EDUCAUSE Security Professionals Conference 2006. Summary: System-wide Strategies for Achieving IT Security at Univ. of California

System-wide Strategies for Achieving IT Security at the University of California
Jacqueline Craig, Director of Policy, University of California Office of the President
David H. Walker, Director of Advanced Technology, University of California Office of the President
How do you effectively achieve appropriate stewardship of both personal and restricted information that is used across an institution’s academic, administrative, and other operations? This session took a close look at the efforts of the University of California system.
UC has experienced a number of serious security breaches across the 18 campuses, centers and labs.  In 2003, California passed legislation requiring notification if there is a reasonable belief that unauthorized access of information has occurred and there is reason to believe that privacy of individuals has been compromised.  UC responded by instituting a university-wide security workgroup to come up with solutions.  The workgroup was comprised of faculty, deans, vice-chancellors, general counsel, security officers, CIOs and directors.
The working group agreed upon a number of recommendations:
  • Leadership actions to achieve accountability
  • University-wide communication and security education & training
  • Stronger IT security policies
  • Risk assessment guidelines and mitigation with focus on both academic and administrative strategies.
  • Campus-based encryption strategies
  • Improved security incident guidelines
This session emphasized encryption and forensic decisions.
Encryption at the UC will include:
  • Encryption for data when stored in a location that does not have appropriate physical security and access controls. This includes whole disk encryption including mobile devices, file encryption for data that will be “carried” or transmitted, and database encryption. Encrypted backups are also under consideration. UC is setting up appropriate infrastructure and working on contracts with vendors at this time. Note that all copies of restricted data are being assessed.
  • Encryption for data transmission at “all” times. This will include file transfers, email, network printer communication, remote file services, and VPN.
A workflow plan and a communication plan for incident response are being developed.
Response will include the following initial steps:
  • Communication to appropriate staff/teams and others as required
  • Maintenance of a log of actions
  • Securing the area/facility
  • Determining the need for forensics and collecting forensic evidence as possible
  • Regaining control and analyzing the situation
Forensic services are being put into place, including established local teams and outside help/backup when needed. Operational responsibility is at the campus level to preserve evidence first, provide audit log analysis, and restore service later. Swaps should be available for critical infrastructure where possible. It was noted that managers are held responsible for doing the right things in preparation and at the time of an incident, but they are not held responsible if there is a breach.
UC is establishing an “instant services” vendor service to ensure chain of evidence if needed and pre-set agreements and process procedures for incidents with law enforcement so timely decisions are easier and good relations are maintained. 
Guidelines are being established for management of application logs, system logs, network device logs, change management logs, and others as appropriate, i.e., surveillance, physical access, etc. They emphasized the importance of building a case for taking logs and putting them into a centrally located log management service that is a repository with appropriate tools.
The presentation went into depth on each of the types of logs and the content that can be monitored for uses such as access, change, cost allocation, malfunctions, resource utilization, user activity, and, of course, security incidents.
As university records, logs must be appropriately managed and preserved and able to be retrieved as needed. Retention periods must balance confidentiality of specific individuals’ activities, the need to support investigations, and the cost of retaining the records within what is legally required unless there are extenuating circumstances.