IT Security & Policy
Indiana’s Mark Bruhn says he’s heard nearly every song and dance about campus IT security. Check below: Is he playing your song?
Mark S. Bruhn is Indiana University’s CIO and chief IT Security and Policy officer, working in the Office of the for Information Technology, where he advises the university administration on technology deployment and usage, especially in the critical areas of policy and security. He is also associate director of the IU Center for Applied Cybersecurity Research (CACR) and chairs the CACR-sponsored annual Indiana Higher Education Cyber Security Summit (www.cacr.iu.edu). In addition to his work at IU, Bruhn is a member of the Executive Committee of the Educause/Internet2 Task Force on Network and Systems Security, co-chairs the Task Force’s Security Awareness and Education Initiative, and is involved in various other efforts to improve IT security in higher education. In other words, if it’s about security and policy, Bruhn is there.
10 - Sensitive data: here, there, and everywhere
- Get rid of sensitive data ASAP: not collected, not compromised.
- If it must be collected/kept, store it on a secure, well-maintained computer.
- Don’t store it on workstations; secure a central computer, not thousands.
9 - Before you accuse me
- Make everyone responsible for his own computer/account/password security.
- Require them to ensure only appropriate people have access to their data.
8 - Communications breakdown?
- Rethink sending sensitive e-mail unencrypted; an unencrypted message goes out as an open postcard.
- Give users a method to communicate sensitive info (PGP, secure Web drop-off).
- Require antivirus software on all workstations, servers, e-mail relays—anywhere e-mail and documents are handled.
7 - Just what I needed!
- Help your organization realize: Security is a cost of doing business.
- Recognize that poor management of systems (i.e., configuration errors or lack of maintenance) accounts for most security breaches.
- Make sure techs are given adequate resources to manage and secure IT systems.
6 - The “seeker”
- Remember: Crackers use readily available automated scanners to scan entire networks daily for vulnerable systems and services.
- Determine: If crackers are doing this, your organization’s techs should, too.
- Remove vulnerabilities: Where they could afford privileged access to the system, a complete rebuild is critical.
5 - Set them free
- Understand all programs running on servers.
- Stop programs/services not truly required, to reduce vulnerability exploitation.
- Consult security guides and documents available at vendor Web sites.
4 - Silence is golden
- Realize: Weak passwords are still a common route to compromised computers.
- Require strong passwords (not dictionary words!) on every computer.
- Remind users: Passwords shouldn’t be shared with anyone, even support techs.
3 - Change the locks
- Don’t forget physical protection of IT systems—often overlooked, but critical to IT security plans.
- Restrict physical access to critical servers; don’t, and logical security is useless.
- Provide adequate climate control for all critical servers.
2 - Real, real gone
- Remove all traces of personal and business data from storage media (e.g., hard drives) before reassigning the device.
- Accept it: Deleting files/reformatting a hard drive doesn’t remove stored data.
- Techs should use wiping utilities, degaussing, or destruction to securely remove all data remnants.
1 - Show me the way
- Remember: An organization can’t begin to protect critical systems and functions without first knowing what technologies have been deployed.
- Once technologies and their interrelationships are clear, spot associated risks.
- Once risks related to technology are identified and prioritized, put your money where the risks are.