To protect information assets from accidental or intentional but unauthorized disclosure, modification, or destruction, or the inability to process that information.
- Security objectives
- Ensure the integrity and accuracy of the data
- Provide for privacy of proprietary, personal, privileged, or otherwise sensitive data
- Protect and conserve college information assets from natural and other hazards
- Ensure the ability to survive hazards
- Protect employees from unnecessary temptation to default on their responsibilities
- Protect innocent employees from suspicion in the event that another employee defaults on responsibilities
- Protect management from charges of imprudence if any compromise of security occurs
- Security policy
Security must begin with the establishment of a college-wide policy by the highest levels of management in the organization. This policy will set the direction for security and give broad guidance. Guidelines and instructions on security will be covered in more detailed supporting documents.
- Security staff
A security manager, with authority to act for the entire college, will be designated with responsibility for directing and coordinating the implementation of the college’s security policy. This individual will report to the president so that allegiance is to the total rather than to any one department or business function. Responsibilities of the security manager are to:
- Maintain a current, up-to-date college-wide security policy
- Develop security awareness programs
- Publish detailed guidelines
- Assist department heads with implementation of the policy
- Coordinate security audits
- Recommend college operating unit security positions as required
- Information asset management
- All information will be accounted for and properly protected by a custodian program.
- The fundamental principle of custodial management deals with the identification of the individual who is responsible for a given information asset
- The individual administrator or department head or his/her agent who has management responsibilities of the asset is designated the custodian and is responsible for making recommendations to the security custodian with regard to:
- Who may use the asset
- The classification and level of protection given the asset
- Approving application controls and authorizing access to the asset
- Risk management, risk acceptance, and contingency planning with regard to the asset
- Management responsibility
All department heads and administrators must be intimately familiar with the college’s policies and guidelines and are responsible for ensuring that all employees are aware of and abide by the established guidelines.
- Employee awareness
- All employees must be alert to the need for security. This awareness must come from management’s communication of the college’s policy and guidelines to all personnel. A clear understanding and commitment on the part of all employees to abide by the policy is necessary.
- A college-wide security awareness program will be the most cost-effective action. It will be a part of the new employee orientation program. For existing employees, it will be instituted in a series of seminars and will be followed up with frequent reminders in college publications, on posters, and in newsletters.
- There will be both scheduled and impromptu audits. The program will:
- Emphasize the importance of security
- Identify security controls in terms of job and function for all employees
- Identify control practices to be followed
- Encourage participants to suggest improvements to the control practices
- Specify the consequences of non-compliance
- Security requirements and management’s expectations of the employee will be included as a part of each employee’s performance plan. Job appraisals and performance reviews should give the employee feedback on how well he or she is measuring up in protecting the college’s assets.
Hazards to information systems environment
- Hazards to the information system environment break down into two logical groupings:
- Natural hazards, which include fire, wind, rain, rising water, lightning, and others
- Manmade hazards, which include errors, omissions, mischief, vandalism, arson, riot, war, fraud, embezzlement, theft, eavesdropping, and others
- It has been found that accidental events account for the major exposure to data loss. Intentional acts may have more serious consequences per event, but occur less frequently.
- For the purpose of risk analysis, the college will:
- Specify a list of potential hazards (both natural and manmade)
- Apply practical experience and management judgment to identifying the college’s vulnerabilities to these hazards
- Assess and project the frequency of occurrence(s)
- Quantify the resultant annualized loss exposure to the college on the basis of each type of hazard and expected frequency of occurrence
- Prioritize the results on the basis of loss exposure
- Identify protective measures to reduce the vulnerability to hazards or the resultant effect of hazardous events
- Select protection on the basis of cost-benefit tradeoffs
- Implement protection on the basis of benefit to the college
- Periodically monitor all occurrences of hazardous events and evaluate the effectiveness of protective measures employed for reducing the college’s vulnerability to loss
- Protective measures to reduce vulnerabilities and exposure to either accidental or intentional events are placed into three categories:
- Physical security. Physical security practices include:
- Providing a safe place to work
- Controlling access to sensitive resources
- Detecting and communicating emergencies
- Limiting the damage resulting from emergencies
- Contingency planning. Contingency planning addresses three key areas:
- Emergency plans: The goal of the emergency plan will be to contain the damage and preserve the mission of the college during a disaster. It addresses such issues as early detection of the incident, safety of personnel, evacuation, shelter, and containment of the incident to a minimal effect.
- Backup plans: The goal of the backup plan is to provide a capability to carry out critical portions of the college’s mission between the occurrence of an interruption and complete recovery. It addresses such issues as user responsibility, assessment of the criticality of various functional areas of the college, identification of alternate sources to run critical college applications, and testing procedures.
- Recovery plans: The goal of the recovery plan is to provide a permanent restoration of the college’s mission. It addresses such issues as the information system manager’s responsibility, development of a strategy, resource identification, and testing procedures.
- The contingency plan for each of these three areas will be completely documented and tested on a regular basis.