Table of Contents
- Getting Started
- Overview
- Resources
- Standards
- Internal Organization (ISO 6.1)
- Mobile Computing and Teleworking (ISO 6.2)
Tip: Information security or IT staff responsible for developing and maintaining an effective information security program can take advantage of information and resources in the HEISC Information Security Guide that can assist with key information security initiatives. Following are some additional recommendations:
Overview
The Organization of Information Security section focuses on establishing information security roles and responsibilities throughout an institution of higher education. Two major areas are addressed in this section:
...
Mobile Computing and Teleworking relates to the risks of working with mobile devices in unprotected environments.
Internal Organization (ISO 6.1)
Objective: Institutions of higher education need to establish a mechanism to manage information security across the entire enterprise and gain the support of institutional leadership to assist in providing overall direction.
- Implementing a Security Strategy
- Information Security Governance
- Managing the Information Security Program
- Information Security Program Assessment Tool
- Information Security Roles and Responsibilities
- Segregation of Duties
- Contact with Authorities
- Contact with Special Interest Groups
- Information Security in Project Management
Implementing a Security Strategy
Key Question: Do we have a regularly updated information security strategy that supports the mission and strategic objectives of our institution?
...
One approach to strategic planning, "The Shifting Landscape Strategic Security Model" (presented at the 2010 Security Professionals Conference), may prove to be a useful aid.
Information Security Governance
Key Question: Have we established governance structures and groups that foster awareness and shared ownership of information security issues and objectives?
...
- What is Information Security Governance and What it is Not
- Why Information Security Governance is Needed
- How to Govern Information Security
- Organizational Structure
- Roles and Responsibilities
- Strategic Planning
- Policy
- Compliance
- Risk Management
- Measuring and Reporting Performance
- Governance Models and Success Stories
Building an ISO/IEC 27001 Certified Information Security Management System (ISMS) at University of Tampa (2015)
This case study describes the decision and process the University of Tampa used to go beyond compliance with ISO 27002 (essentially the controls portion of the ISO standard) and become certified under ISO/IEC 27001:2005 (Information technology -- Security techniques -- Specification for an Information Security Management System), which required complete commitment from top management.
...
- Information Security Council Charter (University at Albany - SUNY)
- Information Security Advisory Council Charge (Appalachian State University)
- Initiating Security Initiatives Through System-Wide IT Governance (University of Alaska, 2011 presentation)
Managing the Information Security Program
Here are several useful references that provide insight into the process of managing information security within the higher education community. No magic bullets are provided, but each reference develops some ideas that may prove useful.
...
- Surviving the Onslaught: Running a Security Program by Yourself is a presentation made at the 2010 Security Professionals Conference that examines ways in which a security program can be mounted successfully with very limited resources.
Information Security Program Self-Assessment Tool
The Information Security Program Self-Assessment Tool was created to evaluate the maturity of higher education information security programs, using as its framework the International Organization for Standardization (ISO) 27002 standard, "Information technology -- Security techniques -- Code of practice for information security management." The tool is intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its own information security program. Unless otherwise noted, it should be completed by the chief information officer, the chief information security officer (or equivalent), or a designee.
Information Security Roles and Responsibilities
Key Question: Have we established well-defined roles and responsibilities at all levels of our institution to help support and address our information security strategy and objectives?
...
It is also important to establish data ownership and data handling roles (e.g., data owners, stewards, custodians, and users). Many institutions formally identify and document these roles within their information security policies and data management frameworks.
Segregation of Duties
Key Question: Have we reviewed areas where procedures and tasks for critical data and systems can be segmented between multiple individuals and/or roles to lower the risk of insider threats?
...
When this is not possible, monitoring and auditing critical processes is very important.
Contact with Authorities
Key Question: Have we identified and established a relationship and contacts with relevant agencies including law enforcement partners who may be called upon during emergencies?
...
Note: It is also important to establish relationships with key campus partners prior to an emergency (e.g., internal audit, human resources, and legal counsel).
Contact with Special Interest Groups
Key Question: Have we engaged with groups within our community of practice to share and receive ideas and information?
...
- EDUCAUSE Security Discussion List: The Higher Education Information Security Council (HEISC) is a key organization for collaborating with other security professionals in the higher education space, and oversees this open discussion group.
- REN-ISAC: This organization allows private information sharing within a community of trusted representatives at member organizations in the research and education communities.
- ISSA: An international community of cybersecurity professionals.
- ISACA: An association that engages in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems. The organization currently reflects a broad range of IT governance professionals.
- US-CERT: A United States Government organization sharing information about cybersecurity threats to a broad audience of government, business, and citizens.
- SANS Internet Storm Center (ISC): Provides a free analysis and warning service to Internet users and organizations.
Information Security in Project Management
Key Question: Do we have a formal IT project management discipline and does it include integration with relevant information security roles for risk assessment?
...
Practical Project Management For Security Implementation in Enterprise Systems
Mobile Computing and Teleworking (ISO 6.2)
Objective: To cover the appropriate safeguards that an institution can implement to prevent unauthorized access to institutional information resources while using mobile computing and teleworking facilities.
...
The EDUCAUSE Mobile Internet Device Security Guidelines page contains helpful advice for developing mobile Internet device security policy, standards, guidelines, and procedures. It is organized into easy-to-follow steps to define objectives, develop a plan, and answer some of the questions being asked by users and security professionals alike.
Resources
Standards
| ISO/IEC 27002 | NIST SP 800-100 | COBIT | PCI DSS | NIST CSF | HIPAA |
|---|---|---|---|---|---|
| 27002:2013 Information Security Management | 800-100: Information Security Handbook: A Guide for Managers | APO01.02 | Req 3 | ID.AM-6 | 45 CFR 164.308(a)(2) |