Information Security Governance: A Call to Action

“The road to information security goes through corporate governance. America cannot solve its cyber security challenges by delegating them to government officials or CIOs. The best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of Boards and CEOs.”
Corporate Governance Task Force Report, www.cyberpartnership.org

Why is Information Security Board Material?
- Disruption of critical operations
- Loss of intellectual property
- Loss of trust and reputation
- Penalties from federal and state laws
- Liabilities may arise from lawsuits
- Threats to national security

Not Just a Technical Issue
Just as institutional policy is too important to leave to the lawyers…
Information security is too important to leave to the Chief Information Officer and the Chief Security Officer.

Security Laws and Regulations
- FERPA
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act
- California: SB1386
- Proposed S.1350: Notification of Risk to Personal Data Act (Sen. Feinstein)
- Maryland: Data Security (and Privacy Policies)
- Threats of further congressional action

Legal Issues Publications
- IT Security for Higher Education: A Legal Perspective (March 2003), http://www.educause.edu/ir/library/pdf/CSD2746.pdf
- Liability for Negligent Security: Implications for Policy and Practice (October 2003), http://www.educause.edu/ir/library/pdf/CSD2746.pdf
Do regulations matter?
Over 50% of respondents said that regulations and legal requirements drive security actions.
Toby Weiss, Computer Associates

National Context
- 1999: “Higher Ed Threatens National Security”
- 2000: EDUCAUSE/Internet2 Task Force on Computer and Network Security
- 9/11: Raises the stakes
- 2003: National Strategy to Secure Cyberspace
- 2003: National Cyber Security Summit
- Throughout: Many leaks of personal, medical, and financial information; intruders in our systems; attacks from us on others

National Strategy (Feb 2003)
Higher Ed a Critical Sector:
- Teach security officers
- Study security
- Threaten national security
- Join national effort
- Fix our problems voluntarily or …
- Same boat as large corporations

National Summit (Dec 2003)
Task Forces:
- Awareness for Home Users & Small Businesses
- Cyber Security Early Warning
- Software Development Lifecycle
- Technical Standards
- Corporate Governance
ISG Report: Executive Summary
If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.

ISG Framework
- Information Security Program
  - ISO/IEC 17799
  - Federal Information Security Management Act (FISMA)
- Roles and Responsibilities
- Reporting

Information Security Program
- Provide security for networks and systems
- Policies and procedures to assess security risks; full lifecycle
- Security awareness training
- Periodic testing; remedial action processes
- Incident response procedures
- Business continuity plans

ISG Roles & Responsibilities
- Board responsibilities: strategic oversight; alignment
- CEO responsibilities: assign responsibility, accountability, and authority; oversee compliance
- Executive responsibilities: security commensurate with risk; integrate with operations

ISG Reporting
- Adequacy, effectiveness, and acceptable residual risk reported to executives
- Independent evaluation reported to the board
ISG Assessment Tool
- Business Dependency (Organizational Reliance on IT)
- Risk Management
- People
- Processes
- Technology (last)

Organizational Reliance on IT
- Dependence upon information technology systems and the Internet to conduct academic, research, and outreach programs and offer support services
- Value of organization’s intellectual property stored or transmitted in electronic form
- Impact of major system downtime on operations
- Risk of losing personal information

Higher Education Characteristics
- Distributed, “light” management
- Changing mix of employees, students, visitors
- Stakeholder sensitivity to privacy
- Reputation very important
- May have academic or research programs in sensitive areas
- Potential impact on national or critical infrastructure

Risk Management
- Does your organization have a documented information security program?
- Has your company conducted a risk assessment to identify the key objectives that need to be supported by your information security program?
- Has your organization identified critical assets and the functions that rely on them?
- Has a cost been assigned to the loss of each critical asset or function?

Impact of Security
Risk = Threats x Vulnerabilities x Impact
Impact: Types of Risks
- Operational
- Financial
- Reputational
- Legal
- Strategic
People
- Is there a person or organization that has information security as their primary duty, with responsibility for maintaining the security program and ensuring compliance?
- Does your information security function have the authority and resources it needs to manage and ensure compliance with the information security program?
- Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes, and audits?

People (Cont’d)
- Does the information security function report regularly to the executive staff and board of directors on the compliance of the business with, and the effectiveness of, the information security program and policies?
- Have you implemented an information security education and awareness program such that all employees, contractors, and external providers know the information security policies that apply to them and understand their responsibilities?

Processes
- Does your institution have an official information security architecture, based on your risk management analysis and information security strategy?
- Do you have processes and procedures for involving security personnel in evaluating and addressing any security impacts before the purchase or introduction of new systems?
- Are there specific, documented, security-related configuration settings for all systems and applications?

Information Security Policies
Based on your information security risk management strategy, do you have written corporate information security policies that address each of the following areas?
- Individual employee responsibilities for information security practices
- Acceptable use of computers, e-mail, Internet, and intranet
- Protection of organizational assets, including IP
Is there a method for communicating security policies to all employees?

Security Program Administration
- Does your organization periodically test and evaluate/audit your information security program, practices, controls, and techniques to ensure they are effectively implemented?
- Do you conduct a periodic independent evaluation/audit of your information security program and practices for each business unit?
- Does each periodic independent evaluation/audit test the effectiveness of information security policies, procedures, and practices of a representative subset of each business unit’s information systems?
Leadership Matters
There is a positive impact when the president and provost are actively involved in the development of IT security policy.
Only 14 percent regularly report incidents to senior management.
EDUCAUSE Center for Applied Research, 2003

Letter to Presidents (February 2003)
- Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability.
- Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.
- Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.
- Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.
David Ward, President, American Council on Education

Key Messages to Executives
- College and university networks, if not secured, pose a threat to the institution
- Personal information, institutional data, and intellectual property, if not protected, can be compromised or disclosed without authorization
- College and university networks, if not secured, pose a threat to others

Key Messages to Executives
- Success will require “mainstreaming” information security into the normal governance process of the institution.
- Each member of the community has a role to play.
- Top-level leadership is required for this change in culture.

Help is available: EDUCAUSE/Internet2 Computer and Network Security Task Force
http://www.educause.edu/security
Security for the Here and Now
- Working groups in awareness and training, effective practices, risk assessment, policies and legal issues, and emerging technologies
- New annual conference for security practitioners in higher education
- A Framework for Action pledging increased executive support
- New book: Computer and Network Security in Higher Education, edited by Mark Luker and Rodney Petersen
- Effective IT Security Practices Guide and over 40 campus case studies
- EDUCAUSE Center for Applied Research Bulletins: Computer and Network Security and Higher Education's Core Values, and Life with HIPAA: A Primer for Higher Education

Results to date in Security
- An e-mail Security discussion list with over 1,300 subscribers
- A partnership between EDUCAUSE and the Center for Internet Security
- The Information Security Governance Self Assessment Tool for Higher
- Publication of Principles to Guide Efforts to Improve Computer and Network Security for Higher Education and IT Security for Higher Education: A Legal Perspective
- A CD that contains Cybersecurity Awareness Resources for the Higher Education Community
- A blog plus a large number of presentations and articles

Working with Others - 1
- National Infrastructure Protection Center (NIPC), formerly in the FBI, now in the Department of Homeland Security (DHS)
- InfraGard
- National Centers of Excellence in Information Assurance (formerly NSA centers)
- Center for Information Security
- Cybersecurity Forum for Higher Education (for cybersecurity issues of industry and higher education)
- US-Computer Emergency Readiness Team (US-CERT)
- NSF planning workshops

Working with Others - 2
- National Cybersecurity Partnership – a broad coalition of security experts in industry and higher education that drew up specific plans to improve our cybersecurity (without government intervention)
- Congressman Adam Putnam’s (R-FL) Corporate Information Security Working Group – a parallel coalition with many of the same players, formed by Congressman Putnam, then of the House Committee on Government Reform’s Subcommittee on Technology and Information Policy, to help determine if congressional intervention would indeed be required
- Partnership for Critical Infrastructure Security (PCIS) – the newly formed national organization of Sector Coordinators, each of which represents the cybersecurity activities of a single critical sector
Major Points
- Information security is now critically important to the institution and the nation
- Success will require a completely new system of people, processes, and technology
- Risk assessment is used to balance investment with risk
- Executive leadership and board oversight will be required on an ongoing basis
- Each person in the institution has a role
- Model programs and guidelines are available
Questions for discussion
1. How much does your campus rely on IT and IS?
2. Do you have a documented security program with someone in charge? Have you done a risk assessment?
3. How often do you report on compliance and effectiveness to leaders and the board?
4. Do you have written policies and procedures appropriate for faculty, staff, students, others?
5. To what extent do deans, directors, department heads, and other administrators feel, and are held, responsible for information security in their own units?

Questions for discussion
- How would you describe your institution’s relative reliance on information technology and networks for operations and business continuity?
- To what extent has your institution documented an information security program with a person or office designated with responsibility and authority for information security?
- How far has your institution gone in terms of conducting a risk assessment to identify the key objectives that need to be supported by your information security program?

Questions for discussion
- What is the reporting frequency from the information security function to institutional leaders and the governing board on the compliance of the institution with, and the effectiveness of, the information security program and policies?
- To what extent has your institution developed written information security policies and procedures, based on a risk management strategy, that are consistent, easy to understand, and readily available to administrators, faculty, employees, students, contractors, and partners?

Questions for discussion
- To what extent do deans, directors, department heads, and other administrators feel, and are held, responsible for information security in their own units?