Educause Security Discussion mailing list archives

Re: Network IPS Information Security Policy


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Fri, 13 Nov 2009 16:27:37 -0700

Randy,

 This might be useful. This is a guide we developed a few years ago that has, somewhat surprisingly, been one of the 
most frequently cited/used policies that we have:
  http://www.pima.edu/policies/standardguidlines/SPG-5702-AG.shtml

 I think you are on the right track thinking this is an essential building block in going down this path. 

 Note that the previous document I sent was an internal IT procedures document, whereas this link above is a document 
approved by our Chancellor, Cabinet, Faculty Senate, etc.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy 
marchany
Sent: Friday, November 13, 2009 2:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Network IPS Information Security Policy

Brian, thanks. It's that set of procedures that I'd like to see if
possible.  Yes, it's a machine "examining" content but at some point,
a human gets involved. That doesn't sell to the general public who has
no idea of how this technology works. They just hear "someone/thing
can look at my chats or email?". This set of procedures seems to be a
great first step in allaying those fears.

-r.

On Fri, Nov 13, 2009 at 3:12 PM, Basgen, Brian <bbasgen () pima edu> wrote:

 We did not feel the need to create a Policy, but I've enclosed our "IPS review procedures" document.

 Randy, to your question, we have policy with similar language to what Gary just posted. The key point here is that 
we have both the right and obligation to monitor network traffic; we will not inspect the traffic of any particular 
individual without following a very particular set of procedures.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary 
Dobbins
Sent: Friday, November 13, 2009 12:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Network IPS Information Security Policy

I'll paste at the end of this message an excerpt from our process for managing the IPS.  We set out to define one 
that would be heavily inclusive of the campus IT community, so that it was mostly they who choose when and what to 
block with the IPS, informed by the IDS side of the tool.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kris Monroe
Sent: Friday, November 13, 2009 8:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Network IPS Information Security Policy

Has anyone developed an Information Security Policy for their Network
IPS that they could share?
My Information Security Policies Made Easy 10th Edition has IDS and HIDS
but not Network IPS and I feel it is a different enough beast that I'd
like some other references.
Regards,
-Kris

Kris Monroe, CISSP, CISA, TECP
Network Security Engineer and Acting Information Security Officer
Ithaca College

=====================================
Management Process - Campus Perimeter/Border System

  1. On behalf of the University, the Office of Information Technologies (OIT) will operate the University IPS. OIT 
will monitor and analyze network traffic to identify cyber threats.
  2. The OIT will propose IPS configuration changes to automatically block network traffic identified as a threat to 
the campus computing resources.
        1. Other members of the Notre Dame community may submit a proposal to recommend IPS configuration changes.
  3. A configuration change proposal may be submitted for campus review via the OIT Change Control process. The 
proposal must include an explanation of the functional impact of the change.
        1. All proposed changes will be published to the IPS-EVENTS email list service and on the secure.nd.edu 
website.
        2. A one-week commentary period for each proposal will be available where members of the Notre Dame community 
can comment on the proposed change. The IPS-EVENTS list service will be used to receive comments.
  4. The OIT Change Advisory Board will provide oversight by reviewing comments and determining if the proposed 
change is approved for deployment.
  5. Once approved, the change is scheduled through the OIT Change Control process.
  6. After the change is deployed, a post-deployment notification will be posted to the IT-Events email list service 
and on this website.
  7. Rollback: If a configuration change creates unintended issues, the configuration can either be modified or turned 
off. Problems should be reported using the standard OIT Unscheduled Service Outage/Performance Issues Notification 
Process.
  8. The OIT Change Advisory Board will handle all emergency changes.
  9. In order to create awareness of the Border IPS system configuration, an inventory of approved and proposed 
changes will be maintained. The complete inventory is available to anyone with a valid netid.

