Information security or IT staff responsible for developing and maintaining an effective information security program can take advantage of information and resources in the HEISC Information Security Guide that can assist with key information security initiatives. Following are some additional recommendations:
Security Program Development can be thought of as having an emphasis on establishing information security related roles and responsibilities throughout an institution of higher education. Two major areas are addressed in this section:
Establishing an effective internal Information Security Organization can be further sub-divided into multiple topics of interest:
One of the key sub-topics is information security roles and responsibilities, which addresses the need to designate and assign accountability for information security across the institution to ensure that institutional staff and faculty apply appropriate protection to assets and information under their direct control. Additionally, this topic addresses the need to establish an information security governance framework and designate a leader who will manage the information security program and develop program initiatives. This designation should be documented in a formal job description for the individual with the designated responsibility and such designation should be utilized in properly demonstrating compliance with applicable regulatory and compliance requirements such as HIPAA, GLBA, and PCI DSS. (HIPAA, for example, requires this designation in §164.308(a)(2).) Note that there are a variety of roles and responsibilities for campus information security leaders (read more in this article on the 7 Types of CISOs or visit the National Cybersecurity Workforce Framework).
Avoiding conflicts of interest that can arise when segregation of duties is not considered. This is another area to be addressed to ensure that no single individual at an institution can escape detection if engaging in unauthorized activities or abusing access to information and technology systems.
The information security organization is also responsible for appropriate contact with authorities and contact with special interest groups.
Addressing information security in project management activities is important to ensure that risks are identified and addressed throughout the project management lifecycle.
Mobile Computing and Teleworking relates to the risks of working with mobile devices in unprotected environments.
Objective: Institutions of higher education need to establish a mechanism to manage information security across the entire enterprise and gain the support of institutional leadership to assist in providing overall direction.
Key Question: Do we have a regularly updated information security strategy that supports the mission and strategic objectives of our institution?
An effective information security strategy for a higher education institution must take into account the overall strategic objectives of the institution and its varied campus groups, including academic (research included), administrative (or business), clinical, and residential environments. Even when focusing on critical processes and legal mandates, it is necessary to extend protective measures beyond the underlying IT systems and associated administrative staff. For example, many faculty members have access to student records, and this access must be considered when assessing the security risks associated with these data. A failure to provide faculty with securely configured workstations increases the risk of sensitive data being exposed via their computers. This risk can also be reduced by implementing a middleware solution to properly control which records each faculty member can access and to minimize the amount of sensitive data stored on their computers. Also, to be effective, security practices cannot rely completely on technological solutions. Continuing the example, policies are required to clearly define faculty members' responsibilities relating to student data and the security of their workstations. Also, awareness programs aimed specifically at faculty members and their responsibilities to safeguard student information might be developed, possibly in conjunction with the institution's student information steward (e.g., at many institutions this is the Registrar).
To complicate matters, the operational needs of college and university networks often directly conflict with security practices such as perimeter firewalls, port authentication, centralized configuration management, and strong authentication. Higher education networks must therefore be designed to balance security and privacy requirements while accommodating a wide variety of end users and their needs – e.g., visitors, new students arriving with computers, researchers sharing large quantities of data with members of other academic institutions, remote access to a variety of network services for individuals who are traveling or telecommuting, and mobile users moving between classrooms, libraries, and indoor and outdoor study spots on campus. Although firewalls are becoming widely used to protect critical systems on university networks, their use at the perimeter is less common because it is difficult to reconcile their restrictiveness with the need for an open networking environment that supports research, learning, and high-speed networking. Although centralized management is feasible for certain hosts on a university network, this approach is not suitable for most student computers and many faculty, research, and clinical systems. In the end, security and privacy practices need to be integrated into operational practices in a way that makes the most sense for each campus.
This is not to say that higher education institutions cannot be secured; many colleges and universities are successfully balancing the need for security and an open, collaborative networking environment. Throughout this Information Security Guide readers will find general advice, as well as specific institutional examples, of successful approaches to managing information security within higher education.
Here is a reference to one approach to strategic planning, "The Shifting Landscape Strategic Security Model" (presented at the 2010 Security Professionals Conference), which might prove to be a useful aid.
Key Question: Have we established governance structures and groups that foster awareness and shared ownership of information security issues and objectives?
Effective institutional governance of the information security function is critical to a successful program. It can be both the "proof of the pudding..." with regard to management commitment and provide necessary guidance when deciding where to allocate scarce resources. This well-researched section draws from experts in the field and provides useful background and advice that can be adapted to a wide variety of campus cultures. The topical outline shown below reflects the broad array of subjects covered in this very deep Information Security Governance article. Additional resources are available on the EDUCAUSE IT Governance, Risk, and Compliance website or in the U.S. Department of Education's Privacy Technical Assistance Center (PTAC) Toolkit.
Building ISO 27001 Certified Information Security Programs (University of Tampa, 2017)
This case study describes a decision and process used by the University of Tampa to go beyond compliance with ISO 27002 (essentially the controls portion of the ISO standard) and become certified under 27001 (ISO/IEC 27001:2013 Information technology -- Security techniques -- Specification for an Information Security Management System) which required complete commitment from top management.
Some additional resources and examples of higher education information security governance:
Here are several useful references that provide insight into the process of managing information security within the higher education community. There are no magic bullets provided but each reference does develop some ideas that may prove useful.
Gaining the Confidence of Others
While information security offices generally have the authority to help establish policies and standards, transitioning these policies and standards into actual practice often involves extensive communication, relationship management, and development of influence. The resources below can also help provide some outside perspective.
Getting Along with Less
Another common issue faced by campus information security offices is limited resources (in terms of funding, personnel, or both).
The Information Security Program Self-Assessment Tool allows colleges and universities to evaluate the maturity of their campus security programs. This tool is intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its individual information security program. Unless otherwise noted, it should be completed by chief information officer, chief information security officer or equivalent, or a designee.
Key Question: Have we established well-defined roles and responsibilities at all levels of our institution to help support and address our information security strategy and objectives?
Information security is the responsibility of everyone at the institution. It is important to establish roles and responsibilities for campus staff, faculty, and students so that everyone knows what is expected of them when handling information. Leadership is also very important, and many institutions have at least one person who is primarily responsible for organizing the information security program. Typically this is a Chief Information Security Officer (CISO), Information Security Officer (ISO), or Director of Information Security, although the title may vary depending on the campus. No matter what title is selected, there should be someone at the institution who can provide a high level of decision-making support to campus leadership when considering information security issues and solutions. Read more in the EDUCAUSE Review article, Evolution and Ascent of the CISO.
It is also important to establish data ownership and data handling roles (e.g., data owners, stewards, custodians, and users). Many institutions formally identify and document these roles within their information security policies and data management frameworks.
Key Question: Have we reviewed areas where procedures and tasks for critical data and systems can be segmented between multiple individuals and/or roles to lower the risk of insider threats?
Segregation of duties is the concept of having more than one person required to complete a task. This is a best practice, especially in cases where sensitive data is being handled. Segregation of duties is a control put in place by many institutions to mitigate the risk of an insider threat or accidental employee mistakes. Sometimes this isn't practical or possible, but the institution should be aware of the risks of a single person having too much access.
Ideally, critical processes or activities should be split up between multiple people. For example, the initiation of a process, its execution, and its authorization should be separated when possible.
When this is not possible, monitoring and auditing critical processes is very important.
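The separation of initiation, execution, and authorization described above, and the monitoring fallback for when separation is not possible, can be checked mechanically. The following is an added example, not part of the HEISC guide: it assumes a critical process (here a constructed refund workflow) is recorded as a list of steps with the actor who performed each, and that a single person covering two step types is permitted only as a pre-approved exception that is written to an audit record.

```python
"""Segregation-of-duties check over a recorded workflow (added illustration, not guide code)."""
from dataclasses import dataclass
from typing import Dict, List

STEP_TYPES = ("initiate", "execute", "authorize")


@dataclass
class Step:
    kind: str                 # one of STEP_TYPES
    actor: str                # user id of the person who performed the step
    exception: bool = False   # True if management pre-approved this person covering two step types


@dataclass
class Finding:
    process_id: str
    actor: str
    kinds: List[str]          # the distinct step types this one actor performed
    approved_exception: bool  # False means a policy violation; True means audit-only


def check_segregation(process_id: str, steps: List[Step]) -> List[Finding]:
    """Return one Finding per actor who performed more than one step type."""
    by_actor: Dict[str, List[Step]] = {}
    for s in steps:
        if s.kind not in STEP_TYPES:
            raise ValueError(f"unknown step type {s.kind!r}")
        by_actor.setdefault(s.actor, []).append(s)
    findings = []
    for actor, actor_steps in by_actor.items():
        kinds = sorted({s.kind for s in actor_steps})
        if len(kinds) > 1:
            # Only an exception if every step by this actor was pre-approved as one.
            approved = all(s.exception for s in actor_steps)
            findings.append(Finding(process_id, actor, kinds, approved))
    return findings


def violations(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if not f.approved_exception]


def audit_lines(findings: List[Finding]) -> List[str]:
    """Compensating control: when duties could not be separated, record it so it can be monitored."""
    return [f"AUDIT process={f.process_id} actor={f.actor} steps={'+'.join(f.kinds)} "
            f"exception={'yes' if f.approved_exception else 'NO'}" for f in findings]


# Constructed sample: R-1001 is properly split, R-1002 has one person initiating and
# authorizing without approval, R-1003 has a pre-approved exception on initiate+execute.
SAMPLE: Dict[str, List[Step]] = {
    "R-1001": [Step("initiate", "alice"), Step("execute", "bob"), Step("authorize", "carol")],
    "R-1002": [Step("initiate", "dave"), Step("execute", "erin"), Step("authorize", "dave")],
    "R-1003": [Step("initiate", "fay", True), Step("execute", "fay", True), Step("authorize", "gus")],
}
```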
Key Question: Have we identified and established a relationship and contacts with relevant agencies including law enforcement partners who may be called upon during emergencies?
Relationships with law enforcement are important to an institution, and should be established prior to an emergency. Having a protocol for engagement established before there is an emergency will help in handling an incident appropriately.
A protocol for engagement with law enforcement can be a part of the security incident response plan or a broader crisis management procedure for the campus. The plan should be clear about which situations require working with law enforcement, such as when laws are broken. The plan should also clearly state who contacts authorities and under what circumstances (e.g., when law enforcement should be contacted by the information security office or campus safety).
Law Enforcement Resources and Contacts
Note: It is also important to establish relationships with key campus partners prior to an emergency - e.g., internal audit, human resources, and legal counsel.
Key Question: Have we engaged with groups within our community of practice to share and receive ideas and information?
There are many information security groups in which an institution can participate and collaborate. The information security threat landscape is ever changing, and security professionals can benefit from collaborating with one another. Being connected to special interest groups allows for knowledge transfer and best practice development. Warnings about potential threats can also help security operations prepare and respond appropriately. Some organizations include:
Key Question: Do we have a formal IT project management discipline and does it include integration with relevant information security roles for risk assessment?
Information Security should be a part of the project management lifecycle in any institution. From project concept to completion, information security should be consulted so that information assets are properly protected. Often information security is an afterthought or not included in the project process. This approach can dramatically increase project costs and expose the institution to unnecessary risk.
Practical Project Management For Security Implementation in Enterprise Systems
Objective: To cover the appropriate safeguards that an institution can implement to prevent unauthorized access to institutional information resources while using mobile computing and teleworking facilities.
Teleworking (i.e., telecommuting), e-commerce, use of intranets, online education, and the increased use of portable computing devices (e.g., laptops, tablets, smartphones) are driving the need for access to information resources from any place at any time. Today's mobile users are no longer just staff, faculty, and students trying to check e-mail from home, but part- and full-time telecommuters, business partners, full-time students, and patients who rely on access to institutional networks to accomplish day-to-day business functions, attend classes, and follow up on medical treatments. Information security controls specifically targeting mobile computing and remote access to information resources are becoming an increasingly critical component of any institution's information security program, ensuring the protection of the integrity of institutional networks while allowing remote access to them.
Challenges of Mobile Computing:
To enable remote access to institutional information resources, institutions of higher education are implementing Virtual Private Networks (VPN) technology to provide a secure connection to the institutional network. VPNs send data securely through a shared network. VPNs can be established between remote users and a network or between two or more networks thus using the Internet as the medium for transmitting information securely over and between networks via a process called tunneling.
The EDUCAUSE Mobile Internet Device Security Guidelines page contains helpful advice to develop mobile Internet device security policy, standards, guidelines and procedures. It is organized into easy to follow steps to define objectives, develop a plan, and answer some of the questions being asked by users and security professionals alike.
Related standards references: ISO/IEC 27002:2013 Information Security Management; NIST SP 800-100: Information Security Handbook: A Guide for Managers; COBIT APO01.02; Req 3; NIST Cybersecurity Framework ID.AM-6; HIPAA 45 CFR 164.308(a)(2).
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).