
Getting Started

Information security or IT staff responsible for developing and maintaining an effective information security program can draw on the information and resources in the HEISC Information Security Guide to support key security initiatives. Some additional recommendations follow:

  1. Adopt a standardized (best-practice) approach to developing your information security program. The following standards and frameworks provide a wealth of guidance:

    1. NIST Cybersecurity Framework

    2. NIST Special Publication 800-53 Revision 4

    3. ISO/IEC 27001:2013

    4. ISO/IEC 27002:2013

    5. COBIT 5

    6. 20 Critical Security Controls
  2. Incorporate compliance requirements that may apply to your institution:

    1. FERPA (Family Educational Rights and Privacy Act)

    2. GLBA (Gramm-Leach-Bliley Act) Safeguards Rule

    3. HIPAA (Health Insurance Portability and Accountability Act)

    4. PCI-DSS (Payment Card Industry Data Security Standard)

    5. Additional resources include the Higher Education Compliance Alliance's Compliance Matrix and an article describing New Mexico State University's IT Compliance Framework for Higher Education.

  3. Review the following HEISC resources for additional recommendations:

    1. Toolkit for New CISOs

    2. Mentoring Toolkit

    3. Mobile Internet Device Security Guidelines

    4. Developing Your Campus Information Security Website

    5. Top Information Security Concerns for Campus Executives & Data Stewards

    6. Top Information Security Concerns for HR Leaders & Process Participants

    7. Top Information Security Concerns for Researchers

    8. Many more resources are available under Hot Topics and Toolkits.

  4. Identify the roles and responsibilities of staff with direct responsibility for information security. Use the following frameworks as references:

    1. National Cybersecurity Workforce Framework
    2. National Initiative for Cybersecurity Careers and Studies (NICCS) Workforce Planning
  5. Use the Information Security Program Self-Assessment Tool to determine the maturity level of your institution's information security program, then identify opportunities for improvement and potential collaborations with key stakeholders.
  6. Review the results of prior risk assessments and IT controls audits to help identify and prioritize areas that need the most attention.

  7. Develop an information security plan that addresses:

    1. Gaps in coverage (information security controls, policies, and/or program initiatives that need to be developed)

    2. Compliance requirements

    3. How your information security program’s initiatives align with IT and Institutional goals and objectives

  8. Engage with other higher education information security professionals at the annual EDUCAUSE Security Professionals Conference.

  9. Join the EDUCAUSE Security Discussion List.

  10. Consider whether your institution may benefit from becoming a member of the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC).

Overview

The Organization of Information Security domain emphasizes establishing information security roles and responsibilities throughout an institution of higher education. Two major areas are addressed in this section:

...

Mobile Computing and Teleworking relates to the risks of working with mobile devices in unprotected environments.

Internal Organization (ISO 6.1)


Objective: Institutions of higher education need to establish a mechanism to manage information security across the entire enterprise and to gain the support of institutional leadership in providing overall direction.
Implementing a Security Strategy

Key Question: Do we have a regularly updated information security strategy that supports the mission and strategic objectives of our institution? 

...

One approach to strategic planning is "The Shifting Landscape Strategic Security Model" (presented at the 2010 Security Professionals Conference), which may prove a useful aid.
Information Security Governance

Key Question: Have we established governance structures and groups that foster awareness and shared ownership of information security issues and objectives?

...

  • What is Information Security Governance and What it is Not
  • Why Information Security Governance is Needed
  • How to Govern Information Security
    • Organizational Structure
    • Roles and Responsibilities
    • Strategic Planning
    • Policy
    • Compliance
    • Risk Management
    • Measuring and Reporting Performance
  • Governance Models and Success Stories
Building an ISO/IEC 27001 Certified Information Security Management System (ISMS) at University of Tampa (2015)

This case study describes the decision and process the University of Tampa used to go beyond alignment with ISO/IEC 27002 (essentially the controls catalogue of the ISO standard) and become certified under ISO/IEC 27001:2005 (Information technology -- Security techniques -- Information security management systems -- Requirements), which required full commitment from top management.

...

  1. Information Security Council Charter (University at Albany - SUNY)
  2. Information Security Advisory Council Charge (Appalachian State University)
  3. Initiating Security Initiatives Through System-Wide IT Governance (University of Alaska, 2011 presentation)

Managing the Information Security Program

Here are several useful references that provide insight into managing information security within the higher education community. There are no magic bullets, but each reference develops ideas that may prove useful.

...

Information Security Program Self-Assessment Tool

The Information Security Program Self-Assessment Tool was created to evaluate the maturity of higher education information security programs, using as its framework ISO/IEC 27002, "Information technology -- Security techniques -- Code of practice for information security management." The tool is intended for use by an institution as a whole, although a unit within an institution may also use it to determine the maturity of its own information security program. Unless otherwise noted, it should be completed by the chief information officer, the chief information security officer (or equivalent), or a designee.

Information Security Roles and Responsibilities 

Key Question: Have we established well-defined roles and responsibilities at all levels of our institution to help support and address our information security strategy and objectives?

...

It is also important to establish data ownership and data handling roles (e.g., data owners, stewards, custodians, and users). Many institutions formally identify and document these roles within their information security policies and data management frameworks.

Segregation of Duties

Key Question: Have we reviewed areas where procedures and tasks for critical data and systems can be segmented between multiple individuals and/or roles to lower the risk of insider threats?

...

When full segregation is not possible (for example, in small units with few staff), compensating controls such as monitoring and auditing of critical processes become essential.

Contact with Authorities

Key Question: Have we identified and established a relationship and contacts with relevant agencies including law enforcement partners who may be called upon during emergencies?

...

Note: It is also important to establish relationships with key campus partners prior to an emergency - e.g., internal audit, human resources, and legal counsel.

Contact with Special Interest Groups

Key Question: Have we engaged with groups within our community of practice to share and receive ideas and information?

...

  • EDUCAUSE Security Discussion List: The Higher Education Information Security Council (HEISC) is a key organization for collaborating with other security professionals in higher education, and oversees this open discussion list.
  • REN-ISAC: This organization allows private information sharing within a community of trusted representatives at member organizations in the research and education communities.
  • ISSA: An international community of cybersecurity professionals.
  • ISACA: An association that engages in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems. The organization currently represents a broad range of IT governance professionals.
  • US-CERT: A United States Government organization sharing information about cybersecurity threats to a broad audience of government, business, and citizens.
  • SANS Internet Storm Center (ISC): Provides a free analysis and warning service to Internet users and organizations.

Information Security in Project Management

Key Question: Do we have a formal IT project management discipline and does it include integration with relevant information security roles for risk assessment?

...

Practical Project Management For Security Implementation in Enterprise Systems

Mobile Computing and Teleworking (ISO 6.2)


Objective: To identify the safeguards an institution can implement to prevent unauthorized access to institutional information resources when mobile computing and teleworking facilities are used.

...

The EDUCAUSE Mobile Internet Device Security Guidelines page contains helpful advice to develop mobile Internet device security policy, standards, guidelines and procedures. It is organized into easy to follow steps to define objectives, develop a plan, and answer some of the questions being asked by users and security professionals alike.

Resources


Campus Case Studies On This Page
Building an ISO/IEC 27001 Certified Information Security Management System (ISMS) at University of Tampa

EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources

Standards

ISO

  • ISO/IEC 27002:2013 Information Security Management, Chapter 6: Organization of Information Security
  • ISO/IEC 27001:2013
  • ISO/IEC 27003:2010
  • ISO/IEC 27004:2009
  • ISO/IEC 27014:2013

NIST

  • SP 800-100: Information Security Handbook: A Guide for Managers
  • SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems

COBIT

  • APO01.02, APO01.06, APO07.02, APO07.03, APO10.04, APO10.05, APO13.01, APO13.12, DSS01.04, DSS05.01, DSS05.03, DSS06.03

PCI DSS

  • Req 3, Req 4, Req 6, Req 8

2014 Cybersecurity Framework

  • ID.AM-6, ID.GV-2, ID.RA-2, PR.AC-3, PR.AC-4, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5, PR.DS-5, PR.IP-2, DE.DP-1

HIPAA Security

  • 45 CFR 164.308(a)(2)
  • 45 CFR 164.308(b)(1)
  • 45 CFR 164.314(a)(1)


...


...