Security Policy Guideline For Higher Educational Establishment


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Table of Contents

1 Introduction

1.2 Purpose

1.3 Scope

1.4 Policy Statement

2. Overview of network security issues

3. Risk Assessment Analysis

3.1 Assets

3.1.1 Classifying and Categorizing Assets

3.2 Threats

3.3 Security Priority Identification

Security Control Procedure

Security Hardware and Software Location

Disaster Recovery Plan

References

Appendix

1 Introduction

XYZ Educational Establishment handles sensitive information that must be managed professionally and in compliance with government requirements, both to run its business and to keep confidential information private. This information includes, but is not limited to, the following university assets: financial data, students' private information, research, protected laboratory information and similar material. Some of this information, such as financial documents and credit records, is required to be kept private and not disclosed. Exposure of such information could harm the University, its members and its students, and mishandling or exposing it could subject the University to fines or other sanctions and damage the reputation of the University or its members. To help the University operate and do business professionally, all employees, students and guests of the University are required to keep its information, hardware and software assets secure.

1.2 Purpose

The policy provides a framework for managing the information security assets of the University and applies to the following:

All who have access to the University Information System, including employees, contractors, students and visitors.

Any operating system, network management solution and communication system.

Any information processed by the University in the course of its operational activity, regardless of whether it is processed digitally, virtually or physically.

Services provided to the University's information assets.

Services provided by external agencies that deal with University information assets.

1.3 Scope

The university performs its operations through wired and wireless networks and makes its educational resources available to students via online access to its information assets. The policy defined here is aimed at the departments and groups currently present at the University, namely Students, Academic Staff, Financial Staff, Registry Staff and IT Staff. The security policy must ensure the professional operation of each department and provide the conditions necessary for them to achieve their goals. The network map of the departments is illustrated in Appendix 1. The CIA triad, the Confidentiality, Integrity and Availability of information systems, software and data stored online or transmitted over the network, must be kept intact to protect the University's reputation. The university faces ever-evolving threats from online and offline sources, which is why it is committed to protecting its systems and information assets from the threats that could occur. The university has set the following objectives to mitigate information security threats:

To provide the means for staff, students and visitors to perform their duties securely, using secure, efficient and reliable technology.

To protect financial, personal, academic and administrative information from ongoing threats by keeping it secure using security technologies.

To establish an acceptable level of security policy and the steps necessary to protect information assets from theft, misuse and illegal distribution, while still providing the means for people to accomplish their tasks and roles within the university.

To encourage staff, students and visitors to maintain awareness so that they do not become victims of social engineering, and to provide them with training and support throughout their time at the University.

To ensure that the university is able to track and handle security breaches.

To be able to recover from a disaster if a breach occurs, and to find its source.

1.4 Policy Statement

The Information Security Policy is considered an essential asset of the University, and everyone involved with the University is responsible for ensuring that communication systems, information assets, physical assets, digital material and other facilities are used effectively, professionally and lawfully. Many responsibilities and roles apply to protecting information assets, but these policies and mitigation procedures cannot cover every situation or the future threats that keep evolving, which is why this information security policy is considered a living document. It is reviewed regularly and kept up to date to meet current regulations on protecting information assets.

2. Overview of network security issues

3. Risk Assessment Analysis

The goal at this point is to create a method for evaluating the relative risk posed by each vulnerability the University faces.

Risk assessment is the process by which the organization learns about, evaluates and assesses its risks. The better the internal assets and their value are known, the better the security control procedure. To start evaluating risk, the risks must first be identified through a process of self-examination. Managers or University executives normally identify the information assets, classify them into smaller, manageable groups and prioritize them by importance.

3.1 Assets

So the process must start with creating an inventory of information assets, which should identify all information assets, including people, procedures, data, information, software, hardware, security devices and networking elements. In our case, the University consists mainly of five departments, each divided into smaller groups, and this step should be done without prejudging the value of each asset. Some information may not be considered as important as other information; for example, documents created by the finance department are valued much higher than documents created by students. That is why the information assets must be identified first. A sample table can be seen below [book reference].

(table 7-1 from slide 2 to come here)

3.1.1 Classifying and Categorizing Assets

Once the initial inventory is gathered, managers must determine whether those assets are meaningful. For example, the assets created by students could be temporary documents, essay drafts or personal files in an allocated file space. That information is stored in the file-space storage.

So the inventory should reflect the sensitivity and security priority assigned to each information asset. Each of these categories defines the level of protection needed for the particular information asset. The classification for the university can be seen in Table 2. After each information asset is identified, categorized and classified, a relative value is given to each asset; this is where asset analysis starts. Relative values are assigned so that information receives the highest priority and value according to its sensitivity, and the judgement of managers is taken into account in this process. Possible questions to ask when classifying and judging the values are:

Which information asset is the most critical to the success of the organization?

Which information asset generates the most revenue?

Which information asset generates the highest profitability?

Which information asset is the most expensive to replace?

Which information asset is the most expensive to protect?

Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?

SAMPLE ASSET CLASSIFICATION WORKSHEET.

The final step in the risk identification process is to list the assets in order of their importance and sensitivity.

[Weighted factor analysis]
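The weighted factor analysis this final step refers to, as an added example that is not part of the original essay: each asset is scored against the classification questions listed above, the scores are combined using management's criterion weights, and the assets are listed most important first. The criterion names, weights and sample inventory are constructed assumptions, not values from the essay.

```python
from collections import namedtuple

# Criteria drawn from the classification questions above; the weights are
# constructed (management's judgement) and must sum to 1.0 for a 0..1 scale.
CRITERIA = {
    "critical_to_operations": 0.30,
    "revenue_and_profit": 0.15,
    "replacement_cost": 0.15,
    "protection_cost": 0.10,
    "liability_if_compromised": 0.30,
}

# name, owning department, and a criterion -> score map (0.0 none .. 1.0 highest)
Asset = namedtuple("Asset", "name owner scores")

def validate_weights(weights):
    """Reject a worksheet whose criterion weights do not sum to 1.0."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights must sum to 1.0, got {total}")
    return True

def weighted_score(asset, weights=CRITERIA):
    """Weighted factor analysis: sum of weight * score over all criteria."""
    missing = set(weights) - set(asset.scores)
    if missing:
        raise ValueError(f"{asset.name}: no score for {sorted(missing)}")
    if any(not 0.0 <= v <= 1.0 for v in asset.scores.values()):
        raise ValueError(f"{asset.name}: scores must lie between 0 and 1")
    return sum(weights[c] * asset.scores[c] for c in weights)

def rank_assets(assets, weights=CRITERIA):
    """List (name, score) most important first, the final step of risk
    identification; ties are broken by name so the order is stable."""
    validate_weights(weights)
    scored = sorted(((weighted_score(a, weights), a.name) for a in assets),
                    key=lambda t: (-t[0], t[1]))
    return [(name, round(score, 3)) for score, name in scored]

def make_asset(name, owner, *values):
    # scores are given in CRITERIA order
    return Asset(name, owner, dict(zip(CRITERIA, values)))

# Constructed sample inventory covering the five departments named above.
SAMPLE_ASSETS = [
    make_asset("Finance ledger and credit records", "Financial Staff", 1.0, 1.0, 0.8, 0.6, 1.0),
    make_asset("Student personal records", "Registry Staff", 0.8, 0.6, 0.7, 0.5, 1.0),
    make_asset("Protected lab research data", "Academic Staff", 0.7, 0.5, 1.0, 0.7, 0.8),
    make_asset("Network management console", "IT Staff", 0.9, 0.3, 0.5, 0.4, 0.7),
    make_asset("Student essay drafts in file space", "Students", 0.1, 0.0, 0.1, 0.1, 0.2),
]
```

Calling `rank_assets(SAMPLE_ASSETS)` places the finance records first and the student drafts last, matching the essay's own judgement about which documents matter most.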

3.2 Threats

In computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm. A threat can be either "intentional" (i.e., intelligent; e.g., an individual cracker or a criminal organization) or "accidental" (e.g., the possibility of a computer malfunctioning, or the possibility of an "act of God" such as an earthquake, a fire, or a tornado) or otherwise a circumstance, capability, action, or event.

In any case, whether it is a computer-crime-related threat, a natural threat or an accidental threat, all of them are considered harmful if they affect the operation of the organization and its information system. Threats can be classified according to their type: physical damage, natural event, loss of service, information leakage, technical failure or system hack. Microsoft also defines its own threat categories, as follows:

Spoofing of user identity

Tampering

Repudiation

Information disclosure (privacy breach or Data leak)

Denial of Service (DoS)

Elevation of privilege

But these are all computer-related, with no natural or geographical threats. Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent's attack strategy. Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset [TABLE 7-3]. The resulting risk assessment table, with the University's threat factors, can be seen in table [7-4].

Given the devolved nature of the University’s structure, the risk assessment should be carried out in the first instance by departments. However, the departmental assessment must be consistent with the general principles in this section. 

The risk assessment should identify the department's information assets, define the ownership of those assets and classify them according to their sensitivity and/or criticality to the department or the University as a whole. In assessing risk, departments should consider the value of the asset, the threats to that asset and its vulnerability.

Where appropriate, information assets should be labelled and handled in accordance with their criticality and sensitivity. 

Rules for the acceptable use of information assets should be identified, documented and implemented.

Information security risk assessments should be repeated periodically and carried out as required during the operational delivery and maintenance of the University’s infrastructure, systems and processes.

The threats the University could face come from multiple attack vectors, from natural disasters to black-hat hacking. A visitor could bring hazard to the University by bringing in any type of harmful software that could compromise the University's security, or a student could steal a copy of software and distribute it on the Internet. All of these are considered threats to the University.

3.3 Security Priority Identification

3.4 Classification and control of assets

3.4.1.1 "Assets" include both information assets and physical assets.

3.4.1.2 Information and infrastructure should be classified according to security level and access control.

3.4.1.3 Information as mentioned in item 3.4.1.1 should be classified as one of three categories for confidentiality:

Sensitive

Information of a sensitive variety where unauthorized access (including internally) may lead to considerable damage for individuals, the university college or their interests. [Sensitive information is here synonymous with being kept from public access according to the Norwegian Public Administration Act or sensitive personal information as defined by the Personal Data Act. Corresponding national legal requirements may apply.] This type of information must be secured in "red" zones, see chapter 3.6.

Internal

Information which may harm <X University> or be inappropriate for a third party to gain knowledge of. The System owner decides who may access and how to implement that access.

Open

Other information is open.


3.4.1.4 <X University> shall carry out risk analyses in order to classify information based on how critical it is for operations (criticality).

3.4.1.5 Routines for classification of information and risk analysis must be developed.

3.4.1.6 Users administrating information on behalf of <X University> should treat said information according to classification.

3.4.1.7 Sensitive documents should be clearly marked.

3.4.1.8 Classification of equipment according to criticality will be discussed in chapter 3.11.

3.4.1.9 A plan for electronic storage of essential documentation should be developed.

3.4.1.10 Information that is vital for operations should be accessible independent of which systems the information was created or processed in.

Security Control Procedure

The degree of security control required depends on the sensitivity or criticality of the information. The first step in determining the appropriate level of security is therefore a risk assessment, to identify and classify the nature of the information held, the adverse consequences of security breaches and the likelihood of those consequences occurring. To keep up with the competition, organizations must design and create a safer environment in which the business functions. The organization must be able to maintain the Confidentiality, Availability and Integrity of its data, which is achieved by designing the proper procedures and methodology.

There are four basic strategies for controlling risk:

Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risk for the vulnerability.

Transference: shifting the risk to other areas or to outside entities.

Mitigation: reducing the impact should the vulnerability be exploited.

Acceptance: understanding the consequences and accepting the risk without control or mitigation.

Once a control strategy has been selected and implemented, the controls should be monitored and measured on an ongoing basis to determine their effectiveness and the accuracy of the estimate of the risk that will remain after all planned controls are in place.

Security Hardware and Software Location

Disaster Recovery Plan

References
