The University of Iowa Information Security Program
May 2003
Revised: December 2004, November 2006
1. Overview and Objective
This program is a collection of policy statements, an architecture model, and a description of the approach taken at the University of Iowa for information security. Together, they describe administrative, operational, and technical security safeguards that must be implemented for systems that create, maintain, house, or otherwise use confidential or sensitive information.
The objective is to provide Business Value:
- Applications are delivered to more individuals, in a more timely manner, and with better/definitive data
- Broader deployment of services and data increases both its value and the institution's risk
- Information security is crucial to this distributed environment
- There are many layers of security involved, each managed in concert with the rest to provide “Defense in Depth”:
  - Physical access to systems
  - Server or host controls
  - Client or workstation controls
  - Data access controls (confidentiality)
  - Policy & Procedures
  - Network controls
  - Employee practices
Management is responsible for taking the necessary steps to identify internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of institutional data. Risks may include, but are not limited to:
- Unauthorized access to confidential information
- Compromised system security as a result of access by an intruder
- Interception of data on the network
- Physical loss of data center or computer equipment
- Errors or corruption introduced into systems
- Inadequate system administration practices
Responsibility for managing the Information Security Program is described in Roles and Responsibilities for Information Security. This program description will be reviewed and (if necessary) updated on an annual basis by the IT Security Officer. Documentation supporting compliance with regulatory controls (e.g., memoranda received from service providers attesting to their security safeguards) will be maintained in the IT Security Office.
2. Administrative Controls
2.1 Risk assessment and management: Risk assessments are performed on critical information technology assets of the University of Iowa on a regular basis by both the University of Iowa Internal Audit department, and by the Office of the State Auditor. Feedback includes a comprehensive report of actionable risk mitigation/remediation recommendations. The IT Security Office also performs risk assessments for management upon request. In addition, a formalized process has been developed by the IT Security Office and is available for reviewing and approving IT security plans prior to forming agreements, grants, and other relationships or collaborations with the University of Iowa. This process includes an assessment phase.
2.2 Incident Response: The University of Iowa has an incident response capability which is documented at the Incident Response web site, along with a policy describing IT Security Incident Escalation procedures for security incident resolution. Activities to enhance our support environment, formation of a Computer Security Incident Response Team for crisis situations, and continuous improvement in our capability to track and resolve security incidents are ongoing.
2.3 Acceptable Use of Information Technology Resources: The policy at http://www.uiowa.edu/~our/opmanual/ii/19.htm describes the expectations for all members of the user community for appropriate use of technology, protection of privacy, and protection of academic freedoms.
2.4 Planning for security: A control review should be performed before implementation of computer systems which house or handle confidential institutional information. This may include:
- a technical security evaluation to ensure appropriate safeguards are in place and operational
- a risk assessment, including a review for regulatory, legal, and policy compliance
- a contingency plan, including the data recovery strategy
2.5 Personnel security: The University of Iowa implemented a policy regarding pre-employment Criminal Background Checks in December 2005. All employees are presented with, and must accept, a confidentiality statement annually.
3. Operational Controls
The Information Security Framework policy describes the expectations for the secure operation and control of institutional IT assets. It addresses the following issues:
3.1 General Principles
3.2 Information Access: Physical, Electronic, Automated Operations, and Contractors
3.3 Communication Security
3.4 Information Integrity Controls: Separation of Duties, System and Application Software, Change Controls, and Anti-Virus
3.5 Preventive Measures: Prevention, Backup, Emergency Operations, and Disaster Recovery
3.6 Information backup and recovery: The Backup and Recovery policy describes expectations for the backup processes and procedures to adequately protect institutional information.
4. Technical Controls
4.1 Identification: The standard format for Login Identifiers (user names) is described in the Enterprise Login Standard.
4.2 Authentication: The UI has policies describing the Enterprise Authentication Service, and the requirements for Password Controls.
4.3 Access control: The Institutional Data Access policy describes the classification scheme for institutional data and the data handling controls required for each level of data.
4.4 Auditing: Section 6.5 of the Information Security Framework policy addresses auditing requirements for confidential institutional information.
5. Information Security Architecture Model*:

*adapted from Daniel Blum, The Burton Group, “Securing the Virtual Enterprise Network”, RSA Security Conference, 14 April 2003.
6. University of Iowa Information Security Approach:
6.1 Implementation of Critical Systems
- Highly Redundant, with no single points of failure
  - Hardware/equipment
  - Physical space & network segments
  - No “single person” system administration dependency
- Physically secured
  - Secure location
  - Conditioned power & UPS
  - Environmental controls (HVAC)
- Enables local services delivery layered over infrastructure services
- Very granular authorization/access controls are available
- Enables enterprise-wide services delivery (directory enabled applications)
- Local service providers concentrate on service delivery rather than supporting infrastructure
6.2 People
- Technical system administrators will
  - Collaborate, provide robust solutions
  - Cooperate, employ division of labor
  - Be responsive to changes
  - Reflect training/expertise requirements
- User experience is improved through
  - Higher availability of applications
  - Better reliability of services
  - Consolidated login (simplified sign-on)
6.3 Policy
- Collaborative policy development is employed to drive the technologies adopted (See IT Policy Website)
- Ability to reach broader compliance with security/privacy regulations (e.g., HIPAA, GLBA)
- Security procedures are well thought out and communicated