May 20 2009

Security Requires More Than Technology

Indiana University takes a comprehensive approach to security.

State and federal legislation, industry compliance standards, grant funding agencies and privacy concerns increasingly require colleges and universities to take a comprehensive approach to protecting information. Relying on IT safeguards alone is no longer adequate to provide this protection.

An Information Security and Privacy Program is an institution's "soup to nuts" approach to information protection. Developing a comprehensive and effective program requires an understanding of the types of protections available (safeguards), why they are chosen (drivers), and what they consist of (ingredients).

Safeguards. These are the building blocks of the program. Their sole purpose is to protect information. How they provide that protection varies based on whether the safeguard is administrative, technical or physical.

Administrative safeguards offer oversight and guidance for the program. These include organizational activities and procedures such as staff training, data stewardship, and policy development and approval. Technical safeguards (such as antivirus software and firewalls) and physical safeguards (locks on filing cabinets and security cameras) specify the operational process of the program.

Drivers. The forces that guide and determine the content and structure of an institution's program are the institution itself, the external requirements placed upon the institution, and the threats faced by the institution. The philosophies, values and mission of the institution must be reflected throughout the program. For example, a research institution might be willing to assume additional risk to further a faculty member's research. Therefore, its safeguards must be developed with that in mind.

External entities also place security and privacy requirements on our institutions. These requirements can be statutory, regulatory or contractual. We must be mindful of — and our program must adequately address — these obligations.

Finally, our schools face threats that can exploit weaknesses in our program’s implementation. These threats can be environmental (such as hurricanes and floods), physical (unlocked file cabinets), administrative (inadequate training for staff) and technical (misconfigured firewalls). As with other program drivers, threats will vary by institution.

Understanding the program drivers helps in the selection of appropriate safeguards, as well as in the incorporation of the program’s ingredients.

Ingredients. The security program consists of three primary ingredients: governance, principles and standards. Governance implies the oversight and management of the program itself. It is imperative that the university leadership demonstrate support for the program. But how do principles and standards play into the program’s development?

Security principles such as “least privilege” (providing only as much access as required) and privacy principles such as “choice and consent” (informing individuals how information collected will be used) are essentially truths and beliefs related to security and privacy. They are fundamental and descriptive rather than prescriptive in nature. As a general rule, principles permeate all areas of the program and guide its development. Any of several industrywide security and privacy principles can form the basis of the program and can be supplemented with the institution’s principles as needed.

There are also several industry standards that can be used when developing the program. These standards can be quite prescriptive and identify specific safeguards that are considered “best practice” for an institution to follow. No single standard is thorough enough to be the sole basis of a program. Therefore, a comprehensive program must draw from several standards.

A robust collection of safeguards, and thus a program, is established through the careful combination of these three ingredients.

Lessons Learned

Indiana University CISO Tom Davis developed this list based on his experiences developing a security program:

  • Industrywide and institutional security and privacy principles are fundamental beliefs. As such, they should provide overarching guidance to the program.
  • The program will need to use several industry standards to be comprehensive; no single standard is enough.
  • A Gramm-Leach-Bliley Act program is often referred to as a document. However, an Information Security and Privacy Program is actually a collection of activities in a comprehensive approach to information protection.
  • Plans can be established to address any gaps that are identified as the program is developed, normally through the review of the industry standard safeguards.
  • Principles, being more descriptive, generally apply to higher education. However, some standards prescribe safeguards intended for businesses; those might not be applicable to higher education.
  • The ISO 27002 standard describes an Information Security Management System. An ISMS is another name for a program.
  • ISO 27002 is the broadest standard. It is common to base a program on it and then supplement the program with other standards, such as the Control Objectives for Information Technology (COBIT) standards for risk management.