ITS Security’s mission is to establish a vibrant security program that effectively safeguards the University’s information resources and at the same time supports the goals and objectives of the institution.
Some of our major initiative this year included
- Establishing direction through policy and procedures for information risk management, including both information security and operational recovery.
- Completing a Business Impact Analysis exercise to establish key systems that support the University’s business.
- Completing Phase II of the ITS Information Technology Disaster Recovery Plan.
- Developing, maintaining, and executing a risk management monitoring and compliance process using CoBIT.
- Promoting and improving prevention and risk reduction through awareness, training, education, collaboration, and consultation.
- Ensuring that incident handling, response, and follow-up occur in an effective and coordinated manner.
- Fostering and maintaining communications with information stakeholders with the establishment of ITS web site.
- Meeting and exceeding the State University System’s information security requirements.
- Promoting a safe, secure and enabling environment for teaching, instruction and research, through policies, technology and awareness.
Policy and Procedures
The policy and procedures are cornerstones and guiding principals of our information security program. The following IT Security policies and procedures are in effect:
- Enterprise Information Systems Security and Control 2008-01 outlining the following objectives:
- Ensure the University community IT resources are appropriately protected from destruction, disruption, alteration or unauthorized access, disclosure and misuse of information.
- Ensure that IT resource protections are accomplished in a manner consistent with the business and workflow requirements of the University and best practices of the industry.
- Ensure the security and confidentiality of individual stakeholder’s information as defined in 16 CFR Part 314; protect against any anticipated threats or hazards to the security or integrity of such information; and, protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any individual stakeholder.
- Managing ITS Security Incidents
- Setting up Network Access
- Setting up or Changing iRattler Access
- Terminating a User’s iRattler Access
- Terminating a User’s Network Access
- Training an iRattler User
Business Impact Analysis
A Business Impact Analysis (BIA) was completed during the fall of 2008. This is the first step in the business continuity planning process and included the activities:
- Assessment and prioritization of significant business functions/processes, including their interdependencies;
- Identification of the potential impact and probability of disruptions of information services, technology, personnel, facilities and services provided by third-parities resulting from uncontrolled events, including;
- Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills;
- Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions;
- Malicious activity including fraud, theft or blackmail; sabotage; vandalism and looting; and terrorism;
- Determine maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime.
Information Technology Disaster Recovery Plan (IT/DRP)
Using the results of the Business Impact Analysis, ITS completed the process of developing our disaster recovery plans for critical systems housed at Perry-Paige Data Center and Network Operations Center.
Disaster recovery planning is essential to ensure continued operations in the face of a significant disaster such as fire, flood or man-made disaster. Without well-documented plans and adequate preparation, disaster recovery cannot be guaranteed within an acceptable timeframe.
Executing our risk management monitoring and compliance process using CoBIT.
A major factor in passing all IT audits and SACSCOC probation involved integrating risk management with IT’s modified CoBIT control framework. IT Security continues to verify and validate that all key controls are working properly. Our processes also assisted in the analysis of PeopleSoft security access levels and assisted efforts during the upgrade of the PeopleSoft Human Capital Management applications to version 9.1.
100% of Key Controls are in Place
Identify areas of improvement in the current PeopleSoft environment. This included the items identified by the AG as well as other areas. An extensive module by module analysis was conducted to identify where improvements could be made and to ensure all access was appropriate.
Identify the new or changed features in PeopleSoft (9.0). The application upgrade provided new and/or changed functionality. This new and/or changed functionality needed to be analyzed to ensure adequate security was applied when implemented.
Combine these into the “new” PeopleSoft Security Matrix. The items discussed above need to be brought together so that a new PeopleSoft Security Matrix representing the desired security settings can be implemented with the 9.0 upgrade.
Document “Business Rules” to support the “new” PeopleSoft Security Matrix. One of the contributing factors to the concerns identified by the AG was the lack of a security strategy that documented why accesses were set up a certain way and what should be considered for future updates. To provide a strong foundation for the existing security set-up and a basis for on-going changes documentation of the “business rationale” needs to be done.
Coordinate implementation of the new security set-up with the business user. The effort to implement the new security set-up needs significant coordination between the FAMU ITS function, integration consultants, and end user is necessary. This includes processes to maintain the integrity of security going forward.