
RECOMMENDATION V

Recommendation V:
Secure LSU’s IT infrastructure, safeguard the integrity of LSU’s information resources and the privacy of its user community and ensure the continuity of LSU’s IT infrastructure and information repositories in the face of possible disaster scenarios.

Action Items
5.01 Review the IT Security Audit & implement suggestions
5.02 Develop clear & forceful policies for data integrity
5.03 Establish specific programmatic mechanisms to ensure IT security
5.04 Develop specific mechanisms to secure servers & access to data
5.05 Conduct regular data backups
5.06 Effect the removal of social security numbers as primary identifiers
5.07 Define data administration & data access policies
5.08 Complete a disaster recovery & business continuity plan
5.09 Establish a Security Advisory Team

The security and integrity of information and of IT resources depends upon having appropriate policies. The quality of any security system can only be evaluated in terms of how well it satisfies the requirements for protection, privacy, and so forth that are defined in IT policies.

Action Item 5.01
The CIO should complete review of the recently received IT Security Audit, and develop an implementation plan to address points of concern raised by the auditors.

A central figure within the Office of the Chief Information Officer (OCIO), currently designated the OCIO IT Policy and Security Officer, should be given the authority and responsibility for developing an implementation plan for actions resulting from the IT Security Audit. This will likely include responsibility for responding to unauthorized access to the University’s information technology infrastructure, unauthorized disclosure of electronic information, and security breaches, regardless of the office involved. It will also entail specifying the technology solutions needed to manage network security and the integrity of information residing on centralized and distributed resources across the institution.

Action Item 5.02
The University should develop clear and forceful policies to address the integrity (management and protection) of information (data) and the security of IT infrastructure resources on which that information resides.

IT security is the responsibility of every user of the University’s IT resources. The development and enforcement of security policies should be done in cooperation with the various departments.
These policies will depend upon the clear articulation of institutional values, and an understanding of how the institution will make judgments when those values are in conflict.

For example, individuals have a right to personal privacy, while the institution has an obligation to keep some records of individuals’ activities and to protect itself against some actions of individuals. A key step in the formulation of policy will be the development of a shared vision of information and information technology based on the beliefs and values of the University community: academic freedom, collegiality, openness, and so forth.

Because the development of IT policies can bring the University face-to-face with fundamental issues about its values, the process will require broad support from throughout the institution and will call for leadership at the highest levels of the University. Because the implementation of IT policies involves an ongoing process of interpretation and oversight, it will need a sustained commitment of leadership, attention, staff, and resources.


Action Item 5.03
Specific programmatic mechanisms are needed to ensure IT security and the protection of information privacy.

Some details will depend in part upon the development of policy, but some aspects of security mechanisms are required for any policy to be effectively implemented. These include:

  • Audit and controls: to verify that policy is being followed and to determine whether mechanisms are working and correctly deployed.

  • Education and awareness: to ensure that parties are aware of their responsibilities and to engage everyone involved in managing and using information and IT resources as part of the University’s security plan.

  • Risk assessment: to determine the need for protection, to specify mechanisms of protection, and to help prioritize choices of protection.

The University must provide the resources to ensure network security and meet the demands of federal and state regulations.


Action Item 5.04
Specific physical mechanisms must be in place to secure servers and access to sensitive information.

While network security is important to maintaining the integrity of our data and systems, the security of our data needs to be addressed at the individual and departmental levels as well. Data must be kept safe from breaches at all levels. The Office of the CIO should immediately prepare a report on the status of physical security of the University’s information servers – with special attention to an assessment of such servers not located within the direct control of ITS. Recommendations based upon the results of this assessment should be drafted and presented to the LSU community with haste.


Action Item 5.05
Data backups should be done to ensure the continuity and the future availability of data of all sorts: administrative, academic, and research.

Beyond concerns about a disaster or catastrophic loss (as described in Action Item 5.08), there are strong concerns about the ability of the institution, especially given highly distributed forms of institutional and quasi-institutional data records, to recover from a loss of “live” production data. Aside from the back-up procedures for main institutional data, it is not clear that there is a solid regimen of frequent, periodic back-ups of individual data servers, workstations, and other valuable and important files. There certainly is no consolidated back-up service in place, nor any set policy governing protection of these information assets. Along with the security and access assessment mentioned in Action Item 5.04 above, ITS should further assess the state of the institution’s back-up and recovery of mission-critical information and supporting data sets, especially those that reside outside of ITS central systems. Recommendations based upon the results of that assessment should be drafted and presented to the LSU community with haste.


Action Item 5.06
A plan should be developed and implemented to effect the removal of the social security number as the primary personal identifier in University information systems.

The rise in identity theft and the arrival of new legislation make it imperative that measures be taken to protect data and information, so as to reduce the risk of the University inadvertently contributing to the problem. The use of an immutable identifier such as the social security number in combination with a name creates just such a risk for the University: the number cannot be reissued if it is exposed, and it is the same number used by banks, employers, and government agencies. Immutable identifiers that are not under the control of the University should not be used as primary identifiers, or keys, in any University information systems.
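The following is an added illustration of what Action Item 5.06 asks for at the database level; it is example code, not part of the FITS document or of any LSU system. It assumes hypothetical table names (students_legacy, enrollments_legacy, person, person_ssn, enrollments) and constructed sample rows with placeholder numbers. The “before” schema uses the SSN as primary key and join key; the migration issues a University-controlled surrogate (lsu_id), re-keys every dependent table through it, and leaves the SSN in exactly one restricted lookup table that nothing else references. An audit helper then confirms which tables still carry an ssn column.

```python
"""Added example (not from the FITS document): replace the SSN as a primary key
with a University-issued surrogate identifier. All names are hypothetical."""
import sqlite3

# Constructed sample data with placeholder numbers; not real people.
LEGACY_STUDENTS = [
    ("987-65-4320", "A. Student", "astudent@example.edu"),
    ("987-65-4321", "B. Student", "bstudent@example.edu"),
]
LEGACY_ENROLLMENTS = [
    ("987-65-4320", "CSC 4103"),
    ("987-65-4320", "MATH 4020"),
    ("987-65-4321", "CSC 4103"),
]


def build_legacy(conn):
    """'Before' schema: the SSN is the primary key and the join key everywhere."""
    conn.executescript("""
        CREATE TABLE students_legacy (
            ssn   TEXT PRIMARY KEY,
            name  TEXT NOT NULL,
            email TEXT NOT NULL
        );
        CREATE TABLE enrollments_legacy (
            ssn    TEXT NOT NULL REFERENCES students_legacy(ssn),
            course TEXT NOT NULL,
            PRIMARY KEY (ssn, course)
        );
    """)
    conn.executemany("INSERT INTO students_legacy VALUES (?,?,?)", LEGACY_STUDENTS)
    conn.executemany("INSERT INTO enrollments_legacy VALUES (?,?)", LEGACY_ENROLLMENTS)


def migrate(conn):
    """'After' schema: lsu_id (issued by the University, reissuable) is the key.
    The SSN survives only in person_ssn, a restricted table no other table joins to."""
    conn.executescript("""
        CREATE TABLE person (
            lsu_id INTEGER PRIMARY KEY,
            name   TEXT NOT NULL,
            email  TEXT NOT NULL
        );
        CREATE TABLE person_ssn (
            lsu_id INTEGER PRIMARY KEY REFERENCES person(lsu_id),
            ssn    TEXT NOT NULL UNIQUE
        );
        CREATE TABLE enrollments (
            lsu_id INTEGER NOT NULL REFERENCES person(lsu_id),
            course TEXT NOT NULL,
            PRIMARY KEY (lsu_id, course)
        );
    """)
    # Issue one lsu_id per legacy person; the SSN->lsu_id map exists only during migration.
    ssn_to_id = {}
    for ssn, name, email in conn.execute(
            "SELECT ssn, name, email FROM students_legacy").fetchall():
        cur = conn.execute("INSERT INTO person (name, email) VALUES (?, ?)", (name, email))
        ssn_to_id[ssn] = cur.lastrowid
        conn.execute("INSERT INTO person_ssn VALUES (?, ?)", (cur.lastrowid, ssn))
    # Re-key every dependent table through the map, then retire the SSN-keyed tables.
    for ssn, course in conn.execute(
            "SELECT ssn, course FROM enrollments_legacy").fetchall():
        conn.execute("INSERT INTO enrollments VALUES (?, ?)", (ssn_to_id[ssn], course))
    conn.executescript("DROP TABLE enrollments_legacy; DROP TABLE students_legacy;")
    return ssn_to_id


def tables_with_column(conn, column):
    """Audit check: list the tables that still carry the named column."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    return sorted(t for t in names
                  if any(col[1] == column
                         for col in conn.execute(f'PRAGMA table_info("{t}")')))


def enrollments_by_ssn(conn):
    """Verification only: rebuild (ssn, course) pairs through the restricted table."""
    rows = conn.execute("""
        SELECT s.ssn, e.course FROM enrollments e
        JOIN person_ssn s ON s.lsu_id = e.lsu_id
        ORDER BY s.ssn, e.course
    """).fetchall()
    return [tuple(r) for r in rows]


def run():
    """Build the legacy schema, migrate it, and report before/after audit results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    build_legacy(conn)
    before = tables_with_column(conn, "ssn")
    mapping = migrate(conn)
    after = tables_with_column(conn, "ssn")
    return before, after, mapping, enrollments_by_ssn(conn)


if __name__ == "__main__":
    print(run())
```

In a real system the restricted table would also get its own access controls and audit logging, and the surrogate would be issued by an identity service rather than an autoincrement column; the schema shape, one key the University controls and one quarantined place for the SSN, is the point of the item.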

Action Item 5.07
The CIO should convene a Committee on Institutional Data and conduct regular meetings with the goal of defining data administration and access policies for institutional data.

The Family Educational Rights & Privacy Act (FERPA) has long been used by the Registrar and UIS as a guide for the protection and security of data and information maintained by the University. The University Registrar has done exemplary service in leading these efforts for more than 30 years. With the addition of new legislation such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and, at the state level, SB 205, known as the “Database Security Breach Notification Law,” the security of information has become much broader than the protection of student information and requires the involvement of units that manage the many different types of data now covered by these additional pieces of legislation.


Action Item 5.08
ITS should complete an IT disaster recovery and business continuity plan with input from the LSU community and support from senior-level management at the University.

As at no other time in our history, the events of 2005 in Louisiana demonstrated the need for an effective plan to continue University operations in the event of a major disaster. We must learn from the experience of our University colleagues in New Orleans. We learned that information technology truly is a strategic asset of the institution, and that loss of the IT environment, services, and data can cripple an institution. Therefore, ITS must be prepared to recover critical services so that LSU can continue to function in the aftermath of a disaster, whether that disaster is limited to the data center, affects the campus, or impacts the Baton Rouge region more broadly. Funding will determine to what level and in what time frame recovery will be possible. Funding for disaster recovery should be prudent, but in line with both the extent of the risk and the expectations of the LSU administration and the campus community.

The plan should provide for:

  • Revisions to existing processes and procedures with regard to data management and data center operations;

  • A “lifeboat” strategy to provide IT support for the University in the event that temporary evacuation of the campus is required as a result of a city-wide or regional disaster; and

  • Increasing levels of recovery based on priorities for restoring key services and infrastructure. The disaster recovery plan for IT should be developed and then tested.

Data back-up sites for disaster recovery and business continuity should be located in areas not likely to suffer the same impacts as the LSU campus (e.g., hurricanes). Disaster recovery planning and the assessment of risks and priorities should include both centrally-managed systems and distributed systems maintained on the campus or in various departments.


Action Item 5.09
The IT Policy and Security Officer should establish a Security Advisory Team composed of departmental staff from a variety of academic and administrative units.

Security is a shared responsibility that requires diligence from all parties involved. Communication is a critical element of the extensive coordination required to maintain a successful security program. Establishing a Security Advisory Team will not only support the implementation of security policies but also provide additional, objective input for security plans and actions. Establishing such a team will demonstrate ITS's interest in engaging expertise from the campus community beyond the ITS organization, and security will become a leading issue in establishing relationships between ITS and other units on campus.
