Current Security Subcommittee Projects

This page tries to list the current projects of the Security Subcommittee. Note some of the pages may go to restricted content.

Policy Issues

The Security Subcommittee works on various "Policy" issues as they are presented to us or we feel they need to be addressed. Here is a current listing with some notes of current policy issues being worked on.

Data Classification

• new policy
• versions were presented to UITC and Legal in 2005 but were considered unimplementable and unenforceable; new version being worked on
• revised draft reviewed by Legal, Audit, Security Subcommittee, UITC; recommend 7/12/2006 by UITC to move forward in approval proces; http://www.ncsu.edu/it/uitc/07-12-06/draft-DCS-PRR-07-12-06.doc
• merged into update DMP

Security Controls Guidelines

• new document
• version has been presented to UITC for comments in 2005; still being revised
• [April 2006] a better presented online version being worked on

Data Management Procedures

• revised REG 08.00.3
• routine updates to reflect university organizational changes
• reorganized document to make applicable to and usable by all of campus instead of just administrative computing
• draft reviewed by Legal, Audit, Security Subcommittee, UITC; recommend 7/12/2006 by UITC to move forward in approval proces; http://www.ncsu.edu/it/uitc/07-12-06/draft-DMP-PRR-07.12.06.doc
• revised version approved 19 Dec 2006

Anti-Virus requirement

• revised REG 08.00.10
• some wording changes to help with enforcement

Password Requirements

• new/revised
• currently just set by ITD and ETSS for accounts they manage
• need to look at requirements that would apply to all of campus
• [5/9/2007] UITC recomended adoption of latest proposal

Data Disposal/Data Removal

• new/revised Data Removal
• need to get directions for all hard-drive + OS types
• need to expand information to include reuse/transfers no just surplus
• need to include non-hard-drive disposal/removal
• need to specify standard for erasing not just software product

Pain Points

This is a listing of items that committee members suggested during open discussion as targets for improvement on campus at our 15 December 2005 meeting. They are in no particular order. Each item is presented with comments/thoughts that came up during the discussion.

data disposal

• incomplete job with current procedures only covering surplus computers
• need to provide guidance on all disposal; electronic and paper
• need to discuss transfers/reuse
• transfer needs to address software license issues with transfered computers
• [4/17/2006] current URL http://www.ncsu.edu/data_removal/

web presence

must get our web site out there with information

security subcommittee - accountability and responsibility

what is our level of accountability and responsibility?

unsecured computer/application interfaces

• need to especially look at web applications as many are not running with SSL
• a large number use self signed certificates
• need to do a better job of pushing use of existing CAs to sign certificates; Thawte for commercial or ITD or ITECS for internal uses
• need to look at application security for all applications accessing sensitive data; special focus on the client/server link and data transfers
• [4/17/2006] current listing for committee reference

restricting network access to registered hosts

• what capability is there to restrict network access to only hosts registered in QIP, looking at MAC restrictions; eg. could all unregistered MACs be blocked at the building router?
• this is not really feasible with the current environment
• could use something like Nomad (Cisco Clean Access) to force user+host registration
• can look into doing compares of what machines (IP+MAC) are seen on the network with what information is in QIP; would then need a process for encouraging updating the information or consequences when it isn't updated
• related question on Computer Use Reg
  what does 'registered in the ncsu.edu domain' mean?
  do we want to require MACs on all registrations with a special category for virtual IPs where MACs don't make sense?

awareness

• people are not aware of their security responsibilities
• don't understand why they need to be concerned with security
• they don't see any consequences of not implementing security
• no real graduate student orientation to the campus IT environment; eg. computer use reg, sharing accounts


• related issue -- Data Compliance Form
  • currently a one time signing
  • having annual re-signing would be a good place to add some awareness; especially to refresh people on the due care in handling the sensitive information they can access

how to handle notification of possible problems vs. confirmed problems

• ITD security gets numerous reports each day of odd activity that could be a security problem
• in most cases unless a real problem can be confirmed notices are not sent to the department that owns the computer; this is done to prevent them chasing down lots of false positives
• is this information useful to get out to the departments and how to do it without overloading

security standards

• need to do more work on getting security standards out for reference by admins on campus
• they want to know how to properly security their machines

access without training

• we are frequently giving people access to systems without requiring an prior training
• this is especially a concern with business applications; eg. HR and Financials

HR and IT issues

• need to get HR engaged in making sure security responsibilities are being put into job descriptions
• also get them more involved in making sure employees not following good security practices are actually dealt with