Security Planning for Small Businesses: A Service-Learning Course



Todd Burri and Susan J. Lincke, University of Wisconsin-Parkside, burri004@uwp.edu, lincke@uwp.edu

Abstract - Experiential, real-world problems result in higher-impact learning. However, security planning is a complex process to learn. The Small Business Security Workbook was developed as part of an NSF CCLI grant to enable students to help small businesses plan for security. The Workbook leads students and small business management through the security planning process via a top-down (or bottom-up) approach and step-by-step procedures. Students learn concepts in lecture, which are reviewed just-in-time in the Workbook. The students practice with a case study, and then do actual security planning with a community partner. The Workbook is rated highly by both community partners and students for improving security in cooperating organizations. This paper describes the experience that a student team had with the Workbook and their community partner, and summarizes the overall perspective of the class.

Index Terms: Security planning, service learning, information security, small business security, SMB.

INTRODUCTION

The Information Systems Security course prepares students to become security analysts and to achieve certification in the security field. The lecture portion of the course emphasizes material from ISACA's Certified Information Security Manager (CISM) [1] and Certified Information Systems Auditor (CISA) [2]. The practical project portion of the course enables students to learn about security by helping a small business plan its security. Students use the specially designed Small Business Security Workbook to practice with a case study before working with a community partner. This paper describes the process by focusing on the experience of one typical project group working with a local business manager.
Barlett and Fomen [3] summarize in their literature review that small and medium enterprises (SMEs) have been found to lack security, often because they lack expertise and time. Over 80% of French SMEs have no business continuity plan or disaster recovery plan. SMEs lack internal IS expertise and security awareness, and are not aware of the security regulation they must adhere to. They often need to outsource security competencies, which they cannot afford. Thus, small businesses can appreciate the help that students can provide, assuming the students are competent. Students benefit as well, because SMEs' security problems are smaller, more manageable, and more understandable than what they would see at a larger organization, and the students can positively affect the organization. Service learning can help both small businesses and students gain competence in security.

Service learning is established in engineering projects and software engineering development [4-7]. In the technology areas, service learning has helped students gain valuable job experience and group and communication skills, and has assisted students in clarifying career goals [4]. It has also been useful in teaching ethics and standardized documentation techniques for ABET accreditation [5]. Not only the students benefit, but also the instructor and community partners [6]. Service learning has been shown to attract women and minorities, who are drawn to helping people [8]. Service learning projects in security include evaluating organizational security maturity [9-10] and performing audits [11]. Service learning in audits enables students to learn to configure security experiments and interpret results, in addition to the traditional running of the tools in a security lab. Our experience with maturity evaluation and audits is that small businesses lack policies, and therefore it is difficult to do a professional audit. To the best of our knowledge, there is no other workbook that helps students plan security.
While the need for security in small businesses is obvious, the challenge is to provide competent materials simple enough for new security students to understand. Existing security recommendations, including ISO 27002 [12], COBIT [13], and the FIPS set of standards [14], are indeed expert sources. However, they are not easy to use, since they describe full-featured security designed to handle large security problems. They must be read, deciphered, prioritized, designed, and implemented by full-time staff (not commonly available to small businesses). Study guides for the CISA, CISM, and CISSP security certifications [1,2,15] likewise provide competency, but are equally difficult and time-consuming to digest. In contrast, our Small Business Security Workbook was designed to lead students and small business managers through the security planning process as an active learning or homework exercise, providing easy-to-follow procedures and just-in-time vocabulary and concepts. The Workbook is in digital form, enabling students to plan and document security by completing tables, editing existing proposed text, and preparing diagrams as necessary. The learn-as-you-go approach and ease of use are what separate this Workbook from other standards, documentation, and textbooks.

Session F1E: Implementation Requirements

NSF CCLI has funded the development of this Information Security course, which enables students to help small businesses plan and audit security via service learning. The Workbook is professional, since it is built on material defined by the CISA/CISM study guides. Although the Workbook covers all major aspects of security planning, the organization can choose to prioritize its most critical security components. This course is offered to computer science and MIS undergraduates and CIS graduate students with no previous security coursework. The instructor first lectures on a topic (e.g., risk). The lecture includes sample completed Workbook tables for students to refer to. Students practice using the Workbook and a case study as an active learning exercise. The Health First Case Study deals with a fictional doctor's office that is planning its security. After practice, students are prepared to work with their community partner. The instructor attends the first community partner meeting, and may attend additional harder topic sections, depending on the student group's background. (Harder sections include risk and network security.) The instructor provides feedback to the students on each completed section, and students correct sections before a final grade is issued. The partner gets a digital copy of their filled-in Workbook at the end of the semester.

The Workbook has four main sections:

Chapter 3, the strategic/policy level: this high level is the responsibility of upper-level management, and involves defining policies and goals in a broad way that keeps them aligned with overall business objectives. Example sections: risk, policy.
Chapter 4, the tactical/architecture level: this middle level is still a management task, which maps out how those high-level policies will be met. Example sections: information security, physical security, metrics.

Chapter 5, the operational level: this low or day-to-day level defines procedures to implement the tactical level. This is where the detailed security procedures and standards are built and maintained.

Chapter 6, audits: defines outlines and procedures for auditing security systems to ensure they are meeting their objectives.

Figure 1 shows the layout of the strategic/tactical sections of the Workbook, which address security requirements and high-level design. Concepts and vocabulary are introduced just before they are needed. Then, students are asked to complete tables or modify skeleton text, etc. At the end of each section is a description of how professionals should use the defined security requirements to implement security (e.g., program firewalls).

FIGURE 1: WORKBOOK PROCESSES. Introduce Concepts & Definitions; Do Workbook Components (Tables, Skeleton Text, Policies & Standards, Color-coded Maps); Recommend Professional Help.

The service learning aspect will be further described by outlining a typical experience of one student team working with the Workbook.

THE STUDENT TEAM

For the purpose of the community project, the class was divided into groups of two to three students, and each group was assigned to a partner. Our group consisted of one undergraduate and two graduate students. Our partner, here renamed Joanne for confidentiality reasons, was running a small local business and agreed to help with our project as a way to examine and improve the security of her network. In addition, there were some HIPAA issues that were relevant to her business, which made the project that much more interesting and useful. HIPAA (the Health Insurance Portability and Accountability Act) is a serious regulation meant to protect patient privacy [16]. The penalty for wrongful disclosure of individually identifiable health information can be fines of up to $50,000 and one year in jail. If false pretenses are involved, fines can increase to $100,000 and five years in jail. HIPAA is very detailed in its requirements, and Joanne needed not only to pay attention to those areas where HIPAA is applicable, but also to have her solution well documented for legal reasons.

Due to time constraints, we were only able to cover parts of Chapters 3-4 of the Workbook in our meetings. I should note that, although the class guidelines suggested a meeting every other week, we agreed to schedule one per week. That helped considerably; we got off to a very fast start and were able to be much more flexible in dealing with schedule conflicts. During the semester, we managed to cover, from Chapter 3, security policy, risk, and business continuity, and from Chapter 4, data security and network security, as well as security awareness training. Note that security awareness training is a presentation for use in employee orientations, and is separate from the Workbook.

USING THE WORKBOOK

We did not always cover the material sequentially in the Workbook. However, I will discuss the sections in order for the sake of simplicity.

The Strategic Level

Chapter 3 of the Workbook covers information security at the strategic or policy level. Ethics, policies and standards, asset valuation and prioritization, and contingency planning all begin with broad, high-level statements that set the organization's goals and priorities.

Code of Ethics: The first section includes a formal code of ethics. It contains a number of examples of policy statements regarding proper employee conduct in various aspects of a business enterprise: general behavior, confidentiality, conflicts of interest, and so on. Joanne's organization already had an employee handbook containing its own code of ethics that, after reviewing this section, she felt was already adequate. We noted that and moved on.

Policy: We evaluated the COBIT maturity level of her organization using a one-hour questionnaire contained in a Workbook appendix. The organization rated low (similar to most of our partner organizations), between COBIT levels 1 and 2. Then, we addressed the Workbook section on policy, which is a required element of HIPAA. The Workbook defines the terms policy, standard, guideline, and procedure. It is important to understand the exact meaning of each in order to develop a cohesive, systematic program (this is why the Workbook is organized the way it is). We spent some time discussing these concepts and the COBIT standard on which the policy section is based. Joanne was already somewhat familiar with the concept of a process maturity model (unlike other partners). The policy section includes a number of subsections; each contains an example of a policy addressing a particular subject (such as Risk, Human Resources, or Business Continuity), and one or more sample standards that could be defined for following the policy. For example, the policy for Access Control invokes the concept of least privilege (that an employee shall have access only to the information that is relevant to his or her job), and states that access to hardware and software shall be properly controlled. A standard accompanying that policy includes specific requirements for identity authentication (username and password) and for automatically locking workstations when not in use. There are 16 policy subsections in the Workbook. Not all applied to Joanne, and some policies were already in place at her business. We discussed each section, especially the ones she did not have a policy for, and added notes where appropriate.

Risk Analysis: Risk analysis is a mandatory element of HIPAA. Therefore, we considered this a very important topic and spent a lot of time on it. The Workbook section describes a systematic method for identifying, prioritizing, and addressing the risks an organization faces. The first step is to determine the value of the organization's assets. Assets include both the physical items needed to conduct business (computer equipment and office furniture, for example) and the data stored in her files, both paper and electronic. We made a list of Joanne's assets and estimated the value of each, including the direct cost of replacing an asset as well as other potential financial impacts associated with a loss, such as legal liabilities and interruption of operations. Next we considered possible threats to the assets enumerated above. There are two ways to go about this analysis: qualitative and quantitative. Quantitative risk analysis can be used when the monetary cost of an adverse event is easily calculated, such as the loss or destruction of a particular piece of hardware. When the cost and frequency are not so straightforward, qualitative analysis must be used. A lost database will have to be reconstructed, and the time required to do so may be estimated.
However, if a fire puts a business out for days, the amount of damage, lost business days, and loss of customers may be unknown. Educated guesswork is sometimes the only way to estimate the total impact of the event. In each case we estimated the likelihood of the threats, calculated the total cost of an occurrence of each (as best we could), and used those figures to calculate the annual loss expectancy (ALE) for each: the cost of a single occurrence multiplied by the expected number of occurrences per year. The ALE is useful for threat mitigation; if a particular event is predicted to occur once every ten years, and the cost of repairing the damage is ten thousand dollars, an organization could reduce the impact of the event by setting aside one thousand dollars per year to amortize the cost, or pay for a control that reduces its likelihood or impact. Joanne was particularly interested in this area; the results of the analysis, albeit rudimentary, are very useful for prioritizing how one deals with risk (essentially, the higher the ALE, the higher the priority), and for planning how to mitigate exposure through insurance, procedures, technological controls, or other means. Since Joanne was concerned with HIPAA, and HIPAA specifies precise fines and jail time, the cost of a security breach was easier to estimate. Finally, using the list of assets and threats, we considered what steps would be appropriate to protect the one and minimize or avoid the other. The security control measures we decided on were necessarily high-level and nonspecific. Therefore a cost/benefit analysis was outside the scope of the discussion. We left that for Joanne to handle at her own convenience.

Business Impact Analysis & Business Continuity: This section (also mandatory for HIPAA) considers how an organization should plan ahead to continue operating after a serious mishap. We read through it as a group and discussed the concepts of impact, continuity, and disaster recovery as they applied to our results in risk analysis. However, we decided that what we had already accomplished was sufficient for the time being and did not go into too much detail. Joanne already had a good grasp of recovery point objective (the amount of data you can afford to lose and still function; it basically defines how often you need to back up your files) and recovery time objective (the amount of time between the occurrence of an adverse event and the recovery or resumption of operations), and how she would apply them to her business.

The Tactical Level

Chapter 4 goes on to the tactical level: how to accomplish the goals set by policy. Issues such as access control levels, data handling, and protective measures are worked out at this level.

Information Security: This section begins with introductory definitions of concepts like need-to-know (an employee should only have access to the data needed to do his or her job), least privilege (likewise, an employee's ability to manipulate data should be limited to job requirements), and data owner (the person in an organization who is primarily responsible for an asset). Also included is information about Wisconsin's laws regarding personally identifiable information and what a business needs to do to protect it. Joanne selected this Workbook section because information security is required for protection of health information, and authentication and access control are important aspects of HIPAA's Security Rule. After reviewing that material we started on the Criticality Classification Systems and Sensitivity Classification Systems (Sections 4.1.1 and 4.1.2). It can be easy to mix these up. We did, several times. Criticality has to do with the importance of the data to the business: how long it can keep going without a particular asset before income is affected. Sensitivity has to do with permissions and access to data within an organization: who should be able to see, use, or change the information in files.
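The quantitative method described in the Risk Analysis section above (asset value, single loss expectancy, annual loss expectancy, priority by ALE, and the question of whether a control is worth paying for) is short enough to carry through in code. The following is an added example, not code from the Workbook or from the authors; the register entries, the laptop-encryption control and its $400 yearly cost are constructed figures for illustration, and "Patient records" stands in for any HIPAA-covered data:

```python
"""Quantitative risk register: single and annual loss expectancy, ranking,
and the cost/benefit test for a proposed control.

Constructed sample data; the numbers are illustrative, not figures from the
Workbook or from the partner business described in the paper.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    asset: str
    event: str
    asset_value: float      # replacement cost plus legal/interruption impact, dollars
    exposure_factor: float  # fraction of asset_value lost in one occurrence, 0.0-1.0
    aro: float              # annualized rate of occurrence, events per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: dollars lost in one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: SLE times expected occurrences per year."""
        return self.sle * self.aro


def rank_by_ale(register: List[Threat]) -> List[Threat]:
    """Highest ALE first; this is the priority order for treating risks."""
    return sorted(register, key=lambda t: t.ale, reverse=True)


def summarize(register: List[Threat]) -> List[Tuple[str, int, int]]:
    """(event, SLE, ALE) rows in priority order, rounded to whole dollars."""
    return [(t.event, round(t.sle), round(t.ale)) for t in rank_by_ale(register)]


def control_net_benefit(before: Threat, after: Threat, annual_control_cost: float) -> float:
    """Annual value of a control: ALE reduction minus the control's yearly cost.

    Positive means the control costs less than the loss it prevents each year;
    negative means accepting (or insuring) the risk is the cheaper choice.
    """
    return (before.ale - after.ale) - annual_control_cost


# Constructed register for a small clinic-like office (illustrative values).
REGISTER = [
    # The paper's own example: a $10,000 loss expected once every ten years.
    Threat("Office server", "Hardware failure", 10_000, 1.0, 0.1),
    # Breach exposure (notification, legal liability) if an unencrypted laptop
    # holding patient records is stolen.
    Threat("Patient records", "Stolen unencrypted laptop", 50_000, 1.0, 0.2),
    Threat("Paper charts", "Office fire", 30_000, 1.0, 0.02),
    # Tested backups limit the loss to a quarter of the asset's value.
    Threat("Billing database", "Ransomware, restored from backup", 20_000, 0.25, 0.2),
]

# Proposed control: full-disk encryption on laptops. A stolen encrypted laptop
# is a hardware loss rather than a breach, so the exposure factor drops sharply.
LAPTOP_THEFT = REGISTER[1]
LAPTOP_THEFT_ENCRYPTED = replace(LAPTOP_THEFT, exposure_factor=0.04)
ENCRYPTION_ANNUAL_COST = 400.0  # constructed licence/maintenance figure


def main() -> None:
    print(f"{'Event':<36}{'SLE':>10}{'ALE':>10}")
    for event, sle, ale in summarize(REGISTER):
        print(f"{event:<36}{sle:>10,}{ale:>10,}")
    net = control_net_benefit(LAPTOP_THEFT, LAPTOP_THEFT_ENCRYPTED, ENCRYPTION_ANNUAL_COST)
    print(f"\nNet annual benefit of laptop encryption: ${net:,.0f}")


if __name__ == "__main__":
    main()
```

Running it prints the register in priority order (the stolen-laptop breach dominates at an ALE of $10,000, while the fire, despite the largest single loss, ranks last) and the net annual benefit of the encryption control. That net-benefit test is the cost/benefit step the text left for Joanne to do later: a control is worth buying when the ALE it removes exceeds what it costs per year.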
We added statements defining the criticality and sensitivity of certain types of data to Joanne's business. Joanne's organization had confidential techniques and processes, in addition to personal health information. Treatment of Sensitive Data includes a table describing how data should be stored, handled, disposed of, and categorized by sensitivity level. The table was already populated with suggested procedures: what areas need to be locked, what data needs to be encrypted, how old data should be disposed of, and so on. We amended it to reflect Joanne's more stringent requirements. For Asset Inventory, we listed important electronically stored data along with substantial information about each item. Data does not refer only to information; it covers anything stored on a computer, including programs and applications, without which a business could not function. We listed a variety of data types needed for Joanne's business along with descriptions, usage requirements, and read/write permissions for all relevant employees. We were able to be very thorough on this section, as Joanne was very confident about what she wanted to include and had decision-making authority regarding classifications and permissions. The last part of Section 4.1 defines Role Based Access Control. We identified the specific roles that existed in the organization (again, Joanne had a very clear idea of what she wanted), defined them, named the employees who held them, and specified what types of data could be accessed by each.

Network Security: There are two parts to the Network Security section: defense in depth, and the network diagram. We listed several computer applications that Joanne would be using, the server they would be located on, and what protective measures were required for each. Next there is a color-coded Network Diagram, which we altered to reflect Joanne's configuration.
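The Sensitivity Classification, Asset Inventory and Role Based Access Control steps above produce three tables: data classes with a sensitivity level, roles with read/write permissions per data class, and named employees holding roles. The following added example (not the Workbook's code or the partner's real tables; the data classes, roles, users and permissions are constructed) turns those tables into a default-deny authorization check and a least-privilege review that lists which roles can change the most sensitive data:

```python
"""Role-based access control over a sensitivity-classified data inventory,
with a default-deny check and a least-privilege review.

Constructed example: the data classes, roles, users and permissions below are
illustrative and are not the Workbook's tables or the partner's real roles.
"""
from enum import IntEnum
from typing import Dict, FrozenSet, Set


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2  # e.g. proprietary techniques and processes
    RESTRICTED = 3    # e.g. protected health information, billing data


# Asset inventory: data class -> sensitivity level (constructed).
DATA_CLASSES: Dict[str, Sensitivity] = {
    "marketing_materials": Sensitivity.PUBLIC,
    "employee_handbook": Sensitivity.INTERNAL,
    "treatment_protocols": Sensitivity.CONFIDENTIAL,
    "patient_records": Sensitivity.RESTRICTED,
    "billing_records": Sensitivity.RESTRICTED,
}

READ, WRITE = "read", "write"

# Role -> data class -> allowed actions. Anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "owner": {name: frozenset({READ, WRITE}) for name in DATA_CLASSES},
    "clinician": {
        "patient_records": frozenset({READ, WRITE}),
        "treatment_protocols": frozenset({READ}),
        "employee_handbook": frozenset({READ}),
        "marketing_materials": frozenset({READ}),
    },
    "billing_clerk": {
        "billing_records": frozenset({READ, WRITE}),
        "patient_records": frozenset({READ}),  # look up patients, never edit charts
        "employee_handbook": frozenset({READ}),
        "marketing_materials": frozenset({READ}),
    },
    "receptionist": {
        "employee_handbook": frozenset({READ}),
        "marketing_materials": frozenset({READ, WRITE}),
    },
}

# Named employees -> roles (constructed).
USER_ROLES: Dict[str, Set[str]] = {
    "joanne": {"owner"},
    "dana": {"clinician"},
    "sam": {"billing_clerk"},
    "pat": {"receptionist"},
}


def authorize(user: str, action: str, data_class: str) -> bool:
    """Default deny: allow only if some role of the user grants the action on
    this data class. Unknown users, roles, actions and data classes are denied
    rather than raising, so a typo in the tables fails closed."""
    if data_class not in DATA_CLASSES:
        return False
    for role in USER_ROLES.get(user, set()):
        if action in ROLE_PERMISSIONS.get(role, {}).get(data_class, frozenset()):
            return True
    return False


def roles_with_write_to(level: Sensitivity) -> Set[str]:
    """Least-privilege review: which roles can change data at or above `level`?
    The data owner should be able to justify every role on this list."""
    return {
        role
        for role, grants in ROLE_PERMISSIONS.items()
        for name, actions in grants.items()
        if DATA_CLASSES[name] >= level and WRITE in actions
    }


def users_who_can(action: str, data_class: str) -> Set[str]:
    """Who can perform `action` on `data_class`: the view an auditor asks for."""
    return {user for user in USER_ROLES if authorize(user, action, data_class)}


if __name__ == "__main__":
    print("dana reads patient_records:", authorize("dana", READ, "patient_records"))
    print("pat writes patient_records:", authorize("pat", WRITE, "patient_records"))
    print("roles that can modify RESTRICTED data:",
          sorted(roles_with_write_to(Sensitivity.RESTRICTED)))
    print("users who can read patient_records:",
          sorted(users_who_can(READ, "patient_records")))
```

The check is deliberately closed by default: a user, role or data class missing from the tables yields a denial, not an exception and not an allow. roles_with_write_to() is the need-to-know question an auditor asks of the RBAC table; every role it returns for RESTRICTED data should correspond to a job that actually changes patient or billing records, and users_who_can() gives the per-person view that HIPAA access reviews require.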
The diagram shows paths of logical access to the network and is accompanied by text describing protective controls.

Student Perspective

The students were gratified at the effort Joanne put into the project. As students, we were routinely expected to work as late as necessary. She was not a student, and I had some misgivings about her willingness to spend all evening once a week working on something that I regarded as our school assignment. However, other than a few meetings she missed due to other obligations, she was very reliable and interested in the material. In our group, I was the one who owned a laptop computer, so it was my job to follow the Workbook as we talked and to make whatever changes were agreed upon (after each meeting I emailed the updated version to the group with new changes highlighted in blue). I therefore spent some time in each meeting haggling with Joanne and the others to ensure that I understood exactly what was meant and that I entered it correctly. Perhaps for that reason, I tended to focus narrowly on the precise topic under discussion at the time, rather than keeping the overall picture in mind. In retrospect, it might have been more useful to think of each section as it fit into the whole, rather than as a separate thing. However, Joanne seemed to have a good grasp of the material and how it would apply to her business overall. Our graduate student leader, James, did a very good job of running the meetings (somebody had to) and breaking down the chapters into manageable parts while still keeping it coherent. Gabriel and I contributed to the discussion largely from our personal experience; he had worked as a network administrator, while I was (at the time) a manager for a private security company and already had a fair understanding of basic security principles.

As a result of our project, we recommended tying the Workbook material more closely to the lecture notes and to the case study. The case study involved a fictional doctor's office, which brought up many of the same specific HIPAA issues that concerned Joanne's business. The lecture notes contained plenty of pertinent information. In a second semester, the lecture notes were enhanced to include example completed tables and diagrams to help tie the materials together better. Going through the case study in class was sometimes more awkward, compared to working with a real-world partner, because we found ourselves trying to make decisions regarding a business none of us had any experience with. We broke into groups for the case study as well; I had different partners there than for the community project, which had both good and bad aspects. On one hand, I was able to hear different perspectives on the material. On the other, working with the same group on both parts of the class material might have benefited us by aligning our understanding of the material, and benefited Joanne by offering her better-prepared partners in our meetings together.

COURSE OUTCOMES

The experience of this student group was representative of four other student groups in two separate semesters, accomplishing similar security planning tasks. All groups worked with small business management, who generally used an IT service consultant for their IT needs. While most student groups worked with security planning and the Workbook, other student groups were involved with an extended audit (also defined by the Workbook), and/or security awareness training or testing. Their results are also included in the evaluations discussed below. Results are shown for two semesters. The first semester the course was offered in the evening, and working students, including graduate students, enrolled. The second semester, the course was offered during the day, and had no in-class graduate students or students with extensive working experience participating in the community project.
This lack of experience in the second semester did require the instructor to be more involved during the beginning of the semester. Experienced and graduate students also added more to the in-class discussion during the first semester. After both semesters, both students and cooperating community partners rated the community-based learning experience highly. Table I shows student responses to the community project evaluation. Students rated each statement on a 4-point scale: Strongly Disagree, Disagree, Agree, and Strongly Agree. In each cell the first figure is the percentage of students who replied Agree or Strongly Agree (the Agreed category) and the second is the percentage who replied Strongly Agree. It is interesting to note that in the second course offering 100% of students agreed that they had helped their community partner.

TABLE I
STUDENT ASSESSMENT OF COMMUNITY-BASED LEARNING

Student Survey (results show Agreed / Strongly Agree)                                               1st        2nd
The community project helped me to better understand the course lectures and readings.              90/10%     85/0%
Community projects should be part of more classes at this university.                               80/10%     85/14%
I felt that the community project I did through this course benefited the community partner's       80/0%      100/28.6%
organization.

Student comments included:

"Working with the community partner, however, did help with understanding and knowing the course material."

"The workbook was a clear application of the topics discussed throughout the class and an extension of them."

"The documentation and resources involved in the project with the community partner were immeasurably helpful."

"Some of the simplest things for us were amazing for our partner."

Table II shows the results where community partners were asked four questions, which could be answered with Very Satisfied, Satisfied, Not Satisfied, or Not Applicable. In each cell the first figure is the percentage of partners who were Satisfied or Very Satisfied and the second is the percentage who were Very Satisfied. All partners were satisfied, and most partners were very satisfied with the quality of the students' work.
Their reaction was initially split between Satisfied and Very Satisfied for scope and timing of the project. Groups often encounter scheduling challenges with their very busy manager interface. After the first semester, students were encouraged to try to meet weekly with their partner.

TABLE II
PARTNER ASSESSMENT OF COMMUNITY-BASED LEARNING

Partner Survey (Results show Satisfied / Very Satisfied) | 1st | 2nd
The quality of students' work | 100/100% | 100/75%
Scope and timing of the project | 100/50% | 100/100%
Level and quality of communication with faculty/staff | 100/75% | 100/75%
Level and quality of communication with students | 100/75% | 100/50%

Community partners' comments, including both positive and negative aspects, included:

"I loved your class."
"I resented that they took up so much time on Thursdays. I would do this again."
"The results were really excellent. They were both a pleasure to work with, respectful and engaged, professional."
"This was a great exercise the ways of shoring up security."
"Concerning student communication, sometimes there was a lag time in responsiveness in coordinating schedules. Rescheduling when a meeting was cancelled was challenging and took time."

It is interesting to note that the simulated case study was not as well liked by the students as the real-world project. After the first semester, the case study was re-written in a conversational format to provide more details. Although the case study is still not as well liked as the service learning aspect, the students do recognize the importance of the case study before meeting with the community partner.

CONCLUSION

This Information Systems Security course uses service learning, with lecture materials based on the CISA/CISM certifications. A Small Business Security Workbook was used first with a case study, then with a community partner. This Workbook leads inexperienced security students through the security planning process. The community-based learning aspect of the course was found to be successful by both community partners and students. These materials are available for teaching or general use by contacting the instructor (lincke@uwp.edu). The student author, Todd Burri, successfully passed his CISM exam one semester later, with additional study.

ACKNOWLEDGEMENTS

The development of this course (including the Workbook) was funded by the National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and/or source(s) and do not necessarily reflect the views of the NSF. We would like to thank NSF for making this work possible, and also thank the students who participated in the course, thereby helping to improve it!