these individuals.

Current Practice:

- UCSB hiring procedures ensure that candidates requiring access to restricted data undergo applicable background checks as part of the hiring process.
- For staff requiring access to restricted or essential resources, procedures have been established to immediately restrict, suspend or terminate access in the event of disciplinary action or termination.
- During an investigatory leave, access privileges are revoked or restricted, as appropriate.

When a job posting is requested, HR works with the department to determine if the position is deemed a Critical Position. If the position is deemed Critical, then an HR specialist will do/order the background check on the individual. The results are shared with the department when the background check is completed. The official records of the background checks are maintained by HR.

Plans:

This practice is considered to be working well, and the plan is to continue the current practices.


c. Identity Management Systems

The management of identity is fundamental to the access controls of a system. The central IT departments at UCSB continue to support central identity management.

The access control measures for an application should include secure and accountable means of authorization and authentication.

- Authorization is the process of determining whether or not an identified individual or class has been granted access rights to an information resource, and determining what type of access is allowed, e.g., read-only, create, delete, and/or modify.
- Authentication is the process of confirming that a known individual is correctly associated with a given electronic credential, for example, by use of passwords to confirm correct association with a user or account name.[1]

Current Status:

Currently, centralized identity or authentication is provided to the applications using the “AllN0One” system. This system provides mechanisms to both authenticate and authorize the individual to the application. This system is updated from the payroll system daily to determine that the individual continues to be employed and the job classification has not changed. Quarterly, each account is sent to the owner of the system to determine the correctness of the system. Based on an audit observation in 2011, the department must provide a positive confirmation back to the administrator of the AllN0One system that management has reviewed the access and that there are or are not changes.
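The two controls just described (the daily payroll-driven check on accounts and the quarterly owner review that is only closed by a positive confirmation), and the immediate suspension of access on separation required under Critical Positions, as an added illustration in Python. This is not UCSB’s AllN0One code; the record fields, system names, status values and confirmation wording are assumptions, and all data is constructed for the example.

```python
"""Access reconciliation in the style of the AllN0One process described above.

Added illustration, not UCSB's code. Record fields, system names and the
confirmation wording are assumptions; all data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PayrollRecord:
    employee_id: str
    status: str        # "active" or "separated" (assumed values)
    job_class: str


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str
    system: str              # application the account grants access to
    job_class_at_grant: str  # classification when access was approved


@dataclass(frozen=True)
class Finding:
    username: str
    system: str
    reason: str


def daily_reconcile(accounts: List[Account],
                    payroll: Dict[str, PayrollRecord]) -> List[Finding]:
    """Daily check: flag accounts whose holder is unknown to payroll, is no
    longer employed, or whose job classification changed since access was
    granted. Only flagged accounts are returned; the caller acts on them."""
    findings: List[Finding] = []
    for acct in accounts:
        rec = payroll.get(acct.employee_id)
        if rec is None:
            findings.append(Finding(acct.username, acct.system, "no payroll record"))
        elif rec.status != "active":
            findings.append(Finding(acct.username, acct.system, "separated"))
        elif rec.job_class != acct.job_class_at_grant:
            findings.append(Finding(
                acct.username, acct.system,
                f"job class changed {acct.job_class_at_grant} -> {rec.job_class}"))
    return findings


def quarterly_review(accounts: List[Account],
                     confirmations: Dict[str, str]) -> Dict[str, str]:
    """Quarterly review: each system's account list goes to its owner and the
    review stays open until a positive confirmation comes back. Silence is
    not treated as approval, which is the point of the 2011 audit observation."""
    accepted = {"no changes", "changes requested"}   # assumed wording
    status: Dict[str, str] = {}
    for system in sorted({a.system for a in accounts}):
        answer = confirmations.get(system)
        if answer in accepted:
            status[system] = f"closed: {answer}"
        else:
            status[system] = "open: awaiting owner confirmation"
    return status


# Constructed sample data (not real employees or systems).
PAYROLL = {
    "E100": PayrollRecord("E100", "active", "Analyst II"),
    "E101": PayrollRecord("E101", "separated", "Analyst II"),
    "E102": PayrollRecord("E102", "active", "Manager"),   # promoted since grant
}
ACCOUNTS = [
    Account("jdoe", "E100", "payroll-app", "Analyst II"),
    Account("asmith", "E101", "payroll-app", "Analyst II"),
    Account("blee", "E102", "student-records", "Analyst I"),
    Account("contractor1", "E999", "student-records", "Analyst I"),
]
CONFIRMATIONS = {"payroll-app": "no changes"}   # student-records owner has not replied

if __name__ == "__main__":
    for f in daily_reconcile(ACCOUNTS, PAYROLL):
        print(f"{f.system}: {f.username} -> {f.reason}")
    for system, state in quarterly_review(ACCOUNTS, CONFIRMATIONS).items():
        print(f"{system}: {state}")
```

Run as a script it lists three findings (a separated employee, a changed job classification and an account with no payroll record) and shows the student-records review still open because no confirmation was received. The design point is that the daily job compares against the authoritative source (payroll) rather than trusting the account list, and the quarterly job records a review as complete only on an explicit answer from the owner.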


Plans:

The UCSB campus is going through a transition to move its applications off the mainframe, including the AllN0One system. There are currently two new identity projects, UC Trust / InCommon Silver, and the Student Systems Microsoft Forefront projects. The Campus has not selected a new financial system, and the identity and authorization system for that financial system will need to be considered as part of any financial system project.





[1] Authentication is a term that is also used to verify the identity of network nodes, programs, or messages.


UCSB is moving to a new identity system, UC Trust. The UCSB UC Trust system is a centralized identity system that enables UCSB employees to identify themselves to applications both inside and outside UCSB. For these applications, UC Trust will validate the identity of the individual to the application. The application can then determine the authority or access provided based upon the attributes of the individual that are provided.

Another new identity system under development at UCSB is the Student Identity System. The student system will be migrated from the mainframe over the next year to a “Dot Net” environment. As part of that project, the student systems will develop the authentication and authorization processes. The plan is to develop a central security system based upon Microsoft Forefront software. This application will provide both identity and authorization and have the appropriate controls.

Both of these systems have a different scope and purpose to fit the needs of the applications they serve. However, as development continues, it is expected that both project teams will continue to coordinate to enable integration and sharing of data where effective.

The future of individual authentication and authorization is still in a process of development and change because the applications that would use identity for authentication and authorization are undefined. This transition will likely continue until the detailed plans for the major application systems are clearly defined.

d. Business Recovery Planning - The UC Ready Project

Current Plans:

Each department at UCSB is required to develop a business recovery plan. This plan includes both computer and non-computer components. The software UC Ready is being used to develop these business recovery plans. UC Ready was developed by UC Berkeley specifically for developing business recovery plans for University departments.

To date, at UCSB, the UC Ready project has facilitated the development of 40 plans. The remaining plans will be completed over the next 3 years. The plan is for 50 percent of the department plans to be completed by June 2012, 75 percent by June 2013, and 100 percent by June 2014. This project is led by Carrie Frandsen, assisted by Karl Heins, with Ron Cortez as executive sponsor.


e. Network Security

Network security is important to maintaining a secure working environment.

Current Status:

Network security and operations are managed centrally by the Office of Information Systems and Technology. The tools used to protect the networks include firewalls and intrusion detection/prevention systems (IDS/IPS) deployed at the campus border. In addition, on request, the firewall can be used to provide specific blocking and filtering for an individual department or subnet. These are intended to augment, not replace, the system security measures of the departments.

Plans:

Other than routine maintenance and upgrades, there are no changes planned for this year.




f. PGP Encryption Project

During the past year, the OIST office has been investigating encryption solutions for use by the campus. The use of a centralized server for the management of keys is an important component of this project. After evaluating several products, the encryption product offered by PGP appeared to offer the best combination of encryption capability, key management and cost. This project has recently moved from evaluation to production. OIST now has a production key server, instructions for use and support for departments needing this capability.

Plans:

- To deploy where needed to departments needing full disk encryption.
- The audit department became our first department to implement PGP whole disk encryption.


g. Security Awareness Training Project

The campus developed a security awareness training on-line course two years ago, which has been successful. However, security awareness training needs to be refreshed as the threats and risks change. During 2010 and 2011, UCOP initiated a project to develop system-wide security awareness training. After significant contribution by the UCSB campus, by the CISO in the RFP process, the customization process and the refinement process, this new on-line training is about to be released.

Plans:

The CISO will roll out this new training to the campus as soon as the training is available. It is likely that UCOP will provide guidance to the campus on who will be expected to take the security awareness training. The date for release is expected in November or December of 2011.


h. Red Flags

During 2011, UCOP provided guidance to the campuses regarding revisions to the Red Flags program. As suggested in the guidance from UCOP, the CISO has requested the Office of General Counsel to advise UCSB on reducing the number of departments which must comply with the Red Flags requirements. At UCSB, there will continue to be a few departments which must comply with Red Flags requirements.

Plans:

The CISO plans to continue to monitor the departments for compliance with Red Flags regulations. For these departments, Red Flag training will be provided to refresh the employees on actions and responsibilities when suspected transactions are presented. The CISO will update the training and continue to support the Red Flags program.


i. Payment Card Industry (PCI) data security standards

The UCSB campus must comply with the PCI data security standards for all entities that process credit cards (merchants). Sandra Featherson is responsible for managing the PCI compliance program for the UCSB campus. UC has engaged a firm to audit UC’s compliance with the PCI program. The firm requires each merchant to complete a self-assessment checklist and provide the addresses for each computer used in credit card processing. The firm then scans these computers for vulnerabilities. The results are provided to Ms. Featherson and UCOP. When new merchants are added or merchants change their credit card systems, the CISO provides technical advice as needed by the Merchant and/or Ms. Featherson.

Plan:

To continue to provide technical advice as needed.


j. Physical Access Project

During 2011, a committee was formed to evaluate the physical access controls to the buildings and rooms on campus. The goal of this group was to migrate toward using a single access control system for the entire campus. Consolidating the access control systems would provide better access by the police in an emergency and reduce the number of cards, tokens and keys that an individual would need to access their building and office. Because of the expense of changing access devices, the changes are expected to occur only when major building renovations are implemented.

Plan:

The CISO plans to continue to participate and provide consultation to this project.


k. Financial System Security (existing and new)

During 2010 and 2011 the Campus investigated a new financial system. The CISO led an effort to evaluate the security of the new system and consider the migration path from our existing systems. In this effort, the CISO led a team of UCSB and UCLA individuals, documented the existing financial system process and evaluated the feasibility of migration to the new system. This project to move to UCLA was abandoned in mid-2011. However, it is expected the Campus will start another financial systems project late in 2011 or early 2012.

Plan:

The CISO is prepared to lead a team to migrate the security data and processes from our existing systems to the new financial systems as part of a new financial systems project.

l. Disposition of Equipment

Procedures should ensure implementation of controls to address the re-assignment or final disposition of hardware and electronic media, including requirements that ensure complete removal of restricted or other sensitive information as appropriate, such as by shredding, overwriting a disk, or employing professional data destruction services as commensurate with risk. Sufficiently strong disk encryption may be used as an alternative mitigation.

Current practice:

At UCSB, in 2010 a practice was established that instructs the departments on the disposal of equipment. The instructions describe how to remove restricted data from hard drives by using approved software to overwrite the disks. A certification that the disk has been overwritten is attached to the computer or other equipment before it is given to Central Stores. If certified, the equipment can be repurposed; however, if a certification is not attached to the equipment, Central Stores arranges for the equipment to be shredded.

Plan:

This practice appears adequate and there are no plans for change.



m. Health Records / HIPAA Controls

UCSB has a number of departments that create and handle personal health information. This health information is regulated by both state and federal law. The plan is for departments managing health records to assess risks and identify risk mitigation plans. Because of the nature of the regulation of the health information, the risk mitigation strategies will incorporate the practices and procedures recommended by the Federal Department of Health and Human Services and the Federal Department of Education.

Plan:

To assess risks, evaluate controls and consider additional controls. With the change to the ECP policy, additional testing for confidentiality is now permitted. These additional confidentiality controls will be considered in the assessment.


n. Potential Future Projects with Merit

As part of developing the current plan, potential projects were identified that would improve the security of information on the campus. While these projects have not been started, as people, technology and resources become available these projects will be evaluated and may move from a planned to active status. These projects include:

- Web Scanning Tools
- Improved Vulnerability Scanning
- Centralized log management and analysis system
- LoJack type systems for laptops
- Encrypted Email
- Secure File transfer (using encryption)
- Forensic equipment and training
- Training for IT professionals


University of California
IS-3 Electronic Information Security
December 1, 2011
Page 12 of 15

Appendix A. Checklist

For each system:

Owners and Custodians
- ID the Owner and Custodians
- ID the process to provide logical or physical access to the data
- ID process to modify the data
- ID process to revoke access
- Determine if/how data is disposed of
- Review Violation practices with Owners and Custodians
- Determine if any data is on litigation hold

Critical positions
- ID individuals who have critical positions and determine if background checks have been done

Normal access management for the system
- Authorization - determine if adequate
- Authentication - determine if adequate
- Determine that passwords are sufficient
- Identify log files kept by access system
- Determine that the Owner has evaluated and established controls to create, update and modify rights
- Determine that all users have session protection (time outs)

Determine the users with Privilege access
- Determine that privilege access users have training regarding their responsibilities
- Determine the number of privilege access users is the minimum needed
- Require privilege users to have non-privilege accounts when not performing administrative tasks
- Determine that the use of privilege accounts is logged
- Determine that the logs of privilege account users are reviewed periodically

Systems personnel
- Periodically evaluate these systems personnel
- Determine duties are appropriately separated
- Determine if systems personnel are knowledgeable
- Determine that systems personnel understand proper protocol for incident response

Backup and Retention





- Determine UC Ready has been completed for departments related to the system
- Determine the frequency of backup copies
- Determine if backup copies are encrypted
- Determine if backup copies are stored off site

System protection
- For client system - determine if virus protection process maintains current virus protection
- For client system - determine patches are applied regularly

Software development
- Determine maintenance of systems considers information security
- Determine Campus internal audit and campus controller are involved in development process

Network security
- Determine the use of firewalls and Intrusion detection systems are deployed

Change management
- Changes are logged
- Steps to detect unauthorized changes
- Confirmation of testing
- Authorization to move application to production
- Tracking movement of hardware
- Periodic review of logs
- Back out plans exist
- User training

Audit logs
- Determine that logs are maintained
- Determine logs are secure

Encryption
- Determine if encryption is used, or should be used, in transit and in storage

Key management
- Evaluate key management plan
- Decryption when needed
- Compromised keys
- Process to determine if keys have been compromised
- Periodic review of encryption keys
- Determine if users are aware of their roles



Physical and Environmental controls
- Risk mitigation measures (UC Ready)
- Physical Access controls
- Tracking movement of devices and stock inventories
- Disposition of equipment
- Portable devices and media







Appendix B. References

Statement of Ethical Values and Standards of Ethical Conduct

Electronic Communications Policy

Policy on Reporting and Investigating Allegations of Suspected Improper Governmental Activities (the “Whistleblower Policy”)

IS-2, Inventory, Classification, and Release of University Electronic Information

IS-7, Guidelines for Maintenance of the University Payroll System

IS-10, Systems and Development Standards

IS-11, Identity and Access Management

IS-12, Continuity Planning and Disaster Recovery

PPSM: Personnel Policy for Staff Members, Section 21 Employment

RMP-2, Records Retention and Disposition: Principles, Processes, and Guidelines

RMP-8, Legal Requirements on Privacy of and Access to Information

Security at the University of California: Management Guide for Information Security

UC Privacy and Data Security Incident Response Plan