Creating a University Security Policy

C. Scott Hawsey

Colorado State University Global

ISM527-1: Cyber Security Management

May 21, 2023

Creating a University Security Policy

In today's interconnected world, universities face increasing threats to their valuable information assets. Therefore, universities must establish a security policy to safeguard against unauthorized access, data breaches, and potential risks. This paper aims to outline a comprehensive security policy tailored explicitly for universities, which includes three essential components: the Acceptable Use Policy, Risk Assessment Policy, and Remote Access Policy. By implementing these policies, universities can create a secure computing environment, define acceptable behavior and usage of resources within the academic community, proactively identify and mitigate risks, and ensure secure remote connectivity for faculty, students, and staff. Together, these policies form a strong foundation for protecting information assets, mitigating potential vulnerabilities, and upholding the availability, integrity, and confidentiality of critical data within the university environment.

Acceptable Use Policy

The Acceptable Use Policy (AUP) is a vital component of an organization's security policy, providing clear guidelines and expectations for the appropriate use of computer systems, networks, and digital resources. The AUP defines acceptable behavior, sets boundaries, and outlines the responsibilities of users when accessing and utilizing organizational resources. By establishing an AUP, organizations aim to prevent misuse, unauthorized access, and potential threats that could compromise the security and functionality of their systems. The policy also helps protect sensitive data, maintain the organization's reputation, and promote a productive and respectful work environment by defining acceptable practices for internet usage, software installations, email communications, and other digital activities. Compliance with the AUP is crucial for all employees, contractors, and other individuals granted access to the organization's resources to ensure a secure and efficient computing environment.

When developing an Acceptable Use Policy, universities must carefully consider the essential elements that address responsible and secure usage within their academic community, and may incorporate existing policies or codes of conduct by reference. The AUP serves to ensure adherence to legal requirements and to protect the integrity of computer networks and users. A university's AUP commonly includes the following stipulations: refraining from activities that violate any applicable laws; avoiding actions that disrupt the security of computer networks or users; seeking permission before posting commercial messages to Usenet groups; not sending unsolicited junk email or spam; not engaging in mail-bombing attacks that flood servers; respecting intellectual property rights; requiring users to report any attempts to breach accounts; acknowledging the potential consequences of violating the AUP; and emphasizing compliance with relevant laws through periodic audits. By incorporating these elements, universities can establish clear expectations and guidelines that foster responsible and secure usage of their resources within the academic community. (TechTarget, 2022)

Risk Assessment Policy

The IT Risk Assessment Policy serves as a critical component of the organization's overall risk management strategy. Its purpose is to ensure compliance with relevant federal and state laws and regulations while safeguarding the confidentiality and integrity of the University's IT resources. By implementing this policy, the organization aims to make informed decisions regarding risk tolerance and acceptance. The policy applies to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors who utilize the University's IT resources, regardless of whether they are individually controlled, shared, stand-alone, or networked.

Under this policy, the Senior IT Officer, or their designees, is granted the authority to conduct regular information security risk assessments. These assessments aim to identify areas of vulnerability and initiate appropriate remediation measures. In addition, the University adopts formal Information Security Risk Management (ISRM) programs that systematically identify and manage risks. The Senior IT Officer oversees the ISRM program, including developing and maintaining related policies, procedures, standards, and reports. The program is tailored to University priorities, staffing, and budget considerations.

Risk assessments conducted under this policy must identify, quantify, and prioritize risk acceptance and objectives relevant to the University. The results of the assessments guide decision-making and determine appropriate management actions and priorities for addressing information security risks. This includes implementing necessary controls to mitigate these risks. The assessment process involves systematically estimating the magnitude of risks (risk analysis) and comparing calculated risks against predefined risk criteria to determine their significance (risk evaluation).

Due to constant changes in security requirements and the risk landscape, risk assessments are to be conducted periodically. These assessments address evolving threats, vulnerabilities, impacts, risk evaluations, and data classification. It is essential for risk assessments to be undertaken systematically, producing comparable and reproducible results. They should have a clearly defined scope and may incorporate relationships with risk assessments conducted in other relevant areas. By adhering to this policy, the organization strives to proactively manage and mitigate information security risks in a structured and effective manner. (Fordham, 2020)

Remote Access Policy

The remote access policy is critical for securing and controlling remote connectivity to university resources. One aspect of this policy is the Encryption Policy, which defines the rules for encrypting and decrypting data. Encryption is essential for maintaining the confidentiality, integrity, and availability of information within the University. By implementing encryption measures, the University can protect sensitive data from unauthorized access and ensure that data remains secure during transmission and storage.

In addition to encryption, the remote access policy addresses the importance of information security, confidentiality, and email policies. These policies protect the University's data and information assets from various cyber-security threats, such as unauthorized access, data theft, accidental disclosure, computer viruses, and malware attacks. By establishing clear guidelines and precautions, the remote access policy helps mitigate risks associated with remote access. In addition, it ensures that faculty, students, and staff understand their responsibilities in safeguarding university information.

Physical and virtual device security is another crucial aspect covered by the remote access policy. As reliance on remote access increases, securing physical and virtual devices becomes essential to prevent unauthorized access to sensitive data. The policy outlines measures for securing physical devices (hardware that is plugged into an electrical outlet or connected with wires) as well as virtual devices (software applications that can be installed remotely without a physical connection). By implementing security measures for both types of devices, the University can protect sensitive data from unauthorized access and potential breaches.

An essential component of the remote access policy is the access hierarchy. This aspect defines the access privileges and authentication levels required for remote users to connect to university resources. Access privileges specify which users or user groups have the right to connect remotely, while authentication ensures that the conditions for connection are met. In addition, the policy sets guidelines for configuring remote computers based on physical location, network type, and device use. By implementing an access hierarchy, the University can control access to sensitive resources and protect them from unauthorized modification or disclosure.

Connectivity guidelines are outlined within the remote access policy to ensure that remote access to the University's data is controlled and secure. These guidelines include restrictions on remote access by individuals located outside the university community, requirements for using VPNs, multi-factor authentication (MFA), and other secure means of connection, and a list of approved applications that can be used for remote connections. By following these guidelines, the University can minimize the risk of unauthorized access and protect the confidentiality and integrity of its data.

Password protocols are also addressed within the remote access policy to enhance security. The policy emphasizes using strong passwords with a minimum length of eight characters, combining upper- and lower-case letters, numbers, and symbols. It also requires regular password changes and prohibits password reuse within a specified timeframe. By implementing these protocols, the University ensures that remote access accounts are protected by strong passwords, reducing the risk of unauthorized access.
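The password protocols described above can be expressed as an automated check at the point where a remote access account's password is set. The following Python is an added example, not code from the paper or from any of its cited sources: it enforces the stated eight-character minimum and mixed character classes, and it blocks reuse against a short history of previous passwords. The history depth (five entries) and the use of salted PBKDF2 digests for the stored history are assumptions made for this example; the paper only says reuse is prohibited "within a specified timeframe".

```python
"""Password-policy checker modelled on the remote access policy in the text.

Added example (not the paper's own material). Assumptions: a history depth of
five previous passwords, and salted PBKDF2-HMAC-SHA256 digests so the stored
history does not hold recoverable passwords.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

MIN_LENGTH = 8          # stated in the policy
HISTORY_DEPTH = 5       # assumed: how many previous passwords may not be reused
KDF_ITERATIONS = 100_000


@dataclass(frozen=True)
class PasswordRecord:
    """One retired password, kept only as salt + slow-hash digest."""
    salt: bytes
    digest: bytes


def _derive(password: str, salt: bytes) -> bytes:
    # Slow KDF so the retained history is not a cheap cracking target.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def complexity_violations(password: str) -> list[str]:
    """Return every complexity rule the candidate fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


class PasswordHistory:
    """Sliding window of the last `depth` passwords, stored as salted digests."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._records: list[PasswordRecord] = []

    def was_used(self, password: str) -> bool:
        # Re-derive with each record's salt; constant-time compare per record.
        return any(
            hmac.compare_digest(_derive(password, r.salt), r.digest)
            for r in self._records
        )

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._records.append(PasswordRecord(salt, _derive(password, salt)))
        # Oldest entries age out once the window is full.
        self._records = self._records[-self.depth:]


def evaluate_new_password(candidate: str, history: PasswordHistory) -> list[str]:
    """Complexity rules plus the reuse rule, as one list of violations."""
    problems = complexity_violations(candidate)
    if history.was_used(candidate):
        problems.append(f"reused within the last {history.depth} passwords")
    return problems


def change_password(candidate: str, history: PasswordHistory) -> bool:
    """Accept the candidate (recording it in the history) or reject it."""
    if evaluate_new_password(candidate, history):
        return False
    history.record(candidate)
    return True


if __name__ == "__main__":
    hist = PasswordHistory()
    for pw in ("Password123", "Tr0ub4dor&3", "Tr0ub4dor&3"):   # constructed samples
        print(pw, "->", evaluate_new_password(pw, hist) or "accepted")
        change_password(pw, hist)
```

Returning the full list of violations, rather than a single yes/no, lets the self-service reset page tell the user which rule failed without leaking anything about other accounts; the reuse check is deliberately the last item so that a weak password is rejected before any KDF work is spent on it.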

Lastly, the remote access policy aligns with the Acceptable Use Policy (AUP), which sets forth the rules and guidelines for properly using university resources. Within the AUP, specific provisions regulate remote access through protocols such as Remote Desktop Protocol (RDP) connections. These provisions establish the expectations for outside individuals connecting remotely to the university system and ensure that remote access is conducted consistently with the organization's security standards and practices.

By incorporating these elements into the remote access policy, the University can create a secure computing environment, protect sensitive data, and promote responsible and controlled remote access to its resources. (ISO Templates and Training, 2022)

Conclusion

In conclusion, establishing a comprehensive security policy is paramount for universities in today's interconnected world. By implementing policies such as the Acceptable Use Policy, Risk Assessment Policy, and Remote Access Policy, universities can proactively address the increasing threats to their information assets. These policies provide guidelines for responsible and secure usage of resources, identify and mitigate risks, ensure secure remote connectivity, and protect the confidentiality, integrity, and availability of critical data. By adhering to these policies, universities can create a safe and productive computing environment for faculty, students, and staff while effectively managing and mitigating potential vulnerabilities. With a strong security foundation in place, universities can confidently navigate the ever-evolving landscape of information security and safeguard their valuable information assets.

References:

What is an acceptable use policy (AUP)? (2022, June 13). TechTarget. https://www.techtarget.com/whatis/definition/acceptable-use-policy-AUP

Fordham. (2020, May 5). IT risk assessment policy. Fordham University. https://www.fordham.edu/homepage/6557/risk_assessment_policy/

Remote access policy. (2022, February 3). ISO Templates and Training. https://iso-docs.com/blogs/iso-27001-isms/remote-access-policy

Access restricted. (n.d.). Access Restricted | Shield Security. https://ipkeys.com/blog/nist-risk-assessment-report/

Whitman, M. E., & Mattord, H. J. (2018). Management of information security. Cengage Learning.
