Information Security Update
There have been many welcome events in the area of information security over the past several months. I would like to thank the members of the NAU Information Security Committee, campus IT Professionals, and central IT staff for all of the time, advice, and effort they have committed to make many of the items mentioned here possible.
Info Security Program Approval
The NAU Information Security Program has been under development for the past year and was presented to the President’s cabinet for approval in April. I am happy to say that it was approved by President Haeger in August along with its initial budget request.
The Program will be focused on best practices as outlined by the International Information Systems Security Certification Consortium (ISC2)and the Educause & Internet 2 Computer and Network Security Task Force. The key areas outlined in the plan are:
- Security Management
- Risk Assessment
- Education and Awareness
- Incident Management
- Applications and Systems Development Security
- Telecommunications and Network Security
- Security Architecture and Models
- Access Control Systems and Methodology
- Enterprise Antivirus/SPAM Protection
- Operations Security
- Physical Security
- Business Continuity Planning
- Cryptography
Additionally, funding was provided for a new Information Security Analyst, Sr. position. This position will evaluate, design, and assist in the development and implementation of information security solutions for the adoption of security best practices at NAU. She/he will perform the technical procedures necessary for the safety of information systems assets and will provide consultation and training on technical security topics to campus IT professionals. The position will be posted in September.
Campus-wide Risk Assessment
A campus-wide computing asset survey and risk assessment was completed this spring with additional updates this summer. The three areas of the survey were:
- Classroom IT and audio/visual (A/V) support
- Desktop support for staff and faculty
- Server support for colleges and departments
The data on classrooms and learning spaces will be given to the Vice Provost for Undergraduate Studies, the Provost Advisory Council on Academic Computing, and the e-Learning Center. They will use it in an ongoing effort to establish technology standards for classrooms on campus.
The desktop support and server data will be used to find out how certain IT functions and services are handled throughout the campus. This is a necessary first step in conducting an Information Security risk assessment and helps to determine our security posture as part of the Information Security Program.
Info Security Audit Under Way
Every ten years the State Auditor General is required to conduct an audit of the Arizona Board of Regents and the oversight of the three state universities. One of the areas to be audited in this cycle is information security. We welcome the chance to get an outside assessment of our security posture. The feedback will help us to review and adjust the recently approved security program.
The auditors were on campus for three days in late July to conduct a preliminary assessment process and will continue to work with the campus through the next year in the completion of the audit.
Data Security Standards
May Affect Older Machines
An integral part of running the campus is the ability to accept credit card payments for tuition, fees, conference registrations, and other services. As such, NAU has a contractual obligation to fulfill the data security standards established by the purchasing card industry. The Purchasing Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help us protect our customers’ credit card account information.
To comply with the standard we made several changes to our architecture with a focus on more secure transactions in our administrative systems. One change will no longer allow SSL2 (Secure Socket Layer) connections to our key administrative systems. SSL2 is an older protocol and has potential flaws associated with its use. SSL3 and TLS1 (Transport Level Security) connections are still permitted. This should have minimal impact on campus, but it may affect users of machines running operating systems more than ten years old. We apologize for any inconvenience this may cause, but this is a necessary update to our administrative security policies.
Security Scanning ABOR Priority
Vulnerability scanning for increased network and application security was one of the top three technology collaboration priorities recently approved by the Arizona Board of Regents. The recommendation came from a study and report of technology collaboration among the three state universities. This effort provides additional resources to monitor and protect our networks and applications.
SEC_RITY: Not Complete w/o U!
More individuals are using laptops and tablet PCs. It’s a great way to take your work with you. OnGuard Online recommends you follow these tips to protect your mobile computer and your identity:
- Treat it like cash.
- Get it out of the car; never leave it.
- Keep it locked; use security cable.
- Keep it off the floor—or at least between your feet.
- Keep passwords separate—not near the laptop or case.
- Don’t leave it “for just a sec”—no matter where you are.
- Pay attention in airports—especially at security.
- Use bells and whistles—if you’ve got an alarm, turn it on.
-Harper Johnson |
