worm policy 1

How to Kill Worms and Viruses with Policy

Pontifications

Scott Bradner

University Technology Security Officer

Harvard University

sob@harvard.edu

new title (for me)

continuing (Harvard) responsibilities

but now formalized 

“University Technology Security Officer”

“technology” because no management of police

tasks 

helps coordinate ways to ensure compliance with laws

watches out for new laws

coordinates development, implementation & administration of high-level security policies

helps coordinate security awareness programs

advises CIO

facilitates security & privacy aware culture

monitors security risks

does he actually do anything himself?

Can he?

Harvard looks like

Reality

HBS

FAS

HMS

GSD

DIV

GSE

JFK

LAW

SPH

RAD

CA

actually, real reality is worse in technology

(diagram: many separate research labs)

times are changing

but are not yet changed

“ETOB” no longer a legit reason

so what can he do?

since assertions of central control fall on deaf ears

chair University Technology Architecture Group (UTAG)

“CIOs” from around the University

vets new technology ideas

e.g. PIN system, LDAP directory

discussion of policies

e.g. wireless nets

work with RMAS & OGC
be a visitor

laws can be used as a stick

FERPA (Family Educational Rights and Privacy Act) privacy of educational records and directory information

HIPAA (Health Insurance Portability and Accountability Act) privacy of medical records

GLB (Gramm-Leach-Bliley) privacy of financial information

Database Security Breach Act (CA)

DMCA (Digital Millennium Copyright Act) - RIAA empowerment act

the university technology environment

no university firewall

that would be silly

some school firewalls

some internal firewalls

good router ACLs (in some places)

mostly switches

reasonable clue in most official IT groups

near software monoculture on non-student desktops 

mixed server picture

the players

CA staff

school staff

undergrad students 

grad students

tenants

researchers

faculty

my task

(until Larry changes the culture)

get the schools to think they came up with security and privacy efforts

use laws as sticks when enthusiasm fades

get buy-in on guidelines 

too much

posture, pontificate & cajole

too little

“you must”

but I knew what I was getting into

this bed was already on fire 

thanks & have a good lunch