Information Security Governance: The Buck Stops Where?

Mark Luker, Vice President, EDUCAUSE

EDUCAUSE WRC 2005

© 2005, EDUCAUSE/Internet2 Computer and Network Security Task Force

Information Security Governance: A Call to Action

“The road to information security goes through corporate governance. America cannot solve its cyber security challenges by delegating them to government officials or CIOs. The best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of Boards and CEOs.”

Corporate Governance Task Force Report, www.cyberpartnership.org

Why is Information Security Board Material?

- Disruption of critical operations
- Loss of intellectual property
- Loss of trust and reputation
- Penalties from federal and state laws
- Liabilities may arise from lawsuits
- Threats to national security


Not Just a Technical Issue

Just as institutional policy is too important to leave to the lawyers…

Information security is too important to leave to the Chief Information Officer and the Chief Security Officer

Security Laws and Regulations

- FERPA
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act
- California: SB1386
- Proposed S.1350: Notification of Risk to Personal Data Act (Sen. Feinstein)
- Maryland: Data Security (and Privacy Policies)
- Threats of further congressional action


Legal Issues Publications

IT Security for Higher Education: A Legal Perspective (March 2003)

http://www.educause.edu/ir/library/pdf/CSD2746.pdf

Liability for Negligent Security: Implications for Policy and Practice (October 2003)

http://www.educause.edu/ir/library/pdf/CSD2746.pdf


Do regulations matter?

Over 50% of respondents said that regulations and legal requirements drive security actions.

Toby Weiss, Computer Associates

National Context

- 1999: “Higher Ed Threatens National Security”
- 2000: EDUCAUSE/Internet2 Task Force on Computer and Network Security
- 9/11: Raises the stakes
- 2003: National Strategy to Secure Cyberspace
- 2003: National Cyber Security Summit
- Throughout: Many leaks of personal, medical, and financial information; intruders in our systems; attacks from us on others

National Strategy (Feb 2003): Higher Ed a Critical Sector

- Teach security officers
- Study security
- Threaten national security
- Join national effort
- Fix our problems voluntarily or …
- Same boat as large corporations

National Summit (Dec 2003): Task Forces

- Awareness for Home Users & Small Businesses
- Cyber Security Early Warning
- Software Development Lifecycle
- Technical Standards
- Corporate Governance


ISG Report: Executive Summary

If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.

ISG Framework

- Information Security Program
- ISO/IEC 17799
- Federal Information Security Management Act (FISMA)
- Roles and Responsibilities
- Reporting

Information Security Program

- Provide security for networks and systems
- Policies and procedures to assess security risks; full lifecycle
- Security awareness training
- Periodic testing; remedial action processes
- Incident response procedures
- Business continuity plans

ISG Roles & Responsibilities

- Board responsibilities: strategic oversight; alignment
- CEO responsibilities: assign responsibility, accountability, and authority; oversee compliance
- Executive responsibilities: security commensurate with risk; integrate with operations

ISG Roles & Responsibilities (Cont’d)

- Senior managers’ responsibilities: risk assessment, implement policies, secure operations
- All employees’ responsibilities: awareness; compliance; reporting

ISG Reporting

- Adequacy, effectiveness, and acceptable residual risk reported to executives
- Independent evaluation reported to the board

ISG Assessment Tool

- Business Dependency (Organizational Reliance on IT)
- Risk Management
- People
- Processes
- Technology (last)

Organizational Reliance on IT

- Dependence upon information technology systems and the Internet to conduct academic, research, and outreach programs and offer support services
- Value of organization’s intellectual property stored or transmitted in electronic form
- Impact of major system downtime on operations
- Risk of losing personal information

Higher Education Characteristics

- Distributed, “light” management
- Changing mix of employees, students, visitors
- Stakeholder sensitivity to privacy
- Reputation very important
- May have academic or research programs in sensitive areas
- Potential impact on national or critical infrastructure

Risk Management

- Does your organization have a documented information security program?
- Has your organization conducted a risk assessment to identify the key objectives that need to be supported by your information security program?
- Has your organization identified critical assets and the functions that rely on them?
- Has a cost been assigned to the loss of each critical asset or function?

Impact of Security Risk

Risk = Threats x Vulnerabilities x Impact

Impact: Types of Risks

- Operational
- Financial
- Reputational
- Legal
- Strategic

People

- Is there a person or organization that has information security as their primary duty, with responsibility for maintaining the security program and ensuring compliance?
- Does your information security function have the authority and resources it needs to manage and ensure compliance with the information security program?
- Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes and audits?

People (Cont’d)

- Does the information security function report regularly to the executive staff and board of directors on the compliance of the business with, and the effectiveness of, the information security program and policies?
- Have you implemented an information security education and awareness program such that all employees, contractors, and external providers know the information security policies that apply to them and understand their responsibilities?

Processes

- Does your institution have an official information security architecture, based on your risk management analysis and information security strategy?
- Do you have processes and procedures for involving the security personnel in evaluating and addressing any security impacts before the purchase or introduction of new systems?
- Are there specific, documented, security-related configuration settings for all systems and applications?

Information Security Policies

- Based on your information security risk management strategy, do you have written corporate information security policies that address each of the following areas?
  - Individual employee responsibilities for information security practices
  - Acceptable use of computers, e-mail, Internet, and intranet
  - Protection of organizational assets, including IP
- Is there a method for communicating security policies to all employees?

Security Program Administration

- Does your organization periodically test and evaluate/audit your information security program, practices, controls, and techniques to ensure they are effectively implemented?
- Do you conduct a periodic independent evaluation/audit of your information security program and practices for each business unit?
- Does each periodic independent evaluation/audit test the effectiveness of information security policies, procedures, and practices of a representative subset of each business unit’s information systems?

Leadership Matters

- There is a positive impact when the president and provost are actively involved in the development of IT security policy.
- Only 14 percent regularly report incidents to senior management.

EDUCAUSE Center for Applied Research, 2003

Letter to Presidents (February 2003)

- Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability.
- Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.
- Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.
- Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.

David Ward, President, American Council on Education

Key Messages to Executives

- College and university networks, if not secured, pose a threat to the institution
- Personal information, institutional data, and intellectual property, if not protected, can be compromised or disclosed without authorization
- College and university networks, if not secured, pose a threat to others

Key Messages to Executives (Cont’d)

- Success will require “mainstreaming” information security into the normal governance process of the institution.
- Each member of the community has a role to play.
- Top-level leadership is required for this change in culture.

Help is available:

EDUCAUSE/Internet2 Computer and Network Security Task Force
http://www.educause.edu/security

Security for the Here and Now

- Working groups in awareness and training, effective practices, risk assessment, policies and legal issues, and emerging technologies
- New annual conference for security practitioners in higher education
- A Framework for Action pledging increased executive support
- New book Computer and Network Security in Higher Education, edited by Mark Luker and Rodney Petersen
- Effective IT Security Practices Guide and over 40 campus case studies
- EDUCAUSE Center for Applied Research Bulletins: Computer and Network Security and Higher Education's Core Values and Life with HIPAA: A Primer for Higher Education

Results to date in Security

- An e-mail Security discussion list with over 1,300 subscribers
- A partnership between EDUCAUSE and the Center for Internet Security
- The Information Security Governance Self Assessment Tool for Higher Education
- Publication of Principles to Guide Efforts to Improve Computer and Network Security for Higher Education and IT Security for Higher Education: A Legal Perspective
- A CD that contains Cybersecurity Awareness Resources for the Higher Education Community
- A blog plus a large number of presentations and articles

Working with Others - 1

- National Infrastructure Protection Center (NIPC), formerly in the FBI, now in the Department of Homeland Security (DHS)
- InfraGard
- National Centers of Excellence in Information Assurance (formerly NSA centers)
- Center for Internet Security
- Cybersecurity Forum for Higher Education (for cybersecurity issues of industry and higher education)
- US-Computer Emergency Readiness Team (US-CERT)
- NSF planning workshops


Working with Others - 2

National Cybersecurity Partnership – a broad coalition of security experts in industry and higher education that drew up specific plans to improve our cybersecurity (without government intervention)

Congressman Adam Putnam’s (R-FL) Corporate Information Security Working Group – a parallel coalition with many of the same players formed by Congressman Putnam, then of the House Committee on Government Reform’s Subcommittee on Technology and Information Policy, to help determine if congressional intervention would indeed be required

Partnership for Critical Infrastructure Security (PCIS) – the newly formed national organization of Sector Coordinators, each of which represents the cybersecurity activities of a single critical sector.

Major Points

- Information Security is now critically important to the institution and the nation
- Success will require a complete new system of people, processes, and technology
- Risk assessment is used to balance investment with risk
- Executive leadership and board oversight will be required on an ongoing basis
- Each person in the institution has a role
- Model programs and guidelines are available

Questions for discussion

1. How much does your campus rely on IT and IS?
2. Do you have a documented security program with someone in charge? Have you done a risk assessment?
3. How often do you report on compliance and effectiveness to leaders and the board?
4. Do you have written policies and procedures appropriate for faculty, staff, students, others?
5. To what extent do deans, directors, department heads, and other administrators feel, and are held, responsible for information security in their own units?

Questions for discussion (expanded)

1. How would you describe your institution’s relative reliance on information technology and networks for operations and business continuity?
2. To what extent has your institution documented an information security program with a person or office designated with responsibility and authority for information security? How far has your institution gone in terms of conducting a risk assessment to identify the key objectives that need to be supported by your information security program?
3. What is the reporting frequency from the information security function to institutional leaders and the governing board on the compliance of the institution with, and the effectiveness of, the information security program and policies?
4. To what extent has your institution developed written information security policies and procedures, based on a risk management strategy, that are consistent, easy to understand, and readily available to administrators, faculty, employees, students, contractors, and partners?
5. To what extent do deans, directors, department heads, and other administrators feel, and are held, responsible for information security in their own units?
