Enterprise Information Security Program

May 2003

1. Objective

This program is a collection of policy statements, an architecture model, and a description of the approach taken at the University of Iowa for information security.  Together, they describe administrative, operational, and technical security safeguards that must be implemented for systems that create, maintain, house, or otherwise use confidential or sensitive information. 

The objective is to provide Business Value:

Management is responsible for taking the necessary steps to identify internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of institutional data.  Risks may include, but are not limited to:

Responsibility for managing the Enterprise Information Security Program is described in Roles and Responsibilities for Information Security. This document will be reviewed and updated on an annual basis by the IT Security Officer. Documentation supporting compliance with regulatory controls (e.g., memoranda received from service providers attesting to their security safeguards) will be maintained by the IT Security Office.

2. Administrative Controls

2.1 Risk assessment and management: Risk assessments are performed on critical information technology assets of the University of Iowa on a regular basis by both the University of Iowa Internal Audit department and the Office of the State Auditor. Feedback includes a comprehensive report of actionable risk mitigation/remediation recommendations. The IT Security Office will perform risk assessments for management upon request. In addition, a formalized process is under development for approving IT security plans prior to forming (contract) agreements, grants, and other relationships or collaborations with the University of Iowa. This process includes an assessment phase.

2.2 Incident Response:  The University of Iowa has an incident response capability which is documented at the Incident Response website, along with a policy describing escalation procedures for security incident resolution.

A project is underway to enhance the current environment, by forming a Computer Security Incident Response Team, and improving our capability to track and resolve security incidents.

2.3 Acceptable Use of Information Technology Resources: http://www.uiowa.edu/~our/opmanual/ii/19.htm describes the expectations for all members of the user community for appropriate use of technology, protection of privacy, and protection of academic freedoms.

2.4 Planning for security:  A control review should be performed before implementation of computer systems which house or handle confidential institutional information.  This may include

2.5 Personnel security: The Information Technology Services organization has implemented the following (draft) policy regarding pre-employment employee Background Checks.

3. Operational Controls

The Information Security Framework policy describes the expectations for the secure operation and control of institutional IT assets. It addresses the following issues:

3.1 General Principles

3.2 Information Access

Physical, Electronic, Automated Operations, and Contractors

3.3 Communication Security

3.4 Information Integrity Controls

Separation of Duties, System and Application Software, Change Controls, and Anti-Virus

3.5 Preventive Measures

Prevention, Backup, Emergency Operations, and Disaster Recovery

3.6 Information backup and recovery: The Backup and Recovery policy describes expectations for the backup processes and procedures to adequately protect institutional information.

4. Technical Controls

4.1 Identification:  The standard format for Login Identifiers (user names) is described at: Enterprise Login Standard.

4.2 Authentication: The UI has policies describing the Enterprise Authentication Service, and the requirements for Password Controls.

4.3 Access control: The UI Policy describing the classification scheme for institutional data, and the data handling controls required for each level of data, is in the Institutional Data Access policy.

4.4 Auditing: The Information Security Framework policy, Section 6.5 addresses auditing requirements for confidential institutional information.

5. Information Security Architecture Model*:

(Figure: Information Security Architecture Model)

*adapted from Daniel Blum, The Burton Group, “Securing the Virtual Enterprise Network”, RSA Security Conference, 14 April 2003.

6. Campus Information Security Approach:

6.1 Implementation

  1. Highly Redundant – no single points of failure
    1. Hardware/equipment
    2. Physical space & network segments
    3. No “single person” system administration dependency
  2. Physical security
    1. Secure location
    2. Conditioned power & UPS
    3. Environmental controls (HVAC)
  3. Enable local services delivery layered over infrastructure services
  4. Very granular authorization/access controls available
  5. Enable enterprise-wide services delivery (directory enabled applications)
  6. Local service providers concentrate on service delivery rather than infrastructure

6.2 People

  1. Technical system administrators
    1. Collaboration, robust solutions 
    2. Cooperation, division of labor
    3. Responsive to changes
    4. Training/expertise requirements
  2. Improved user experience
    1. Availability of applications
    2. Reliability of services
    3. Consolidated login (simplified sign-on)

6.3 Policy

  1. Collaborative policy development to drive the technologies adopted
  2. Ability to reach broader compliance with security/privacy regulations (e.g., HIPAA, GLBA)
  3. Security procedures well thought out and communicated

Revised, V1.1, 5/23/2003

Copyright © 2005 The University of Iowa. All rights reserved.