
An IT Architecture for Emory University
Adopted by CIRT
Security Domain Architecture
February 20, 2002
ITA Version 1.9.8
© 2000 Emory University
Page 3-1
3. Overview

3.1 Security in general
“Security is a topic that is about as exciting as watching paint dry.” -- Gene Spafford

“The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined vault with armed guards -- and even then I have my doubts.” -- Gene Spafford

“100% system security = 100% non production.” -- Rollo Rogers

“If you don’t know the threat, how do you know what to protect? If you don’t know what to protect, how do you know you are protecting it? If you are not protecting it . . . the adversary (dragon) wins!” -- The Laws of OPSEC
Balancing protection and access. Security is a balance between protection and access. Restricting access to data, information, and other resources too tightly defeats the purpose for which those resources exist, and it lowers the value of information, because information becomes more valuable the more it is used. Emory therefore needs to give members of its community access to the resources they need, and to allow access to certain resources by outside participants in Emory projects and programs and by consumers of Emory-supplied systems, services, or data. At the same time, Emory needs to protect its assets and restrict access to them in accordance with its policies, its license agreements, and the requirements of granting and regulatory agencies. Neither extreme is acceptable: a system nobody can use is as much a failure as one anybody can misuse.
The need for security policy decisions. No environment can be risk free or perfectly secure, because some aspects of security depend on individual behavior that no technology can enforce. In the absence of a policy that says otherwise, people will leave sensitive information unprotected, share passwords, and let others into secured areas, and in doing so they defeat security no matter how much money has been spent or how much technology has been put in place. Organizations that lead in security therefore make the decisions that establish security policy first, and only then choose security technology to implement that policy.
What to protect. One of the first policy decisions is to identify the resources that need protection (called “assets”) and to classify them according to how much protection they need. This document is mostly concerned with IT resources, a category of potential assets that includes data and information (administrative and research data among them), network facilities (voice, video, and data), computers, printers, software, and the connection(s) to the Internet. Resources that the university does not own but holds in its custodial care are also potential assets, and the obligations attached to them may be stricter than those for Emory’s own resources.
Resource owners and classification. From the moment of their creation, all Emory resources and information that require protection need to be classified to indicate the level of protection they need. To make identification and classification possible, the architecture asserts that every resource has an “owner,” that is, a person or organizational unit with final authority over the disposition of the resource. The owner decides the classification; those who merely store or operate the resource on the owner’s behalf do not. So that owners classify resources consistently, the architecture envisions a standard classification scheme that lets an owner state the level of protection needed in terms the owner understands, rather than in terms of specific technical controls.