How do you gauge the strength of your information security plan?
- Ask these 10 questions to determine how well your data is protected
- Plan for the short term as well as the long term
- Become agile, alert, responsive, and realistic to create the level of security your institution needs to thrive
Information with any value will always be at risk. Even institutions with world-class security systems know that a breach is still possible, even likely. The best strategy? Make like the Boy Scouts and be prepared.
In the previous two blogs, I reviewed the importance of first understanding the threats and then assessing your institutional risk. The next step is to plan. Plan for the short term, as well as the long. Plan for how you’ll reduce risk … and how you’ll address the inevitable breach. And continually revise your plan to keep pace as threats, legal requirements, and technology evolve.
To gauge the strength of your information security plan, answer the following 10 questions:
1. Do we know our security requirements?
In order to plan, budget for, and implement an effective security programme, you must first understand (1) what needs to be protected and (2) what it will take to do the job right.
This includes taking an inventory of:
- your institution’s data and information assets;
- the technology, people, and processes that affect how that information is stored and shared;
- your partners/other external parties and their security posture; and
- the tools and capabilities required to safeguard your assets.
Even systems and data that are not under the direct control of your central IT team should be included in this audit. The institution is responsible for protecting all of its information assets, regardless of ownership, so your plan must be comprehensive.
2. Are we staying up to date on legal and regulatory requirements?
In addition to your own internal requirements, there are a range of legal and regulatory requirements governing data privacy and protection. Requirements may vary by state, country, or type of institution, but failure to comply can impact your funding and reputation.
The best strategy for staying current and compliant is to create a strong partnership between your IT and legal departments. Don’t leave it to technical staff to interpret the law. Your legal department is best equipped to:
- understand and monitor local, state, federal, and international regulations
- put regulations in context as to how they relate to your institution and the level of risk involved
- help manage compliance
Practical tip: Make sure your legal, technical, and administrative teams are working together to prepare for the EU’s new General Data Protection Regulation (GDPR), which takes effect in May 2018.
3. Do we have adequate policies and standards?
Every school should have a clear set of policies and standards governing how institutional data gets used, stored, and shared. For example:
- Develop an “Acceptable Use” policy that dictates what employees and other users can or can’t do on the institution’s network and systems
- Set standards for how often passwords must be changed and how strong they must be
- Create policies governing the use of personal devices on campus
The SANS Institute—a non-profit organisation serving security professionals across multiple industries—offers templates for creating and implementing a range of information security policies.
All employees should be educated and expected to follow institutional policies and standards. Ensure other users are informed of their responsibilities as well. Some organisations have a formal certification process for new employees—or all employees at regular intervals—to ensure compliance.
4. Are we tightly managing identity and access?
Identity and access management is about giving the right people access to the right information at the right time. If you don’t keep a tight rein on who’s accessing what, you leave multiple entry points for hackers.
For example, here are two common scenarios that put many institutions at risk:
- There are dozens of systems across campus that aren’t linked and require separate IDs and passwords. To make life easy, staff tend to use the same password for a low-security system (like a survey app) as they do for a high-security system (like payroll). A hacker then only needs to break into the survey app to gain entry into payroll.
- There isn’t a clear process for changing or removing credentials when employees switch roles or leave the institution. Perhaps a disgruntled former employee can still access financial information or a staff member who has moved to a new department can still access information that’s no longer relevant to her job.
Ultimately, institutions need a unified, centralised system for managing identity and access—one that is well integrated into daily business processes.
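As an added example (not code from the original post), here is the kind of reconciliation check the second scenario calls for: compare the HR roster against an export of system accounts and flag accounts held by departed staff, accounts whose entitlement no longer matches the holder’s current department, and accounts with no matching person at all. The roster, the account list and all field names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Person:
    user_id: str
    department: str
    left_on: Optional[date]  # None means still employed

@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    granted_for: str  # department the access was originally granted for

# Constructed sample data: a small HR roster and an account export.
HR_ROSTER = [
    Person("alice", "Finance", None),
    Person("bob", "Admissions", date(2017, 9, 30)),   # has left
    Person("carol", "Advancement", None),             # moved from Registrar
]
ACCOUNTS = [
    Account("alice", "payroll", "Finance"),
    Account("bob", "finance_reporting", "Finance"),   # former employee, still active
    Account("carol", "student_records", "Registrar"), # old role, still active
    Account("dave", "survey_app", "Marketing"),       # nobody in HR by that id
]

def find_access_gaps(roster, accounts, today):
    """Classify accounts that the joiner/mover/leaver process should have handled."""
    people = {p.user_id: p for p in roster}
    gaps = {"orphaned": [], "stale": [], "unknown": []}
    for acct in accounts:
        person = people.get(acct.user_id)
        if person is None:
            gaps["unknown"].append(acct)          # no owner: contractor or leftover?
        elif person.left_on is not None and person.left_on <= today:
            gaps["orphaned"].append(acct)         # leaver whose access was never removed
        elif acct.granted_for != person.department:
            gaps["stale"].append(acct)            # mover carrying access from an old role
    return gaps

if __name__ == "__main__":
    for kind, accts in find_access_gaps(HR_ROSTER, ACCOUNTS, date(2018, 1, 15)).items():
        for a in accts:
            print(f"{kind:9} {a.user_id:6} {a.system}")
```

Run against real exports, the three lists become the work queue for the offboarding and role-change process; the "unknown" list is usually the most revealing.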
5. Have we engaged senior management and the board?
Security is not just a technology challenge; it’s a business imperative. Given the large potential impact of a data breach, senior management and board members must be highly engaged in information security planning. IT alone cannot weigh risk against cost or ensure a culture of compliance at every level of the institution.
When faced with decisions such as whether to fund scholarships or network security, senior leaders need to understand exactly what’s at stake and accept responsibility for their decisions.
6. Are we providing adequate ongoing education?
As I discussed in the first blog in this series, lack of awareness and education about security threats is one of the biggest risks for most institutions.
You must have a well-documented and adequately resourced plan for ongoing information security training. This could include everything from mandatory courses on phishing and malware to regular e-blasts on the latest threats to annual certification programmes.
Educause offers a number of free resources institutions can use to educate faculty, staff, and students about cybersecurity.
7. Are we careful when choosing partners?
When retail giant Target experienced a massive data breach in 2013, it was not their own network that hackers broke into but rather the network of a heating and air conditioning sub-contractor that had worked at a number of Target stores.
No one remembers the name of that HVAC company, but they surely remember Target as a company that loses personal data. Target also paid a heavy financial price to rectify the situation and appease customers. The key takeaway? You are ultimately responsible for your students’ and employees’ personal data, even when—especially when—it’s being shared with third party vendors. So choose partners wisely.
Ask potential partners the same hard questions about the security of their information systems as you do about your own. Discuss auditing and compliance up front. Put processes in place to hold them accountable. If they can’t meet your standards, look for someone who can.
8. Are we using appropriate technology?
Technology can greatly enhance information security. The key is to modernise and simplify.
Sometimes moving forward means first looking backward. Take time to identify and retire legacy systems and business processes that are needlessly cumbersome. Complexity only makes it harder to monitor and control who is accessing what. Streamline the steps you use to grant system and data access, as well as those used to close the loop once an employee moves on. Retire out-of-date systems that no longer receive security patches.
As you build out your information security programme, pick the right tools for each job. For example, if you have a highly secure environment, using non-standard laptops or allowing contractors network access might not be wise. On the other hand, if you’re securing a simple web site with limited connection to other systems, don’t overcomplicate the security solution. Using resources wisely is key to winning the security battle on multiple fronts.
9. Do we aggressively follow up on incidents?
We live in a world where data breaches are ‘when’ not ‘if.’ That’s why responding appropriately to security incidents is as important as preventing them.
Gather data on incidents so you can reduce recurring issues and limit the damage of future ones. Establish routines and best practices so that you can mobilise quickly in the event of a breach. Review and analyse your trends. Data can also help you make the case for spending more money on things like firewalls or network intrusion detection.
10. Are we making continuous investments?
Information security is an ongoing practice, not a one-time implementation. You will never be fully protected, because there will always be new threats. But with careful planning—and a sustained investment of resources—you can effectively mitigate risk.
Make sure that your annual and long-term budget for information security reflects its level of importance to your business. Help decision makers understand the link between data protection—or lack thereof—and successful recruiting, advising, fundraising, and other key functions. Stay actively engaged with industry forums and workgroups to understand evolving threats and security best practices.
Get comfortable with discomfort
Planning for something to go wrong, in a world where what can go wrong is constantly changing, is, in a word, uncomfortable. But if you can get comfortable with discomfort—becoming agile, alert, responsive, and realistic—you can create the level of security that faculty, staff, and students need to thrive.
Read the complete infosec blog series.