Re: Centralized security administration

[Robert Ono <raono () UCDAVIS EDU>]

Keith
The development of the UC Davis Cyber-safety policy was initiated by a
security workgroup and took about four months to reach campus adoption.
The UC Davis security standards built upon the UC Berkeley and UC San
Diego minimum security standards (see campus links under
http://www.ucop.edu/irc/itsec/uc/). The UC Davis Cyber-safety policy was
broadly discussed within the academic, technical and administrative
communities before campus adoption. The policy goes beyond establishing
security standards by requiring schools, colleges and administrative
organizations to annually review and report on their compliance to the
campus security standards and describe improvement plans, where
appropriate. The policy was originally approved in May 2005 and was
revised in July 2006. As part of the July revision, an online survey was
developed for the 2006 report.

Please feel free to use the approach and material as a guide, where
appropriate.

Physical security, as mentioned by Valdis, can be a challenge to
implement. However, one of the main drivers for moving the physical
security standard to the "level two" category was the risk level
associated to physical security exposures.  Campus experience revealed
that the greatest security benefits would be afforded by promoting patch
deployment, installation of anti-virus updates, strong authentication,
security measures for restricted data, disabling of non-secure protocols
and use of firewall services - all "level one" security practices. Over
time, the placement of a security practice within a particular security
category may change.

Bob



Hunt,Keith A wrote:

> Hello Bob,
>
> Some really good stuff there. Any idea how much effort to develop the
> policies, guidelines, surveys, etc and keep it all up to date?
>
> And would you mind if I used some of it as a guide for something similar
> here?
>
> A question about the Level 1 and Level 2 practices: why did physical
> security get bumped down to Level 2? I would consider that very basic,
> and also one of the easier problems to fix.
>
> --
> Keith
>
>
>
> > -----Original Message-----
> > From: Bob Kehr [mailto:rskehr () ucdavis edu]
> > Sent: Thursday, August 17, 2006 12:04 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Centralized security administration
> >
> > General SysAdmin at our university is very decentralized. The current
> > approach is "policy" in conjunction with reporting, scanning, and IDS.
> >
> > http://security.ucdavis.edu/cybersafety.cfm
> > http://manuals.ucdavis.edu/ppm/310/310-21.htm - note IV.B
> > http://security.ucdavis.edu/vuln_resources.cfm
> > http://www.ucop.edu/irc/itlc/sautter/ucd_2005_winner.html
> >
> > -Bob Kehr


--
Robert A. Ono, CISSP
Information Technology Security Coordinator
Office of the Vice Provost
Information and Educational Technology
University of California, Davis
(530) 757-5795