Sunday, March 3, 2019
An analysis of Information Security Governance in the Universities in Zimbabwe Essay
Abstract

The complexity and criticality of information security and its governance demand that it be elevated to the highest organizational levels. Within a university setup, information assets include student and personnel records, health and financial information, research data, teaching and learning materials and all restricted and unrestricted electronic library materials. Security of these information assets is among the highest priorities in terms of risk and liabilities, business continuity, and protection of university reputations. As a critical resource, information must be treated like any other asset essential to the survival and success of the organization. In this paper the writer is going to discuss the need for implementing information security governance within institutions of higher education. Further than that, the paper discusses how best to practise information security governance within the universities in Zimbabwe, followed by an assessment of how far the Zimbabwean universities have implemented information security governance. A combination of questionnaires and interviews is used as the tool to gather data, and some recommendations are stated towards the end of the paper.

Introduction

Governance, as defined by the IT Governance Institute (2003), is the set of responsibilities and practices exercised by the board and executive management with the intent of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.

Information security governance is the system by which an organization directs and controls information security (adapted from ISO 38500). It specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, as well as ensuring that security strategies are aligned with the business and consistent with mandates. To exercise sound enterprise and information security governance, boards and senior executives must have a clear understanding of what to expect from their enterprise's information security programme. They need to know how to direct the implementation of an information security programme, how to evaluate their own status with regard to an existing security programme and how to decide the strategy and objectives of an effective security programme (IT Governance Institute, 2006). Stakeholders are becoming more and more concerned about information security as news of hacking, data theft and other attacks happens more frequently than ever dreamt of. Executive management has been given the responsibility of ensuring that an organization provides users with a secure information systems environment. Information security is not only a technical issue, but a business and governance challenge that involves adequate risk management, reporting and accountability. Effective security requires the active involvement of executives to assess emerging threats and the organization's response to them (Corporate Governance Task Force, 2004). Furthermore, organizations need to protect themselves against the risks inherent in the use of information systems while simultaneously recognizing the benefits that can accrue from having secure information systems.

Peter Drucker (1993) stated: "The diffusion of technology and the commodification of information transforms the role of information into a resource equal in importance to the traditionally important resources of land, labor and capital." Thus, as dependence on information systems increases, the criticality of information security brings with it the need for effective information security governance.

Need for Information Security Governance within universities

A key goal of information security is to reduce adverse impacts on the organization to an acceptable level of risk. Information security protects information assets against the risk of loss, operational discontinuity, misuse, unauthorized disclosure, inaccessibility and damage. It also protects against the ever-increasing potential for civil or legal liability that organizations face as a result of information inaccuracy and loss, or the absence of due care in its protection. Information security covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties. Information security addresses information protection, confidentiality, availability and integrity throughout the life cycle of the information and its use within the organization. John P. Pironti (2006) suggested that among the many reasons for information security governance, the most important one is that concerned with legal liability, protection of the organization's reputation and regulatory compliance. In the university setup, all members of the university community are obligated to respect and, in many cases, to protect confidential data.

Medical records, student records, certain employment-related records, library use records, attorney-client communications, and certain research and other intellectual property-related records are, subject to limited exceptions, confidential as a matter of law. Many other categories of records, including faculty and other personnel records, and records relating to the university's business and finances are, as a matter of university policy, treated as confidential. Systems (hardware and software) designed primarily to store confidential records (such as the Financial Information System and Student Information System and all medical records systems) require enhanced security protections and are controlled (strategic) systems to which access is closely monitored. Networks provide connection to records, information, and other networks and likewise require security protections. The use of university information technology assets in other than the manner and for the purpose for which they were intended represents a misallocation of resources and, possibly, a violation of law. To achieve all this in today's complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department. Information security is a top-down process requiring a comprehensive security strategy that is explicitly linked to the organization's business processes and strategy. Security must address the entire organization's processes, both physical and technical, from end to end. Hence, information security governance requires senior management commitment, a security-aware culture, promotion of good security practices and compliance with policy.
It is easier to buy a solution than to change a culture, but even the most secure system will not achieve a significant degree of security if used by ill-informed, untrained, careless or indifferent personnel (IT Governance Institute, 2006). In an interview, the executive director and information security expert on IT governance and cyber security with the IT Governance and Cyber Security Institute of sub-Saharan Africa, Dr Richard Gwashy Young, had this to say: "Remember, in Zimbabwe security is regarded as an expense, not an investment" (Rutsito, 2012).

Benefits of Information Security Governance

Good information security governance generates significant benefits, including:

- The board of directors taking full accountability for information security initiatives
- Increased predictability and reduced uncertainty of business operations by lowering information security-related risks to definable and acceptable levels
- Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care
- The structure and framework to optimize allocation of limited security resources
- Assurance of effective information security policy and policy compliance
- A firm foundation for efficient and effective risk management, process improvement, and rapid incident response related to securing information
- A level of assurance that critical decisions are not based on faulty information
- Accountability for safeguarding information during critical business activities
- Easier compliance with local and international regulations
- Improved resource management, optimizing knowledge, information security and information technology infrastructure

The benefits add significant value to the organization by:

- Improving trust in customer/client relationships
- Protecting the organization's reputation
- Decreasing the likelihood of violations of privacy
- Providing greater confidence when interacting with trading partners
- Enabling new and better ways to process electronic transactions, like publishing results online and online registration
- Reducing operational costs by providing predictable outcomes and mitigating risk factors that may interrupt the process

The benefits of good information security are not just a reduction in risk or a reduction in the impact should something go wrong. Good security can improve reputation, confidence and trust from others with whom business is conducted, and can even improve efficiency by avoiding wasted time and effort recovering from a security incident (IT Governance Institute, 2004).

Information Security Governance Outcomes

Five basic outcomes can be expected to result from developing an effective governance approach to information security:

- Strategic alignment of information security with institutional objectives
- Reduction of risk and potential business impacts to an acceptable level
- Value delivery through the optimization of security investments with institutional objectives
- Efficient utilization of security investments supporting organization objectives
- Performance measurement and monitoring to ensure that objectives are met

Best practices

The National Association of Corporate Directors (2001) recognizes the importance of information security and recommends four essential practices for boards of directors. The four practices, which are based on the practicalities of how boards operate, are:

- Place information security on the board's agenda.
- Identify information security leaders, hold them accountable and ensure support for them.
- Ensure the effectiveness of the corporation's information security policy through review and approval.
- Assign information security to a key committee and ensure adequate support for that committee.
It is critical that management ensure that adequate resources are allocated to support the overall enterprise information security strategy (IT Governance Institute, 2006). To achieve effective information security governance, management must establish and maintain a framework to guide the development and maintenance of a comprehensive information security programme. According to Horton et al. (2000), an information security governance framework generally consists of:

- An information security risk management methodology
- A comprehensive security strategy explicitly linked with business and IT objectives
- An effective security organizational structure
- A security strategy that talks about the value of information both protected and delivered
- Security policies that address each aspect of strategy, control and regulation
- A complete set of security standards for each policy to ensure that procedures and guidelines comply with policy
- Institutionalized monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk
- A process to ensure continued evaluation and update of security policies, standards, procedures and risks

This kind of framework, in turn, provides the basis for the development of a cost-effective information security programme that supports an organization's goals and provides an acceptable level of predictability for operations by limiting the impacts of adverse events. In his article, Kaitano (2010) pointed out some characteristics of good corporate governance coupled with good security governance. These include, but are not limited to:

- Information security being treated as an organization-wide issue, with leaders accountable
- It leads to viable Governance, Risk and Compliance (GRC) milestones
- It is risk-based and focuses on all aspects of security
- Proper frameworks and programs have been implemented
- It is not treated as a cost but as a way of doing business
- Roles, responsibilities and segregation of duties are defined
- It is addressed and enforced by policy
- Adequate resources are committed and staff are aware and trained
- It is planned, managed, measurable and measured
- It is reviewed and audited

The overall objective of the programme is to provide assurance that information assets are protected in accordance with their value or the risk their compromise poses to an organization. The framework generates a set of activities that supports fulfilment of this objective.

Principles for information security within the University

In their article titled Information Security Policy: Best Practice Document, Hostland et al. (2010) pointed out some guiding principles for information security within a university setup. The following are some of the principles they mentioned:

1. Risk assessment and management

The university's approach to security should be based on risk assessments, which should be carried out continuously, with the need for protective measures evaluated. Measures must be evaluated based on the university's role as an establishment for education and research and with regard to efficiency, cost and practical feasibility. An overall risk assessment of the information systems should be performed annually. Risk assessments must identify, quantify and prioritize the risks according to relevant criteria for acceptable risks. Risk assessments should be carried out when implementing changes impacting information security. Some recognized methods of assessing risks, like ISO/IEC 27005, should be employed. Risk management is to be carried out according to criteria approved by the management of the University.
Risk assessments must be approved by the management, and if a risk assessment reveals unacceptable risks, measures must be implemented to reduce the risk to an acceptable level.

2. Information security policy

The Vice Chancellor should ensure that the information security policy, as well as guidelines and standards, are utilized and acted upon. He must also ensure the availability of sufficient training and information material for all users, in order to enable the users to protect the university's data and information systems. The security policy should be reviewed and updated annually or when necessary, in accordance with the principles described in ISO/IEC 27001. However, all important changes to the university's activities, and other external changes related to the threat level, should result in a revision of the policy and the guidelines relevant to information security.

3. Security organization

The Vice Chancellor is responsible for all government contact. The university should appoint a CSO (Chief Security Officer). Each department and section should also be responsible for implementing the unit's information security. The managers of each unit must appoint separate security administrators. The Registrar Academics has the primary responsibility for information security in connection with the student register and other student-related information. The IT Director has executive responsibility for information security in connection with IT systems and infrastructure. The Operations Manager has executive responsibility for information security in connection with structural infrastructure. He also has overall responsibility for quality work, while the operational responsibility is delegated according to the management structure. The Registrar Human Resources also has executive responsibility for information security according to the Personal Data Act and is the controller on a daily basis of the personal information of the employees. The Registrar Academics and Research Administration also have executive responsibility for research-related personal information. The university's information security should be revised on a regular basis, through internal control and when needed, with assistance from an external IT auditor.

4. Information security in connection with users of the University's services

Prior to employment, security responsibilities and roles for employees and contractors should be described. A background check should also be carried out on all appointees to positions at the university according to relevant laws and regulations. A confidentiality agreement should be signed by employees, contractors or others who may gain access to sensitive and/or internal information. IT regulations should be accepted for all employment contracts and for system access for third parties. During employment, the IT regulations for the university's information security requirements should be in place and the user's responsibility for complying with these regulations is to be emphasized. The IT regulations should be reviewed regularly with all users and with all new hires. All employees and third-party users should receive adequate training and updating regarding the information security policy and procedures. Breaches of the information security policy and accompanying guidelines will normally result in sanctions. The university's information, information systems and other assets should only be utilized for their intended purpose. Necessary private usage is permitted. Private IT equipment in the university's infrastructure may only be connected where explicitly permitted. All other use must be approved in advance by the IT department. On termination or change of employment, the responsibility for termination or change of employment should be clearly defined in a separate routine with relevant circulation forms. The university's assets should be handed in at the conclusion of the need for the use of these assets. The university should change or terminate access rights at termination or change of employment. A routine should be present for handling alumni relationships. Notification of employment termination or change should be carried out through the procedures defined in the personnel system.

5. Information security regarding physical conditions

IT equipment and information that require protection should be placed in secure physical areas. Secure areas should have suitable access control to ensure that only authorized personnel have access. All of the University's buildings should be secured according to their classification by using adequate security systems, including suitable tracking/logging. Security managers for the various areas of responsibility should ensure that work performed by third parties in secure zones is suitably monitored and documented. All external doors and windows must be closed and locked at the end of the work day. On securing equipment, IT equipment which is essential for daily activities must be protected against environmental threats (fires, flooding, temperature variations). Information classified as sensitive must not be stored on portable computer equipment (e.g. laptops, cell phones, memory sticks). If it is necessary to store this information on portable equipment, the information must be password protected and encrypted in compliance with guidelines from the IT department. During travel, portable computer equipment should be treated as carry-on luggage. Fire drills should also be carried out on a regular basis.

6. IT communications and operations management

Purchase and installation of IT equipment and software for IT equipment must be approved by the IT department. The IT department should ensure documentation of the IT systems according to the university's standards. Changes in IT systems should only be implemented if well-founded from a business and security standpoint. The IT department should have emergency procedures in order to minimize the effect of unsuccessful changes to the IT systems. Operational procedures should be documented and the documentation must be updated following all substantial changes. Before a new IT system is put into production, plans and risk assessments should be in place to avoid errors. Additionally, routines for monitoring and managing unforeseen problems should be in place. Duties and responsibilities should be separated in a manner that reduces the possibility of unauthorized or unforeseen abuse of the university's assets. Development, testing and maintenance should be separated from operations in order to reduce the risk of unauthorized access or changes, and in order to reduce the risk of error conditions. On system planning and acceptance, the requirements for information security must be taken into consideration when designing, testing, implementing and upgrading IT systems, as well as during system changes. Routines must be developed for change management and system development/maintenance. IT systems must be dimensioned according to capacity requirements and the load should be monitored in order to apply upgrades and adjustments in a timely manner, which is especially important for business-critical systems. Written guidelines for access control and passwords based on business and security requirements should be in place. Guidelines should be re-evaluated on a regular basis and should contain password requirements (frequency of change, minimum length, character types which may/must be utilized) and regulate password storage. All users accessing systems must be authenticated according to the guidelines and should have unique combinations of usernames and passwords. Users are responsible for any usage of their usernames and passwords.
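The password and access-control guideline items in principle 6 (minimum length, required character types, frequency of change, regulated storage, unique usernames) are the kind of rule an IT department can enforce mechanically. The following is an added example, written for this page and not taken from the essay or from Hostland et al.; it checks a candidate password against a written policy, stores only a salted PBKDF2 digest, and audits an account list for expired passwords and duplicate usernames. The policy numbers (12 characters, three of four character classes, 180-day maximum age) and the sample accounts are assumed placeholders, not values from the page.

```python
"""Password guideline checks for a university access-control policy (added example)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """Written guideline values; all numbers here are assumed placeholders."""
    min_length: int = 12           # "minimum length"
    min_char_classes: int = 3      # "character types which must be utilized"
    max_age_days: int = 180        # "frequency of change"
    pbkdf2_iterations: int = 600_000  # work factor for regulated storage


# Character classes a policy may require; a password scores one per class present.
CHAR_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(candidate: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of guideline violations; an empty list means compliant."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(1 for rx in CHAR_CLASSES.values() if rx.search(candidate))
    if classes < policy.min_char_classes:
        problems.append(f"uses {classes} character types, policy requires {policy.min_char_classes}")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    return problems


def hash_password(candidate: str, policy: PasswordPolicy, salt: Optional[bytes] = None) -> str:
    """Regulated storage: keep only a salted PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, policy.pbkdf2_iterations)
    return f"pbkdf2_sha256${policy.pbkdf2_iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def password_expired(last_changed: date, today: date, policy: PasswordPolicy) -> bool:
    """True when the password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=policy.max_age_days)


def audit_accounts(accounts: List[Dict], today: date, policy: PasswordPolicy) -> List[Tuple[str, str]]:
    """Flag accounts that break the guideline: duplicate usernames or stale passwords."""
    seen = set()
    findings = []
    for acct in accounts:
        name = acct["username"].lower()
        if name in seen:
            findings.append((acct["username"], "duplicate username"))
        seen.add(name)
        if password_expired(acct["last_changed"], today, policy):
            findings.append((acct["username"], "password older than policy allows"))
    return findings


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample directory extract; names and dates are invented.
    directory = [
        {"username": "jmoyo", "last_changed": date(2018, 6, 1)},
        {"username": "tchikwanda", "last_changed": date(2019, 1, 15)},
        {"username": "JMoyo", "last_changed": date(2019, 2, 1)},
    ]
    print("violations:", check_password("Welcome1", "jmoyo", policy))
    stored = hash_password("Zw-Univ$Gov19x", policy)
    print("verify:", verify_password("Zw-Univ$Gov19x", stored))
    print("audit:", audit_accounts(directory, date(2019, 3, 3), policy))
```

The audit compares usernames case-insensitively because most directory services treat "JMoyo" and "jmoyo" as the same login; the findings list is what a help desk would act on at the annual policy review the section calls for.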
Data Gathering

A structured questionnaire adapted and modified from previous questionnaires used by the Corporate Governance Task Force (2004) was used as the main instrument to gather data. Of the total of 13 universities in Zimbabwe, 9 managed to participate in this research. The questionnaires were completed by the Executive Dean, IT Director, Operations Manager or Chairperson of the department.

Section I: Organizational Reliance on IT

The first section was designed to help in determining the institutions' reliance on information technology for business continuity.

Table 1: Characteristics of Organization (scores/frequency across the columns 0 to 4, as recorded)

- Dependence on information technology systems and the Internet to conduct academic, research, and outreach programs and offer support services: 9
- Value of organization's intellectual property stored or transmitted in electronic form: 27
- The sensitivity of stakeholders (including but not limited to students, faculty, staff, alumni, government boards, legislators, donors, and funding agencies) to privacy: 234
- Level of regulation regarding security (international, federal, state, or local regulations): 1431
- Does your organization have academic or research programs in a sensitive area that may make you a target of hostile physical or cyber attack from any groups?: 5121
- Total score: 196722

Scoring: Very Low = 0, Low = 1, Medium = 2, High = 3, Very High = 4

Section II: Risk Management

This section assesses the risk management process as it relates to creating an information security strategy and program.

Table 2: Information Security Risk Assessment (scores/frequency across the columns 0 to 4, as recorded)

- Does your organization have a documented information security program?: 252
- Has your organization conducted a risk assessment to identify the key objectives that need to be supported by your information security program?: 243
- Has your organization identified critical assets and the business offices that rely on them?: 225
- Have the information security threats and vulnerabilities associated with each of the critical assets and functions been identified?: 2421
- Has a cost been assigned to the loss of each critical asset or function?: 1332
- Do you have a written information security strategy?: 2421
- Does your written information security strategy include plans that seek to cost-effectively reduce the risks to an acceptable level, with minimal disruptions to operations?: 4221
- Is the strategy reviewed and updated at least annually or more frequently when significant changes require it?: 2331
- Do you have a process in place to monitor federal, state, or international legislation or regulations and determine their applicability to your organization?: 22321
- Total: 1016261416

Scoring: Not Implemented = 0, Planning Stages = 1, Partially Implemented = 2, Close to Completion = 3, Fully Implemented = 4

Section III: People

This section assesses the organizational aspects of the information security program.

Table 3: Information Security Function/Organization (scores/frequency across the columns 0 to 4, as recorded)

- Do you have a person that has information security as his primary duty, with responsibility for maintaining the security program and ensuring compliance?: 4311
- Do the leaders and staff of your information security organization have the necessary experience and qualifications?: 522
- Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes and audits?: 3411
- Do you have an ongoing training program in place to build skills and competencies for information security for members of the information security function?: 2232
- Does the information security function report regularly to institutional leaders and the governing board on the compliance of the institution with, and the effectiveness of, the information security program and policies?: 2331
- Are the senior officers of the institution ultimately responsible and accountable for the information security program, including approval of information security policies?: 342
- Total: 16171470

Scoring: Not Implemented = 0, Planning Stages = 1, Partially Implemented = 2, Close to Completion = 3, Fully Implemented = 4

Section IV: Processes

This section assesses the processes that should be part of an information security program.

Table IV: Security Technology Strategy (scores/frequency across the columns 0 to 4, as recorded)

- Have you instituted processes and procedures for involving the security personnel in evaluating and addressing any security impacts before the purchase or introduction of new systems?: 2331
- Do you have a process to appropriately evaluate and classify the information and information assets that support the operations and assets under your control, to indicate the appropriate levels of information security?: 12321
- Are written information security policies consistent, easy to understand, and readily available to administrators, faculty, employees, students, contractors, and partners?: 2331
- Are consequences for noncompliance with corporate policies clearly communicated and enforced?: 13231
- Do your security policies effectively address the risks identified in your risk analysis/risk assessments?: 234
- Are information security issues considered in all important decisions within the organization?: 3231
- Do you continuously monitor in real time your networks, systems and applications for unauthorized access and anomalous behavior such as viruses, malicious code insertion, or break-in attempts?: 13311
- Is sensitive data encrypted and associated encryption keys properly protected?: 23211
- Do you have an authorization system that enforces time limits and defaults to minimum privileges?: 2223
- Do your systems and applications enforce session/user management practices including automatic timeouts, lock out on login failure, and revocation?: 2322
- Based on your information security risk management strategy, do you have official written information security policies or procedures that address each of the following areas?
  - Individual employee responsibilities for information security practices: 4311
  - Acceptable use of computers, e-mail, Internet, and intranet: 2322
  - Protection of organizational assets, including intellectual property: 2232
  - Access control, authentication, and authorization practices and requirements: 12312
  - Information sharing, including storing and transmitting institutional data on outside resources (ISPs, external networks, contractors' systems): 21321
  - Disaster recovery contingency planning (business continuity planning): 1134
  - Change management processes: 2322
  - Physical security and personnel clearances or background checks: 1332
  - Data backups and secure off-site storage: 1134
  - Secure disposal of data, old media, or printed materials that contain sensitive information: 234
- For your critical data centers, programming rooms, network operations centers, and other sensitive facilities or locations: 234
  - Are multiple physical security measures in place to restrict forced or unauthorized entry?: 1233
  - Is there a process for issuing keys, codes, and/or cards that require proper authorization and background checks for access to these sensitive facilities?: 2133
  - Is your critical hardware and wiring protected from power loss, tampering, failure, and environmental threats?: 144
- Total: 1745585047

Scoring: Not Implemented = 0, Planning Stages = 1, Partially Implemented = 2, Close to Completion = 3, Fully Implemented = 4

Discussion

As shown by the total scores in Table 1, a majority of the universities have a very high reliance on IT in their services.
This is reflected in the structure and characteristics of the universities. Information risk assessment and management leaves a lot to be desired in the universities. Most of the universities have only partially implemented such programs. A large number of employees in the IT departments of most universities do not have sufficient skills to implement good information security governance. Most universities lack leaders who have the rightful know-how on the subject. In addition to that, there is no voice in the council who is an IT expert, hence most leaders lack interest and initiative on information security. Due to the lack of full responsibility for information security on the part of the leaders, implementing processes for information security efficiently is also a challenge, especially for the IT department, as it is normally the department given the responsibility.

Conclusion

There is a need for institutions to start focusing on proper information security governance. For a start, organizations such as the Government, the Computer Society of Zimbabwe, the Law Society of Zimbabwe, POTRAZ, ICAZ, IIAZ, the Zimbabwe Institute of Management and other industry governing bodies should put their heads together and define the appropriate legislation that mandates information security governance, either by referring to existing international frameworks (PCI-DSS, SOX, COSO, ITIL, SABSA, COBIT, FIPS, NIST, ISO 27002/5, CMM, ITG Governance Framework) or by consulting local information security and business professionals to come up with an information security governance framework. As the Zimbabwean economy is slowly growing, the art of information security governance in the universities should also take a leap. The adoption of information security governance will ensure that security becomes a part of every university and thus customers' confidence will be boosted.

References

Drucker, P. Management Challenges for the 21st Century, Harper Business, 1993.
Corporate Governance Task Force, Information Security Governance: Call to Action, USA, 2004.
IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, USA, 2003, www.itgi.org.
IT Governance Institute, Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, USA, 2006.
ISO/IEC 38500 Corporate Governance of Information Technology, 2008.
IT Governance Institute, COBIT 4.0, USA, 2005, www.itgi.org.
IT Governance Institute, COBIT Security Baseline, USA, 2004, www.itgi.org.
National Association of Corporate Directors, Information Security Oversight: Essential Board Practices, USA, 2001.
Pironti, J. P., Information Security Governance: Motivations, Benefits and Outcomes, Information Systems Control Journal, vol. 4 (2006).
Rutsito, T. (2005) IT governance, security define new era, The Herald, 07 November.
Kaitano, F. (2010) Information Security Governance: Missing Link In Corporate Governance, TechZim. http://www.techzim.co.zw/2010/05/information-security-governance-missing-link-in-corporate-governance accessed 02 May 2013.
Horton, T.R., Le Grand, C.H., Murray, W.H., Ozier, W.J. & Parker, D.B. (2000). Information Security Management and Assurance: A Call to Action for Corporate Governance. United States of America: The Institute of Internal Auditors.
Hostland, K., Enstad, A. P., Eilertsen, O., Boe, G. (2010). Information Security Policy: Best Practice Document.