The Guide to Information Security at a Higher Education Institution
Information security at a higher education institution doesn't just happen. Regardless of the size of the institution, security requires a well-thought-out, supported and executable strategic plan.
Clear, measurable, well-communicated and unambiguous security strategies that contribute to the institution's goals and objectives must be developed and redeveloped. These strategies should be geared toward maintaining confidentiality, integrity, and the availability of information and IT systems.
A comprehensive information security program combines people, processes and technologies. The objective is to provide a secure environment in which each student, faculty member and staffer can reach goals and objectives. The information security goals and objectives must map to the business goals and objectives of the institution. Security management must be able to articulate quantitatively that the business goals and objectives of the institution will be at risk if the security objectives are not met.
Higher education institutions need to be aware that security may decline and even deteriorate over time due to entropy. They must avoid being lulled into a status quo posture in which they:
• utilize technology to overcome deficiencies in information security training and security expertise;
• fixate on external threats;
• don't properly measure and document successes and failures;
• take a reactive rather than a proactive stance when it comes to matters involving information security;
• forget to plan.
Before developing a strategic security plan it is vital to understand the business objectives and the essential information security functions. Business objectives can be assessed and analyzed to identify dependencies on security. The security objectives can then be defined in terms of the business objectives.
Strategic planning in higher education is not like the planning process in corporate America or in government. Since the overall mission of a higher education institution is to contribute to the educational, cultural, economic and social advancement of society, strategic planning for these institutions requires a different set of skills and plays by a different set of rules.
When building a strategic plan, the institution must be viewed as a complete and interdependent system – a holistic approach. A strategy involves planning and positioning to meet one or more objectives or goals. Strategies do not have priorities: They are mutually exclusive and can be independent of other strategies within the plan.
Each strategy is supported by one or more initiatives. An initiative is the implementation of an operational plan that, through time, realizes part or all of the security strategies and objectives. The overall objective is to implement a set of interrelated initiatives that collectively achieve all the security objectives.
Building the Plan
The strategic plan should be defensible, measurable and comprehensive. When the strategic plan is complete, it will be used as a tool to help management understand and recognize the necessary technical, management and operational controls required to lower or eliminate security threats and risks to an acceptable level. The plan will also demonstrate how the information security program will be strategically aligned with the business objectives and work toward a mutual goal.
The plan allows management to make quantitative decisions on where and how much to invest in order to achieve an appropriate level of security. Remember that management invests to get benefits. Therefore, to win approval for an investment, security must demonstrate the potential benefits, present a nondisruptive implementation plan and later demonstrate that the benefits have been realized.
All processes and plans should be reviewed as part of an annual procedure or as the result of emergent threats/risks, errors, inefficiencies or ineffectiveness. A formal review process should be part of the strategic planning cycle.
The plan review process should include the overall review of the strategic plan and the steps needed to change the plan and adjust its direction based on the review and outside input. The revised plan must consider emergent strategies and changes affecting the institution's intended course.
A security strategic plan can fail for one or all of the three reasons listed below:
• misalignment of security strategies with business goals or objectives;
• mismanagement of the implementation process;
• lack of management support.
The plan, planning process and management must remain adaptive and resourceful during the life of the plan. Strategic planning and strategic thinking will take a system and people into uncharted territory – especially those in higher education. It is essential to realize that the strategic thinking and planning processes are ongoing. Strategic security planning is a journey, not a destination.
Stanton Gatewood is chief information security officer at the University of Georgia in Athens.
The 12-Step Plan to Campus Security
1. Identify executive leadership. An executive sponsor should be identified to champion and support the strategic plan.
2. Select an office of responsibility. The executive sponsor will need to select a security process owner or office that will manage the day-to-day activities of the process and be a single point of contact. In most cases, this will be the Office of Information Security.
3. Define the goals of the security strategy. Tying the business objectives to the strategic security objectives is the ultimate goal. Defining and prioritizing the specific goals of the strategic security plan is essential. To determine the security objectives, evaluate the potential for each business objective or initiative to be affected by each security function.
4. Establish a review mechanism. The evaluation and approval of security initiatives works best through a fully empowered process review board.
5. Clearly identify, categorize and prioritize the security requirements. Representatives from physical (facilities, public safety), logical (IT) and human (HR) security entities should be at the table.
6. Review and assess the current state of security. Review and record policies, directives, procedures, processes, guidelines, standards, existing technology (both hardware and software), awareness, training and education. Also factor the current political landscape into the review and assessment process.
7. Develop new policies. Any new policies should be considered at this point, such as an acceptable use policy and a minimum security configuration policy.
8. Evaluate and endorse plans. After the cross-functional teams have vetted the plans, the executive security review board should review the implementation plans from a standpoint of policy, budget, timing and priority.
9. Discuss, assign deliverables, schedule and execute the plan. Individuals should be assigned accountability, timeframes and deliverables for executing implementation plans.
10. Institute a vigorous program of education. Execution of a strategic plan requires a fit resource pool. An awareness, training and education program will ensure that all employees are confident in their roles and abilities.
11. Put everyone to work on the strategic plan. Everyone should be working toward the business objectives of the institution. Then introduce the strategic security objectives and explain how they work toward a mutual goal.
12. Measure security outcomes with metrics. IT security metrics must be based on IT security performance goals and objectives. Through collection, analysis and reporting of relevant performance-related data, true decision-making and improved performance and accountability can be realized.