Information technology systems process large quantities of university data. These systems – which include computers, networking equipment, mobile devices, storage media, and other IT components – must be managed so as to protect information. The goal is to provide a robust, reliable, and secure IT infrastructure that lends itself to information protection. Meeting this goal requires implementing safeguards, including policies, standards, and procedures that guide how systems are operated and how the institution processes information.
Safeguards for Domain 7, Communications & Operations Management
Assessing security and privacy risks
Written operating procedures should be developed to ensure the correct, consistent, and secure functioning of systems, particularly for systems that are critical to the well-being of the institution. Supplemental standards and procedures should also be established that guide the selection of system safeguards and assign responsibility for the system and its components.
University Information Technology Services (UITS), Enterprise Infrastructure Division, manages the university-wide infrastructure for technology services and software applications.
UITS Data Center Operations support IU network infrastructure, information systems, and research computing clusters through power, backup power, generator, and cooling infrastructure.
The UITS Data Center Standards outline Indiana University Data Center guidelines and standards, including equipment installations, data center access, and operational procedures.
An overview of security measures taken at the Data Center is outlined in UITS Data Center Security.
UITS Change Management Process outlines the process of communicating, coordinating, scheduling, and monitoring change to UITS resources. The main goal of UITS Change Management is to ensure the appropriate communication of change events, but it also provides a process that protects UITS from changes that are potentially disruptive, in conflict, or of unacceptable risk.
Third-party service delivery management
The university enters into many agreements with third parties who process information or perform services on behalf of the institution. These agreements, particularly those that involve critical or sensitive information, must be managed appropriately. Sometimes, including appropriate language in the third-party agreement/contract is adequate to satisfy due diligence expectations. However, there are instances - particularly when the data is extremely critical or sensitive, or when there have been extenuating circumstances with a specific third party - where the university will take a more proactive approach to monitoring or evaluating the third party to ensure compliance with our data protection requirements. Because of the resource requirements for such a hands-on approach, this type of oversight will be rare.
Safeguards for third party service delivery management are outlined in the "External Parties" section of Domain 3: Organization, and the "Third Party Vendors" sections of Domain 5: Human Resources.
A third party security and privacy assessment procedure is coordinated by Purchasing, the University Information Security Office, and the Committee of Data Stewards.
System planning and acceptance
A key factor in ensuring the availability of systems is to make certain they have adequate capacity to perform the task at hand. If systems are underpowered or undersized, performance suffers, which impacts the university's efficiency. Planning and testing should be performed to determine if the system has adequate resources before it is deployed and while it is in use. Projections should be performed to guide future system enhancements.
UITS Intelligent Infrastructure offers centralized, virtual systems which supply the infrastructure and network capacity necessary to host applications, while optional disk storage on UITS enterprise-class SANs (storage area networks) ensures files are extremely secure and always available.
Protection against malicious software
Software is at the heart of all information technology systems. Its sole purpose is to manipulate data that is processed by the thousands of hardware (i.e., physical) devices that are deployed throughout the university. Unfortunately, miscreants are hard at work developing software to be used for malicious purposes. Since software has access to most - if not all - sensitive information used by the university, we must implement safeguards that can help prevent, detect, and remove malicious software.
IUware Online offers a wide variety of security software for no charge to IU faculty, staff, and students, including:
- Microsoft Baseline Security Analyzer
- Microsoft Security Essentials
- How can I have my IU-networked computer scanned for security vulnerabilities? | IU Knowledge Base
Back-up
Systems must be managed appropriately to ensure continued availability of information. Information can be damaged or rendered unavailable through a number of means, including storage device failure, malicious software, or accidental deletions and modifications. Extra copies, or backups, of the information should be made in the event that information is lost or damaged and needs to be restored. Appropriate safeguards must be established to document, implement, and test the backup process as well as protect the information stored on the backup media.
- At IU, what is UITS Data Center Operations? | IU Knowledge Base
- UISO Article: Off Site Backups
Network security management
Information transmitted across the university network and the Internet must be adequately protected to avoid data corruption, manipulation, or interception. In addition to processing institutional data in the traditional sense, data networks are increasingly being used for voice and video conversations. Furthermore, while not initially designed as such, the university's data network is being used for patient care, personal safety, and other critical services. Therefore, the university network, including its related networking systems and services, must be appropriately managed and controlled.
Media handling
Electronic and printed media that contain institutional data must be handled appropriately. This is particularly true for removable and portable media (e.g., "thumb" drives, CDs, tapes, cell phones, printed reports, etc.) as the risk of loss or theft is higher. Appropriate safeguards should be established that not only protect the media, but also guide how the media is shared during its useful life and disposed of once it is no longer needed. The number and rigor of these safeguards should be based on the sensitivity level of the information contained on the media.
Media that contain sensitive data pose a high risk because they can be lost or stolen. Be sure to review Protecting Data and Securely Removing Data for how to appropriately secure media.
See Domain 6: Physical and Environmental Security, section on Equipment Security, Disposal and Redistribution for information on securely removing data, protecting data in copiers and multifunction devices, and other related topics.
Encryption is a key safeguard used to protect data on electronic media:
- What is BitLocker? | IU Knowledge Base
Electronic commerce services
The university is comprised of many business, service, and entertainment units that perform buying and selling on a daily basis. In many cases, industry standards - such as the Payment Card Industry Data Security Standards (PCI-DSS) - place significant requirements on how these activities may be performed. The systems that support this commerce must be managed to limit the financial liability placed upon the institution and to ensure adequate routing and approvals are obtained. This is particularly true for those transactions that reflect substantial purchases or sales.
Monitoring
The ability to detect unauthorized system activities and other threatening events is important to promote the security and privacy of information. Systems that provide critical services or process information must have appropriate auditing procedures in place to protect the system. Established privacy policies must be adhered to when establishing these auditing and monitoring safeguards to ensure they align with the university's philosophies and values.
Some types of data, including those involved in Electronic Commerce Services, are required to be monitored for unauthorized system activities and other threatening events.
Be aware that monitoring can introduce certain privacy harms; learn how to address these by applying privacy principles. Study the IU privacy policies to ensure you are not violating privacy policy at IU, prior to commencing a monitoring project. A few privacy resources are highlighted here:
Summary of domain objectives
The primary objectives of this domain are to ensure:
- correct and secure operation of systems
- responsibilities and procedures for management and operation of systems are established
- segregation of duties, where appropriate, is implemented
- development, test, and production environments are separated
- appropriate information security and service delivery in line with contractual agreements
- risk of system failures is minimized
- availability of adequate capacity to deliver required system performance
- current and future system resource requirements (capacity) are planned and documented
- integrity of software and information
- safeguards are implemented to prevent, detect, and remove malicious code
- integrity and availability of information and information technology are maintained
- backup policy and procedures are documented, implemented, and tested
- protection of information transmitted in networks
- protection of information technology components in the network
- unauthorized disclosure, modification, removal, or destruction of assets is prevented
- interruption of mission and business activities is prevented
- media are controlled and physically protected
- operating procedures are established to protect information
- security of information and software exchanged within the university and with external entities, including information and physical media
- information exchanges are based on formal exchange policy and exchange agreements, and are compliant with legal requirements
- security of information and physical media during exchanges
- security of electronic commerce services
- unauthorized information processing activities are detected
- systems are monitored and recorded
- the effectiveness of controls is checked and conformity to access policy is verified