Introduction...3. Conclusion...8. 2 White paper: IT SECURITY FOR SMART SCHOOLS



Similar documents
Basics of Internet Security

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Evaluate the Usability of Security Audits in Electronic Commerce

Four Top Emagined Security Services

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

How To Manage Security On A Networked Computer System

IT Security. Securing Your Business Investments

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Network Security Policy

How To Protect Your Network From Attack

Guideline on Auditing and Log Management

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

What s happening in the area of E-security for the Financial Transactions in China

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Cisco Advanced Services for Network Security

Walton Centre. Document History Date Version Author Changes 01/10/ A Cobain L Wyatt 07/01/ L Wyatt Update to procedure

University System of Maryland University of Maryland, College Park Division of Information Technology

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

How To Audit The Minnesota Department Of Agriculture Network Security Controls Audit

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Information Blue Valley Schools FEBRUARY 2015

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

CTS2134 Introduction to Networking. Module Network Security

INFORMATION SECURITY California Maritime Academy

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Cyber Security Risk Mitigation Checklist

Looking at the SANS 20 Critical Security Controls

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Becoming PCI Compliant

Maruleng Local Municipality

Security Considerations for DirectAccess Deployments. Whitepaper

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

TABLE OF CONTENTS INTRODUCTION... 1

Data Security Incident Response Plan. [Insert Organization Name]

Access control policy: Role-based access

Risk Management Guide for Information Technology Systems. NIST SP Overview

EA-ISP-012-Network Management Policy

Understanding SCADA System Security Vulnerabilities

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

ICANWK406A Install, configure and test network security

Altius IT Policy Collection Compliance and Standards Matrix

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Running the SANS Top 5 Essential Log Reports with Activeworx Security Center

Achieving SOX Compliance with Masergy Security Professional Services

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Remote Services. Managing Open Systems with Remote Services

Lesson 5: Network perimeter security

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

CHIS, Inc. Privacy General Guidelines

CISCO IOS NETWORK SECURITY (IINS)

FIREWALL POLICY November 2006 TNS POL - 008

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES

SANS Top 20 Critical Controls for Effective Cyber Defense

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

CHAPTER 1 INTRODUCTION

Critical Controls for Cyber Security.

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

1B1 SECURITY RESPONSIBILITY

PCI DSS Requirements - Security Controls and Processes

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

BKDconnect Security Overview

LogRhythm and NERC CIP Compliance

Network Security. Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ. July Network Security 08

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

HIPAA Compliance Evaluation Report

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Fig : Packet Filtering

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Evaluation Report. Office of Inspector General

Firewalls, Tunnels, and Network Intrusion Detection

IT Governance: The benefits of an Information Security Management System

Current and Future Research into Network Security Prof. Madjid Merabti

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

CMPT 471 Networking II

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Information Security Basic Concepts

How to Develop a Log Management Strategy

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Security Controls for the Autodesk 360 Managed Services

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Information Technology Security Review April 16, 2012

Data Management Policies. Sage ERP Online

ΕΠΛ 674: Εργαστήριο 5 Firewalls

FIREWALL POLICY DOCUMENT

Information Technology Cyber Security Policy

Designing a security policy to protect your automation solution

How To Protect Your School From A Breach Of Security

Chapter 1 The Principles of Auditing 1

Transcription:

White Paper IT Security for Smart Schools msc trustgate.com (478231-X) (CA License No.: LK0022000) G / F, Belatuk Block, Cyberview Garden, 63000 Cyberjaya, Selangor Darul Ehsan, Malaysia. Tel: + 603 8318 1800 Fax: + 603 8319 1800 http:// www.msctrustgate.com

Introduction......3 Outside Attack...4 Internal Security...4 Control of Content...4 A matter of trust...4 Security Culture...5 Security Technology: A Multi-layered Approach...6 Security operations...6 Summary of process...7 Conclusion...8 2 White paper: IT SECURITY FOR SMART SCHOOLS

Introduction The purpose of this document is to outline the security strategy for the Smart Schools project. IT security will be crucial to its ability to provide secure and wellmanaged services, and to ensure that students are provided with the appropriate content. The Smart Schools network is a national network, operating across private and public communications channel. When fully operational, it will support hundreds of thousands of students, teachers, administrators and parents. The sheer size of the user population will mean that the users will unfortunately include curious, careless, or malicious users who may not share the security goals and values of the network operators. The network contains a mix of information assets, some of which are highly sensitive, and others that will be critical to the day-to-day activities of the education system. Each element of the network must be protected from attack or inappropriate access from outside the network, and from within its boundaries. Further, the network is connected to the Internet with its rich variety of content, both appropriate and inappropriate for students. The security requirements of Smart Schools network can be categorized into three groups; Requirements to protect the network from outside attack, including attacks from the Internet, and attacks from other users of the national network. Requirements to apply appropriate access control within the network, and to ensure the network continues to operate free from the effects of malicious code. Requirements to control the content that is made available to students and staff. 3 White paper: IT SECURITY FOR SMART SCHOOLS

These are further described as follows: Outside Attack Outside attacks include unauthorized attempts to enter the network, to deny service to the network s authorized users or to inflict damage on the network s users and systems with malicious code. The network must support remote access to its resources to both its own users, and to contractors or support personnel who will manage and maintain the network. The network must therefore be able to distinguish and provide secure access to legitimate external users. Internal Security Insider threats include unauthorized attempts to view, modify, or deny rightful users access to resources. Students viewing tests, modifying electronic versions of report cards, or accessing confidential human resource information concerning teachers are examples of potential problems here. As well, the administrative systems in the network may be used fro e-commerce or procurement purposes and these could be misused in a variety of ways. Control of Content This includes controlling of content that is retrieved from outside the network, ensuring content that is developed within the network is appropriate and wellprotected. A matter of trust Security s old paradigm of control and prevention where access was the exception, not the rule, does not suit the open, connected environment. In an open environment the new security model emphasizes trust enabling parents, educators and students to communicate and participate more openly and efficiently, supporting learning without fear of vandalism, loss of private or confidential information, spoofing and other forms of online security risks. 4 White paper: IT SECURITY FOR SMART SCHOOLS

Students and parents need to be able to trust those who dispense information and advice online. The field is open for unqualified, non-trusted parties to dispense information, advice or counseling to students seeking them. There will be those who claim to be qualified and those who would claim to be somebody whom they are not. If trust is to be built into smart schools processes, privacy confidentiality and integrity of its content must be at its core. PKI (Public Key Infrastructure) with its digital certificates is been regarded as today's de facto on-line security standard and provides the highest level of trust solution through its basic functionality for: Ensuring that parties, like students, teachers, administrators and parents, can be certain of each other s identity online. Privacy and confidentiality of information and messages. Integrity and non-repudiation of messages and transactions. Overcoming the inherent weaknesses of id/password access control. Security Culture Secure systems are the result of a security culture. This means that security must be a consideration in all major design decisions during the development of the network and the applications, and that security activities continue through out the life of the network. Just as design engineers cannot build a successful system without a target in mind, the security of the network cannot be designed without a high level Security Policy, which defines the will of the organization to protect its assets. This policy is the basis of all security activities through out the life of the network and systems. It identifies who is responsible for security and the processes that the organization follows to manage its risks. In every large project, responsibility for security must be ultimate assigned to a single person. This person must have the support of the organization s senior managers to oversee the security design, approve it, and accept any remaining risk on behalf of the organization. This security watchdog role is crucial during the system s development, and through out its operational life. 5 White paper: IT SECURITY FOR SMART SCHOOLS

Security Technology: A Multi-layered Approach Secure networks include layers of technology, which collectively reduce the risk to acceptable levels. The technology approach would be as follows: Dividing the network into security domains that have similar security postures (i.e. public areas, administrative segments, and dedicated segments (or virtual segments) for communities of interests). Separating the domains with perimeter security as appropriate. Perimeter security would be applied using a combination of firewalls, routers and witches. Connecting users across non-trusted networks using VPN technology Monitoring key interfaces using intrusion detection technology. Screening content at perimeters using content-aware filtering devices (blacklists and white lists). Automatically examining Web, email, FTP, and other content from viruses and inappropriate material. Integration of a Public Key Infrastructure (PKI) is crucial Installing access control and logging mechanisms on high risks systems Security-hardening critical servers Penetration testing security-critical systems. Security operations Technology alone will not ensure the security of this network. Security is a process. Just as network management is crucial to the ongoing success of the network, security management will also play a crucial role. 6 White paper: IT SECURITY FOR SMART SCHOOLS

A senior security architect will oversee the security development of the network, and a security officer will be responsible for the security of the network during operation. Security management activities will include: The management of users and accounts. The management of privileges and access, including firewalls. Content management. Review of security audit trails and logs. Response to security alarms and events (incident response). Other factors that will be important to the ongoing security of the network include: Training and security screening of staff. Configuration management of security critical devices. Business resumption planning in the event of natural or security related outages. Ongoing operational security audits Ongoing technical audits. Summary of processes To ensure that all of the above occurs, a methodical approach is required. The steps in this approach are as follows: Develop a Security Policy for Smart Schools. Develop Statement of Sensitivity to determine the sensitivity of the network s information and tangible assets to loss of confidentiality, integrity, and availability. Conduct a Threat and Risk Assessment to determine where the most likely attacks are, and the relative risks for these attacks. 7 White paper: IT SECURITY FOR SMART SCHOOLS

Based on this, develop a prioritized set of risks. Develop security requirements. Implement the requirements in the design. Conduct a pre-implementation review to determine if the security requirements were achieved, and the security policy has been respected. Develop security operating procedures for the network. Hire and train security staff to operate the network. Engage third-party auditors to review the security practices and technology of the network on a regular basis. Engage a third-party trust solution to authenticate thus authorize access to the network and allow the user to digitally sign for the transaction to ensure integrity and non-repudiation offering the smart school network the highest form of trust. Conclusion The preceding discussion shows that a combined technical and procedural effort is required to secure and maintain the security of Smart Schools network. The design and operations of the network should follow industry-wide best practices to provide the highest level of security at a reasonable cost. This will guarantee the network functions as it was intended and provides maximum benefit to its user community. 8 White paper: IT SECURITY FOR SMART SCHOOLS

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information