Purchase College Information Security Program Charter January 2008


Introduction

When an organization implements an information security program, it raises the question of what is to be written, and how much is sufficient. The SUNY Information Security Initiative (ISI) recommends that the written portion of the program consist of an initial founding text that launches the program with sufficient definition to be as effective as possible right from the start. This text controls the formation and ongoing definition of the program. The program itself, as it proceeds, needs much more documentation than would be appropriate in an initial controlling document. The full set of written documentation a program must have includes all information security policy related to the program, statements of accepted standards, written procedures, risk assessments, inventories of information and systems, audit schedules and results of audits, contractual controls being used, etc.

The present document assumes that the program is a chief managerial function and does not include the set of operational programs used to implement information and cyber security. This assumption is built into the structure of this document and also dictates what is written in the mission, action, charge, and functional roles defined in this text.

The text is intended to be the first formal information security program created within the organization, where no such program exists. It assumes that the organization is large and complex enough to require that certain common organizational processes be in place to make the program work. For example, a comprehensive program will not succeed without high-level authorization, so authorizing text is built into the controlling document, allowing the document to do effective work across the range of readers who will be looking at it. The readers of this document, once it is signed, will be the ones who are called upon to build and implement the new management function. Those readers need sufficient clarity regarding who is telling whom to do what. They also need to be able to find themselves within the document, to visualize how their own work will be changed by this program. The text is to be their initial guide. Prior to signing, the document serves as backup detail to a proposal to management that such a program be authorized. It contains the kind of language management would subscribe to in giving that authorization.

The General Statements give a definition of the Program Mission and the basic functions (Program Action). The way the program will be implemented is further described in Program Team, and the type of people who will implement the program in Functional Roles of the Program Team. The signature of the authorizing officer and the designated responsible party are defined in Program Charge and Scope, which also describes the range of power invested in the Team. The Role of Risk Assessment is explained in brief because it is hard to do and often gets postponed, yet is critical at every stage. A policy-like general statement on Program Standards requires the program to be open about the standards to which it aligns, while the actual standards are given later in Current Standards. The Documents section states that there are many other documents used by the program and names who is responsible for maintaining their security. Program Authorization explains the policy and regulatory basis for this program; it begins with proposed text for an authorizing policy. The Current Implementation & Standards section has important guiding details that will change over time as the program progresses. It names the standards that the program will use, names the members of the team that conducts the ongoing program, and describes the areas of the organization and types of functions (collectively called the Field of Operations) in which the program will work.

Other documents designed to work with the Controlling Document are:

1. A relatively short (a dozen pages) description of the components of an information security program to control sensitive information. It is an information-centric program, rather than an IT-centric program, and can be used by the Team to organize its work, starting with the most urgent information protection. The text has an introduction, such as this one, that explains its role and its origins. It is based in HIPAA's Security regulation and aligned to GLBA.
2. A relatively short information security policy for sensitive information that matches the control program and is based in an actual SUNY HIPAA policy.
3. A short description of the components of risk analysis for sensitive information.
4. A list of best practices assigned to SUNY by New York State policy.

Contents

A: General Statements & Structures
   Program Mission
   Program Action
   Program Team
   Program Charge and Scope
   Role of Risk Assessment
   Functional Roles of the Program Team
   Program Standards
   Documents
   Program Authorization
B: Current Implementation & Standards
   Current Standards
   Current Team Members
   Field of Operations

A: GENERAL STATEMENTS & STRUCTURES

Program Mission

Purchase College, SUNY (hereinafter referred to as the College) conducts an information security program (hereinafter referred to as the Program). The Program is a formal management function, with written goals and charges, that seeks to address the full range of information security issues that affect the College. The Program seeks to align College practices with applicable laws, regulations, policies, and standards of practice, and commits enough resources to have a reasonable expectation of success, even if over an extended period of organizational and technological development.

The Program is the chief managerial function for identifying and protecting the confidentiality, integrity, and availability of sensitive information for which the College is ethically and legally responsible, especially information bearing on the privacy of individuals in its community and the protection of its infrastructure. The Program is also the chief managerial function for raising throughout the community the level of personal and institutional safety related to information and cyber environments, balanced with the values of open communication essential to the mission of institutions of higher education.

Program Action

The Program, as a management function, is not just the set of security controls in place at the College at any given time. It is a separate function, embodied in a specifically assigned team of managers, that stands outside of the field of operations in order to address information security in a comprehensive manner that fully engages senior management and the entire College community. The Program generates management action in the following three categories:

Planned Action: The Program ensures that reasonable and appropriate choices are made in the field of operations (see Field of Operations). The Program determines at a high level what should be done and helps ensure that it is accomplished effectively. It is a continuous process of assessment (of situations), selection (of actions), and implementation (of projects).

Knowledge: The Program acquires, analyzes, and presents useful, professionally sound, and up-to-date security information and awareness for College faculty, students, senior management, business leaders, and the general workforce.

Responsive Action: The Program prepares the College at all appropriate levels to respond effectively to contingencies (violations and disruptions) that would severely impact its information and information systems.

Program Team

The Program Team (see the Information Security Program Team Assignments document) continuously addresses what the College should be doing to improve or maintain information security within the functions that fall within its charge and scope (see Program Charge and Scope). The Team plans, designs, and recommends projects and changes and monitors their effectiveness.

The Team contains members with sufficient power to make consistent progress in meeting its charge. It contains members capable of representing the full range of College units. The Team contains at least one member, and preferably two, from each of the major functional roles of the program (see Functional Roles of the Program Team). The Team is small enough to meet often enough to address issues in each functional area. Team activity is part-time, but it continuously oversees projects in the field of operations and identifies next projects. The College has workers in the field of operations who continuously maintain ISec procedures and controls (see Current Team Members).

Program Charge and Scope

President Thomas J. Schwarz charges and authorizes the Information Security Program Team with the responsibility and authority to monitor, document, analyze, and assess the security of information and information systems, both digital and physical, throughout the College. The Team also has the responsibility and authority to plan, design, and recommend security-related projects and changes within any such functions. The Team will conduct ongoing information security assessments, including assessments of the Program's effectiveness, and report these assessments in writing to the College Cabinet. All supervisors and employees of the College have the duty and responsibility to assist the Information Security Program Team in meeting the Program's mission.

Role of Risk Assessment

Assessments of risk give the impetus and the basis for Program actions. All formal recommendations made by the Team to the College for changes and projects are based in fresh, written assessments. These assessments become significant, highly sensitive College records which may bear significantly on the decisions of senior management and on issues of legal compliance. Therefore, risk assessment is the single most important function of the Team. The accurate assessment of risk is essential to the efficient management of risk. The Team maintains and expresses in writing continuous concern, awareness, and professionally accurate positions regarding the types of information and information systems that may need refreshed assessments, and either makes such assessments itself or advocates to senior management the need for such assessments.

Risk assessments, in particular, must:

1) identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of the class of information and information systems under review;
2) assess the likelihood and potential damage of identified threats, taking into consideration the class and sensitivity of the information;
3) assess the sufficiency of the policies, procedures, information systems, and other arrangements in place to control the identified risks.

Functional Roles of the Program Team

Professional Information Security ("ISecurity")
This function gives the Program a root in the information security profession; it provides the Program direction based on professional standards and events in the world regarding information security and the management of ISec programs. This function also influences people throughout the College to support the Program's mission and to work on its projects. This role and the people working it may be referred to as ISecurity.

Business Use of Information ("Business")
This function gives the Program a root in the College's business units, which are the owners/stewards of much institutionally declared sensitive information that drives the Program mission; it provides the Program direction based on the College mission and business functions. This function also creates and maintains the relationships and structures that are necessary for information ownership, classification, and authorization. It influences business managers to support the Program's mission and work on its projects. This role and the people working it may be referred to as Business.

Cyber Protection of Information ("IT")
This function gives the Program a root in College IT-related units, which are the planners and operators of critical computer- and network-based protections; it provides the Program direction on how to protect people, information, and infrastructure from cyber-based attacks, violations, and disruptions. It provides current status, documentation, cyber threat and risk status, and guidance on the needs and capabilities of IT within the College. This function also creates and maintains the relationships and structures that are necessary for controlling logical (electronic, cyber) access to information and information systems based on identity and authorization; for backing up and restoring data; and for responding to malicious or illegal activity in computer and network systems. It influences supervisors throughout the College to understand and incorporate good computer and data practices in their units. This role and the people working it may be referred to as IT.

Physical Protection of Information ("PSafety")
This function gives the Program a root in College security/safety units, which are the planners and operators of critical personnel, building, and room protections. It provides the Program direction on how to protect information and IT infrastructure from physical abuse, violations, and disruptions. It provides current status, documentation, physical threat, hazard, and risk status, and guidance on the needs and capabilities of security/safety in the College. This function also creates and maintains the relationships and structures that are necessary for controlling physical access to information and information systems based on identity and authorization, and for responding to illegal activity in College computer and network systems. It influences supervisors throughout the College to understand and incorporate good building and room use practices in their units. This role and the people working it may be referred to as PSafety.

Workforce Behavior with Information ("HR")
This function gives the Program a root in College HR-related units, which have a strong influence on human behavior in the workplace, which is a dimension of significant risk and significant protection of information assets. It provides the Program direction on how to educate and influence the workforce, enforce policy, and handle inside violations and disruptions. This function also creates and maintains the relationships between the Program and the workforce. It influences workers throughout the College to understand and incorporate good handling of sensitive and personal information in their work and at home. This role and the people working it may be referred to as HR.

Organizational Information Risk Management ("Management")
This function gives the Program a root in senior management, who are the owners/stewards of the College mission and therefore of its strategies and the management of institutional risk. It provides the Program direction on how to set policy, direction, expenditures, and levels of risk acceptance. This function creates and maintains the relationships and structures that are necessary for achieving comprehensive and mature security processes for the College. This role and the people working it may be referred to as Management.

Academic Issues in Information ("Faculty")
This function gives the Program a root in the teaching and research functions, which are core missions of the College. Faculty are also the owners/stewards of much institutionally sensitive information, especially that related to students. This function provides the Program direction on the impact of policies and procedures on the flow of information within the community and helps the Program preserve traditional values of academic environments. This function creates and maintains the relationships between the Program and the faculty and students.

Program Standards

As part of its planned action, the Program ensures that policy is comprehensive and complete. But policy is itself based on principles, regulations, logic, and standards. Therefore, the Program identifies these influences and the standards to which it seeks alignment. It also adopts, or creates, and makes public the general standard(s) to which the Program applies itself in directing planned information security actions. See Current Statement of Standards.

Documents

Formal documents, such as this one, are significant components of the Program. Program documents provide specific policy and procedures and provide controls and documentation of key actions and positions of the Team, such as: statements of standards; risk assessments planned and completed; training programs planned and completed; oversight of service providers and contracts; and Team evaluations of the Program. These documents must be controlled as highly sensitive information with limited authorizations. The location and security of these documents is maintained by the Director of CTS (the Team Leader).

Program Authorization

The Program is authorized by the following formal rulings:

(1) Purchase College Policy: The Purchase College Information Security Program is an essential management function helping ensure the confidentiality, integrity, and availability of sensitive information we formally own or handle (create, receive, modify, maintain, or transmit). The Program protects against reasonably anticipated threats and hazards to the security and integrity of such information and protects against reasonably anticipated unauthorized uses and disclosures of such information, especially those that are prohibited by law and regulation. The Program helps all members of our community, especially our workforce, understand and effectively handle their responsibility for sensitive information. Chief forms of such responsibility are:

Individual Responsibility: Each person having authorized access to information owned and deemed sensitive by authorities of SUNY is individually responsible for handling such information in accordance with policy and procedures established by SUNY authorities.

Supervisory Responsibility: In addition, each person having supervisory responsibility for people having authorized access to information owned and deemed sensitive by authorities of SUNY is individually responsible for implementing procedures for appropriate handling of such information in accordance with principles and policy established by SUNY authorities.

Institutional Responsibility: The College maintains an effective, comprehensive information security program, with assigned individual responsibility, for securing information owned and deemed sensitive by authorities of SUNY in accordance with applicable laws, regulations, policies, and standards of practice established by SUNY authorities.

(2) Gramm-Leach-Bliley Act, 1999: GLBA states: "You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue." Note: In 2003, SUNY System Administration Counsel agreed with the general finding that GLBA applies to institutions of higher education that lend money to students. Therefore, GLBA applies to Purchase College and requires that the College have an information security program to protect all nonpublic customer information it collects from students to whom it lends money.

(3) New York State Cyber Security Policy, 2003: The Cyber Security Policy of New York State states, "Each state entity will establish a framework to initiate and control the implementation of information security within the state entity." This wording maps directly to the definition of information security programs in the widely influential international standard, ISO 17799, upon which the state's policy is based. In effect, the state policy requires state entities to follow international standards by establishing information security programs. Although the policy only serves as best practice guidance for SUNY campuses, the formal adoption of this standard by the state sets a strong precedent that could have strong bearing on the legal interpretation of due diligence, due care, and negligence.

Program Origin

The Program began in November 2006 under the Director of CTS. It was initiated in response to the system-wide initiative of the SUNY-wide Information Security Officer (ISO), Ted Phelps, to replace the campuses' informal programs consisting of many controls, procedures, and policies. This Program structure was initially designed by SUNY System Administration's Information Security Initiative in 2006 in collaboration with SUNY campus information security professionals. It was then modified locally by the Director of CTS, Bill Junor. The Program is based on prevailing information security standards and regulations, some internationally accepted and some generated by the United States government and the state of New York.

B: CURRENT IMPLEMENTATION & STANDARDS

Current Standards

The Program accepts the international standard, ISO 17799, and the standards of practice and logic embodied in the New York State Cyber Security Policy of 2003. It seeks to apply the standards and logic of HIPAA, GLBA, FERPA, and New York State Technology Law, and to apply them not only as required by law to the particular forms of information controlled by these laws, but to all forms of sensitive information identified by formal processes authorized by senior management, and wherever a piece of information would reasonably be seen as having significant bearing on the privacy of individuals in the College community and the protection of its infrastructure.

To bring the principles and standards of multiple sources into a single guide, the Program has adopted a text compiled by SUNY's Information Security Initiative (see Security Control Program for Sensitive Information: General Standards and Specifications). This text presents the standards and the implementation specifications defined by the United States government for the control of health and financial information under HIPAA and GLBA. The text advises reasonable, appropriate, and comprehensive control of institutionally identified sensitive information and uses the logic and language of HIPAA and GLBA, generalized to any institutionally identified sensitive information.

To present an initial information security policy, the Program has adopted a draft policy compiled by SUNY's Information Security Initiative (see Security Control Policy for Sensitive Information). This text is based in the HIPAA policy of Stony Brook Hospital.

In order to align with the practices suggested by the New York State Cyber Security Policy, the Program has adopted a set of practices based in that policy, compiled by SUNY's Information Security Initiative (see ISec Practices Recommended by New York State).

Funds

The Program will make recommendations for funding to the College Cabinet as necessary to carry out its projects.

Field of Operations

The areas and types of functions in which the Program has interest are the Program's field of operations. The field of operations is viewed as Areas that have Functions. Areas are major components of an organization, such as buildings, workforce, computers, etc., and are not specific to ISec. Functions are the types of activity, such as access control, configuration, documentation, etc., that the Program engages in within one or more of the organizational areas. The Program manages planned action that reduces or controls risk through changes in the field of operations. It manages from one level above direct operations.

The following definition of a field of operations for information security was envisioned and compiled by SUNY System Administration's Information Security Initiative in 2006 in collaboration with SUNY campus information security professionals. It has been cross-checked with NIST's 17 families of information system controls (FIPS 200), HIPAA, GLBA, and New York State's policy.

The Program initiates and monitors security functions in the following areas:

1. Organization. Determining roles and responsibilities for the processes that protect information; maintaining communications and the ability for strategic change.
2. Information. Identifying, documenting, classifying, and assigning authority for key information assets.
3. Maps. Determining institutional direction for the processes that protect information, as expressed in policy, decisions, plans, documentation, analysis, and project charges.
4. Computers. Defending devices and the information they store from unauthorized use and cyber attacks.
5. Networks. Defending network components, networked devices, and computer-based information from unauthorized use and cyber attacks through networks.
6. Services. Defending applications and the information they process, deliver, and store from unauthorized use and cyber attacks.
7. Workforce. Hiring, training, identification & authentication, and internal controls for people who handle key information.
8. Buildings. Controlling access to buildings, rooms, and cabinets that store key information.
9. Paper. Defending non-electronic documents and the information they contain from unauthorized use and attacks.
10. Products. Building good security into applications and devices that handle or protect information.

Operational Functions. The Program initiates and monitors the following types of functions:

1. Access Control
2. Audit and Accountability
3. Certification, Accreditation
4. Configuration
5. Contingency Planning
6. Documentation
7. Incident Handling
8. Monitoring Vulnerability
9. Ownership & Classification
10. Policy
11. Protections, External Safeguards
12. Release/Disposal
13. Risk Analysis
14. Roles & Responsibilities
15. Secure Design & Build
16. Selection
17. Separate Environments
18. Siting
19. Skills, Expertise
20. Standards & Procedures
21. Training & Awareness
22. Updates

The Areas and Functions can be presented more simply in a four-layer stack of work areas. This grouping is helpful in directing prioritized choices in the field of operations:

Computer Security: Protections and controls applied directly to computers (i.e., any electronic information-bearing device) to protect the devices and the data stored in them. This includes "Computers" and "Products."

Network Security: Protections and controls applied directly to networking devices to protect the devices and the data accessed through networks.

Application Security: Protections and controls applied directly to computer applications, services, and content to protect these items and the information they affect. This includes "Services."

Behavior with Information: Protections and controls applied to information and people to protect people and the information they affect. This is a big field and includes "Workforce," "Maps," "Information," "Organization," "Buildings," and "Paper."


More information

Utica College. Information Security Plan

Utica College. Information Security Plan Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles

More information

College of DuPage Information Technology. Information Security Plan

College of DuPage Information Technology. Information Security Plan College of DuPage Information Technology Information Security Plan April, 2015 TABLE OF CONTENTS Purpose... 3 Information Security Plan (ISP) Coordinator(s)... 4 Identify and assess risks to covered data

More information

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy I. PURPOSE To identify the requirements needed to comply with

More information

Rowan University Data Governance Policy

Rowan University Data Governance Policy Rowan University Data Governance Policy Effective: January 2014 Table of Contents 1. Introduction... 3 2. Regulations, Statutes, and Policies... 4 3. Policy Scope... 4 4. Governance Roles... 6 4.1. Data

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Contact: Henry Torres, (870) 972-3033

Contact: Henry Torres, (870) 972-3033 Information & Technology Services Management & Security Principles & Procedures Executive Summary Contact: Henry Torres, (870) 972-3033 Background: The Security Task Force began a review of all procedures

More information

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5 Information Security Policy Type: Administrative Responsible Office: Office of Technology Services Initial Policy Approved: 09/30/2009 Current Revision Approved: 08/10/2015 Policy Statement and Purpose

More information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors Page 1 of 5 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: October 19, 2006 Contact for More Information: Chief Privacy Officer 1303 A West Campus

More information

Information Security for Managers

Information Security for Managers Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize

More information

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007 Gramm Leach Bliley Act 15 U.S.C. 6801-6809 6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007 1 Objectives for GLBA Training GLBA Overview Safeguards Rule

More information

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1 APPENDIX A Appendix A Learning Continuum A-1 Appendix A Learning Continuum A-2 APPENDIX A LEARNING CONTINUUM E D U C A T I O N Information Technology Security Specialists and Professionals Education and

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

ISMS Implementation Guide

ISMS Implementation Guide atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE

More information

Information Security Plan May 24, 2011

Information Security Plan May 24, 2011 Information Security Plan May 24, 2011 REVISION CONTROL Document Title: Author: HSU Information Security Plan John McBrearty Revision History Revision Date Revised By Summary of Revisions Sections Revised

More information

Wellesley College Written Information Security Program

Wellesley College Written Information Security Program Wellesley College Written Information Security Program Introduction and Purpose Wellesley College developed this Written Information Security Program (the Program ) to protect Personal Information, as

More information

INFORMATION TECHNOLOGY POLICY

INFORMATION TECHNOLOGY POLICY COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF PUBLIC WELFARE INFORMATION TECHNOLOGY POLICY Name Of : DPW Information Security and Privacy Policies Domain: Security Date Issued: 05/09/2011 Date Revised: 11/07/2013

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

POSTAL REGULATORY COMMISSION

POSTAL REGULATORY COMMISSION POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1

More information

FISMA Implementation Project

FISMA Implementation Project FISMA Implementation Project The Associated Security Standards and Guidelines Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive environment

More information

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

UIT Security is responsible for developing security best practices, promoting security awareness, coordinating security issues, and conducting

UIT Security is responsible for developing security best practices, promoting security awareness, coordinating security issues, and conducting SECURITY HANDBOOK Mission Statement: UIT Security is responsible for developing security best practices, promoting security awareness, coordinating security issues, and conducting investigations. UIT Security

More information

INFORMATION SECURITY PROGRAM

INFORMATION SECURITY PROGRAM Approved 1/30/15 by Dr. MaryLou Apple, President MSCC Policy No. 1:08:00:02 MSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM January, 2015 Version 1 Table of Contents A. Introduction Page 1 B. Security

More information

CLASS FAMILY: Business Operations and Administrative Management

CLASS FAMILY: Business Operations and Administrative Management OCCUPATIONAL GROUP: Business Administration CLASS FAMILY: Business Operations and Administrative Management CLASS FAMILY DESCRIPTION: This family of positions includes those which perform administrative

More information

Wright State University Information Security

Wright State University Information Security Wright State University Information Security Controls Policy Title: Category: Audience: Reason for Revision: Information Security Framework Information Technology WSU Faculty and Staff N/A Created / Modified

More information

Federal Bureau of Investigation s Integrity and Compliance Program

Federal Bureau of Investigation s Integrity and Compliance Program Evaluation and Inspection Division Federal Bureau of Investigation s Integrity and Compliance Program November 2011 I-2012-001 EXECUTIVE DIGEST In June 2007, the Federal Bureau of Investigation (FBI) established

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Network Security: Policies and Guidelines for Effective Network Management

Network Security: Policies and Guidelines for Effective Network Management Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com

More information

Valdosta Technical College. Information Security Plan

Valdosta Technical College. Information Security Plan Valdosta Technical College Information Security 4.4.2 VTC Information Security Description: The Gramm-Leach-Bliley Act requires financial institutions as defined by the Federal Trade Commision to protect

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy June 10, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP

More information

Policy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE:

Policy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE: Policy No: TITLE: AP-AA-17.2 Data Classification and Data Security ADMINISTERED BY: Office of Vice President for Academic Affairs PURPOSE EFFECTIVE DATE: CANCELLATION: REVIEW DATE: August 8, 2005 Fall

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for

More information

A Performance Audit of IT Security at Universities and Quasi-Government Agencies

A Performance Audit of IT Security at Universities and Quasi-Government Agencies REPORT TO THE UTAH LEGISLATURE Number 2011-10 A Performance Audit of IT Security at Universities and Quasi-Government Agencies September 2011 Office of the LEGISLATIVE AUDITOR GENERAL State of Utah STATE

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

General HIPAA Implementation FAQ

General HIPAA Implementation FAQ General HIPAA Implementation FAQ What is HIPAA? Signed into law in August 1996, the Health Insurance Portability and Accountability Act ( HIPAA ) was created to provide better access to health insurance,

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP

More information

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

Guide for the Role and Responsibilities of an Information Security Officer Within State Government Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Data Security and Identity Management

Data Security and Identity Management Data Security and Identity Management Leading Change Data Pre-Conference June 16, 2014 Ed Jung Chief Technology Officer Arizona Department of Education DATA SECURITY Are you prepared Likelihood of a data

More information

Data Management & Protection: Common Definitions

Data Management & Protection: Common Definitions Data Management & Protection: Common Definitions Document Version: 5.5 Effective Date: April 4, 2007 Original Issue Date: April 4, 2007 Most Recent Revision Date: November 29, 2011 Responsible: Alan Levy,

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

Information Security Program CHARTER

Information Security Program CHARTER State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information

More information

REFERENCE 5. White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry

REFERENCE 5. White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry REFERENCE 5 White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry Shannah Koss, Program Manager, IBM Government and Healthcare This

More information

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director

More information

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer) I. Title A. Name: Information Systems Security Incident Response Policy B. Number: 20070103-secincidentresp C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

TABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7

TABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7 PART 2006 - MANAGEMENT Subpart Z - Information Systems Security TABLE OF CONTENTS Sec. 2006.1251 Purpose. 2006.1252 Policy. 2006.1253 Definitions. 2006.1254 Authority. (a) National. (b) Departmental. 2006.1255

More information

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) PURPOSE: The purpose of this procedure is to establish the roles, responsibilities, and communication procedures for the Computer Security Incident

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

TOOLBOX. ABA Financial Privacy

TOOLBOX. ABA Financial Privacy ABA Financial Privacy TOOLBOX This tool will help ensure that privacy remains a core value in all corners of your institution. The success of your privacy program depends upon your board s and your management

More information

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002 Indiana University of Pennsylvania Information Assurance Guidelines Approved by the Technology Utilities Council 27-SEP-2002 1 Purpose... 2 1.1 Introduction... 2 1.1.1 General Information...2 1.1.2 Objectives...

More information

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy: Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance

More information

July 6, 2015. Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263

July 6, 2015. Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263 July 6, 2015 Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263 Re: Security Over Electronic Protected Health Information Report 2014-S-67

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

CORE Security and GLBA

CORE Security and GLBA CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com

More information

Singlefin. e-mail protection services. E-mail Compliance. Security Solutions for Regulatory Requirements @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ By Kevin Beaver

Singlefin. e-mail protection services. E-mail Compliance. Security Solutions for Regulatory Requirements @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ By Kevin Beaver Singlefin e-mail protection services E-mail Compliance Security Solutions for Regulatory Requirements @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ By Kevin Beaver Introduction Email is the most widely used

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

Interagency Guidelines Establishing Information Security Standards. Small-Entity Compliance Guide

Interagency Guidelines Establishing Information Security Standards. Small-Entity Compliance Guide Interagency Guidelines Establishing Information Security Standards Small-Entity Compliance Guide I. INTRODUCTION Purpose and Scope of the Guide This Small-Entity Compliance Guide (footnote 1) is intended

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information