Tuesday, April 16, 2019
An analysis of Information Security Governance in the Universities in Zimbabwe

Abstract

The complexity and criticality of information security and its governance demand that it be elevated to the highest organizational levels. Within a university setup, information assets include student and personnel records, health and financial information, research data, teaching and learning materials and all restricted and unrestricted electronic library materials. Security of these information assets is among the highest priorities in terms of risk and liabilities, business continuity, and protection of university reputations. As a critical resource, information must be treated like any other asset essential to the survival and success of the organization. In this paper the author discusses the need for implementing information security governance within institutions of higher education. Further, the paper discusses how best to practise information security governance within the universities in Zimbabwe, followed by an assessment of how far the Zimbabwean universities have implemented information security governance. A combination of questionnaires and interviews is used as the tool to gather data, and some recommendations are stated towards the end of the paper.

Introduction

Governance, as defined by the IT Governance Institute (2003), is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
Information security governance is the system by which an organization directs and controls information security (adapted from ISO 38500). It specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, as well as ensuring that security strategies are aligned with the business and consistent with regulations. To exercise effective enterprise and information security governance, boards and senior executives must have a clear understanding of what to expect from their enterprise's information security programme. They need to know how to direct the implementation of an information security programme, how to evaluate their own status with regard to an existing security programme and how to decide the strategy and objectives of an effective security programme (IT Governance Institute, 2006). Stakeholders are becoming more and more concerned about information security as news of hacking, data theft and other attacks arrives more frequently than ever. Executive management has been saddled with the accountability of ensuring that an organization provides users with a secure information systems environment. Information security is not only a technical issue, but a business and governance challenge that involves adequate risk management, reporting and accountability. Effective security requires the active involvement of executives to assess emerging threats and the organization's response to them (Corporate Governance Task Force, 2004). Furthermore, organizations need to protect themselves against the risks inherent in the use of information systems while simultaneously recognizing the benefits that can accrue from having secure information systems.
Peter Drucker (1993) stated: "The diffusion of technology and the commodification of information transforms the role of information into a resource equal in importance to the traditionally important resources of land, labor and capital." Thus, as dependence on information systems increases, the criticality of information security brings with it the need for effective information security governance.

Need for Information Security Governance within universities

A key goal of information security is to reduce adverse impacts on the organization to an acceptable level of risk. Information security protects information assets against the risk of loss, operational discontinuity, misuse, unauthorized disclosure, inaccessibility and damage. It also protects against the ever-increasing potential for civil or legal liability that organizations face as a result of information inaccuracy and loss, or the absence of due care in its protection. Information security covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties. Information security addresses information protection, confidentiality, availability and integrity throughout the life cycle of the information and its use within the organization. John P. Pironti (2006) suggested that among the many reasons for information security governance, the most important is the one concerned with legal liability, protection of the organization's reputation and regulatory compliance. In the university setup, all members of the university community are obligated to respect and, in many cases, to protect confidential data.
Medical records, student records, certain employment-related records, library use records, attorney-client communications, and certain research and other intellectual property-related records are, subject to special exceptions, confidential as a matter of law. Many other categories of records, including faculty and other personnel records, and records relating to the university's business and finances, are, as a matter of university policy, treated as confidential. Systems (hardware and software) designed primarily to store confidential records (such as the Financial Information System, the Student Information System and all medical records systems) require enhanced security protections and are controlled (strategic) systems to which access is closely monitored. Networks provide connection to records, information, and other networks and also require security protections. The use of university information technology assets in other than the manner and for the purpose for which they were intended represents a misallocation of resources and, possibly, a violation of law. To achieve all this in today's complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department. Information security is a top-down process requiring a comprehensive security strategy that is explicitly linked to the organization's business processes and strategy. Security must address the entire organization's processes, both physical and technical, from end to end. Hence, information security governance requires senior management commitment, a security-aware culture, promotion of good security practices and compliance with policy.
It is easier to buy a solution than to change a culture, but even the most secure system will not achieve a significant degree of security if used by ill-informed, untrained, careless or indifferent personnel (IT Governance Institute, 2006). In an interview, the executive director and information security expert on IT governance and cyber security with the IT Governance and Cyber Security Institute of sub-Saharan Africa, Dr Richard Gwashy Young, had this to say: "Remember, in Zimbabwe security is regarded as an expense, not an investment" (Rutsito, 2012).

Benefits of Information Security Governance

Good information security governance generates significant benefits, including:
- The board of directors taking full responsibility for information security initiatives
- Increased predictability and reduced uncertainty of business operations by lowering information security-related risks to definable and acceptable levels
- Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care
- The structure and framework to optimize allocation of limited security resources
- Assurance of effective information security policy and policy compliance
- A firm foundation for efficient and effective risk management, process improvement, and rapid incident response related to securing information
- A level of assurance that critical decisions are not based on faulty information
- Accountability for safeguarding information during critical business activities
- Easier compliance with local and international regulations
- Improved resource management, optimizing knowledge, information security and information technology infrastructure

The benefits add significant value to the organization by:
- Improving trust in customer/client relationships
- Protecting the organization's reputation
- Decreasing the likelihood of violations of privacy
- Providing greater confidence when interacting with trading partners
- Enabling new and better ways to process electronic transactions, such as publishing results online and online registration
- Reducing operational costs by providing predictable outcomes and mitigating risk factors that may interrupt the process

The benefits of good information security are not just a reduction in risk or a reduction in the impact should something go wrong. Good security can improve reputation, confidence and trust from others with whom business is conducted, and can even improve efficiency by avoiding wasted time and effort recovering from a security incident (IT Governance Institute, 2004).

Information Security Governance Outcomes

Five basic outcomes can be expected to result from developing an effective governance approach to information security:
- Strategic alignment of information security with institutional objectives
- Reduction of risk and potential business impacts to an acceptable level
- Value delivery through the optimization of security investments in line with institutional objectives
- Efficient utilization of security investments supporting organization objectives
- Performance measurement and monitoring to verify that objectives are met

Best practices

The National Association of Corporate Directors (2001) recognizes the importance of information security and recommends four essential practices for boards of directors. The four practices, which are based on the practicalities of how boards operate, are:
- Place information security on the board's agenda.
- Identify information security leaders, hold them accountable and ensure support for them.
- Ensure the effectiveness of the corporation's information security policy through review and approval.
- Assign information security to a key committee and ensure adequate support for that committee.
It is critical that management ensure that adequate resources are allocated to support the overall enterprise information security strategy (IT Governance Institute, 2006). To achieve effective information security governance, management must establish and maintain a framework to guide the development and maintenance of a comprehensive information security programme. According to Horton et al. (2000), an information security governance framework generally consists of:
- An information security risk management methodology
- A comprehensive security strategy explicitly linked with business and IT objectives
- An effective security organizational structure
- A security strategy that addresses the value of information, both protected and delivered
- Security policies that address each aspect of strategy, control and regulation
- A complete set of security standards for each policy to ensure that procedures and guidelines comply with policy
- Institutionalized monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk
- A process to ensure continued evaluation and update of security policies, standards, procedures and risks

This kind of framework, in turn, provides the basis for the development of a cost-effective information security programme that supports an organization's goals and provides an acceptable level of predictability for operations by limiting the impacts of adverse events. In his article, Kaitano (2010) pointed out some characteristics of good corporate governance coupled with good security governance. These include, but are not limited to:
- Information security is treated as an organization-wide issue and leaders are accountable
- It leads to viable Governance, Risk and Compliance (GRC) milestones
- It is risk-based and focuses on all aspects of security
- Proper frameworks and programs have been implemented
- It is not treated as a cost but as a way of doing business
- Roles, responsibilities and segregation of duties are defined
- It is addressed and enforced by policy
- Adequate resources are committed and staff are aware and trained
- It is planned, managed, measurable and measured
- It is reviewed and audited

The overall objective of the programme is to provide assurance that information assets are protected in accordance with their value or the risk their compromise poses to an organization. The framework generates a set of activities that supports fulfilment of this objective.

Principles for information security within the University

In their article titled Information Security Policy Best Practice Document, Hostland et al. (2010) pointed out some guiding principles for information security within a university setup. The following are some of the principles they mentioned.

1. Risk assessment and management

The university's approach to security should be based on risk assessments; these should be carried out continuously and the need for protective measures evaluated. Measures must be evaluated based on the university's role as an establishment for education and research and with regard to efficiency, cost and practical feasibility. An overall risk assessment of the information systems should be performed annually. Risk assessments must identify, quantify and prioritize the risks according to relevant criteria for acceptable risk. Risk assessments should also be carried out when implementing changes impacting information security. Recognized methods of assessing risk, such as ISO/IEC 27005, should be employed. Risk management is to be carried out according to criteria approved by the management of the University.
Risk assessments must be approved by the management, and if a risk assessment reveals unacceptable risks, measures must be implemented to reduce the risk to an acceptable level.

2. Information security policy

The Vice Chancellor should ensure that the information security policy, as well as guidelines and standards, are utilized and acted upon. He must also ensure the availability of sufficient training and information material for all users, in order to enable the users to protect the university's data and information systems. The security policy should be reviewed and updated annually or when necessary, in accordance with the principles described in ISO/IEC 27001. In addition, all important changes to the university's activities, and other external changes related to the threat level, should result in a revision of the policy and of the guidelines relevant to information security.

3. Security organization

The Vice Chancellor is responsible for all government contact. The university should appoint a CSO (Chief Security Officer). Each department and section should also be responsible for implementing the unit's information security. The managers of each unit must appoint separate security administrators. The Registrar Academics has the primary responsibility for information security in connection with the student registry and other student-related information. The IT Director has executive responsibility for information security in connection with IT systems and infrastructure. The Operations Manager has executive responsibility for information security in connection with structural infrastructure. He also has overall responsibility for quality work, while the operational responsibility is delegated according to the management structure. The Registrar Human Resources also has executive responsibility for information security according to the Personal Data Act and is the day-to-day controller of the personal information of the employees.
The Registrar Academics and Research Administration also have executive responsibility for research-related personal information. The university's information security should be revised on a regular basis, through internal control and as needed, with assistance from an external IT auditor.

4. Information security in connection with users of the University's services

Prior to employment, security responsibilities and roles for employees and contractors should be described. A background check should also be carried out on all appointees to positions at the university, according to relevant laws and regulations. A confidentiality agreement should be signed by employees, contractors or others who may gain access to sensitive and/or internal information. IT regulations should be accepted as part of all employment contracts and as a condition of system access for third parties. During employment, the IT regulations covering the university's information security requirements should be in place and the users' responsibility for complying with these regulations is to be emphasized. The IT regulations should be reviewed on a regular basis with all users and with all new hires. All employees and third-party users should receive adequate training and updates regarding the information security policy and procedures. Breaches of the information security policy and accompanying guidelines will normally result in sanctions. The university's information, information systems and other assets should only be used for their intended purpose. Necessary private usage is permitted. Private IT equipment may only be connected to the university's infrastructure where explicitly permitted. All other use must be approved in advance by the IT department. On termination or change of employment, the responsibility for handling the termination or change should be clearly defined in a separate routine with the relevant circulation forms. The university's assets should be handed in once the need for their use has ended.
The University should change or terminate access rights on termination or change of employment. A routine should be in place for handling alumni relationships. Notification of employment termination or change should be carried out through the procedures defined in the personnel system.

5. Information security regarding physical conditions

IT equipment and information that require protection should be placed in secure physical areas. Secure areas should have suitable access control to ensure that only authorized personnel have access. All of the University's buildings should be secured according to their classification by using adequate security systems, including suitable tracking/logging. Security managers for the various areas of responsibility should ensure that work performed by third parties in secure zones is suitably monitored and documented. All external doors and windows must be closed and locked at the end of the work day. As for securing equipment, IT equipment which is essential for daily activities must be protected against environmental threats (fires, flooding, temperature variations). Information classified as sensitive must not be stored on portable computer equipment (e.g. laptops, cell phones, memory sticks). If it is necessary to store this information on portable equipment, the information must be password protected and encrypted in compliance with guidelines from the IT department. During travel, portable computer equipment should be treated as carry-on luggage. Fire drills should also be carried out on a regular basis.

6. IT communications and operations management

Purchase and installation of IT equipment and software for IT equipment must be approved by the IT department. The IT department should ensure documentation of the IT systems according to the university's standards. Changes in IT systems should only be implemented if well-founded from a business and security standpoint.
The IT department should have emergency procedures in order to minimize the effect of unsuccessful changes to the IT systems. Operational procedures should be documented and the documentation must be updated following all substantial changes. Before a new IT system is put into production, plans and risk assessments should be in place to avoid errors. Additionally, routines for monitoring and managing unforeseen problems should be in place. Duties and responsibilities should be separated in a manner that reduces the possibility of unauthorized or unforeseen abuse of the university's assets. Development, testing and maintenance should be separated from operations in order to reduce the risk of unauthorized access or changes, and in order to reduce the risk of error conditions. On system planning and acceptance, the requirements for information security must be taken into consideration when designing, testing, implementing and upgrading IT systems, as well as during system changes. Routines must be developed for change management and system development/maintenance. IT systems must be dimensioned according to capacity requirements, and the load should be monitored so that upgrades and adjustments can be made in a timely manner; this is especially important for business-critical systems. Written guidelines for access control and passwords based on business and security requirements should be in place. The guidelines should be re-evaluated on a regular basis and should contain password requirements (frequency of change, minimum length, character types which may/must be used) and regulate password storage. All users accessing systems must be authenticated according to the guidelines and should have unique combinations of usernames and passwords. Users are responsible for any usage of their usernames and passwords.
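The password guidance above names the categories a standard must cover (minimum length, permitted character types, rotation frequency, and how passwords are stored) without giving concrete values or code. The following is an added example, not part of the original paper nor of the Hostland et al. document it summarizes; it shows one way a university identity system could implement such a standard: a policy check at enrolment, salted PBKDF2-HMAC-SHA256 hashing so the password itself is never stored, and constant-time verification at login. The minimum length (12), iteration count (600,000, the OWASP 2023 figure for this algorithm), salt size and the tiny blocklist are assumed values chosen for illustration. One practitioner caveat: forced periodic rotation, listed in the source, is discouraged by NIST SP 800-63B, which says verifiers should change passwords only on evidence of compromise and should prefer length and a breached-password blocklist over composition rules; the example therefore enforces length and a blocklist and keeps the source's character-type rule, but not rotation.

```python
import hashlib
import hmac
import re
import secrets
from typing import List, Optional

# Policy values are assumptions for illustration; the source lists the
# categories (length, character types, storage) but gives no numbers.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000   # OWASP (2023) figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
# Constructed stand-in for a breached-password blocklist (NIST SP 800-63B
# style check); a real deployment would load a large list from disk.
BLOCKLIST = {"password1234", "zimbabwe2019", "university1"}


def check_policy(password: str) -> List[str]:
    """Return the rules the candidate violates; an empty list means acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if password.lower() in BLOCKLIST:
        failures.append("appears in the blocklist of known-bad passwords")
    return failures


def hash_password(password: str) -> str:
    """Build the storable record: algorithm, iteration count, random salt, digest.

    The password itself is never written to storage; a fresh salt per user
    means identical passwords produce different records.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False          # malformed record: fail closed
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(password: str) -> Optional[str]:
    """Enforce the policy at enrolment; return the record to store, or None when rejected."""
    if check_policy(password):
        return None
    return hash_password(password)


if __name__ == "__main__":
    record = register("Harare-Campus-2019")          # constructed sample password
    print("stored record:", record)
    print("login with correct password:", verify_password("Harare-Campus-2019", record))
    print("login with wrong case:", verify_password("harare-campus-2019", record))
    print("weak password rejected:", register("password1234") is None)
```

The record format carries its own iteration count, so the count can be raised later for new enrolments while old records still verify; re-hash on the next successful login to migrate them.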
Data Gathering

A structured questionnaire, adapted and modified from previous questionnaires used by the Corporate Governance Task Force (2004), was used as the main instrument to gather data. Of the total of 13 universities in Zimbabwe, 9 managed to participate in this research. The questionnaires were completed by the Executive Dean, IT Director, Operations Manager or Chairperson of the department.

In the tables below, the figures after each question are the numbers of responding universities (out of 9) at each score, listed in increasing score order as printed in the source; where fewer than five figures are printed, the source does not show which score columns the missing zeros fall in.

Section I: Organizational Reliance on IT

The first section was designed to help determine the institution's reliance on information technology for business continuity.

Table 1: Characteristics of Organization (scoring: Very Low = 0, Low = 1, Medium = 2, High = 3, Very High = 4)
- Dependence on information technology systems and the Internet to conduct academic, research and outreach programs and offer support services: 9
- Value of the organization's intellectual property stored or transmitted in electronic form: 2 7
- The sensitivity of stakeholders (including but not limited to students, faculty, staff, alumni, governing boards, legislators, donors and funding agencies) to privacy: 2 3 4
- Level of regulation regarding security (international, federal, state or local regulations): 1 4 3 1
- Does your organization have academic or research programs in a sensitive area that may make you a target of violent physical or cyber attack from any group? 5 1 2 1
- Total (scores 0 to 4): 1, 9, 6, 7, 22

Section II: Risk Management

This section assesses the risk management process as it relates to creating an information security strategy and program.

Table 2: Information Security Risk Assessment (scoring: Not Implemented = 0, Planning Stages = 1, Partially Implemented = 2, Close to Completion = 3, Fully Implemented = 4)
- Does your organization have a documented information security program? 2 5 2
- Has your organization conducted a risk assessment to identify the key objectives that need to be supported by your information security program? 2 4 3
- Has your organization identified critical assets and the functions that rely on them? 2 2 5
- Have the information security threats and vulnerabilities associated with each of the critical assets and functions been identified? 2 4 2 1
- Has a cost been assigned to the loss of each critical asset or function? 1 3 3 2
- Do you have a written information security strategy? 2 4 2 1
- Does your written information security strategy include plans that seek to cost-effectively reduce the risks to an acceptable level, with minimal disruption to operations? 4 2 2 1
- Is the strategy reviewed and updated at least annually, or more frequently when significant changes require it? 2 3 3 1
- Do you have a process in place to monitor federal, state or international legislation or regulations and determine their applicability to your organization? 2 2 3 2 1
- Total (scores 0 to 4): 10, 16, 26, 14, 16

Section III: People

This section assesses the organizational aspects of the information security program.

Table 3: Information Security Function/Organization (same scoring as Table 2)
- Do you have a person who has information security as his primary duty, with responsibility for maintaining the security program and ensuring compliance? 4 3 1 1
- Do the leaders and staff of your information security organization have the necessary experience and qualifications? 5 2 2
- Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes and audits? 3 4 1 1
- Do you have an ongoing training program in place to build skills and competencies in information security for members of the information security function? 2 2 3 2
- Does the information security function report regularly to institutional leaders and the governing board on the institution's compliance with, and the effectiveness of, the information security program and policies? 2 3 3 1
- Are the senior officers of the institution ultimately responsible and accountable for the information security program, including approval of information security policies? 3 4 2
- Total (scores 0 to 4): 16, 17, 14, 7, 0

Section IV: Processes

This section assesses the processes that should be part of an information security program.

Table 4: Security Technology Strategy (same scoring as Table 2)
- Have you instituted processes and procedures for involving the security personnel in evaluating and addressing any security impacts before the purchase or introduction of new systems? 2 3 3 1
- Do you have a process to appropriately evaluate and classify the information and information assets that support the operations and assets under your control, to indicate the appropriate levels of information security? 1 2 3 2 1
- Are written information security policies consistent, easy to understand, and readily available to administrators, faculty, employees, students, contractors and partners? 2 3 3 1
- Are consequences for non-compliance with corporate policies clearly communicated and enforced? 1 3 2 3 1
- Do your security policies effectively address the risks identified in your risk analysis/risk assessments? 2 3 4
- Are information security issues considered in all important decisions within the organization? 3 2 3 1
- Do you constantly monitor in real time your networks, systems and applications for unauthorized access and anomalous behavior such as viruses, malicious code insertion or break-in attempts? 1 3 3 1 1
- Is sensitive data encrypted and are the associated encryption keys properly protected? 2 3 2 1 1
- Do you have an authorization system that enforces time limits and defaults to minimum privileges? 2 2 2 3
- Do your systems and applications enforce session/user management practices including automatic timeouts, lock-out on login failure, and revocation? 2 3 2 2
- Based on your information security risk management strategy, do you have official written information security policies or procedures that address each of the following areas?
  - Individual employee responsibilities for information security practices: 4 3 1 1
  - Acceptable use of computers, e-mail, Internet and intranet: 2 3 2 2
  - Protection of organizational assets, including intellectual property: 2 2 3 2
  - Access control, authentication and authorization practices and requirements: 1 2 3 1 2
  - Information sharing, including storing and transmitting institutional data on outside resources (ISPs, external networks, contractors' systems): 2 1 3 2 1
  - Disaster recovery contingency planning (business continuity planning): 1 1 3 4
  - Change management processes: 2 3 2 2
  - Physical security and personnel clearances or background checks: 1 3 3 2
  - Data backups and secure off-site storage: 1 1 3 4
  - Secure disposal of data, old media or printed materials that contain sensitive information: 2 3 4
- For your critical data centers, programming rooms, network operations centers and other sensitive facilities or locations: 2 3 4
  - Are multiple physical security measures in place to restrict forced or unauthorized entry? 1 2 3 3
  - Is there a process for issuing keys, codes and/or cards that requires proper authorization and background checks for access to these sensitive facilities? 2 1 3 3
  - Is your critical hardware and wiring protected from power loss, tampering, failure and environmental threats? 1 4 4
- Total (scores 0 to 4): 17, 45, 58, 50, 47

Discussion

As shown by the total scores in Table 1, the majority of the universities have a very high reliance on IT in their services.
This is reflected in the structure and characteristics of the universities. Information risk assessment and management leaves much to be desired in the universities: most of them have only partially implemented such programs. A large number of employees in the IT departments of most universities do not have sufficient skills to implement good information security governance. Most universities lack leaders who have the requisite know-how on the subject. In addition, there is no representative on the council who is an IT expert, hence most leaders lack interest and initiative regarding information security. Because the leaders do not take full responsibility for information security, implementing information security processes may also be a challenge, especially for the IT department, which is normally the department given the responsibility.

Conclusion

There is a need for institutions to start focusing on proper information security governance. For a start, organizations such as the Government, the Computer Society of Zimbabwe, the Zim Law Society, POTRAZ, ICAZ, IIAZ, the Zimbabwe Institute of Management and other industry governing bodies should put their heads together and define appropriate legislation that mandates information security governance, either by referring to existing international frameworks (PCI-DSS, SOX, COSO, ITIL, SABSA, COBIT, FIPS, NIST, ISO 27002/5, CMM, ITG Governance Framework) or by consulting local information security and business professionals to come up with an information security governance framework. As the Zimbabwean economy is slowly growing, the practice of information security governance in the universities should also take a leap. The adoption of information security governance will ensure that security becomes a part of every university, and thus customers' confidence will be boosted.

References

Drucker, P. Management Challenges for the 21st Century, Harpers Business, 1993.
Corporate Governance Task Force, Information Security Governance: Call to Action, USA, 2004.
IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, USA, 2003, www.itgi.org.
IT Governance Institute, Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, USA, 2006.
ISO/IEC 38500: Corporate Governance of Information Technology, 2008.
IT Governance Institute, COBIT 4.0, USA, 2005, www.itgi.org.
IT Governance Institute, COBIT Security Baseline, USA, 2004, www.itgi.org.
National Association of Corporate Directors, Information Security Oversight: Essential Board Practices, USA, 2001.
Pironti, J. P., Information Security Governance: Motivations, Benefits and Outcomes, Information Systems Control Journal, vol. 4 (2006), 458.
Rutsito, T. (2005) IT governance, security define new era, The Herald, 07 November.
Kaitano, F. (2010) Information Security Governance: Missing Link In Corporate Governance, TechZim. http://www.techzim.co.zw/2010/05/information-security-governance-missing-link-in-corporate-governance, accessed 02 May 2013.
Horton, T.R., Le Grand, C.H., Murray, W.H., Ozier, W.J., Parker, D.B. (2000). Information Security Management and Assurance: A Call to Action for Corporate Governance. United States of America: The Institute of Internal Auditors.
Hostland, K., Enstad, A. P., Eilertsen, O., Boe, G. (2010). Information Security Policy Best Practice Document.