In an article titled “Universities Face a Rising Barrage of Cyberattacks”, Richard Pérez-Peña of the New York Times reports that American research universities are coming under increasing cyberattack, with millions of hacking attempts weekly. With this in mind, the decision was made to review the information security program of one such university.
The Information Security Program of the institution was developed to (1) ensure the security and confidentiality of customer information in compliance with applicable GLBA rules as published by the Federal Trade Commission, (2) provide administrative, physical, and technical safeguards to ensure compliance with the HIPAA Security Rule, (3) safeguard against anticipated threats to the security or integrity of protected electronic data, (4) provide oversight to ensure compliance with the Fair and Accurate Credit Transaction Act of 2003 (FACTA) for identity theft Red Flags, and (5) guard against unauthorized access to or use of protected data that could result in harm or inconvenience to any customer. The institution is currently compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS) as well as the state Social Security Number (SSN) Disclosure Law.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a comprehensive law affecting institutions and departments that deal with protected health information. The institution's policy defines this as:
Individually identifiable health information, in any form received or created as a consequence of providing healthcare services or health plan benefits (including demographic information). Protected health information may include information used for research purposes, if that information identifies or could be used to identify a human research subject.
Because most, if not all, of this information is stored, transmitted, and/or processed by various information systems, the security and privacy department assesses the compliance and risk of the departments within the institution that handle it.
The Family Educational Rights and Privacy Act (FERPA), also known as the Buckley Amendment, is designed to protect the privacy of students’ education records and personally identifiable information. This federal law spells out the rights of students and the responsibilities of educational institutions.
An education record is any record that is directly related to a student and maintained by the university. A student has the right of access to these records.
Education records include any records in whatever medium (handwritten, email, print, magnetic tape, film, diskette, etc.) that are in the possession of any school official. This includes transcripts or other records obtained from a school in which a student was previously enrolled.
The Gramm-Leach-Bliley Act (GLBA) is a comprehensive law affecting institutions and departments that deal with financial information, which includes non-public personal information such as addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. Because the institution engages significantly in student lending and provides other financial services that use non-public personal information, it falls within the definition of “financial institution” under GLBA regulations. For these reasons, the institution continually reviews its policies and systems to ensure compliance with the requirements of the GLBA Safeguards Rule. Its existing Family Educational Rights and Privacy Act (FERPA) initiatives are relied on to satisfy the GLBA Privacy Rule, since the FTC's rule deems an institution of higher education that complies with FERPA to be in compliance with the privacy provisions.
The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council, which was founded by the major card brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.), in order to provide security measures for protecting payment cardholder information and the merchants who store that sensitive information. This multifaceted security standard includes requirements for “security management, policies, procedures, network architecture, software design and other critical protective measures”, according to the PCI Security Standards Council.
The Council revises the standard on an ongoing basis as technology changes and as new compromises of consumer information come to light. The standard is made up of 12 requirements that, when complied with, reduce the likelihood and impact of breaches of the institution's information networks and other storage of sensitive information. Higher education is, unfortunately, one of the highest-risk environments for security breaches: statistically, a disproportionate number of payment card breaches occur at educational institutions. PCI DSS is therefore a required standard, imposed contractually through the card brands, with which all universities, as well as all merchants, service providers, and banks, must comply, and it is reinforced by state and federal law, including the Fair & Accurate Credit Transaction Act (FACTA) and the Gramm‐Leach‐Bliley Safeguards Rule. If a breach occurs, fines of up to $500,000 may be assessed, which does not include other monetary loss due to the breach and the consequences of the information being compromised.
In the state where the institution is located, agencies are limited in the ways that they can disclose an individual’s Social Security Number (SSN). When a state agency discloses an SSN improperly, the state agency employee making the improper disclosure can be penalized. If the employee’s disclosure was “negligent,” the charge is a Class A infraction. If the disclosure is “knowing, intentional, or reckless,” the charge is a Class D felony. The presumptive sentence for a Class D felony is a prison term of between six (6) months and three (3) years, with the advisory sentence being one and one-half (1½) years. In addition, the person may be fined not more than ten thousand dollars ($10,000). State agencies also must notify individuals if their SSN is improperly disclosed.
In November 2009, the Vice Chancellor for Information Services (VCIS) charged a task force consisting of members of the two primary campus information technology consultative bodies (Administrative Computing Committee and the Academic Computing Council) to investigate the issues related to information technology administration and governance on campus.
One of the primary motives for creating a new governance structure was that the structure then in place had existed for over six years, and during that time the needs of the campus had evolved. Evidence of this was seen in the informal groups that had formed to address specific information technology issues. While much productive work had been done in some of these groups, none of them had any official standing. Because of this, confusion existed in many cases about where the appropriate decision-making authority for different information technology issues rested within the University.
As a result of the work of the task force, as well as additional consultation by the VCIS with faculty members, deans, staff, and students, the information technology governance structure was modified as outlined in the figure below:
The major focus of this new structure is to:
- Establish a clear framework for defining how information technology can best be used to advance the strategic interests of the University and its various communities,
- Create a clear line of communication and decision making for major information technology initiatives,
- Define the responsibilities of all groups that are part of the process,
- Institute membership criteria for groups, and
- Clarify participation criteria in the various groups.
The new structure clarifies the roles of the various components of information technology governance. The creation of the Executive Information Technology Steering Committee (EITSC) defines a level of governance that can allocate resources and define priorities at an institution-wide level. Reporting directly to the EITSC are five groups: Student Technology Services Committee, Infrastructure and Architecture Advisory Committee, Research and Educational Technology Committee, Enterprise Systems Planning Advisory Committee, and Information Security Advisory Committee. Each of these committees has been created to represent the specific interests of particular groups on campus. As appropriate, these groups may have subcommittees charged to accomplish various operational goals or facilitate coordination and cooperation in the use of resources across campus.
To foster greater participation and engagement in information technology throughout the University, some overarching principles have been developed which are applicable to all committees and subcommittees:
- For committees and subcommittees with staggered appointments, some of the initial appointments will be for half of the “regular” appointment term in order to put a rotation schedule into effect. Determining the initial appointment period for each member will be by a random selection process.
- Each group (except EITSC and subcommittees) will have two conveners. One convener will be selected from the non-IS units of the University and a second convener will be assigned from Information Services. The primary responsibility of the non-IS convener is to facilitate discussion of relevant issues for the committee whereas the primary responsibilities of the IS convener are to both facilitate coordination of and represent the efforts of the committee within the IS division as well as bring to the group issues originating in IS that are relevant to the group’s constituency.
The Information Security Program is coordinated by the Chief Information Security Officer (CISO), who is also designated as the HIPAA Security Officer and is referred to in the program as the Coordinator. The Coordinator is responsible for development, implementation, and oversight of the institution’s compliance with the policies and procedures required by the Safeguards Rule of GLBA and the Security Rule of HIPAA. Although ultimate responsibility for compliance lies with the Coordinator, representatives from each of the operational areas are responsible for implementation and maintenance of the specified requirements of the security program in their own operation.
To ensure currency of the Information Security Program and to evaluate potential policy or procedural changes driven by particular regulations, the institution has an Information Security Policy and Compliance Director who is responsible for writing the policies and guidance documents that ensure that the wealth of information the University collects is safeguarded properly. This individual is also responsible for creating metrics to determine whether the security activities are reducing information security risks to the institution.
The Coordinator of the Information Security Program must work with all relevant areas of the institution to identify potential and actual risks to security and privacy of electronic information. Each representative, or designee, will fully participate in periodic data security reviews as specified by the Coordinator. Each representative, or designee, must also participate in a data security review whenever there is a material system change in that area. Documentation of the review will be retained by the Coordinator for a period of six (6) years from the date of its creation or the date when it last was in effect, whichever is later.
The Security and Policy department routinely conducts risk assessment and security compliance procedures to provide departments with an in-depth understanding of their security issues, their compliance with institutional security policies, requirements, and guidelines, and their compliance with local, state, and federal laws.
Before the process begins, one person (generally administrative) from the department being assessed is chosen as the security liaison. This person is responsible for communicating with the Security and Policy department, coordinating departmental efforts, and collecting all relevant data from within the department. The liaison should be available throughout the risk assessment process to answer additional questions and provide other input from his/her department.
The following is a brief overview of the process:
- Discovery of assets, procedures, and departmental policies.
- Analysis of assets, procedures, and policies.
- Identify threats and their likelihood of occurrence, together with the consequences and impact should each threat materialize.
- Enumerate recommendations for mitigating or eliminating the identified risks in order to satisfy university policies and state/federal laws.
- Help devise a plan and timeline, with appropriate departmental personnel, for addressing these threats.
After the risk assessment is completed, recommended solutions to identified threats are implemented. In some cases institutional policy or state/federal law may require follow-up risk assessments.
Employees handle and have access to protected information in order to perform their job duties. This includes permanent and temporary employees as well as student employees, whose job duties require them to access protected information or who work in a location where there is access to protected information. Departments are responsible for maintaining a high level of awareness and sensitivity to safeguarding protected information and should periodically remind employees of its importance. Seemingly minor changes to office layout and practices could significantly compromise protected information if a culture of awareness is not present.
A department representative is responsible for ensuring that staff are trained in the relevant policy concepts and requirements. Upon approval by the Coordinator, training templates and other materials may be tailored by each department to reflect their individual training needs. Training may be delivered in a variety of ways that meet the department’s objectives. Departments are responsible for maintaining records of staff that have received training and must be able to produce written copies upon request.
The Information Security Program is subject to periodic review and adjustment. The most frequent of these reviews occur within Information Technology Security and Privacy, where constantly changing technology and evolving risks warrant regular review. Processes in other relevant offices of the institution, such as data access procedures and the training program, also undergo regular review. It is the institution’s policy to conduct yearly security assessment reviews. The Information Security Program, as well as the related Data Retention Policy, is re-evaluated annually in order to ensure ongoing compliance with existing and future laws and regulations.
The institution’s policies are categorized under one of three headings, Acceptable Use, Security, or World Wide Web, to make it easier to identify those that pertain to a particular action or incident. Each policy includes the reason for that particular policy and identifies the stakeholders who will be directly affected and therefore should know the policy.
The acceptable use policies govern electronic devices and services, e-mail, and IT resources. Security policies include, among other things, authentication and authorization, data classification and governance, data security and access, incident response, and remote access. The World Wide Web policies stipulate what can and cannot be posted online and outline the appropriate use of social media in relation to the institution.
After reviewing the policies and regulations of this institution, it is evident that care was taken in the authorship and implementation of each to ensure compliance with industry standards and regulations. Federal regulations such as GLBA, FERPA, and HIPAA were duly considered and incorporated when the security program was developed, and the organizational structure was designed to support the program’s relevance and its evolution, so that the security and compliance of data resources are maintained. The regular review of the program helps keep the security policies from falling out of date, and the institution’s training program ensures that all stakeholders are kept informed of, and accountable for, changes to the program.