Executive Summary

Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Information Security Program (ISP) that is approved by the head of the institution. [1] Governance for all information security is the responsibility of the Information Security Officer (ISO). This document provides a broad overview of the FY2009/2010 information security program for your review and approval per the referenced statute. The IT security program plans for FY2009/2010 outlined below provide for the continuation of a mature, successful security program for the University of Texas at El Paso (UTEP).

Program Highlights for FY2009/2010
- Web Applications Vulnerability Scanning
- Configuration Management
- Laptop Encryption
- Data Leak Prevention
- Risk Assessments for UTEP Departments

Mission Statement

The mission of the Information Security Office (ISO) is to protect information acquired and found throughout the university by conducting risk assessments on all sensitive information, promoting security-related training and awareness programs, monitoring university systems, and auditing and compliance in support of the university's missions and goals.

Authority

State Law: TAC 202.70 requires that each institution of higher education have an information security program: "(2) All institutions of higher education are required to have an information resources security program consistent with these standards, and the institution of higher education head is responsible for the protection of information resources."

University: UTS 165 Bulletin #2 - Baseline Standard for Information Security Programs. Bulletin Purpose: Each Entity of the University of Texas System is charged with establishing and maintaining a standards and risk based Information Security Program (Security Program) that:
- secures the information assets under its stewardship against unauthorized use, disclosure, modification, damage or loss to reduce risk to acceptable levels;
- is documented and verifiable; and
- meets regulatory compliance requirements applicable to the Entity.

[1] Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter B, Rule 202.71(d)(2): "The information security officer shall document and maintain an up-to-date information security program. The information security program must be approved by the state agency head or his or her designated representative(s)."

Program Scope

The program scope includes the identification of technologies utilized to minimize risk, the establishment of training programs to ensure the protection and integrity of sensitive information, and the establishment of procedures for enforcement by the institution. Please note that this program covers sensitive information that is entrusted to, transmitted, processed, acquired, stored, transferred, and/or maintained by the University of Texas at El Paso. This program also applies to all individuals granted access privileges to any University Information Resources, regardless of form, format, and/or affiliation.

Major Accomplishments of the Previous Fiscal Year
- PCI environment created
- Systems Administrator training to meet guidelines
- Technical training for support staff for Laptop Encryption
- Compliance training for all Faculty and Staff
- Launched the Awareness web site
- A Mock Pandemic Flu test was conducted in IT as part of the Disaster Recovery Plan
- Inventory of Confidential Information on business and mission critical systems
- Completed Risk Assessments for all servers located in the Information Technology datacenter
Action Plan

The Action Plan identifies the strategies that the ISO will pursue to address the prioritized program elements and the high risks that were identified during the risk assessment process. These are the general plans for mitigating risks.

Strategy # | Strategy | Addresses this Risk | Source | Responsible Party(s)
A-1 | Laptop Encryption | Portability of laptops poses a risk to confidential information stored on them. Reduction of this risk can be achieved by encrypting all laptops at UTEP. | UT System Security Bulletin #1 |
A-2 | Quarterly Meetings with UTEP System Administrators | System Administrators are the first line of defense in the protection of UTEP's information resources. Through sharing of information and providing targeted training, we can maintain information security at UTEP. | Decentralized Server Audit Finding | UTEP System Administrators
A-3 | Scanning of UTEP Servers to Inventory Sensitive Information | Effective protection and assignment of resources can only be accomplished by identifying those systems containing sensitive information. | Decentralized Server Audit Finding | UTEP System Administrators
A-4 | Risk Assessment of UTEP Servers | Servers located throughout this campus play a valuable role in meeting the university's mission. As such, they must be assessed in order to identify threats and help allocate resources to protect these systems accordingly. | Decentralized Server Audit Finding | UTEP System Administrators
A-5 | Configuration Management | Implementing Configuration Management will significantly increase the ability to audit all workstations on campus for compliance with various policies and regulations. | |
A-6 | Identification of Confidential Information at rest and in motion (also referred to as Data Leak Prevention) | In order to prevent confidential information from being exposed, several programs will be designed and implemented to monitor network traffic. Additionally, data monitoring on university systems will be cataloged to assist in identification of confidential information at rest. | |
A-7 | Services Inventory | Regular monitoring of computer system services will be performed to prevent malicious software from adding unauthorized services. This inventory service works by comparing authorized and newly introduced services, and then notifying the appropriate personnel. | |
A-8 | Network Statistics | Proactively monitor network usage of all systems to identify individual systems that may be compromised or illegally downloading/sharing copyrighted material. | |
A-9 | 2-Factor Authentication | Implementation of an additional security measure to strengthen the security posture of all UTEP credit card processing systems. | |
(Sources listed for A-5 through A-9 as a group: Security Program Elements, FERPA, HEOA.)
A-10 | Web Application Security | As more applications are released on the web, it is imperative that all security risks and vulnerabilities are identified and mitigated. To assist with this, the ISO provides web application scanning and review services, also known as penetration testing, to identify sensitive information and ensure that any vulnerability identified is corrected. | Security Program Elements |
A-11 | Update Security | In an effort to minimize risk, the latest security practices will be incorporated into existing security policies. This will ensure UTEP's continued efforts to either meet or exceed adherence to requirements and regulations. | |
A-12 | SSN Form Approval | Ensure that proper notification is available on all university-generated forms for any individual asked to disclose their SSN. An approval process will be put in place to require that all forms requesting this information are submitted to and approved by the ISO. | |
A-13 | Time Synchronization | To improve correlation of system log data, it is imperative that all systems synchronize to the same clock. This will allow for greater accuracy in generating historical timelines during investigations. | |
(Source listed for A-11 through A-13 as a group: Audit Finding.)
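A-7 describes the Services Inventory as a comparison of authorized services against newly introduced ones, followed by a notification. The Python below is an added example of that comparison, not UTEP's own tool; the host names, service names, binary paths and the comma-separated inventory format are constructed sample data. It goes one step beyond the description by treating an approved service name that is now backed by a different executable as a change, since a name-only comparison would miss it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    host: str
    name: str    # service name as the OS reports it
    binary: str  # executable path, so a known name backed by a new binary still shows up

def parse_inventory(text):
    """Parse constructed 'host,service,binary' lines into a set of Service records."""
    services = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        host, name, binary = (f.strip() for f in line.split(",", 2))
        services.add(Service(host, name, binary))
    return services

def classify(authorized, current):
    """Split baseline-vs-snapshot differences into new, changed and missing services.
    'changed' = an authorized name on that host now backed by a different binary;
    swapping the executable of an approved service evades a name-only check."""
    added, gone = current - authorized, authorized - current
    gone_keys = {(s.host, s.name) for s in gone}
    changed = {s for s in added if (s.host, s.name) in gone_keys}
    changed_keys = {(s.host, s.name) for s in changed}
    return {"new": added - changed, "changed": changed,
            "missing": {s for s in gone if (s.host, s.name) not in changed_keys}}

def notifications(authorized, current):
    """One message per host covering every new or changed service, for the responsible admin."""
    per_host = {}
    for kind, found in classify(authorized, current).items():
        if kind == "missing":
            continue  # a vanished service is worth a look but is not an unauthorized addition
        for svc in sorted(found, key=lambda s: (s.host, s.name)):
            per_host.setdefault(svc.host, []).append(f"{kind}: {svc.name} ({svc.binary})")
    return {h: f"Service inventory alert for {h}: " + "; ".join(v) for h, v in per_host.items()}

# Constructed sample data: the authorized baseline and a snapshot taken later.
BASELINE = """srv-a,sshd,/usr/sbin/sshd
srv-a,cron,/usr/sbin/cron
srv-b,sshd,/usr/sbin/sshd
srv-b,httpd,/usr/sbin/httpd"""
SNAPSHOT = """srv-a,sshd,/usr/sbin/sshd
srv-a,cron,/usr/sbin/cron
srv-a,updater,/tmp/.cache/updater
srv-b,sshd,/usr/sbin/sshd
srv-b,httpd,/opt/backup/httpd"""
```

Running `notifications(parse_inventory(BASELINE), parse_inventory(SNAPSHOT))` on the sample data reports one new service on srv-a and one changed binary on srv-b.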
Training Plan

This section identifies the Training Strategies (including topics, audiences, and delivery methods) to be used during the year to mitigate risk.

Strategy # | Training or Strategy | Target Audience | Source | Responsible Party(s)
T-1 | Handling of sensitive information: Give guidance on how to properly protect sensitive information | Faculty, Staff, and Student Employees | | Security
T-2 | Compliance Training: Yearly training on security areas that all faculty and staff must adhere to | Faculty, Staff, and Student Employees | | Security
T-3 | PCI Training: Establish training for all users that handle and process credit card information | Faculty, Staff, and Student Employees | | Security
T-4 | SANS training push for all ISAs | System Administrators | | Security
T-5 | New Employee Orientation: Provide guidance on UTEP's information security policies and protecting confidential information | Faculty and Staff | | Security
T-6 | Student Orientation: Introduction to safe computing practices; overview of UTEP's information security policies | Students | | Security
T-7 | Acceptable Use: An effort to notify all users regarding authorized/unauthorized use of information resources | Faculty, Staff, Students, Third-Party Vendors/Consultants, etc. | | Security
T-8 | Security Bulletins to Community: Provide timely notification of potential security risks or threats facing the community | Faculty, Staff, and Students | | Security
T-9 | Data Leak Prevention: Training to provide security practices to mitigate or prevent data exposure during normal work activities | Faculty, Staff, and Students | | Security

Monitoring Plan

The Monitoring Plan identifies all the Monitoring Strategies the institution plans to use in the coming year to identify security vulnerabilities or actual security incidents so that corrective actions are possible. Results will be reported in the quarterly reports to UT System.

Strategy # | Monitoring Strategy | Addresses this Risk | Source | Responsible Party(s)
M-1 | Monitoring daily transmissions of sensitive information leaving UTEP's network unencrypted | Prevent the disclosure of sensitive information to external parties. | FERPA |
M-2 | Daily review of system logs where credit card information is processed | Detection of threats to credit card processing systems. | |
M-3 | Security scanning of all UTEP web applications that accept credit card information | Detection of security vulnerabilities in applications developed to accept credit cards. | |
M-4 | Daily monitoring of the intrusion detection system | Detection of network security threats against critical systems located in the Information Technology Datacenter. | FERPA |
M-5 | Monthly monitoring of access to central database systems | Review of access controls of the central databases. Prevents unauthorized users from accessing sensitive information. | |
M-6 | Monitoring of open shares on network | Detection of computer systems on UTEP's network that may inadvertently share sensitive information without access controls in place. | |
M-7 | Review of central datacenter's physical security controls | Review physical security access controls to the IT Datacenter and assure that unauthorized personnel cannot enter without detection. | |
M-8 | Vulnerability scanning of critical servers | Timely detection of vulnerabilities on our servers to prevent external threats from accessing or interrupting services. | |
(Source listed for M-6 through M-8 as a group: Decentralized Server Audit Finding.)
M-9 | Monitoring of permissions on open shares within the IT datacenter | Validation of access control permissions on server shares is paramount to preventing unauthorized access to confidential information. | |
M-10 | Review of quarantined email messages for false positives | Allows for fine-tuning of the email filtering system to minimize the amount of legitimate email blocked by our spam filtering solution. | |
(Source listed for M-9 and M-10 as a group: FERPA.)
M-11 | Monitor and respond to notification of virus and confidential information exposure | Timely remediation of potential data exposure to outside entities as well as altering business practices to further minimize threats or exposure. | |
M-12 | Respond to Copyright Infringement Complaints | Prevent the use of state resources to download, share, or redistribute copyrighted material that is not owned by the party involved. | HEOA |
M-13 | Confidential Information Inventory | Generate an accurate catalog of confidential information stored on university-owned resources so that better access control measures may be placed on those systems. | |
M-14 | Account Disabling | Prevents users no longer affiliated with the university from accessing systems they were previously authorized to use. | |
M-15 | Intrusion Prevention System (IPS) Monitoring | Timely notification of threats to the PCI environment so that remediation steps can be taken. | |
M-16 | Mission Critical Systems | Discover vulnerabilities on university mission-critical systems so that remediation can be accomplished before the vulnerability can be exploited. | |
M-17 | Operating System Patches and Updates | Ensure that operating systems within the Miners domain receive critical patches, thereby reducing the risk of compromise. | |
M-18 | Information Security Administrator (ISA) Training | Ensure UTEP's systems administrators are receiving appropriate training in the area of information security. | |
M-19 | Change Management | Validate that all business and mission-critical systems follow a change management process, thus reducing the risk of unauthorized system changes. | |
M-20 | Incident Resolution | Follow up on incidents to ensure any security requirements have been implemented. | |

Program Exceptions

The Chief Information Security Officer has not granted any security element exceptions to UTEP departments.