Security Planning, Cybersecurity, and Security Policies

Recent blog entries tagged with Security Planning, Cybersecurity, and Security Policies.

Participate as a Presenter at the 2009 Security Professionals Conference

Created by Valerie M. Vogel (EDUCAUSE) on October 20, 2008

The 2009 EDUCAUSE and Internet2 Security Professionals Conference—featuring keynote speakers Joanne McNabb, Chief of the Office of Privacy Protection, State of California, and Edward Amoroso, Chief Information Security Officer, AT&T—will address privacy and security topics in the areas of management and operations, policy and compliance, and technology.

Participate as a presenter: Presenters help create an innovative and informative program, make valuable contacts, and gain recognition for their achievements and their organization's. Presentations will need to address one of the following categories:

Security Professionals Conference 2009: Submit a Presentation Proposal

Created by Colleen Luckett (EDUCAUSE) on October 17, 2008

The 2009 EDUCAUSE and Internet2 Security Professionals Conference—featuring keynote speakers Joanne McNabb, Chief of the Office of Privacy Protection, State of California, and Edward Amoroso, Chief Information Security Officer, AT&T—will address privacy and security topics in the areas of management and operations, policy and compliance, and technology.

Participate as a presenter: Presenters help create an innovative and informative program, make valuable contacts, and gain recognition for their achievements and their organization's. Presentations will need to address one of the following categories:

Security Professionals Conference to Focus on Security and Privacy Compliance, Planning, and Trends in Higher Ed

Created by Colleen Luckett (EDUCAUSE) on February 08, 2008

Rebecca Whitener, vice president, enterprise risk management and chief risk officer, EDS, and Greg Garcia, assistant secretary for cyber security and communications, United States Department of Homeland Security, will present keynote sessions at the 2008 Security Professionals Conference, May 4–6 in Arlington, Virginia.

The conference program will cover these topic areas, with a focus on higher education:

Call for Proposals Now Open for 2008 Security Professionals Conference

Created by Colleen Luckett (EDUCAUSE) on October 04, 2007

The Security Professionals Conference 2008—featuring keynote speakers Rebecca Whitener of Electronic Data Systems and Greg Garcia of the United States Department of Homeland Security—will address technical solutions and management issues, including security training and awareness, as well as security policies and procedures. Presentation proposals are due before November 16, 2007. For additional information on cybersecurity in higher education, see the EDUCAUSE & Internet2 Security Task Force Web page.

EDUCAUSE Security Conference: Herding cats and campuses: addressing distributed security and compliance issues

Created by Lida L. Larsen (EDUCAUSE) on April 17, 2007
Summary

Herding cats and campuses: addressing distributed security and compliance issues
Kathleen Kimball, Senior Director, ITS Security Operations and Services, PennState
David Lindstrom, Chief Privacy Officer, PennState

2007 EDUCAUSE Security Professionals Conference
Thursday, April 12, 2007
Denver, CO

Notes:
Kimball and Lindstrom began their presentation with a quick overview of their statewide environment which serves 83,721 students plus more than 60K staff and faculty at 24 campuses, a medical school, agriculture extensions, and their World Campus online learning program. They have one backbone network statewide and push terabits of data.
 
Their distributed governance and other issues make the security problem more difficult. Many users aren't doing the "traditional" things like teaching; many are effectively "home users," and their skills are at that level as well. In addition, there is a cultural tradition of independence among the campuses, and the emphasis on process by committee and consensus makes for slow decision-making.
 
They see their major security threats coming from constant hostile probes in a situation where security is often dependent on non-technical users.
 
What's happening in the security arena?
Watching trends, they note that there is:
  • growing sophistication of network attacks (bots, bots, and more bots)
  • increasing complexity of detecting and removing residual malicious software
  • a growing number of vendor security updates to be handled
  • an increasingly mobile population of Internet-capable devices connecting to unmanaged networks and then returning to PennState nets
At the same time they see:
  • a decreasing amount of time for global spread of worms and other malware
  • less ability to stop intruders at the network border
  • less time available to keep up with vendor security updates
  • a decreasing window of time to detect and deter network-based attacks
Legal and regulatory landscape
Lindstrom suggested that when in doubt, laws are passed, or policy is written, in an attempt to control what is increasingly becoming uncontrollable. He pointed out the nine or so policies that PennState has produced relating to security and privacy.
 
Lindstrom and Kimball represent the two sides of the house, administrative and academic, and find that they work together well in their respective institutional duties to reasonably secure sensitive data in their care.
 
At PennState, the network is distributed and so is the responsibility for data security. Each Dean or Administrative Officer is responsible for the data security policies and security implementations in their respective units. These local policies have the force of overall university policy and are intended to be guidelines for systems administrators.
 
In order for any unit to connect to the university network, it must have a network administrative, technical, and security contact. These people are key in incident notifications. There are financial officers in each unit, and they help with compliance issues. Currently the biggest problem is that only a network address is generally known for university systems when an incident response begins.
 
Lindstrom noted that units handling administrative data have additional requirements that are outlined in their "Trusted Network Specifications," and access to the net is not given unless they sign in ink that they'll be responsible. Units with an exception to hold SSNs have even more requirements. In spite of these policies and security precautions, there is a perceived gap between policy and performance for a number of reasons. Those reasons are primarily the plethora of compliance issues such as FERPA, HIPAA, Gramm-Leach-Bliley, Pennsylvania's Breach of Personal Information Notification Act, PCI-DSS (credit card industry standards), and undoubtedly more to come.
 
PennState feels that they must do better:
  • Improving the state of privacy and network security practices is essential, and it is a distributed problem that needs a distributed solution.
  • Raising the bar with regard to security practices and policies, the ability to comply with existing policies and laws, and their agility in responding to new laws that come along.
And all of this across the 24+ fiefdoms that comprise PennState.
 
From this the PennState Information Privacy and Security (IPAS) project was born.
It developed from a joint effort between ITS and the Corporate Controller, who sold university leadership on the gap between policy and practice. It is sponsored jointly by the Provost and CFO, and responsibility for oversight rests with the CIO and University Controller. Similarly, Kimball and Lindstrom represent the two sides of the house in their roles. It is a big enough central project that it was split three ways between budgets/budget executives. Audit, finance, corporate controller, and firewall audit (a small piece of the overall) were something they could all get their arms around.
 
IPAS
This is a multi-year, multi-phase, university-wide project with some overlap in the timing of the phases.
Phase 1 – evaluate and remediate if necessary PCI-DSS systems and networks
Phase 2 – take lessons learned and apply to systems and networks handling sensitive university information
 
Three project team members were drafted from existing staff for two year assignments to the project: Project Manager, Senior Network Analyst, and Project Technical Coordinator. Copies of the brochure for IPAS were distributed to the session attendees and it was noted that it includes these three staff members, their responsibilities, and their contact information. Leadership from distributed units provided the staff resources.
 
Lindstrom and Kimball listed the specifics of the two phases.

EDUCAUSE Security Professionals Conference 2006. Summary: System-wide Strategies for Achieving IT Security at Univ. of California

Created by Lida L. Larsen (EDUCAUSE) on April 25, 2006
System-wide Strategies for Achieving IT Security at the University of California
Jacqueline Craig, Director of Policy, University of California Office of the President
David H. Walker, Director of Advanced Technology, University of California Office of the President
 
How do you effectively achieve appropriate stewardship of both personal and restricted information that is used across an institution's academic, administrative, and other operations? This session took a close look at the efforts of the University of California system.
 
UC has experienced a number of serious security breaches across its 18 campuses, centers, and labs. In 2003, California passed legislation requiring notification if there is a reasonable belief that unauthorized access to information has occurred and there is reason to believe that the privacy of individuals has been compromised. UC responded by instituting a university-wide security workgroup to come up with solutions. The workgroup was composed of faculty, deans, vice-chancellors, general counsel, security officers, CIOs, and directors.
 
The working group agreed upon a number of recommendations:
  • Leadership actions to achieve accountability
  • University-wide communication and security education and training
  • Stronger IT security policies
  • Risk assessment guidelines and mitigation, with a focus on both academic and administrative strategies

UCISA Information Security Toolkit

Created by Stuart Yeates (University of Oxford) on March 15, 2006


UCISA were at the 2006 JISC Conference, touting their Information Security Toolkit:

The UCISA Information Security Toolkit is intended to support UK Higher and Further Education Institutions in producing Information Security policies to address (and to demonstrate that they are addressing) threats to the confidentiality, integrity and availability of information systems for which they are responsible, and to help meet audit requirements. The sections draw heavily on British Standard BS 7799, not least by adopting its structure for control objectives and controls.

Unfortunately it's very much embedded in the UK legislative framework, so only the technical bits will be of much use to those outside the UK. Strangely enough, I spent three days in Blackpool last week at their big annual event and didn't catch up with the toolkit at all; presumably they were all too busy running the event to promote their own documents.