Sunday, September 15, 2019

An analysis of Information Security Governance in the Universities in Zimbabwe Essay

Abstract

The complexity and criticality of information security and its governance demand that it be elevated to the highest organizational levels. Within a university setup, information assets include student and personnel records, health and financial information, research data, teaching and learning materials, and all restricted and unrestricted electronic library materials. Security of these information assets is among the highest priorities in terms of risk and liabilities, business continuity, and protection of university reputations. As a critical resource, information must be treated like any other asset essential to the survival and success of the organization. In this paper the writer discusses the need for implementing Information Security Governance within institutions of higher education. This is followed by a discussion on how best to practise information security governance within the universities in Zimbabwe, and an assessment of how far the Zimbabwean universities have implemented Information Security Governance. A combination of questionnaires and interviews is used to gather data, and some recommendations are stated towards the end of the paper.

Introduction

Governance, as defined by the IT Governance Institute (2003), is the “set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.” Information security governance is the system by which an organization directs and controls information security (adapted from ISO 38500). It specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, and that security strategies are aligned with the business and consistent with regulations.
To exercise effective enterprise and information security governance, boards and senior executives must have a clear understanding of what to expect from their enterprise’s information security programme. They need to know how to direct the implementation of an information security programme, how to evaluate their own status with regard to an existing security programme, and how to decide the strategy and objectives of an effective security programme (IT Governance Institute, 2006). Stakeholders are becoming more and more concerned about information security as news of hacking, data theft and other attacks arrives more frequently than ever dreamt of. Executive management has been handed the responsibility of ensuring that an organization provides users with a secure information systems environment. Information security is not only a technical issue, but a business and governance challenge that involves adequate risk management, reporting and accountability. Effective security requires the active involvement of executives to assess emerging threats and the organization’s response to them (Corporate Governance Task Force, 2004). Furthermore, organizations need to protect themselves against the risks inherent in the use of information systems while simultaneously recognizing the benefits that can accrue from having secure information systems. Peter Drucker (1993) stated: “The diffusion of technology and the commodification of information transforms the role of information into a resource equal in importance to the traditionally important resources of land, labor and capital.” Thus, as dependence on information systems increases, the criticality of information security brings with it the need for effective information security governance.

Need for Information Security Governance within universities

A key goal of information security is to reduce adverse impacts on the organization to an acceptable level of risk.
Information security protects information assets against the risk of loss, operational discontinuity, misuse, unauthorized disclosure, inaccessibility and damage. It also protects against the ever-increasing potential for civil or legal liability that organizations face as a result of information inaccuracy and loss, or the absence of due care in its protection. Information security covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties. Information security addresses information protection, confidentiality, availability and integrity throughout the life cycle of the information and its use within the organization. John P. Pironti (2006) suggested that among the many reasons for information security governance, the most important is the one concerned with legal liability, protection of the organization’s reputation and regulatory compliance.

Within a university setup, all members of the university community are obligated to respect and, in many cases, to protect confidential data. Medical records, student records, certain employment-related records, library use records, attorney-client communications, and certain research and other intellectual property-related records are, subject to limited exceptions, confidential as a matter of law. Many other categories of records, including faculty and other personnel records, and records relating to the university’s business and finances, are, as a matter of university policy, treated as confidential. Systems (hardware and software) designed primarily to store confidential records (such as the Financial Information System, the Student Information System and all medical records systems) require enhanced security protections and are controlled (strategic) systems to which access is closely monitored.

Networks provide connections to records, information and other networks, and also require security protections. The use of university information technology assets in a manner or for a purpose other than that for which they were intended represents a misallocation of resources and, possibly, a violation of law. To achieve all this in today’s complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department. Information security is a top-down process requiring a comprehensive security strategy that is explicitly linked to the organization’s business processes and strategy. Security must address the entire organization’s processes, both physical and technical, from end to end. Hence, information security governance requires senior management commitment, a security-aware culture, promotion of good security practices and compliance with policy. It is easier to buy a solution than to change a culture, but even the most secure system will not achieve a significant degree of security if used by ill-informed, untrained, careless or indifferent personnel (IT Governance Institute, 2006). In an interview, Dr Richard Gwashy Young, executive director and information security expert on IT governance and cyber security with the IT Governance and Cyber Security Institute of sub-Saharan Africa, had this to say: “…remember in Zimbabwe security is regarded as an expense not an investment” (Rutsito, 2012).
Benefits of Information Security Governance

Good information security governance generates significant benefits, including:

- The board of directors taking full responsibility for information security initiatives
- Increased predictability and reduced uncertainty of business operations by lowering information security-related risks to definable and acceptable levels
- Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care
- The structure and framework to optimize allocation of limited security resources
- Assurance of effective information security policy and policy compliance
- A firm foundation for efficient and effective risk management, process improvement, and rapid incident response related to securing information
- A level of assurance that critical decisions are not based on faulty information
- Accountability for safeguarding information during critical business activities
- Easier compliance with local and international regulations
- Improved resource management, optimizing knowledge, information security and information technology infrastructure

The benefits add significant value to the organization by:

- Improving trust in customer/client relationships
- Protecting the organization’s reputation
- Decreasing the likelihood of violations of privacy
- Providing greater confidence when interacting with trading partners
- Enabling new and better ways to process electronic transactions, like publishing results online and online registration
- Reducing operational costs by providing predictable outcomes and mitigating risk factors that may interrupt the process

The benefits of good information security are not just a reduction in risk or a reduction in the impact should something go wrong. Good security can improve reputation, confidence and trust from others with whom business is conducted, and can even improve efficiency by avoiding wasted time and effort recovering from a security incident (IT Governance Institute, 2004).

Information Security Governance Outcomes

Five basic outcomes can be expected to result from developing an effective governance approach to information security:

- Strategic alignment of information security with institutional objectives
- Reduction of risk and potential business impacts to an acceptable level
- Value delivery through the optimization of security investments with institutional objectives
- Efficient utilization of security investments supporting organization objectives
- Performance measurement and monitoring to ensure that objectives are met

Best practices

The National Association of Corporate Directors (2001) recognizes the importance of information security and recommends four essential practices for boards of directors. The four practices, which are based on the practicalities of how boards operate, are:

- Place information security on the board’s agenda.
- Identify information security leaders, hold them accountable and ensure support for them.
- Ensure the effectiveness of the corporation’s information security policy through review and approval.
- Assign information security to a key committee and ensure adequate support for that committee.

It is critical that management ensures that adequate resources are allocated to support the overall enterprise information security strategy (IT Governance Institute, 2006). To achieve effective information security governance, management must establish and maintain a framework to guide the development and maintenance of a comprehensive information security programme.
According to Horton et al. (2000), an information security governance framework generally consists of:

- An information security risk management methodology;
- A comprehensive security strategy explicitly linked with business and IT objectives;
- An effective security organizational structure;
- A security strategy that talks about the value of information both protected and delivered;
- Security policies that address each aspect of strategy, control and regulation;
- A complete set of security standards for each policy to ensure that procedures and guidelines comply with policy;
- Institutionalized monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk;
- A process to ensure continued evaluation and update of security policies, standards, procedures and risks.

This kind of framework, in turn, provides the basis for the development of a cost-effective information security programme that supports an organization’s goals and provides an acceptable level of predictability for operations by limiting the impacts of adverse events. In his article, Kaitano (2010) pointed out some characteristics of good corporate governance coupled with good security governance. These include, but are not limited to:

- Information security is treated as an organization-wide issue and leaders are accountable
- It leads to viable Governance, Risk and Compliance (GRC) milestones
- It is risk-based and focuses on all aspects of security
- Proper frameworks and programs have been implemented
- It is not treated as a cost but as a way of doing business
- Roles, responsibilities and segregation of duties are defined
- It is addressed and enforced by policy
- Adequate resources are committed and staff are aware and trained
- It is planned, managed, measurable and measured
- It is reviewed and audited

The overall objective of the programme is to provide assurance that information assets are protected in accordance with their value or the risk their compromise poses to an organization. The framework generates a set of activities that supports fulfillment of this objective.

Principles for information security within the University

In their article titled Information Security Policy: Best Practice Document, Hostland et al. (2010) pointed out some guiding principles for information security within a university setup. The following are some of the principles they mentioned:

1. Risk assessment and management

The university’s approach to security should be based on risk assessments, which should be carried out continuously, with the need for protective measures evaluated. Measures must be evaluated based on the university’s role as an establishment for education and research and with regard to efficiency, cost and practical feasibility. An overall risk assessment of the information systems should be performed annually. Risk assessments must identify, quantify and prioritize the risks according to relevant criteria for acceptable risks. Risk assessments should be carried out when implementing changes impacting information security. Recognized methods of assessing risks, such as ISO/IEC 27005, should be employed. Risk management is to be carried out according to criteria approved by the management of the university. Risk assessments must be approved by the management, and if a risk assessment reveals unacceptable risks, measures must be implemented to reduce the risk to an acceptable level.

2. Information security policy

The Vice Chancellor should ensure that the information security policy, as well as guidelines and standards, are utilized and acted upon. He must also ensure the availability of sufficient training and information material for all users, in order to enable the users to protect the university’s data and information systems. The security policy should be reviewed and updated annually or when necessary, in accordance with principles described in ISO/IEC 27001.
However, all important changes to the university’s activities, and other external changes related to the threat level, should result in a revision of the policy and the guidelines relevant to information security.

3. Security organization

The Vice Chancellor is responsible for all government contact. The university should appoint a CSO (Chief Security Officer). Each department and section should also be responsible for implementing the unit’s information security. The managers of each unit must appoint separate security administrators. The Registrar Academics has the primary responsibility for information security in connection with the student registry and other student-related information. The IT Director has executive responsibility for information security in connection with IT systems and infrastructure. The Operations Manager has executive responsibility for information security in connection with structural infrastructure. He also has overall responsibility for quality work, while the operational responsibility is delegated according to the management structure. The Registrar Human Resources also has executive responsibility for information security according to the Personal Data Act and is the day-to-day controller of the personal information of the employees. The Registrar Academics and Research Administration also have executive responsibility for research-related personal information. The university’s information security should be revised on a regular basis, through internal control and, when needed, with assistance from an external IT auditor.

4. Information security in connection with users of the University’s services

Prior to employment, security responsibilities and roles for employees and contractors should be described. A background check should also be carried out on all appointees to positions at the university according to relevant laws and regulations. A confidentiality agreement should be signed by employees, contractors or others who may gain access to sensitive and/or internal information. IT regulations should be accepted for all employment contracts and for system access for third parties. During employment, the IT regulations for the university’s information security requirements should be in place and the users’ responsibility for complying with these regulations is to be emphasized. The IT regulations should be reviewed regularly with all users and with all new hires. All employees and third-party users should receive adequate training and updating regarding the information security policy and procedures. Breaches of the information security policy and accompanying guidelines will normally result in sanctions. The university’s information, information systems and other assets should only be utilized for their intended purpose. Necessary private usage is permitted. Private IT equipment in the university’s infrastructure may only be connected where explicitly permitted. All other use must be approved in advance by the IT department. On termination or change of employment, the responsibility for handling the termination or change should be clearly defined in a separate routine with relevant circulation forms. The university’s assets should be handed in when the need for their use ends. The university should change or terminate access rights at termination or change of employment. A routine should be present for handling alumni relationships. Notification of employment termination or change should be carried out through the procedures defined in the personnel system.

5. Information security regarding physical conditions

IT equipment and information that require protection should be placed in secure physical areas. Secure areas should have suitable access control to ensure that only authorized personnel have access. All of the University’s buildings should be secured according to their classification by using adequate security systems, including suitable tracking/logging. Security managers for the various areas of responsibility should ensure that work performed by third parties in secure zones is suitably monitored and documented. All external doors and windows must be closed and locked at the end of the work day. On securing equipment, IT equipment which is essential for daily activities must be protected against environmental threats (fires, flooding, temperature variations). Information classified as “sensitive” must not be stored on portable computer equipment (e.g. laptops, cell phones, memory sticks). If it is necessary to store this information on portable equipment, the information must be password protected and encrypted in compliance with guidelines from the IT department. During travel, portable computer equipment should be treated as carry-on luggage. Fire drills should also be carried out on a regular basis.

6. IT communications and operations management

Purchase and installation of IT equipment and software for IT equipment must be approved by the IT department. The IT department should ensure documentation of the IT systems according to the university’s standards. Changes in IT systems should only be implemented if well-founded from a business and security standpoint. The IT department should have emergency procedures in order to minimize the effect of unsuccessful changes to the IT systems. Operational procedures should be documented and the documentation must be updated following all substantial changes. Before a new IT system is put into production, plans and risk assessments should be in place to avoid errors. Additionally, routines for monitoring and managing unforeseen problems should be in place. Duties and responsibilities should be separated in a manner that reduces the possibility of unauthorized or unforeseen abuse of the university’s assets. Development, testing and maintenance should be separated from operations in order to reduce the risk of unauthorized access or changes, and in order to reduce the risk of error conditions. On system planning and acceptance, the requirements for information security must be taken into consideration when designing, testing, implementing and upgrading IT systems, as well as during system changes. Routines must be developed for change management and system development/maintenance. IT systems must be dimensioned according to capacity requirements, and the load should be monitored in order to apply upgrades and adjustments in a timely manner; this is especially important for business-critical systems. Written guidelines for access control and passwords, based on business and security requirements, should be in place. Guidelines should be re-evaluated on a regular basis and should contain password requirements (frequency of change, minimum length, character types which may/must be utilized) and regulate password storage. All users accessing systems must be authenticated according to guidelines and should have unique combinations of usernames and passwords. Users are responsible for any usage of their usernames and passwords.

Data Gathering

A structured questionnaire adapted and modified from previous questionnaires used by the Corporate Governance Task Force (2004) was used as the main instrument to gather data. Of the total of 13 universities in Zimbabwe, 9 managed to participate in this research. The questionnaires were completed by the Executive Dean, IT Director, Operations Manager or Chairperson of the department.

Section I: Organizational Reliance on IT

The first section was designed to help in determining the institution’s reliance on information technology for business continuity.
Table 1: Characteristics of Organization
Questions, followed by the scores/frequency recorded for each (columns 0 1 2 3 4):

- Dependence on information technology systems and the Internet to conduct academic, research, and outreach programs and offer support services: 9
- Value of organization’s intellectual property stored or transmitted in electronic form: 2 7
- The sensitivity of stakeholders (including but not limited to students, faculty, staff, alumni, governing boards, legislators, donors, and funding agencies) to privacy: 2 3 4
- Level of regulation regarding security (international, federal, state, or local regulations): 1 4 3 1
- Does your organization have academic or research programs in a sensitive area that may make you a target of violent physical or cyber attack from any groups? 5 1 2 1
- Total score: 1 9 6 7 22

Scoring: Very Low = 0; Low = 1; Medium = 2; High = 3; Very High = 4

Section II: Risk Management

This section assesses the risk management process as it relates to creating an information security strategy and program.

Table 2: Information Security Risk Assessment
Questions, followed by the scores/frequency recorded for each (columns 0 1 2 3 4):

- Does your organization have a documented information security program? 2 5 2
- Has your organization conducted a risk assessment to identify the key objectives that need to be supported by your information security program? 2 4 3
- Has your organization identified critical assets and the functions that rely on them? 2 2 5
- Have the information security threats and vulnerabilities associated with each of the critical assets and functions been identified? 2 4 2 1
- Has a cost been assigned to the loss of each critical asset or function? 1 3 3 2
- Do you have a written information security strategy? 2 4 2 1
- Does your written information security strategy include plans that seek to cost-effectively reduce the risks to an acceptable level, with minimal disruptions to operations? 4 2 2 1
- Is the strategy reviewed and updated at least annually or more frequently when significant changes require it? 2 3 3 1
- Do you have a process in place to monitor federal, state, or international legislation or regulations and determine their applicability to your organization? 2 2 3 2 1
- Total: 10 16 26 14 16

Scoring: Not Implemented = 0; Planning Stages = 1; Partially Implemented = 2; Close to Completion = 3; Fully Implemented = 4

Section III: People

This section assesses the organizational aspects of the information security program.

Table 3: Information Security Function/Organization
Questions, followed by the scores/frequency recorded for each (columns 0 1 2 3 4):

- Do you have a person that has information security as his primary duty, with responsibility for maintaining the security program and ensuring compliance? 4 3 1 1
- Do the leaders and staff of your information security organization have the necessary experience and qualifications? 5 2 2
- Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes and audits? 3 4 1 1
- Do you have an ongoing training program in place to build skills and competencies for information security for members of the information security function? 2 2 3 2
- Does the information security function report regularly to institutional leaders and the governing board on the compliance of the institution to and the effectiveness of the information security program and policies? 2 3 3 1
- Are the senior officers of the institution ultimately responsible and accountable for the information security program, including approval of information security policies? 3 4 2
- Total: 16 17 14 7 0

Scoring: Not Implemented = 0; Planning Stages = 1; Partially Implemented = 2; Close to Completion = 3; Fully Implemented = 4

Section IV: Processes

This section assesses the processes that should be part of an information security program.

Table IV: Security Technology Strategy
Questions, followed by the scores/frequency recorded for each (columns 0 1 2 3 4):

- Have you instituted processes and procedures for involving the security personnel in evaluating and addressing any security impacts before the purchase or introduction of new systems? 2 3 3 1
- Do you have a process to appropriately evaluate and classify the information and information assets that support the operations and assets under your control, to indicate the appropriate levels of information security? 1 2 3 2 1
- Are written information security policies consistent, easy to understand, and readily available to administrators, faculty, employees, students, contractors, and partners? 2 3 3 1
- Are consequences for noncompliance with corporate policies clearly communicated and enforced? 1 3 2 3 1
- Do your security policies effectively address the risks identified in your risk analysis/risk assessments? 2 3 4
- Are information security issues considered in all important decisions within the organization? 3 2 3 1
- Do you constantly monitor in real time your networks, systems and applications for unauthorized access and anomalous behavior such as viruses, malicious code insertion, or break-in attempts? 1 3 3 1 1
- Is sensitive data encrypted and associated encryption keys properly protected? 2 3 2 1 1
- Do you have an authorization system that enforces time limits and defaults to minimum privileges? 2 2 2 3
- Do your systems and applications enforce session/user management practices including automatic timeouts, lock out on login failure, and revocation? 2 3 2 2
- Based on your information security risk management strategy, do you have official written information security policies or procedures that address each of the following areas?
  - Individual employee responsibilities for information security practices: 4 3 1 1
  - Acceptable use of computers, e-mail, Internet, and intranet: 2 3 2 2
  - Protection of organizational assets, including intellectual property: 2 2 3 2
  - Access control, authentication, and authorization practices and requirements: 1 2 3 1 2
  - Information sharing, including storing and transmitting institutional data on outside resources (ISPs, external networks, contractors’ systems): 2 1 3 2 1
  - Disaster recovery contingency planning (business continuity planning): 1 1 3 4
  - Change management processes: 2 3 2 2
  - Physical security and personnel clearances or background checks: 1 3 3 2
  - Data backups and secure off-site storage: 1 1 3 4
  - Secure disposal of data, old media, or printed materials that contain sensitive information: 2 3 4
- For your critical data centers, programming rooms, network operations centers, and other sensitive facilities or locations: 2 3 4
  - Are multiple physical security measures in place to restrict forced or unauthorized entry? 1 2 3 3
  - Is there a process for issuing keys, codes, and/or cards that require proper authorization and background checks for access to these sensitive facilities? 2 1 3 3
  - Is your critical hardware and wiring protected from power loss, tampering, failure, and environmental threats? 1 4 4
- Total: 17 45 58 50 47

Scoring: Not Implemented = 0; Planning Stages = 1; Partially Implemented = 2; Close to Completion = 3; Fully Implemented = 4

Discussion

As shown by the total scores in Table 1, the majority of the universities have a very high reliance on IT in their services. This is depicted by the structure and characteristics of the universities. Information risk assessment and management leaves a lot to be desired at the universities. Most of the universities have only partially implemented such programs. A large number of employees in the IT departments of most universities do not have sufficient skills to implement good information security governance.
Most universities lack leaders who have the rightful know-how on the subject. In addition to that, there is no representative on the council who is an IT expert, hence most leaders lack interest and initiative on information security. Due to the lack of full responsibility for information security by the leaders, implementing processes for information security might also be a challenge, especially for the IT department, as it is normally the department given the responsibility.

Conclusion

There is a need for institutions to start focusing on proper information security governance. For a start, organizations such as the Government, the Computer Society of Zimbabwe, Zim Law Society, POTRAZ, ICAZ, IIAZ, Zimbabwe Institute of Management and other industry governing bodies should put their heads together and define the appropriate legislation that mandates information security governance, either by referring to existing international frameworks (PCI-DSS, SOX, COSO, ITIL, SABSA, Cobit, FIPS, NIST, ISO 27002/5, CMM, ITG Governance Framework) or by consulting local information security and business professionals to come up with an information security governance framework. As the Zimbabwean economy is slowly sprouting, the art of information security governance in the universities should also take a leap. The adoption of information security governance will ensure that security becomes a part of every university, and thus customers’ confidence will be boosted.

References

Drucker, P. (1993). Management Challenges for the 21st Century. Harpers Business.
Corporate Governance Task Force (2004). Information Security Governance: Call to Action. USA.
IT Governance Institute (2003). Board Briefing on IT Governance, 2nd Edition. USA. www.itgi.org
IT Governance Institute (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition. USA.
ISO/IEC 38500 (2008). Corporate Governance of Information Technology.
IT Governance Institute (2005). COBIT 4.0. USA. www.itgi.org
IT Governance Institute (2004). COBIT® Security Baseline. USA. www.itgi.org
National Association of Corporate Directors (2001). ‘Information Security Oversight: Essential Board Practices’. USA.
Pironti, J. P. (2006). ‘Information Security Governance: Motivations, Benefits and Outcomes’. Information Systems Control Journal, vol. 4, pp. 45–48.
Rutsito, T. (2005). ‘IT governance, security define new era’. The Herald, 07 November.
Kaitano, F. (2010). ‘Information Security Governance: Missing Link In Corporate Governance’. TechZim. http://www.techzim.co.zw/2010/05/information-security-governance-missing-link-in-corporate-governance [accessed 02 May 2013].
Horton, T.R., Le Grand, C.H., Murray, W.H., Ozier, W.J. & Parker, D.B. (2000). Information Security Management and Assurance: A Call to Action for Corporate Governance. United States of America: The Institute of Internal Auditors.
Hostland, K., Enstad, A. P., Eilertsen, O. & Boe, G. (2010). Information Security Policy: Best Practice Document.
