USG information security executive brief

Information Security - Executive Summary
The University System of Georgia has a responsibility to serve the needs of its students and citizens and this is achieved through the efficient and secure collection and utilization of information. This information is often confidential and sensitive in nature. As we continue to rely on the Internet and technology to store, process and transmit this information, it is essential that we understand the associated information security risks and know how to protect the data and information systems.
As a public sector and higher education leader, you have the responsibility to protect the assets entrusted to you and your institution by ensuring the security of information.
There are three core principles of information security that every business leader should be aware of: Confidentiality, Integrity, and Availability. Information must remain confidential where appropriate (Confidentiality), data must retain its integrity and not be altered maliciously or accidentally (Integrity), and the information needed to provide services must be available to those who need it, when they need it (Availability).
Some examples of how your computer system would be affected by an information security incident could include hackers breaking into your system and stealing personal and sensitive information; or disgruntled employees manipulating or destroying important state or federal government data. These and other information security incidents would certainly have a negative impact on your ability to provide services to students, employees and citizens, and potentially result in a loss of public confidence.
The following Executive Brief was developed to increase awareness of the importance of information security to senior executives. By taking a proactive approach to information security and privacy, you are making an important commitment to protecting this most precious asset - information.
What Challenges Have Been Discovered? From recent information and information system audits at several institutions, some significant "systemic" information processing issues have been identified. The two major areas where findings were identified are: 1) the technical architecture and methodologies used to secure the information technology infrastructure, services, and data (Perimeter and Network Security - NetSec), and 2) department level operational procedures for managing access to sensitive or confidential information (Identity and Access Control Management - IAM). Common vulnerabilities include the transmission of PCI DSS (credit card), FERPA, or HIPAA data across the network without the data being properly encrypted, so that someone with malicious intent could intercept and misuse the sensitive or confidential information. Another significant issue was the lack of policies, standards, and department level procedures defining how to receive, manage, store, and destroy sensitive or confidential information. Regardless of the information's form, whether in an electronic email transmission or a hard copy filed away in a desk drawer, high risk information must be treated with the utmost care.
To resolve these key issues, additional investment and effort should be made to determine what documented policies, standards, and procedures exist at your institution to protect high risk information, e.g., practical job roles and responsibilities for individuals in departments, and the physical network infrastructure design and data transmissions to and from sensitive information systems. The diagram below provides a visual explanation and exercise that can be used to assess your university's processes and their effectiveness.

[Diagram: Logical to Virtual / Physical Translation and Transmission for Functional and Operational Data. Roles: Director (aka. Business Owner), Worker Bees (aka. Trustees), and Services, Tools, or Resource Provider (aka. Steward). Layers: Policy Standards, Procedures, Requirements, Program Screens, Application, Application Server, Infrastructure, Client, Department, Internet, and Outsourced Solution or Third Party Support. Inputs: Functional Business Requirements and Operational Support Requirements.]

The solution is to develop an institution-wide information risk awareness plan. This plan should include, and be implemented with, the following tenets:
Define the different types of high risk information, e.g., PCI DSS, FERPA, HIPAA, public, sensitive and confidential information at your institution per the Business Procedures Manual.
Identify who is responsible and accountable for safe-guarding information at each functional or operational level, e.g., business owner, trustees, and stewards.
Establish both manual and technical controls to effectively safe-guard the high risk information.
Limit the amount of unnecessary collection or use of high risk information.
Provide periodic information security awareness training.
Verify compliance through routine self-evaluations.
Assimilate the risk plan into your existing security awareness culture.

Why Is Information Security Important? Many of our critical higher education services rely on the Internet and technology to function. Everything from applying for admission online to conducting federally funded research can be done quickly and conveniently online. This convenience does come with risks, however. The average unprotected computer connected to the Internet can be compromised in less than a minute. Thousands of infected web pages are being discovered every day. Data breaches are occurring all too often. New cyber attack methods are launched continually. These are just a few examples of the threats facing us, and they highlight the importance of information security as a proactive approach to protecting data and systems.
These rapidly accelerating and increasingly sophisticated cyber threats and the potential devastating consequences they pose to our interconnected system, state and local governments make it clear that we must act now.
It's important to note that information security is not a technology issue, but rather a people and management issue requiring leadership, expertise, accountability, due diligence and risk management. Information security needs to be addressed in a coordinated, enterprise approach, and factored into program decisions.
What Does All This Mean? Each USG institution leader is responsible and accountable for overseeing the Confidentiality, Integrity and Availability of the information with which they have been entrusted. The University System of Georgia and the public expect that information provided to the institution and the System Office will be handled with due care and diligence in accordance with all appropriate policies, standards, laws, rules and regulations.
Any kind of unauthorized access or system compromise can lead to a breach of information. Compromised information can jeopardize the health, safety and welfare of the public.
Information security should be integrated at the beginning of any project or process and should never be considered an ad-hoc addition. It is far more prudent to address security at the beginning of an initiative rather than adding it in at the end, or injecting it after an event has occurred. In the end, it is an effort that is worth doing and worth doing well.
What Can You Do? While one hundred percent security does not exist, there are steps that can be taken to manage the risks and apply due diligence in protecting information and systems.
First and foremost embrace information security as a priority. Be a champion for the cause.
Establish a security organization and function that assists management in the development of policies and assists the institution in carrying them out.
Assign responsibility, accountability and authority for all security-related functions to appropriate individuals in the organization.
Establish clear, pragmatic continuity of operations programs, which are then continually tested and kept up to date.
Conduct information security audits based on clear processes and accountabilities, with management tracking the closure of recommendations.
Include security in job performance appraisals, and apply appropriate rewards and disciplinary measures.
Develop and introduce clear and regular reporting on an organization's (within the institution) information security status to the Senior Executive Leadership, based on the established policies, guidelines and applicable standards. Report on compliance with these policies, significant weaknesses and their remedial actions, and important security projects.
Ensure effective coordination amongst all of the organization's security and risk management functions (IT, information security, emergency operations and law enforcement). Remember, information security is everyone's responsibility!
Document prepared by OIIT Chief Information Security Officer Stan Gatewood and the Department of Internal Audit under the direction of Ron Stark