Security Policy: How, Who, What?

Presenter: John Rasmussen, Manager, Security Engineering, Oregon Health & Science University

Not so long ago, security was based on providing an optional desktop virus checker along with a bit of packet shaping or a limited firewall. Today the threats come faster than institutions can respond. In addition to everyday threat responses, compliance mechanisms for Sarbanes-Oxley, GLB, FERPA, and HIPAA are demanded, administrators are asking for reduced intrusion costs, and auditors are asking for the written policies. How do we enable the institution to provide services and reasonable protection from a hostile network (sometimes hostile even inside the firewall) while maintaining a flexible and adaptable policy? This session will provide a brief overview of the general principles of developing security policy, followed by a lively discussion of topics such as:

  • Who writes policy?
  • Who needs to be involved in the policy development process?
  • Who determines the need for policy?
  • Can the usual (months long) policy adoption process work when security needs change hourly?
  • Who pays for policy?
  • What are the implications of poor policy implementation?
  • What are the benefits of effective policy implementation?
  • What are the most vexing policy issues?
  • Can the IT organization successfully be the policy work?
  • How is policy enforced?
  • Can IT enforce policy and still be viewed as a service provider?
  • Can policy be flexible and adaptable enough to meet the needs of the institution?
Presentation (ppt)

 

ACM SIGUCCS Spring Management Symposium 2005
March 20-22, 2005
Francis Marion Hotel

Updated: March 29, 2005