Cyber Security Governance in Open Distance Learning
With specific reference to Online Evaluation and Assessment

Prof Basie von Solms
Director: Centre for Cyber Security
Academy for Computer Science and Software Engineering
University of Johannesburg
basievs@uj.ac.za

Prof Elmarie Kritzinger
School of Computing
University of South Africa
kritze@unisa.ac.za
Overview
- What is Corporate Governance?
- What is Information and Cyber Security Governance?
- Cyber Risks related to ODL Evaluation and Assessment
- Plan of Action
What is Corporate Governance?
- Corporate Governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed.
- It is the system by which corporations are directed and controlled.
What is Information Security Governance?
- Information Security Governance consists of the management commitment and leadership, organizational structures, user awareness and commitment, policies, procedures, processes, technologies and compliance enforcement mechanisms, all working together to ensure that the confidentiality, integrity and availability (CIA) of the company's electronic assets (data, information, software, hardware, people, etc.) are maintained at all times.
What is Cyber Security Governance?
- Cyber Security Governance can be seen as that part of Information Security Governance which specifically concentrates on securing electronic assets against threats and risks arising because of the use of the Internet.
- As any ODL environment uses the Internet, Cyber Security Governance is core to properly governing and managing an ODL environment.
Relationship between Corporate Governance and Cyber Security Governance
- Information Security Governance (and therefore Cyber Security Governance) is a subset of the organization's overall (corporate) governance program.
- Cyber Security Governance is a component of Corporate Governance, and therefore a Top Management responsibility.
Cyber Security Governance in a tertiary institution
- ODL systems: an integrated environment for teaching, evaluating, assessing and managing activities; a complete learning environment based on the use of the Internet.
- As stated, it is part of good Corporate Governance to manage the related cyber security risks to the confidentiality, integrity and availability of this whole ODL environment.
Cyber Security Governance in a tertiary institution
- Cyber Security in an ODL environment has to do with managing the cyber (Internet) risks related to all activities in an ODL environment.
- Let us look at an example.
University of South Africa (UNISA)
- UNISA has a global reach, with students on all continents.
- UNISA (South Africa's biggest university) accounts for more than a third of all university students in the country: between 400 000 and 500 000 students.
- UNISA is moving from ODL to ODeL.
- UNISA aims to be fully online by 2015.
- UNISA has assessments (assignments and exams) that are based on electronic submissions.
- UNISA students are expected to be part of the electronic student community.
Prof SH von Solms
An Example of an ODL environment
A comprehensive ODL environment provides, amongst others, the following to lecturers (L) and students (S):
- (L): Load course material onto course websites for students to retrieve
- (S): Retrieve course material and lectures from a course website
- (S): Submit assignments to a course website, from where lecturers retrieve and mark such assignments
- (L): Store assignment marks on the course website
An Example e-learning environment
- (S): Access a course website to retrieve their marks for assignments
- (L): Store tests to be written directly on the course website
- (S): Write different types of tests directly on their workstations (from different decentralized locations), with results marked by the system and stored in a course database
- (S): Access course websites to get the results of tests
Cyber Risks arising from this environment
- Course material may be altered by unauthorized people
- Bogus course material may be loaded onto course websites, or websites may be defaced
- Submitted assignments can be copied from course websites by unauthorized parties
- Submitted assignments can be changed or deleted by unauthorized parties
- Marks can be changed or deleted
- Unauthorized access to test papers may occur: test contents can be changed, or the test can be deleted before the scheduled test date
- People may masquerade as students and write tests on behalf of such students
- Students may get unauthorized help during the writing of tests
- Destruction of course websites and course databases containing marks
- Denial of service attempts against course websites, preventing authorized students from accessing the website
- Logon information (student/user ID and passwords) of lecturers and students can be intercepted and misused
Cyber Risks arising from this environment
These risks arise because the following six characteristics of Cyber Security are not enforced:
- Identification and Authentication
- Authorization (Logical Access Control)
- Confidentiality
- Integrity
- Non-repudiation
- Availability
Let us investigate a few of these risks which are specifically related to evaluation and assessment.
Risk 1: It may not be the correct student writing the test. The student might have given his/her student ID and password to another student, who writes the test on behalf of the real student. If this is not prevented right at the logon phase, it will probably never be detected.
Reason: Identification and Authentication not properly enforced
Risk 2: The answers are intercepted by another student while they are being sent over the Internet, and the interceptor may then submit these answers directly as his/her own.
Reason: Confidentiality not properly enforced
Risk 3: During the writing of the test, a student may realize that he/she will not be able to pass the test, and then cause a denial of service attack which takes the website down, in effect forcing the test to be rescheduled because no other student is able to access the relevant website any more.
Reason: Availability not properly enforced
Risk 4: A student may log on, but not submit any answers. At a later stage the student may claim that he/she had supplied all answers, and claim that the system lost them.
Reason: Identification and Authentication, Non-repudiation and Availability (Backups) not properly enforced
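The following is an added illustration, not code from the presentation or from UNISA's systems, of the kind of control Risk 4 (and, through its event log, the logon step of Risk 1) calls for: an append-only event ledger for a test sitting, a server-signed receipt for every submission, and an adjudication routine that decides a "the system lost my answers" claim from the ledger's own evidence. The `AssessmentLedger` class, its method names and the HMAC-tagged receipt format are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical server-side receipt key; in a real deployment it would live in a KMS or HSM.
RECEIPT_KEY = secrets.token_bytes(32)


@dataclass
class AssessmentLedger:
    """Append-only event log plus signed submission receipts for one test sitting (constructed example)."""
    key: bytes = RECEIPT_KEY
    clock: callable = time.time                       # injectable for reproducible tests
    events: list = field(default_factory=list)        # every logon/submission event, never edited
    submissions: dict = field(default_factory=dict)   # submission_id -> stored record

    def _record(self, kind, student_id, **extra):
        """Append one event with a sequence number and server timestamp."""
        event = {"seq": len(self.events), "ts": self.clock(), "kind": kind,
                 "student_id": student_id, **extra}
        self.events.append(event)
        return event

    def logon(self, student_id):
        return self._record("logon", student_id)

    def submit(self, student_id, answers):
        """Store the answers and hand the student a receipt the server cannot later disown."""
        # Canonical JSON so the digest does not depend on key order or whitespace.
        canonical = json.dumps(answers, sort_keys=True, separators=(",", ":")).encode()
        digest = hashlib.sha256(canonical).hexdigest()
        submission_id = secrets.token_hex(8)
        event = self._record("submit", student_id, submission_id=submission_id, sha256=digest)
        self.submissions[submission_id] = {"student_id": student_id, "answers": answers, "sha256": digest}
        receipt = {"submission_id": submission_id, "student_id": student_id,
                   "sha256": digest, "ts": event["ts"]}
        receipt["tag"] = self._tag(receipt)
        return receipt

    def _tag(self, receipt):
        """HMAC over every receipt field except the tag itself (integrity + server origin)."""
        body = json.dumps({k: v for k, v in receipt.items() if k != "tag"}, sort_keys=True).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def verify_receipt(self, receipt):
        return hmac.compare_digest(self._tag(receipt), receipt.get("tag", ""))

    def adjudicate_claim(self, student_id, receipt=None):
        """Decide a 'the system lost my answers' claim from receipt and ledger evidence."""
        if receipt is not None:
            if not self.verify_receipt(receipt) or receipt["student_id"] != student_id:
                return "receipt invalid: tampered or not issued by this server"
            stored = self.submissions.get(receipt["submission_id"])
            if stored is None:
                return "receipt genuine but submission missing: institution at fault, restore from backup"
            if stored["sha256"] != receipt["sha256"]:
                return "stored answers differ from receipted digest: integrity failure, investigate"
            return "submission present and matches receipt: claim unfounded"
        logons = [e for e in self.events if e["student_id"] == student_id and e["kind"] == "logon"]
        submits = [e for e in self.events if e["student_id"] == student_id and e["kind"] == "submit"]
        if submits:
            return "submission logged without receipt: verify stored answers against ledger digest"
        if logons:
            return "logon recorded, no submission event, no receipt: claim unsupported"
        return "no activity recorded for this student"


if __name__ == "__main__":
    ledger = AssessmentLedger()
    ledger.logon("student-001")                      # constructed sample sitting
    receipt = ledger.submit("student-001", {"q1": "A", "q2": "C"})
    print(ledger.adjudicate_claim("student-001", receipt))
    ledger.logon("student-002")                      # logged on, never submitted
    print(ledger.adjudicate_claim("student-002"))
```

The receipt here is signed only by the server, so it proves that the institution received a particular digest at a particular time; it does not stop a student denying that they made the submission, which would need the student's own signature or an authenticated session bound to the logon event. The ledger must be write-once and backed up (the Availability/Backups point in Risk 4), otherwise the "submission missing" branch is exactly the case the control was meant to rule out.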
Consequences
- If such risks are not countered, the standard of education will fall and the brand name of the institution will be negatively affected.
- Good Cyber Security Governance must recognize and counter all these risks right from the start.
Plan of Action when intending to implement an ODL Environment
1. Perform a proper risk analysis to identify all the cyber and business related risks involved in the implemented, or intended, ODL system.
2. Determine the potential impact of these risks on the institution if they should materialize.
3. Determine how to handle these risks, i.e. ignore them, transfer them, or accept and manage them.
Plan of Action
4. Determine the information security countermeasures needed to manage those risks which are accepted; investigate how well the intended commercial ODL package to be implemented addresses these risks.
5. Create a proper Enterprise Information and Cyber Security Management (EICSM) system to continuously manage these risks.
6. Review the risk situation (step 1 above) on an annual basis and adapt the EICSM system as necessary.
Conclusion
- Top management of educational institutions using, or intending to use, ODL environments to provide platforms for integrated educational, learning, evaluation and assessment environments must understand and accept their Corporate Governance responsibility and accountability for decisions to implement and use such systems.
- They must ensure that the correct Information and Cyber Security Governance is in place.
- If they do not, such systems will come back to haunt them.
Thanks