University information technology standards not just for ITS

In December 2011, the University of North Carolina (UNC) Information Technology Security Council (ITSC) recommended the adoption of ISO 27002 as the common security framework baseline for the UNC system to the UNC Chief Information Officer (CIO) Council. The following month, the UNC CIO Council accepted the recommendation to use ISO 27002 as the official security framework of the UNC system. In April 2012, chancellors of all UNC system institutions submitted letters to UNC General Administration indicating the adoption of ISO 27002 as the official security framework for their campus. But since April 2012, the UNC Charlotte Internal Audit Department has discovered that there is a wide variance in the awareness and implementation of the ISO standards on campus.

What is ISO 27002?

ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management within an organization. The controls listed in the standard are intended to address specific requirements identified after completing a formal risk assessment. Employees can find a link to a copy of the standard on the IT Governance webpage within the ITS website.

The 2013 version of the standard has 114 controls across 14 categories:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

Each of the 114 controls is laid out in a similar pattern:

  • A specific control statement, such as “a set of policies for information security should be defined, approved . . .”, followed by
  • Implementation guidance, such as “. . . policies should address requirements created by a) business strategy; b) regulations, legislation . . .”, and in most cases
  • Other information, such as “If . . . policies are distributed outside the organization, care should be taken . . .”

Why are standards important?

According to EDUCAUSE, a nonprofit membership association focused on information technology in higher education, “From 2005 to early 2014, there were 562 reported data breaches at 324 unique higher education institutions. About 7 percent of all U.S. higher education institutions have had at least one data breach, and one-third of these institutions have had more than one. The estimated cost of a single breach is $8 million, not counting reputational costs or loss of productivity.” [1]

Also, the U.S. Department of Homeland Security suggests that “higher education institutions are attractive targets for cybercrime due to their open and transparent environments, robust and complex IT infrastructure, and innovative research and development programs.” [2]

And finally, “Most universities’ financial, administrative, research and clinical systems are accessible through a campus network. Similarly, medical records, student records, many employment-related records, library use records, attorney-client communications and certain research and other intellectual property-related records are housed on campus servers. As such, they are vulnerable to security breaches that may compromise confidential information and expose the university to losses and other risks. These security risks have impacted over 200 colleges and universities to date, institutions that have lost control of more than 22 million files of detailed data and information that include social security numbers and other personal, medical, financial, professional and extremely sensitive research project information.” [3]

What does all this mean to faculty and staff members?

The controls in ISO 27002 are significant weapons that can be used in the fight against those looking to attack the University. The ISO framework applies to the entire University IT function. Both centrally managed and locally managed servers and applications are expected to meet the standards described in the framework. Some of the controls can be met by ITS, but many require action by ITS and those with locally managed assets. A good start is to promote the completion of the information security awareness training modules recently made available in Moodle to all employees. These training videos raise awareness about information security and promote good information security practices.

Tom York, director of internal audit, said, “We realize that implementation will take some time and probably additional resources, but we all need to become more aware of what the standards are, how they apply to each organization, and what steps will be needed to reach compliance. It’s not about being able to pass an audit. It’s about protecting our data and our systems that store and process that data.”

As EDUCAUSE pointed out, “Data are the lifeblood of institutions of higher education. Without the exchange and transmission of data, students could not enroll and their progress toward a degree could not be tracked, employees would not be paid, and research could not take place. Institutions use data in operational and strategic ways every day. However, if individuals perceive that an institution will not safeguard their sensitive personal data, or if regulatory bodies discover that an institution does a poor job of safeguarding the data entrusted to it, then the future exchange of data is threatened. Data are central to the mission of higher education.” [4]

[1] EDUCAUSE Executive Brief, August 2014, “Foundations of Information Security: Institutional Implications for Safeguarding Data.”

[2] YuLin Bingle, Marc Hoit, Lauren Kielsmeier, and Jenny Menna, “U.S. Department of Homeland Security Cybersecurity Engagement for Colleges and Universities,” EDUCAUSE Live! webinar, July 24, 2014.

[3] Rod Rasmussen, “The College Cyber Security Tightrope: Higher Education Institutions Face Greater Risks,” SecurityWeek.com, April 28, 2011.

[4] EDUCAUSE, “Foundations of Information Security: Institutional Implications for Safeguarding Data.”