
Getting Started

In order to secure the information that flows across internal networks and to/from the Internet, colleges and universities need to effectively manage their physical and logical network infrastructure. The protection of networked information assets requires policies, standards, and a sound network control strategy. If you are just getting started in this area of your security program, then the following steps can be very helpful to get underway:

  1. Develop policies and standards that support the:

    1. Establishment of clear authority and accountability for network management.

    2. Risk-based segregation of groups of systems, users, and information systems.

    3. Authority to control, actively monitor, and log traffic traversing designated ingress and egress points.

  2. Identify threats related to the communications environment (see HEISC Risk Management Framework).

    1. Evaluate threat scenarios and methods of network attack (reconnaissance, exploitation, data exfiltration).

  3. Identify the most critical systems, data, or equipment within the network. (see Asset Management)

  4. Use routing and firewalls to define the network perimeter.

  5. Use a border firewall and/or Intrusion Detection/Prevention devices to limit entry/exit of network traffic.

  6. Define the “demilitarized zone” of the network where the public can access limited network resources, as well as public access points to the network such as open access ports and public WiFi.

  7. Define restricted portions of the network for use by authorized staff and facility personnel; use identity and access management controls for users and systems on the network.

  8. Define highly restricted portions of the network such as within data centers, communications facilities, or other highly restricted areas.

  9. Establish information transfer policies and encryption standards that address varied needs for confidentiality, integrity, and non-repudiation of internal and external data exchanges.
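The tiered zones in steps 4 through 8, together with the ingress/egress logging called for in step 1, can be expressed as a default-deny flow matrix that a proposed firewall change can be checked against. The following Python is an added example and not part of the HEISC guide; the zone address ranges, permitted ports and sample flows are constructed for illustration.

```python
# Added example, not from the HEISC guide. All addresses, ports and flows are constructed.
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed address ranges for each internal tier; anything else is Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "restricted": ipaddress.ip_network("10.10.0.0/16"),
    "highly_restricted": ipaddress.ip_network("10.99.0.0/24"),
}

# (src_zone, dst_zone) -> permitted (proto, port) pairs. Unlisted pairs are
# denied, so the data-centre tier is reachable only from the restricted tier.
POLICY = {
    ("internet", "dmz"): {("tcp", 443)},
    ("dmz", "restricted"): {("tcp", 5432)},
    ("restricted", "highly_restricted"): {("tcp", 22)},
    ("restricted", "internet"): {("tcp", 443), ("udp", 53)},
}

def zone_of(addr):
    """Map an address to its zone; unknown space is treated as untrusted."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def evaluate(flow):
    """Return (verdict, log_line); every zone-boundary crossing gets a log line."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow", None  # not a designated ingress/egress point
    permitted = (flow.proto, flow.dport) in POLICY.get((src_zone, dst_zone), set())
    verdict = "allow" if permitted else "deny"
    line = (f"{verdict.upper()} {src_zone}->{dst_zone} "
            f"{flow.src}->{flow.dst} {flow.proto}/{flow.dport}")
    return verdict, line

# Constructed sample traffic: public web hit, direct probe of the data-centre
# tier, web tier reaching its database, admin session from the restricted tier.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", "tcp", 443),
    Flow("203.0.113.5", "10.99.0.3", "tcp", 22),
    Flow("192.0.2.10", "10.10.4.20", "tcp", 5432),
    Flow("10.10.1.7", "10.99.0.3", "tcp", 22),
]
```

Running `for v, line in map(evaluate, SAMPLE_FLOWS): print(line)` prints one log line per boundary crossing; the second sample flow is the only denial, because no path from the Internet into the highly restricted tier is listed.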

Overview

Communications encompasses the breadth of digital data flows both within an organization and between external entities across network infrastructures. These flows now include data, voice, video, and all of their associated signaling protocols. Securing these information flows as they traverse intranets, extranets, and the Internet requires effective network infrastructure management as well as controls, policies, and procedures. This chapter provides guidance in planning, developing, and implementing the most essential elements of a Communications Security strategy.

Network Security Management (ISO 13.1)

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

...

Information Transfer (ISO 13.2)

Objective: To maintain the security of information transferred within an organization and with any external entity.

Information transfer policies and procedures

Clear policies and procedures that govern the transfer of information between individuals both within and outside your organization should be established. Be sure to consider all possible methods of communication, including face-to-face, e-mail, voice, fax, and video, when drafting your policies.

...


Agreements on information transfer

If your organization has a business need to transfer information to a third party, then you should (and, in some cases, are legally required to) enter into an official agreement with them in order to preserve the security of that information. These agreements generally set minimum standards for protecting your data, and may also establish the limits of liability for both parties in the event of a breach or other unauthorized disclosure of data.

...


Electronic messaging

Electronic messaging includes e-mail, peer-to-peer file transfer, social network-based communications (e.g., Google Hangouts, Facebook chats, LinkedIn InMail, etc.) and more. Your organization should consider introducing a policy that governs the authorized use of these mediums; at a minimum, such a policy should establish the authority to represent your organization in an official capacity on the Internet. Also, because your organization is unable to apply technical controls to third-party electronic messaging mediums – Google Hangouts, Facebook, et al. – there is no way for you to quantify or improve their level of security in order to effectively secure a confidential message traveling across one of these mediums. The solution to this problem is to clearly state in your policy that organization-related business is only to be communicated and/or conducted using approved, secured methods (e.g., e-mail).


Confidentiality or non-disclosure agreements

Confidentiality or non-disclosure agreements are legally enforceable documents designed to protect your organization's confidential information and intellectual property. These agreements, signed by the organization and its employees and/or third parties, establish the responsibilities of all parties to ensure that no one discloses sensitive data in an unauthorized manner. 

Resources

Campus Case Studies On This Page

  • Enhancing Application Security with a Web Application Firewall - UC, Irvine (2011)

EDUCAUSE Resources & Resource Center Pages

  • HEISC Toolkits/Guidelines
  • Templates/Sample Plans
  • Security Professionals Conference 2014
  • Security Professionals Conference 2013
  • Enterprise IT Leadership Conference 2013
  • EDUCAUSE Annual Conference 2012
  • Security Professionals Conference 2012
  • Southeast Regional Conference 2012
  • Mid-Atlantic Regional Conference 2012
  • EDUCAUSE Annual Conference 2011
  • Security Professionals Conference 2011
  • EDUCAUSE Annual Conference 2010
  • Security Professionals Conference Archives 2008-2010


Initiatives, Collaborations, & Other Resources

  • ECAR Working Groups: bring together higher education IT leaders to address core technology challenges.

Standards

ISO

  • 27002:2013 Information Security Management, Chapter 13: Communications Security
  • ISO/IEC 18028-4:2005
  • ISO/IEC 27033-1:2009

NIST

  • 800-100: Information Security Handbook: A Guide for Managers
  • 800-53: Recommended Security Controls for Federal Information Systems and Organizations
  • 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems

COBIT

  • APO01.06
  • APO13.01
  • DSS05.02
  • DSS06.06

PCI DSS

  • Req 6
  • Req 12

2014 Cybersecurity Framework

  • ID.AM-3
  • PR.AC-3
  • PR.AC-5
  • PR.DS-2
  • PR.DS-5
  • PR.PT-4

HIPAA Security

  • 45 CFR 164.314(a)(1)
  • 45 CFR 164.308(b)(4)
  • 45 CFR 164.314(a)(2)(i)
  • 45 CFR 164.314(a)(2)(ii)
  • 45 CFR 164.312(e)(1)


...


...