Information systems are at the heart of many university processes. It is therefore important that these systems be acquired, designed, implemented, and maintained with information protection in mind. Information security and privacy must be considered throughout the lifetime of a system, and appropriate and adequate safeguards must be put in place to protect information and information systems.
Safeguards for Domain 9, Information Security & Privacy Program
Security and privacy requirements of information systems
Information protection must be addressed as information systems are considered, evaluated, developed, purchased, and deployed. Incorporating security early in the design phase - and later in the implementation and maintenance phases - of a project is necessary to ensure security and privacy have been "baked in" rather than "sprinkled on" after implementation. This is true irrespective of whether the systems are purchased, used from community or open source collaborations, or developed by the university.
A third-party information systems security and privacy assessment procedure is coordinated by Purchasing, the University Information Security Office, and the Committee of Data Stewards.
Additional safeguards for purchasing information systems from third parties are outlined in the "External Parties" section of Domain 3: Organization.
Policy I-580: Risks of Potential Identity Theft in the Use of Stored-Value and Payroll Deduct requires that applications involving stored-value accounts and payroll deduct accounts for the purchase of goods and services on and off campus, as well as payroll debit cards used by a limited number of university employees, provide an automatic email response to an Account Card Holder whenever his or her address is changed within the university's electronic systems.
Correct processing in applications
Information must be reliable and correct in order to support sound business decisions. Applications must not only correctly process information, but they must also appropriately validate input data to prevent the introduction of erroneous data and to prevent the exploitation of vulnerabilities within the application and supporting systems. Likewise, applications must output correct, reliable, and verifiable information to ensure they are processing data as intended.
Information must be afforded appropriate protection while at rest or in transit. The most common method for providing this protection is to use encryption. Encryption is the process of taking normal text (plaintext) and making that plaintext unintelligible to anyone other than those possessing the correct key to unlock the encryption. Appropriate encryption-related policies and procedures should be implemented that are directly tied to the information's classification and sensitivity levels.
- Protecting Data | IU Information Policy Office
- Encryption Explained | IU Information Security Office
- At IU, what is PGP Whole Disk Encryption (WDE)? | IU Knowledge Base
- What is BitLocker? | IU Knowledge Base
- The basics of VPN at IU | IU Knowledge Base
- Using IU's SSL VPN service for off-campus connections | IU Knowledge Base
- About IU Secure and IU HSN Secure wireless | IU Knowledge Base
- When should I use SSL on my web server? | IU Knowledge Base
- What is the tool that disables LM/NTLMv1, and where can I get it? | IU Knowledge Base
Security of system files
Operating system files, applications, source code, and databases are core components of all technology-based information systems deployed at the university. These components must be protected appropriately, lest they be modified or otherwise used to put information at risk. Attention must also be given to development and test system files to ensure they do not jeopardize sensitive production (i.e., actual or "real") data.
Security in development and support processes
As systems move through the normal development, test, and production stages, appropriate safeguards must be put in place to ensure they are implemented in a controlled and coordinated fashion.
Technical vulnerability management
Vulnerabilities are often discovered in the design and/or implementation of operating systems and applications. Since these vulnerabilities can jeopardize the security of the information processed by these systems, it is important that they be identified and remediated promptly. Appropriate policies and procedures should be implemented to promote the timely identification and correction of vulnerabilities, particularly those that pose a significant risk to sensitive information.
- How can I have my IU-networked computer scanned for security vulnerabilities? | IU Knowledge Base
- Secunia Personal Software Inspector (PSI) | IU Information Security Office
- Web Application and Network Host Vulnerability Scanners | IU Information Security Office
- Stay up to date with Information Security & Privacy. Connect with us. The University Information Security Office also provides regular, timely Security Bulletins.
Summary of domain objectives
The primary objectives of this domain are to ensure:
- security is an integral part of information systems
- security requirements are identified and agreed upon prior to development and/or implementation
- errors, loss, or unauthorized modification or misuse of information are prevented
- safeguards are established to validate input data, internal processing, and output
- cryptography is used to protect information
- policies are established on the use of cryptography
- encryption key management is addressed in policy and procedures
- system files and source code are secured appropriately
- production data are not exposed in development and test environments
- security of software and information is maintained
- adequate safeguards exist in systems project and support environments
- risks are reduced from technical vulnerability exploitation
Information Systems Acquisition, Development, and Maintenance | EDUCAUSE/Internet2 Information Security Guide