Information Security Policy for ABCD University - Coursework Example

Summary
This paper "Information Security Policy for ABCD University" outlines the institution’s plans and strategies to be used in safeguarding its information and physical technology facilities. This paper discusses different types of security, controls and programs. …

Extract of sample "Information Security Policy for ABCD University"

Information Security Policy for ABCD, 1995 Words

Introduction

The ABCD Information Security Policy outlines the institution’s plans and strategies to be used in safeguarding its information and physical technology facilities. Being a living document, this policy statement is not stagnant but continues to grow and change with circumstances and trends in the broader field of information technology. Thus, the policy is subject to updates as student, administration, faculty and technology requirements shift. The information security policy is thus instrumental in ensuring the university protects and keeps confidential its information, data and IT assets. At the core of this protection plan and strategy are the university’s research and structural project-derived data, information and technology.

ABCD University has data, information, knowledge and physical assets that are not only of great value but are also sensitive, necessitating utmost security measures. The information worth protecting through this information security policy relates to research information and data, data on the institution’s finances, building plans and personally identifiable information. This information is sensitive and vital to the university and hence must be protected by prohibiting unauthorized access, use and dissemination. If it is exposed to illegal or unauthorised individuals or organisations, the university’s image could be jeopardized or its rights over the use and possession of such information could be abused. Irreparable damage could be caused to the university by the leakage of this sensitive information, data and knowledge. Consequently, all the stakeholders of the university are called upon to execute their duty of ensuring the safety of this information, using the measures outlined in this policy document.

Any stakeholder who for one reason or another fails to comply with the requirements of this policy document could be subjected to disciplinary action, including termination for employees. This policy outlines the protection of information and data in relation to security of third party access, asset classification and control, data or information classification, user training, response to security incidents and malfunctions, physical and environmental security, access control, cryptographic controls, compliance and system audit controls.

Data Sensitivity, Classification and Controls

Information in the university’s database is assigned sensitivity levels, with their corresponding levels of control and access. The sensitivity levels and controls are determined by the integrity, confidentiality and availability aspects of the data or information.

On confidentiality, the lowest level of sensitivity is public information. This information can be accessed and shared freely with members of the public within or outside the university premises. There is no need for permission from those responsible for information storage and safety.

The second sensitivity level is internal information. This information is shared among members of the university community but not with outsiders. For purposes of sharing with people and organisations outside the university community, further clearance must be granted by the authority.

Departmental information can be shared among members of a department. Authorization by the right personnel in the department ought to be obtained if such information is to be shared with people and organisations outside the department.

Whereas confidential information can be shared with individuals and organisations that need to know it for purposes that the university concurs with, highly confidential information must be handled in a stricter manner. Highly confidential information and data can only be shared after authorization from the top management of the university, which is the topmost guardian of information in the university.

Compliance and System Audit Control

All students and university employees are expected to comply with all the requirements of the information security policy. Hence, everybody must be responsible in accessing, using and disseminating the institution’s data, information and knowledge. All workers at the university are only allowed to access data and information which they need to use in the execution of their duties, as assigned by the university. Moreover, permission must first be obtained from the right authorizing officer. Second, it is the duty of each employee to understand and appreciate the sensitivity and confidentiality of the information to which they have been granted access. Hence, the university must train its employees on the sensitivity of its information. Employees are also not allowed to access, reveal, copy, print, lend, divulge or sell any data or information belonging to the university, unless due authorization has been obtained. It is also against the university policy to access personally identifiable data or information without permission from the concerned individual.

Employees are also expected to:
(i) Comply with the University’s requirement that everyone protects his or her office computers, used in the execution of their university-assigned duties.
(ii) Safeguard the confidentiality, integrity and availability of the institution’s data, information and knowledge as guided by the information’s sensitivity and access controls.
(iii) Protect every physical key, ID card, computer and network account by which they access university information.
(iv) Develop and use difficult-to-guess computer passwords, making unauthorized entry and use of information difficult.
(v) Destroy or make unusable any confidential and highly confidential information in any physical document (such as reports, microfilm, memos, microfiche) and/or in any electronic, magnetic or optical storage device (such as USB key, CD, hard disk, magnetic tape, diskette) prior to discarding these devices.
(vi) Report any activity suspected of causing compromise of sensitive information to the University’s IT Security system and personnel.
(vii) Protect sensitive information even after leaving the institution.

Physical and Environment Security

The security of the physical assets and the IT environment is equally important to the university. Since the University’s regulatory requirements play a role in its information security, it is essential to ensure organizational data is safe and secure at every access point. Stakeholder awareness is not enough to secure the University’s information. Thus, the University gauges its security preparedness and secures its IT environment. First, the University secures its IT environment by classifying the data and information in its environment. The data is classified as private, confidential or public prior to assigning security protocols and policies to protect the data and information for each level of classification.

The University has secure information environments defined and described as follows:

Research Environment: A secluded facility for research on the usability and effectiveness of new technologies and solutions to IT in general and information security in particular.

Developer Work Space: An isolated and protected environment reserved for IT coders and technicians to work on integrated IT solutions. This environment is equipped with the necessary tools and technologies for coders and technicians to create the required information security designs for products such as Systems and Software.

Centralized Build Environment: An isolated area for technicians working on a common Product, System, or Software for the creation of a unified and properly operational IT product.

Integration Testing Environment: An environment for testing the integration of the University’s data, information and communication connections, channels and exchanges, for efficiency.

User Acceptance Testing Environment: A protected environment for user interaction with IT products, systems or Software, set aside for obtaining approvals of products, their features and functions.

Production Environment: This is the last environment in which IT products are used. Since it is the most important environment in the University’s information systems, its protection is paramount to the business of the institution.

Response to Information Security Incidents

In case of an occurrence or escalation of incidents and accidents to the University’s information system:

1. The Chief Information Officer (CIO) or any relevant authority initiates security response. This duty of initiating an emergency security response could be assigned to any other personnel, by the CIO or other such executive present during the incident.
2. The responsible officer then assembles the right response unit at a predefined site. The CIO or an assigned in-charge must be present at the meeting of the response team.
3. At the meeting, the team is briefed on the incident status, course of action and resolutions to deal with the incident.
4. The CIO or the assigned incident coordinator gives a report on the cost, exposure and the recurrent risks of the incident, after which the entire response team is expected to determine and outline the most appropriate course of action.
5. One of the courses of action is ‘lock-down and repair.’ In this strategy, the response team performs actions needed to avert more damage to the organization. It also entails the repair of affected systems and making the necessary changes to prevent a re-occurrence of the event.
6. The response team also has the power to declare that a reported incident was not an emergency and did not need an emergency response team. Hence, a report is made to that effect, noting the recommended course of action. For instance, the issue can be handled just like a normal incident with recommendations to the management of the university on the right course of action.
7. Monitoring, evaluation and capture are also effective emergency handling strategies proposed for the University’s information security. The management and the IT team are expected to conduct methodical investigation and sustained scrutiny to help in the detection and capture of the perpetrator of information security breaches. Once investigations are made and culprits or suspects captured, the management, especially the Vice Chancellor and the Deputy Vice Chancellors, should be notified.
8. It is also mandatory that log data is reviewed and analyzed after every incident to help determine the nature and scope of the incident. The detection tools for such reviews and analysis include, but are not limited to, tools for detecting viruses, spyware and rootkits, which are quite vital in the determination of the appropriate mitigation and repair measures.
9. The IT department also investigates incidents to determine the sources of attack and capture perpetrators, activities that require forensics tools, log analysis, clean lab and dirty lab environments. It is also equally important to communicate with law enforcement agencies such as the police on incidents of information security breach.

User Training

User training is instrumental in the successful implementation and use of the University’s information systems and the system’s security. The University’s information system is easy to use and customize for all types of users, depending on their confidentiality levels. First, the administrators are trained on the quick and effective access, use and protection of the information system. The planning for IT security training starts long before a user is allowed to access the information system. The following strategies will guide the information security training:

1. Establishing Security Training Goals: The University’s main objective is to avail information security training that is ideal for each category of users. The achievement of this objective implies reduced usage and productivity losses associated with information system transition for new workers and workers changing departments. In essence, the University sets out to get employees and other information users up to the required skill levels as fast as possible to enable them to undertake their roles and responsibilities.
2. Assessment of Users’ Needs: Before information security training is initiated, the concerned personnel examine the needs of each individual and departmental user of information. This examination is vital in identifying and quantifying the technical skills necessary for each level and the real users of each category of information in the University.
3. The Delivery Methods: The University has identified the following methods as effective in various circumstances to deliver information security training:
   - Seminar and group demonstration
   - Computer Based Training (CBT)
   - Individual hands-on instruction
   - Hands-on classroom style instructor-led training
   - Book-based self-paced training
4. Training program: Thoroughly prepared training programs for information security training are an integral element in the University’s information department. Given that user training is more effective if the training is customized to the institution’s use and users of software, comprehensive training programs have to be drawn up before any training is initiated.
5. Flexible and Scalable Programs: Information security training programs at the University are flexible enough to cater for the needs of small classes as well as big classes. Small programs target new employees joining the institution while small programs target entire programs being trained on an aspect of information security or rollout of organization-wide security training.