Recommendation 8: IT Security, Policy and Business Continuity
The University of Maryland should deploy appropriate policies and effective enforcement means to secure the integrity of information technology resources, safeguard institutional information, protect the privacy of university community members in their use of IT, and ensure the continuity of the institution's IT resources and information repositories in the face of possible disaster scenarios.
Action Item 8.1 - Advisory Committees (8.1a), Expanded Policy Awareness Activities (8.1b), and Online Presence (8.1c)
The Division of IT must lead the way to define standards for device and information security and to communicate best practices and policies across the university community.
IT security is the responsibility of all members of the UMD community. However, that community relies heavily upon the expertise of the Division of IT to define standards based upon best practices and to develop and implement policies (and enforce them) to ensure that the community is best positioned to defend the integrity of the UMD environment. Motivations (i.e., sanctions, rewards, hybrid) to follow security practices must be defined for business-critical systems and those holding sensitive data.
Action Item 8.2 - Data Stewardship
The Vice President of IT working with university administration should review the current structure regarding data stewardship and determine whether that structure is appropriate to properly define and administer access to institutional data and to ensure that policies for such access are adequate and enforced.
There is a general belief that UMD's data stewardship processes are mature. Our stewards (with oversight for financial, student, human resources, research, and other critical information sets), guided by university policy on data administration, take their roles seriously and provide the necessary checks and balances to prevent frivolous access to sensitive information from both applications and data warehouse inquiries. There may be the perception that obtaining approval for access from these data stewards could be more timely; though it may be likely that most delays are a factor of negotiating either border cases or requests that intersect with several stewards. The work flows for this process were redone fairly recently so as to utilize Kuali Rice. The biggest shortcoming may be in the area of data presentation. Most of the tools currently in use are showing their age, and the user interface on the ad hoc query tool may not be sufficiently flexible. Modernization of query and presentation tools should be a key element of a business intelligence initiative (Action Item 6.3). However, a formal - and periodically updated - review of the current structure, definitions, processes, and tools would be prudent.
The Data Policy Advisory Committee (DPAC) is composed of membership from each division of the university, major providers and consumers of institutional data, and legal counsel. In cooperation with the Division of IT, DPAC will conduct a review of policies and practices related to the use and management of institutional data during calendar year 2013. No additional resources will be required.
Update March 2014
DPAC has completed its review of policies and practices related to the use and management of institutional data. Revisions to UMCP policy VI-22.00(A) UMD Policy on Institutional Data Management and VI-23.00(A) UMD Policy on Data Management Structure and Procedures were completed in November 2013.
Action Item 8.3 - Implementation of External Audit Recommendations
The Division of IT should complete review of the recently (2012) completed external IT Security Review and in collaboration through appropriately discreet conversation with the university community, develop an implementation strategy to address points of concern raised by that review.
The Vice President of IT should charge the Chief IT Security Officer and Policy Director in his office with the responsibility (and the authority) to assume control, leadership, and responsibility for developing a plan to implement recommended actions that resulted from the 2012 IT Security Review by the Research and Education Network Information Sharing and Analysis Center. This will include responsibility for addressing unauthorized access to UMD's IT infrastructure, unauthorized disclosure of electronic information, and any security/data breaches regardless of the university entity involved. It will also entail recommendation and specification of needed technology solutions to better manage network security and intrusion detection/prevention and the integrity of information residing on central and distributed data stores across the campus. It is not the case that all items identified by the external review will or should be adopted wholesale. Rather, in conjunction with collaborative governance prescribed in Action Items 8.4 and 8.7, appropriate items will acted upon.
The action items of this strategic plan address many of the outstanding issues from the external review in areas that include data center enhancements(Action Item 1.1), IT policy and practice development Action Items (8.4 and 8.7), assessment of risk Action Items (8.6 and 8.8), and additional audit controls (Action Item 8.5). A roadmap for implementation of remaining recommendations will be completed during the first quarter of calendar year 2013. The Standards and Best Practices committee (Action Item 8.7) will provide oversight to the execution of the plan. Many of the items in the review can be accomplished at minimum costs; others may require significant multi-year investment.
Update March 2014
There were 112 recommendations, of which 72 have been addressed and completed, 17 are in progress, 16 have not yet been started, and 7 were not accepted.
Action Item 8.4 - IT Policy Framework (8.4a) and IT Policy Committee (8.4b)
The University Libraries and the Division of IT should lead the university to develop clear and forceful policies to address the management and protection (integrity) of sensitive and business-critical information (data), including the university's permanent electronic records, and the security IT infrastructure resources upon which that information resides. The Division of IT should also establish an IT policy advisory team composed of a variety of faculty and staff from across the university to assist in the review and formation of appropriate IT policies.
IT security is the responsibility of all users. The development and enforcement of security policies should be done in cooperation with the various departments. These policies will depend upon the clear articulation of institutional values and an understanding of how the institution will make judgments when its values are in conflict. For example, an individual has a right to personal privacy while the institution has an obligation to keep some records of individuals' activities and to protect itself against actions of individuals. A key step in the formulation of policy will be the development of a shared vision of information and IT based on the beliefs and values of the university community: academic freedom, collegiality, openness, and so forth.
Because development of IT policies can bring the university face-to-face with fundamental issues about its values, the process will require broad support from throughout the institution and will call for leadership at the highest levels of the university. Because the implementation of IT policies involves an ongoing process of interpretation and oversight, it will need a sustained commitment of leadership, attention, staff, and resources.
An IT policy framework must be established to facilitate the creation and promulgation of new policies. During the spring of 2013, a process will be developed to allow for the restructuring of existing IT policy and the establishment of new policy.
An IT Policy Committee composed of campus faculty and staff will be commissioned during the first half of 2013 to work with the Division of IT on the development and maintenance of campus-wide policies related to the use, management, and protection of information technology resources. There are no additional costs associated with these activities, although there may be fiscal impact as the result of policy creation or enhancement.
Update March 2014
The policy committee will be constituted in Spring 2014. An inventory of required and recommended policy topics will be prepared based upon the newest release of USM security guidelines.
Action Item 8.5 - Output of Action Items 8.4 and 8.7
Specific programmatic mechanisms should be reviewed and enhanced where needed to assure IT security and protection of information privacy.
Some details will depend in part upon the development of policy, but some aspects of security mechanisms are required for any policy to be effectively implemented. These include:
- Audit and controls: to verify that policy is being followed and to determine if mechanisms are working and correctly deployed.
- Education and awareness: to ensure that parties are aware of their responsibilities and to help engage everyone involved in managing and using information and IT resources as part of the university's security plan.
- Risk assessment: to determine the need for protection, to specify mechanisms of protection, and to help prioritize choices of protection.
The university must provide the resources to ensure network security and meet the demands of federal and state regulations.
The output of the IT Policy Committee (Action Item 8.4) and the Security Advisory Team (Action Item 8.7) will drive the specific mechanisms that will be implemented under this action item. The work of those groups will produce requirements to enhance security of networks, servers, desktops, mobile devices, and users.
Update March 2014
Significant investments were made over the past year in the area of vulnerability assessment and audit log collection and correlation. Additional recommendations will emerge when the working groups begin in Spring 2014.
Action Item 8.6 - Campus-Wide Physical Security Assessment
Specific physical mechanisms must be assessed and enhanced where needed to secure business-critical servers and access to sensitive information.
While network security is important to maintaining the integrity of our data and systems, the security of our data needs to be addressed at the individual and departmental levels as well. Data must be kept safe from breaches at all levels. The Vice President of IT's office should immediately prepare a report on the status of physical security of the university's information servers -- with special attention to an assessment of such servers not located within the direct control of the Division of IT. Recommendations based upon the results of this assessment should be drafted and presented to the UMD community.
The Division of IT will lead a campus-wide survey of computing environments in order to assess the physical security of those locations and the campus' posture as a whole. A survey instrument, derived from government standards, will be developed during Spring 2013. With the cooperation of the campus IT community, the survey will be conducted during summer/early fall of 2013, with a final report issued by the end of calendar year 2013. This activity will consume an FTE for the duration of the project.
Update March 2014
The survey instrument has been completed and is being tested against Division of IT facilities. The details of the campus-wide assessment will be discussed at an upcoming meeting of the University Technology Coordinating Committee and distributed shortly thereafter.
Action Item 8.7 - Security Advisory Committee
The Division of IT and Office of the Vice President of IT should establish a security advisory team composed of a variety of department staff and faculty from across the university to assist in the review and formation of appropriate IT security practices.
Security is a shared responsibility that requires diligence from all parties involved. Communication is a critical element in the extensive coordination required to maintain a successful security program. Establishing a Security Advisory Team will not only enable the implementation of security policies, but also increase the level of objective input for security plans and actions. Establishing such a team will demonstrate the Division of IT's interest in engaging expertise from the university community beyond central IT. Security will become a leading-edge issue in establishing relationships between the Division of IT and all university units.
A Security Advisory Committee (SAC) will be constituted during the spring of 2013. The committee will provide oversight for the implementation of recommendations of the Division of IT external security review. As the IT Policy Committee produces policy, the SAC will recommend best practices and formal standards of the implementation of those policies. The work of the SAC will be ongoing.
Update March 2014
The Security Advisory Committee, made up of IT practitioners from throughout the university, will be charged to draft formal best practices and standards that are in compliance with USM Security Guidelines. This committee will be launched in Spring 2014.
Action Item 8.8 - Review and Revision of Existing Risk Management, Business Continuity, and Disaster Recovery Efforts
The Division of IT should review the IT Disaster Recovery and Business Continuity Plan (DR/BCP) with input from the university community and support from senior-level leadership at the university.
While often fully addressed only after a major disaster or emergency brings an enterprise operation to its knees, the university must update and demonstrate an effective plan to continue critical university operations in the event of an outage of any magnitude. Information technology is a strategic asset of the institution, and loss, in part or total, of the IT environment, services, and data can cripple the institution. Therefore, the Division of IT and local IT units must be prepared for the recovery of critical services so that the university can continue to function in the aftermath of an outage due to a manmade disaster or an act of God -- whether the impact is limited to the data center, the campus, or the entire region. Sustained funding will determine to what level and in what time frame recovery can be possible. Funding for disaster recovery should be prudent, but in line with both the extent of risk and the level of expectations of UMD administration and the campus community. The plan should provide for:
- Revisions in existing processes and procedures with regard to data management and data center operations;
- Adequate backup power for critical university data centers; and
- Increasing levels of recovery based on priorities for restoring key services and infrastructure. A disaster recovery plan for IT should be developed and tested.
Data back-up sites for disaster recovery and business continuity will continue to be maintained in areas likely not impacted by the same events as UMD. Disaster recovery planning and the assessment of risks and priorities should include both centrally managed systems and distributed systems maintained on the campus or in various departments.
The Division of IT will undertake a review and revision of existing risk management, business continuity, and disaster recovery efforts. Such an activity has already begun and will proceed on all fronts through calendar year 2013. These efforts will be coordinated with similar activities currently under way at the campus-wide level. All of these projects are cyclical and should continue on an ongoing basis.
Update March 2014
The Division of IT has been participating in campus-wide risk management, business continuity, and disaster recovery activities. Within the division, comprehensive disaster recovery exercises were completed at the end of 2013 and are being conducted on a regular basis to ensure that staff is familiar with the required tasks and that gaps are identified. A revised risk management framework is under development.