Saturday, June 8, 2019

An analysis of Information Security Governance in the Universities in Zimbabwe

Abstract

The complexity and criticality of information security and its governance demand that it be elevated to the highest organisational levels. Within a university setup, information assets include student and personnel records, health and financial information, research data, teaching and learning materials and all restricted and unrestricted electronic library materials. Security of these information assets is among the highest priorities in terms of risk and liabilities, business continuity, and protection of university reputations. As a critical resource, information must be treated like any other asset essential to the survival and success of the organization. In this paper the writer is going to discuss the need for implementing Information Security Governance within institutions of higher education. Further than that, a discussion on best practice in information security governance within the universities in Zimbabwe is followed by an assessment of how far the Zimbabwean universities have implemented Information Security Governance. A combination of questionnaires and interviews is going to be used as a tool to gather data, and some recommendations are stated towards the end of the paper.

Introduction

Governance, as defined by the IT Governance Institute (2003), is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
Information security governance is the system by which an organization directs and controls information security (adapted from ISO 38500). It specifies the responsibility framework and provides oversight to ensure that risks are adequately mitigated as well as ensuring that security strategies are aligned with the business and consistent with regulations. To exercise effective enterprise and information security governance, boards and senior executives must have a clear understanding of what to expect from their enterprise's information security programme. They need to know how to direct the implementation of an information security programme, how to evaluate their own status with regard to an existing security programme and how to decide the strategy and objectives of an effective security programme (IT Governance Institute, 2006). Stakeholders are becoming more and more concerned about information security as news of hacking, data theft and other attacks happens more frequently than ever dreamt of. Executive management has been showered with the responsibility of ensuring an organization provides users with a secure information systems environment. Information security is not only a technical issue, but a business and governance challenge that involves adequate risk management, reporting and accountability. Effective security requires the active involvement of executives to assess emerging threats and the organization's response to them (Corporate Governance Task Force, 2004). Furthermore, organizations need to protect themselves against the risks inherent in the use of information systems while simultaneously recognizing the benefits that can accrue from having secure information systems.
Peter Drucker (1993) stated: "The diffusion of technology and the commodification of information transforms the role of information into a resource equal in importance to the traditionally important resources of land, labor and capital." Thus as dependence on information systems increases, the criticality of information security brings with it the need for effective information security governance.

Need for Information Security Governance within universities

A key goal of information security is to reduce adverse impacts on the organization to an acceptable level of risk. Information security protects information assets against the risk of loss, operational discontinuity, misuse, unauthorized disclosure, inaccessibility and damage. It also protects against the ever-increasing potential for civil or legal liability that organizations face as a result of information inaccuracy and loss, or the absence of due care in its protection. Information security covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties. Information security addresses information protection, confidentiality, availability and integrity throughout the life cycle of the information and its use within the organization. John P. Pironti (2006) suggested that among the many reasons for information security governance, the most important one is the one concerned with legal liability, protection of the organization's reputation and regulatory compliance. Within the university setup, all members of the university community are obligated to respect and, in many cases, to protect confidential data. Medical records, student records, certain employment-related records, library use records, attorney-client communications, and certain research and other intellectual property-related records are, subject to limited exceptions, confidential as a matter of law.
Many other categories of records, including faculty and other personnel records, and records relating to the university's business and finances are, as a matter of university policy, treated as confidential. Systems (hardware and software) designed primarily to store confidential records (such as the Financial Information System and Student Information System and all medical records systems) require enhanced security protections and are controlled (strategic) systems to which access is closely monitored. Networks provide connection to records, information, and other networks and also require security protections. The use of university information technology assets in other than the manner and for the purpose for which they were intended represents a misallocation of resources and, possibly, a violation of law. To achieve all this in today's complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department. Information security is a top-down process requiring a comprehensive security strategy that is explicitly linked to the organization's business processes and strategy. Security must address the entire organization's processes, both physical and technical, from end to end. Hence, information security governance requires senior management commitment, a security-aware culture, promotion of good security practices and compliance with policy.
It is easier to buy a solution than to change a culture, but even the most secure system will not achieve a significant degree of security if used by ill-informed, untrained, careless or indifferent personnel (IT Governance Institute, 2006). In an interview, the executive director and information security expert on IT governance and cyber security with the IT Governance and Cyber Security Institute of sub-Saharan Africa, Dr Richard Gwashy Young, had this to say: "Remember in Zimbabwe security is regarded as an expense not an investment" (Rutsito, 2012).

Benefits of Information Security Governance

Good information security governance generates significant benefits, including:

- The Board of Directors taking full responsibility for information security initiatives
- Increased predictability and reduced uncertainty of business operations by lowering information security-related risks to definable and acceptable levels
- Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care
- The structure and framework to optimize allocation of limited security resources
- Assurance of effective information security policy and policy compliance
- A firm foundation for efficient and effective risk management, process improvement, and rapid incident response related to securing information
- A level of assurance that critical decisions are not based on faulty information
- Accountability for safeguarding information during critical business activities
- Easier compliance with local and international regulations
- Improved resource management, optimizing knowledge, information security and information technology infrastructure

The benefits add significant value to the organization by:

- Improving trust in customer/client relationships
- Protecting the organization's reputation
- Decreasing the likelihood of violations of privacy
- Providing greater confidence when interacting with trading partners
- Enabling new and better ways to process electronic transactions, like publishing results online and online registration
- Reducing operational costs by providing predictable outcomes and mitigating risk factors that may delay the process

The benefits of good information security are not just a reduction in risk or a reduction in the impact should something go wrong. Good security can improve reputation, confidence and trust from others with whom business is conducted, and can even improve efficiency by avoiding wasted time and effort recovering from a security incident (IT Governance Institute, 2004).

Information Security Governance Outcomes

Five basic outcomes can be expected to result from developing an effective governance approach to information security:

- Strategic alignment of information security with institutional objectives
- Reduction of risk and potential business impacts to an acceptable level
- Value delivery through the optimization of security investments with institutional objectives
- Efficient utilization of security investments supporting organization objectives
- Performance measurement and monitoring to ensure that objectives are met

Best practices

The National Association of Corporate Directors (2001) recognizes the importance of information security and recommends four essential practices for boards of directors. The four practices, which are based on the practicalities of how boards operate, are:

- Place information security on the board's agenda.
- Identify information security leaders, hold them accountable and ensure support for them.
- Ensure the effectiveness of the corporation's information security policy through review and approval.
- Assign information security to a key committee and ensure adequate support for that committee.
It is critical that management ensure that adequate resources are allocated to support the overall enterprise information security strategy (IT Governance Institute, 2006). To achieve effective information security governance, management must establish and maintain a framework to guide the development and maintenance of a comprehensive information security programme. According to Horton et al. (2000), an information security governance framework generally consists of:

- An information security risk management methodology
- A comprehensive security strategy explicitly linked with business and IT objectives
- An effective security organizational structure
- A security strategy that talks about the value of information both protected and delivered
- Security policies that address each aspect of strategy, control and regulation
- A complete set of security standards for each policy to ensure that procedures and guidelines comply with policy
- Institutionalized monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk
- A process to ensure continued evaluation and update of security policies, standards, procedures and risks

This kind of framework, in turn, provides the basis for the development of a cost-effective information security programme that supports an organization's goals and provides an acceptable level of predictability for operations by limiting the impacts of adverse events. In his article, Kaitano (2010) pointed out some characteristics of good corporate governance coupled with good security governance. These include, and are not limited to:

- Information security being treated as an organization-wide issue, with leaders accountable
- Leads to viable Governance, Risk and Compliance (GRC) milestones
- It is risk-based and focuses on all aspects of security
- Proper frameworks and programs have been implemented
- It is not treated as a cost but as a way of doing business
- Roles, responsibilities and segregation of duties are defined
- It is addressed and enforced by policy
- Adequate resources are committed and staff are aware and trained
- It is planned, managed, measurable and measured
- It is reviewed and audited

The overall objective of the programme is to provide assurance that information assets are protected in accordance with their value or the risk their compromise poses to an organization. The framework generates a set of activities that supports fulfillment of this objective.

Principles for information security within the University

In their article titled "Information Security Policy Best Practice Document", Hostland et al. (2010) pointed out some guiding principles for information security within a university setup. The following are some of the principles they mentioned:

1. Risk assessment and management

The university's approach to security should be based on risk assessments, which should be done continuously, with the need for protective measures evaluated. Measures must be evaluated based on the university's role as an establishment for education and research and with regard to efficiency, cost and practical feasibility. An overall risk assessment of the information systems should be performed annually. Risk assessments must identify, quantify and prioritize the risks according to relevant criteria for acceptable risks. Risk assessments should be carried out when implementing changes impacting information security. Some recognized methods of assessing risks, like ISO/IEC 27005, should be employed. Risk management is to be carried out according to criteria approved by the management at the University.
Risk assessments must be approved by the management, and if a risk assessment reveals unacceptable risks, measures must be implemented to reduce the risk to an acceptable level.

2. Information security policy

The Vice Chancellor should ensure that the information security policy, as well as guidelines and standards, are utilized and acted upon. He must also ensure the availability of sufficient training and information material for all users, in order to enable the users to protect the university's data and information systems. The security policy should be reviewed and updated annually or when necessary, in accordance with principles described in ISO/IEC 27001. However, all important changes to the university's activities, and other external changes related to the threat level, should result in a revision of the policy and the guidelines relevant to information security.

3. Security organization

The Vice Chancellor is responsible for all government contact. The university should appoint a CSO (Chief Security Officer). Each department and section should also be responsible for implementing the unit's information security. The managers of each unit must appoint separate security administrators. The Registrar Academics has the primary responsibility for information security in connection with the student registry and other student-related information. The IT Director has executive responsibility for information security in connection with IT systems and infrastructure. The Operations Manager has executive responsibility for information security in connection with structural infrastructure. He also has overall responsibility for quality work, while the operational responsibility is delegated according to the management structure. The Registrar Human Resources also has executive responsibility for information security according to the Personal Data Act and is the controller on a daily basis of the personal information of the employees.
The Registrar Academics and Research Administration also have executive responsibility for research-related personal information. The University's information security should be revised on a regular basis, through internal control and, when needed, with assistance from an external IT auditor.

4. Information security in connection with users of the University's services

Prior to employment, security responsibilities and roles for employees and contractors should be described. A background check should also be carried out on all appointees to positions at the university according to relevant laws and regulations. A confidentiality agreement should be signed by employees, contractors or others who may gain access to sensitive and/or internal information. IT regulations should be accepted for all employment contracts and for system access for third parties. During employment, the IT regulations for the university's information security requirements should be in place and the users' responsibility for complying with these regulations is to be emphasized. The IT regulations should be reviewed regularly with all users and with all new hires. All employees and third-party users should receive adequate training and updating regarding the information security policy and procedures. Breaches of the information security policy and accompanying guidelines will normally result in sanctions. The University's information, information systems and other assets should only be utilized for their intended purpose. Necessary private usage is permitted. Private IT equipment in the university's infrastructure may only be connected where explicitly permitted. All other use must be approved in advance by the IT department. On termination or change of employment, the responsibilities involved should be clearly defined in a separate routine with relevant circulation forms. The university's assets should be handed in when the need for the use of these assets ends.
The University should change or terminate access rights at termination or change of employment. A routine should be present for handling alumni relationships. Notification of employment termination or change should be carried out through the procedures defined in the personnel system.

5. Information security regarding physical conditions

IT equipment and information that require protection should be placed in secure physical areas. Secure areas should have suitable access control to ensure that only authorized personnel have access. All of the University's buildings should be secured according to their classification by using adequate security systems, including suitable tracking/logging. Security managers for the various areas of responsibility should ensure that work performed by third parties in secure zones is suitably monitored and documented. All external doors and windows must be closed and locked at the end of the work day. On securing equipment, IT equipment which is essential for daily activities must be protected against environmental threats (fires, flooding, temperature variations). Information classified as sensitive must not be stored on portable computer equipment (e.g. laptops, cell phones, memory sticks). If it is necessary to store this information on portable equipment, the information must be password protected and encrypted in compliance with guidelines from the IT department. During travel, portable computer equipment should be treated as carry-on luggage. Fire drills should also be carried out on a regular basis.

6. IT communications and operations management

Purchase and installation of IT equipment and software for IT equipment must be approved by the IT department. The IT department should ensure documentation of the IT systems according to the university's standards. Changes in IT systems should only be implemented if well-founded from a business and security standpoint.
The IT department should have emergency procedures in order to minimize the effect of unsuccessful changes to the IT systems. Operational procedures should be documented and the documentation must be updated following all substantial changes. Before a new IT system is put into production, plans and risk assessments should be in place to avoid errors. Additionally, routines for monitoring and managing unforeseen problems should be in place. Duties and responsibilities should be separated in a manner that reduces the possibility of unauthorized or unforeseen abuse of the university's assets. Development, testing and maintenance should be separated from operations in order to reduce the risk of unauthorized access or changes, and in order to reduce the risk of error conditions. On system planning and acceptance, the requirements for information security must be taken into consideration when designing, testing, implementing and upgrading IT systems, as well as during system changes. Routines must be developed for change management and system development/maintenance. IT systems must be dimensioned according to capacity requirements and the load should be monitored in order to apply upgrades and adjustments in a timely manner; this is especially important for business-critical systems. Written guidelines for access control and passwords based on business and security requirements should be in place. Guidelines should be re-evaluated on a regular basis and should contain password requirements (frequency of change, minimum length, character types which may/must be utilized) and regulate password storage. All users accessing systems must be authenticated according to guidelines and should have unique combinations of usernames and passwords. Users are responsible for any usage of their usernames and passwords.
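The access-control and password guidelines in principle 6 (minimum length, permitted character types, frequency of change, regulated password storage, a unique username and password per user) are easy to state and easy to get wrong in implementation, as are the lock-out-on-login-failure and automatic session timeout practices the questionnaire asks about later in this paper. The following Python example is added here and is not code from the paper or from Hostland et al.; it shows one way a university IT department could turn such a written guideline into executable policy. All threshold values, the `AccessControl` class and the account used in the comments are constructed assumptions for illustration.

```python
"""Added example: enforcing a written access-control and password guideline.

Not from the paper or from Hostland et al. Thresholds, class and function
names, and sample data are constructed assumptions.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed policy values; a real university sets these in its own guideline.
MIN_LENGTH = 12                          # minimum length
MAX_PASSWORD_AGE = timedelta(days=90)    # frequency of change
MAX_FAILED_LOGINS = 5                    # lock out on repeated login failure
LOCKOUT_PERIOD = timedelta(minutes=15)
SESSION_TIMEOUT = timedelta(minutes=20)  # automatic timeout of idle sessions
PBKDF2_ITERATIONS = 200_000


def password_policy_violations(password: str) -> list:
    """Return the guideline rules the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None):
    """Regulated storage: keep a salted PBKDF2 hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    failed_logins: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class Session:
    username: str
    last_activity: datetime


class AccessControl:
    """Accounts and sessions; every decision is taken against an explicit clock."""

    def __init__(self) -> None:
        self.accounts = {}
        self.sessions = {}

    def create_account(self, username: str, password: str, now: datetime) -> None:
        if username in self.accounts:
            raise ValueError("usernames must be unique")   # one user, one username
        violations = password_policy_violations(password)
        if violations:
            raise ValueError("password rejected: " + ", ".join(violations))
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest, now)

    def login(self, username: str, password: str, now: datetime) -> str:
        """Outcome string; does not reveal whether the username or the password was wrong."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if acct.locked_until is not None and now < acct.locked_until:
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked_until = now + LOCKOUT_PERIOD
                acct.failed_logins = 0
                return "locked"
            return "denied"
        acct.failed_logins = 0
        if now - acct.password_set_at > MAX_PASSWORD_AGE:
            return "password-expired"                       # user must change it first
        self.sessions[username] = Session(username, now)
        return "ok"

    def session_active(self, username: str, now: datetime) -> bool:
        """Sessions idle longer than SESSION_TIMEOUT are dropped automatically."""
        sess = self.sessions.get(username)
        if sess is None:
            return False
        if now - sess.last_activity > SESSION_TIMEOUT:
            del self.sessions[username]
            return False
        sess.last_activity = now
        return True
```

Two design points match the guideline text: the clock is passed in rather than read from the system, so the frequency-of-change and timeout rules can be audited and tested deterministically, and the login outcome is the same for an unknown username and a wrong password, so the authentication step does not leak which usernames exist.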
Data Gathering

A structured questionnaire adapted and modified from previous questionnaires used by the Corporate Governance Task Force (2004) was used as the main instrument to gather data. Of the total 13 universities in Zimbabwe, 9 managed to participate in this research. The questionnaires were completed by the Executive Dean, IT Director, Operations Manager or Chairperson for the department.

Section I: Organizational Reliance on IT

The first section was designed to help in determining the institution's reliance on information technology for business continuity.

Table 1: Characteristics of Organization. Each row gives the question followed by the frequency of responses across the scores 0 to 4, as printed in the source (the digits run together there, so the per-score split is kept as printed).

- Dependence on information technology systems and the Internet to conduct academic, research, and outreach programs and offer support services: 9
- Value of organization's intellectual property stored or transmitted in electronic form: 27
- The sensitivity of stakeholders (including but not limited to students, faculty, staff, alumni, governing boards, legislators, donors, and funding agencies) to privacy: 234
- Level of regulation regarding security (international, federal, state, or local regulations): 1431
- Does your organization have academic or research programs in a sensitive area that may make you a target of violent physical or cyber attack from any groups?: 5121
- Total score: 196722

Scoring: Very Low = 0, Low = 1, Medium = 2, High = 3, Very High = 4

Section II: Risk Management

This section assesses the risk management process as it relates to creating an information security strategy and program.
Table 2: Information Security Risk Assessment. Each row gives the question followed by the frequency of responses across the scores 0 to 4, as printed in the source.

- Does your organization have a documented information security program?: 252
- Has your organization conducted a risk assessment to identify the key objectives that need to be supported by your information security program?: 243
- Has your organization identified critical assets and the functions that rely on them?: 225
- Have the information security threats and vulnerabilities associated with each of the critical assets and functions been identified?: 2421
- Has a cost been assigned to the loss of each critical asset or function?: 1332
- Do you have a written information security strategy?: 2421
- Does your written information security strategy include plans that seek to cost-effectively reduce the risks to an acceptable level, with minimal disruptions to operations?: 4221
- Is the strategy reviewed and updated at least annually or more frequently when significant changes require it?: 2331
- Do you have a process in place to monitor federal, state, or international legislation or regulations and determine their applicability to your organization?: 22321
- Total: 1016261416

Scoring: Not Implemented = 0, Planning Stages = 1, Partially Implemented = 2, Close to Completion = 3, Fully Implemented = 4

Section III: People

This section assesses the organizational aspects of the information security program.

Table 3: Information Security Function/Organization. Each row gives the question followed by the frequency of responses across the scores 0 to 4, as printed in the source.

- Do you have a person that has information security as his primary duty, with responsibility for maintaining the security program and ensuring compliance?: 4311
- Do the leaders and staff of your information security organization have the necessary experience and qualifications?: 522
- Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes and audits?: 3411
- Do you have an ongoing training program in place to build skills and competencies for information security for members of the information security function?: 2232
- Does the information security function report regularly to institutional leaders and the governing board on the compliance of the institution with, and the effectiveness of, the information security program and policies?: 2331
- Are the senior officers of the institution ultimately responsible and accountable for the information security program, including approval of information security policies?: 342
- Total: 16171470

Scoring: Not Implemented = 0, Planning Stages = 1, Partially Implemented = 2, Close to Completion = 3, Fully Implemented = 4

Section IV: Processes

This section assesses the processes that should be part of an information security program.

Table 4: Security Technology Strategy. Each row gives the question followed by the frequency of responses across the scores 0 to 4, as printed in the source.

- Have you instituted processes and procedures for involving the security personnel in evaluating and addressing any security impacts before the purchase or introduction of new systems?: 2331
- Do you have a process to appropriately evaluate and classify the information and information assets that support the operations and assets under your control, to indicate the appropriate levels of information security?: 12321
- Are written information security policies consistent, easy to understand, and readily available to administrators, faculty, employees, students, contractors, and partners?: 2331
- Are consequences for noncompliance with corporate policies clearly communicated and enforced?: 13231
- Do your security policies effectively address the risks identified in your risk analysis/risk assessments?: 234
- Are information security issues considered in all important decisions within the organization?: 3231
- Do you constantly monitor in real time your networks, systems and applications for unauthorized access and anomalous behavior such as viruses, malicious code insertion, or break-in attempts?: 13311
- Is sensitive data encrypted and associated encryption keys properly protected?: 23211
- Do you have an authorization system that enforces time limits and defaults to minimum privileges?: 2223
- Do your systems and applications enforce session/user management practices including automatic timeouts, lock out on login failure, and revocation?: 2322
- Based on your information security risk management strategy, do you have official written information security policies or procedures that address each of the following areas?
  - Individual employee responsibilities for information security practices: 4311
  - Acceptable use of computers, e-mail, Internet, and intranet: 2322
  - Protection of organizational assets, including intellectual property: 2232
  - Access control, authentication, and authorization practices and requirements: 12312
  - Information sharing, including storing and transmitting institutional data on external resources (ISPs, external networks, contractors' systems): 21321
  - Disaster recovery contingency planning (business continuity planning): 1134
  - Change management processes: 2322
  - Physical security and personnel clearances or background checks: 1332
  - Data backups and secure off-site storage: 1134
  - Secure disposal of data, old media, or printed materials that contain sensitive information: 234
- For your critical data centers, programming rooms, network operations centers, and other sensitive facilities or locations: 234
  - Are multiple physical security measures in place to restrict forced or unauthorized entry?: 1233
  - Is there a process for issuing keys, codes, and/or cards that requires proper authorization and background checks for access to these sensitive facilities?: 2133
  - Is your critical hardware and wiring protected from power loss, tampering, failure, and environmental threats?: 144
- Total: 1745585047

Scoring: Not Implemented = 0, Planning Stages = 1, Partially Implemented = 2, Close to Completion = 3, Fully Implemented = 4

Discussion

As shown by the total scores in Table 1, the majority of the universities have a very high reliance on IT in their services.
This is shown by the structure and characteristics of the university. Information risk assessment and management leaves a lot to be desired by the universities. Most of the universities have only partially implemented such programs. A large number of employees in the IT departments of most universities do not have sufficient skills to implement good information security governance. Most universities lack leaders who have the rightful know-how on the subject. In addition to that, there is no representative in the council who is an IT expert, hence most leaders lack interest and initiative on information security. Due to the lack of full responsibility for information security by the leaders, implementing processes for information security might also be a challenge, especially to the IT department, as it is normally the department given the responsibility.

Conclusion

There is a need for institutions to start focusing on proper information security governance. For a start, organizations such as the Government, the Computer Society of Zimbabwe, Zim Law Society, POTRAZ, ICAZ, IIAZ, Zimbabwe Institute of Management and other industry governing bodies should put their heads together and define the appropriate legislation that mandates information security governance, either by referring to existing international frameworks (PCI-DSS, SOX, COSO, ITIL, SABSA, COBIT, FIPS, NIST, ISO 27002/5, CMM, ITG Governance Framework) or by consulting local information security and business professionals to come up with an information security governance framework. As the Zimbabwean economy is slowly sprouting, the art of information security governance in the universities should also take a leap. The adoption of information security governance will ensure that security becomes a part of any university and thus customers' confidence will be boosted.

References

Drucker, P. Management Challenges for the 21st Century, Harper's Business, 1993.
Corporate Governance Task Force, Information Security Governance: Call to Action, USA, 2004.
IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, USA, 2003, www.itgi.org.
IT Governance Institute, Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, USA, 2006.
ISO/IEC 38500: Corporate Governance of Information Technology, 2008.
IT Governance Institute, COBIT 4.0, USA, 2005, www.itgi.org.
IT Governance Institute, COBIT Security Baseline, USA, 2004, www.itgi.org.
National Association of Corporate Directors, Information Security Oversight: Essential Board Practices, USA, 2001.
Pironti, J. P., Information Security Governance: Motivations, Benefits and Outcomes, Information Systems Control Journal, vol. 4 (2006) 458.
Rutsito, T. (2005) IT governance, security define new era. The Herald, 07 November.
Kaitano, F. (2010) Information Security Governance: Missing Link In Corporate Governance. TechZim. http://www.techzim.co.zw/2010/05/information-security-governance-missing-link-in-corporate-governance, accessed 02 May 2013.
Horton, T.R., Le Grand, C.H., Murray, W.H., Ozier, W.J. and Parker, D.B. (2000). Information Security Management and Assurance: A Call to Action for Corporate Governance. United States of America: The Institute of Internal Auditors.
Hostland, K., Enstad, A. P., Eilertsen, O. and Boe, G. (2010). Information Security Policy Best Practice Document.
