Information Security: A Perspective for Higher Education



Similar documents
Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

PCI Requirements Coverage Summary Table

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Securing the Service Desk in the Cloud

SUPPLIER SECURITY STANDARD

Online Lead Generation: Data Security Best Practices

Security Controls What Works. Southside Virginia Community College: Security Awareness

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Cisco Advanced Services for Network Security

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

How To Protect Decd Information From Harm

933 COMPUTER NETWORK/SERVER SECURITY POLICY

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

VMware vcloud Air HIPAA Matrix

R345, Information Technology Resource Security 1

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

How To Manage Security On A Networked Computer System

Information Security Policy

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

PCI Requirements Coverage Summary Table

Ensuring IP Telephony Performance Through Remote Monitoring

Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

Information Resources Security Guidelines

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

Network Security Policy

QRadar SIEM 6.3 Datasheet

HIPAA Security Alert

Managed Security Services for Data

Wellesley College Written Information Security Program

Estate Agents Authority

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

Evaluating Internal and Outsourced Models for Network Monitoring

Better secure IT equipment and systems

VA Office of Inspector General

Hengtian Information Security White Paper

Analyzing Logs For Security Information Event Management

Standard: Information Security Incident Management

Supplier Information Security Addendum for GE Restricted Data

Client Security Risk Assessment Questionnaire

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment Adaptive Network Security...

Enterprise Computing Solutions

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

plantemoran.com What School Personnel Administrators Need to know

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Payment Card Industry Data Security Standard

Data Processing Agreement for Oracle Cloud Services

SecureAge SecureDs Data Breach Prevention Solution

Franchise Data Compromise Trends and Cardholder. December, 2010

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

BMC s Security Strategy for ITSM in the SaaS Environment

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Network and Security Controls

State HIPAA Security Policy State of Connecticut

Central Agency for Information Technology

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

KEY STEPS FOLLOWING A DATA BREACH

State of Oregon. State of Oregon 1

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

Odessa College Use of Computer Resources Policy Policy Date: November 2010

Supplier IT Security Guide

Information Technology Branch Access Control Technical Standard

WHITE PAPER. Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

Directed Circuits Meet Today s Security Challenges in Enterprise Remote Monitoring. A White Paper from the Experts in Business-Critical Continuity TM

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

ICANWK406A Install, configure and test network security

The Protection Mission a constant endeavor

LogRhythm and PCI Compliance

Payment Card Industry Self-Assessment Questionnaire

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

Information security controls. Briefing for clients on Experian information security controls

March

Information Security Policy

Monitoring Your IP Telephony Network

Information Security Policy Manual

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

Network Security Policy: Best Practices White Paper

Information Security Program

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Data Management Policies. Sage ERP Online

Attachment A. Identification of Risks/Cybersecurity Governance

Transcription:

Information Security: A Perspective for Higher Education A By

Introduction On a well-known hacker website, individuals charged students $2,100 to hack into university and college computers for the purpose of changing academic grades. Although many students paid for these services, the website turned out to be a scam. In another incident, the University of Texas at Austin was subject to a brute force attack of the school database that disclosed the Social Security numbers and e-mail addresses of some 59,000 students, alumni and university employees. These examples illustrate the potential for manipulating and exploiting technologies commonly utilized by universities and colleges today. The proliferation of e-mail use, distance learning and other services that enhance the quality of the student experience and extend education beyond the campus carry a potentially significant price when privacy is not maintained. As federal and state regulations for information technology and privacy gain visibility from well-publicized incidents, all organizations regardless of industry are reviewing the potential liability implications resulting from lack of compliance. Due diligence has become a primary occupation for all, where client or patient information is considered a fundamental data component of the business process, operating under a regulatory umbrella. The obligation on the part of any institution is well-defined and presents specific challenges. Higher Education is no exception; this environment has a strong need for open and accessible networks, but that requirement also generates an obligation on the part of each college to protect the systems and the data they contain. NEC Unified Solutions has the experience to address these challenges by providing regulatory expertise and a comprehensive strategy for information security compliance. This white paper discusses the regulatory obligations each institution must consider and provides a practical approach to help colleges and universities meet the challenges related to data asset protection. Regulatory Overview Several key privacy regulations apply to educational institutions, including a combination of both federal and state directives in some cases. The following list is just a sampler of those of concern to colleges and universities. Family Education Rights and Privacy Act (FERPA) FERPA is perhaps the most applicable federal regulation targeting colleges and universities in that it specifically prohibits the disclosure of personally identifiable education information regardless of state, i.e. written records or electronic data. This includes information pertaining to NEC Unified Solutions, Inc 2005 2 of 9

student financial aid records as well as grades. Furthermore, institutions require written permission from students to disclose such information to any other party. Computer Fraud and Abuse Act (CFAA) The CFAA applies to individuals who gain unauthorized access to protected computers under the intent to obtain information that may be of specific value and the premise to commit fraud. The definition of a protected computer includes any computer device that is utilized for communication or commerce by a financial institution or the U.S. government. Gramm-Leach-Bliley (GLBA) This act targets financial institutions, but also applies to colleges and universities whenever customer financial information is maintained. This information includes names, Social Security numbers as well as customer account numbers. The regulation requires such institutions to protect this data and information to ensure integrity. USA Patriot Act The Patriot Act was passed as a result of the terrorist events that took place on September 11, 2001. This act provides law enforcement agencies with greater access to electronic communications. A key provision that applies directly to educational institutions includes requiring colleges and institutions to grant access to student records related to any suspected terrorist investigations or activities. Health Insurance Portability and Accountability Act of 1996 (HIPAA) The intent of the HIPAA Act of 1996 is to protect patient rights and certain health plan participants. As part of this act, patients must receive written policies related to information policies. Furthermore, this act requires any college or university that may be affiliated with health care providers to alert students of such health care provider information policies. In addition, HIPAA requires such entities to detail and internally publish information security policies, educate employees, perform security assessments as well as maintain other security-related activities that protect data assets covered under the act. A Practical Approach Regardless of regulatory compliance, it behooves any organization to exercise due diligence with respect to the protection of student information or any other data assets. It is also imperative for educational institutions to recognize that information can be maintained and disclosed in any manner, i.e. verbally, electronically or in a written document. NEC Unified Solutions, Inc 2005 3 of 9

Regardless of how data is transmitted, most regulations require measures that control information at appropriate levels within the context of the intended regulation and therefore appropriate control mechanisms must be applied. The section below provides an overview of a practical approach for the protection of data assets based in part on information security best practices derived from ISO 17799. Building the Regulatory Compliance Roadmap In order for any educational institution to comply with regulations or perhaps internal directives, appropriate steps must be taken in order to recognize those areas where opportunities exist to better protect data assets and in turn provide greater degree of privacy. A compliance roadmap should be developed to highlight specific regulations that an institution needs to address as part of its compliance and information security program. This process should include regulations and mandates that are both federal as well as state specific. As an example, the states of Arizona, California and New York, prohibit schools and colleges from displaying student Social Security numbers on student rosters or identification cards as well as any other documents that may collectively list individuals attending such institutions. The Compliance Roadmap should include a matrix of specific regulatory requirements and the correlation between such regulations and an organization s specific information security processes and computing assets. In other words, the matrix should identify gaps in current processes that may pose compliance challenges. This approach can be utilized as an excellent starting point for the identification of activities tied to the compliance process. Furthermore, such a matrix can be used to identify challenges as simple as a lack of intelligence, i.e. the identification of the fact that the institution does not have enough information to determine what to protect and how to address such challenges. Furthermore, such roadmap documentation can serve as a basis for designing an effective security program as well as the security architecture including policies, procedures, intrusion detection, virus control, auditing and assessments as well as metrics associated with the measurements of associated risk and risk remediation. Defining Information Security Risk and Vulnerabilities In order for organizations to address potential gaps, a comprehensive information security assessment should be conducted to identify vulnerabilities and define specific risks associated with such NEC Unified Solutions, Inc 2005 4 of 9

vulnerabilities within the context of regulatory directives. The assessment should focus on the organization as a whole and not just its technology components. It must be understood that security is a process. Therefore, assessing only the technology may, in fact, provide merely a partial picture of the security posture. The following phases should be considered rudimentary assessment activity requirements. Security Assessment Approach Phase I - Information Security Program and Security Strategy Assessment This phase includes the discovery and verification of processes associated with the management and maintenance of the information security initiative. This assessment phase should cover all non-technical technology risk management processes, such as: Compliance monitoring Physical data protections Policies and procedures System configuration templates Liability coverage Intrusion detection/prevention Anti-virus management Incident handling and response Remote access E-mail risk management (Anti-virus and SPAM management) Security Awareness Vulnerability alert handling and dissemination Phase II - External Network Vulnerability Assessment This assessment component is focused on the discovery of vulnerabilities related to networks and devices that maintain a presence outside of the institutions administrative, protected or private network, including the following: Connectivity or segregation of the administrative and student networks External routers Firewalls Web servers DMZ architectures NEC Unified Solutions, Inc 2005 5 of 9

Modems (war-dialing) Campus-campus VPN connectivity and protections Wireless networks Phase III - Internal Network Vulnerability Assessment This phase includes the discovery of vulnerabilities associated with an institution s internal network computing devices such as: Routers Switches Servers Desktops Gateways VoIP (Voice over IP) Any other IP based device located on the school network Information Security Policies Policies are a key component and the center point of any information security program. Such documents should define clearly and concisely the required activities that protect data and ensure privacy. These documents also serve as a definition of due diligence on the part of the institution. For example, data classification policies ensure that all data protection measures are applied across the organization in a uniform manner regardless of state, i.e. handwritten or electronic. In conjunction with an effective security awareness program, where all employees are trained in information security rudimentary concepts and the use of information security policies, this process will ensure that all employees will become full participants in the information security effort aiding in the regulation of privacy and disclosure. At a minimum, most policies address the following areas: Privacy Access to Electronic Information Categories of Responsibility Ownership of Information, Data and Software Data Integrity Classification of Data and Information Personal Use of Computers Downloading Software NEC Unified Solutions, Inc 2005 6 of 9

Passwords Storage of Passwords Computer Viruses Destruction of Information and Data Modems Use of Personal Computer Equipment Positioning Computer Display Screens Locking Sensitive Information Disclosing Information About Computer Security Tools to Compromise Computer Security Intellectual Property Rights Login Banner Password System Set-Up Log-In/Log-Off Process System Privileges and User Account Set-Up Revoking System Access and Notification Data Back-Up Data Encryption Computer System Logs Data Center and Physical Security E-Mail Security Internet Acceptable Usage Establishing Internet-Based Network Connections Mobile Computers Procedures In order for educational institutions to demonstrate due diligence and provide auditors with the appropriate documentation related to security and privacy control, it is imperative that detailed processes exist with respect to change management. The value of any security or privacy process-related activity is its audit ability. In other words, the ability to demonstrate a procedural approach to managing activities. These procedures must include documents such as incident handling, system configuration and system development as well as, for example, processes that control the purchasing process. This procedure must define the required criteria for evaluating vendors and suppliers with respect to pre- NEC Unified Solutions, Inc 2005 7 of 9

existing security controls in hardware, software and consulting services. These types of procedures play a key factor in ensuring that internal policies are not violated due to the introduction of less-secure systems and services, so that security and privacy are maintained at acceptable levels of risk. Liability Insurance Coverage An area that educational institutions continue to overlook with respect to information security is the area of insurance coverage. Every institution purchases a policy that covers the organization for a number of potentially costly events; however, few consider the fact that the errors and omissions policy sections are an opportunity to extend coverage into the information security arena. This type of coverage is often associated with hacker related events and circumstances that directly affect a school s ability to control privacy. In addition, this type of insurance coverage should be well scrutinized and developed in concert with the overall information security program, so that capital allocation related to the security initiative will be balanced by coverage. This type of coverage, however, can only be obtained once the due diligence related to data and information protection has been exercised. Information Security Program Management With respect to capital constraints, many institutions have allocated the responsibility of information security to all Information Technology staff, in effect making this everyone s responsibility. This approach is simply not effective in the real world, due to the lack of ownership. A key factor to ensure that an effective information security program exists within the institution is to designate a specific individual or individuals with the responsibility for the development, coordination and on-going development of the security program. This individual should be tasked with both process and technology as well as vendor management and the reporting of security-related activities. Furthermore, this individual should work in concert with the compliance office to ensure that the intent of specific state and federal regulations has been met by the institution as whole. Conclusion Implementing robust information security standards for higher education requires not only a knowledge of the pertinent regulatory requirements but a practical approach to ensuring full compliance. NEC Unified Solutions can help your organization develop a Compliance Roadmap to identify regulatory requirements and evaluate how your organization measures up in each area. Such a roadmap can serve as a basis for designing an effective security program as well as the security NEC Unified Solutions, Inc 2005 8 of 9

architecture. This program will include policies, procedures, intrusion detection, virus control, auditing and assessments as well as metrics associated with the measurements of associated risk and risk remediation. If you are interested in partnering with NEC Unified Solutions for your information security strategy, contact us at 1-800-240-0632. About NEC Unified Solutions NEC Unified Solutions Inc., a leader in integrated communications solutions for the enterprise, delivers the industry s most innovative suite of products, applications and services that help customers achieve their business goals. With more than a century of communications and networking expertise, NEC Unified Solutions, Inc., a subsidiary of NEC America and affiliate of NEC Corporation (NASDAQ: NIPNY), offers the broadest range of communications services and solution choices, flexible product platforms and applications, and an open migration path to protect investments. NEC Unified Solutions, Inc. serves the Fortune 1000 and customers across the globe in vertical markets such as hospitality, education, government and healthcare. For more information, visit www.necunifiedsolutions.com or call 1-800-240-0632. All trademarks are property of their respective owners. Additional Resources 1. http://www.beahacker.com 2. Ralph K. M. Haurwitz, Hackers steal vital data about UT students, staff, Austin American-Statesman, March 6, 2003, available via www.austin360.com/aas/metro/030603/0306authack.html NEC Unified Solutions, Inc 2005 9 of 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information