Understanding Information Security Problems and Measures in Universities - Research Paper Example

 Introduction: Considering the increasing level of risks prevailing within organizations and the corporate world, the need for efficient security can be realized in regard to the protection of the assets as well as information in different organizations. Management of such organizations thus makes sincere efforts to determine the risks that might impact the organizational security and performance as a whole. This requires building of proper strategy and taking effective measures for the prevention of the anticipated risks. Management of organizational risks through effective measures of risks also facilitates a company’s positive profits of margin. The importance of the security industry has thus been increasing providing protective measures to assets as well as information of an organization (Vellani, 2007, p.2). Effective management of security is more essential for the protection of information since information systems are at risk to threats. Such risks might occur as a result of some destruction caused to the information or the systems. Organizational employees might also be responsible and information could be hampered by some errors in their actions. Threats have the capability to lead to risks of security and if not managed or controlled, can damage the assets or information creating losses for an organization (Vacca, 2010, p.6). Thus in the present times, in regard to the factors of risks prevailing in organizations against assets and information, the significance of effective security measures can be realized. The industry working to provide the measures of security is also highly demanding as a result of the need for security. The present study focuses on the North Carolina Agricultural and Technical State University Information Security Plan, and makes a critical analysis to understand how much the plan proves to be effective in its measures. North Carolina Agricultural and Technical State University Information Security Plan: If the information security plan for the North Carolina Agricultural and Technical State University is considered, it can be observed that the university has very well made arrangements for the protection of the information and data of the students, faculty as well as the other staff members of the university. For the purpose, responsibilities are distributed across the different departments. As the plan suggests, the users, the administrators, the owners of the information and the network security have their duties mentioned in the plan (North Carolina Agricultural and Technical State University Information Security Plan, 2008, pp.1-4). Some of the basic responsibilities that are mentioned in the plan for the members of the university include maintaining confidentiality of the information, keeping passwords that are strong enough and not easily detectable, changing passwords at a regular interval for the purpose of safety, reporting any kind of fault realized to the concerned authority, not misusing the information of the university, keeping backups of the data on which the user is working, as well as accommodating with the rules and policies of security considered by the federal, state or the university systems. The security plan also involves planning for strategies such that the university management is capable of handling cases of threats occurring in the information system. The legal rules and the principles of ethics in relation to the safeguard of the information are also clearly mentioned and made understood to the users. Users are even provided with training measures such that they can follow the rules and methods effectively (North Carolina Agricultural and Technical State University Information Security Plan, 2008, pp.1-3). The network security of the organization has responsibilities for maintaining the security of all the information that are in connection with the network. This includes proper registration of all devices or machines used for working on different information. Also, the operating systems are considered to be the latest ones. Antivirus software is incorporated in the systems and before the machines or any information system is used, the security plan ensures the approval of the information technology department. The security plan of the university has detection processes that are capable of detecting any kind of disturbances occurring in the overall system based on which the management can undertake the necessary preventive and protective measures. The plan also includes informing The Department of IT Security & Audit in case of occurrence of any incident that needs to be handled through suitable measures (North Carolina Agricultural and Technical State University Information Security Plan, 2008, pp.3-4). Taking in to consideration the competitive world and the increasing problems of hacking and cyber attacks, it is necessary that any plan objected towards security measures needs to be assessed and updated as per the growing needs of the organization. This can be done on an annual basis or as and when required. Thus a policy of revision can prove to be highly significant in the context of following an updated policy of security for the protection of information and data within an organization (Hostland et al, 2010, p.11). A review process would enable management of an organization to realize the required changes in the process depending on the latest security condition. Since changes continuously occur in the internal as well as in the external system, hence remaining updated in these respects is significantly important and beneficial for an organization. Understanding Information Security Problems and Measures in Universities: The issue of security has no association in particular with the information technology or information systems. Rather, security is a separate function of every organization including universities that include the protection of all essential information and data associated with the organization. Primarily the security issues arise as a concerned step against the cyber attacks that include spam, hacking, or theft of data. The security measures against such activities are the responsibility of the main IT department of an organization. However each and every system might not be under the control of the central system and thus individual systems need to have their protective policies. Generally the lack of such needed security arises owing to the authority of an organization not being enough responsible in taking the appropriate measures of information security. The primary responsibility being that of the main department of IT’s, the individual roles of the personnel, the staffs, and the users often seem to be lacking (Anderson, 2011). Organizations need to reduce the factors of risk since risks or threats particularly in relation to information or data, tend to destroy information completely and create huge losses to the organization. Thus information risk management is significant for every organization. Information systems might encounter risks from physical damage, interaction between personnel, malfunctioning of the machines, cyber attacks that may be internal or external to the system, misuse of information, loss of data, and occurrence of error in applying any process. If proper risk management and security systems are available in an organization, the threats might be detected before they occur, and thus preventive measures can be taken by the management authority to protect all necessary data and information (Vacca, 2010, p.11). In organizations like universities, privacy policies are highly significant that take care of the privacy of information about the students, their names, addresses, contact numbers, login identities of their personal networks, and other associated data. Several reasons have been obtained owing to which the cyber attacks occur in universities. University students tend to use the numbers of social security as their identity numbers. They download music, videos and other entertainment files that may not be safe for the security function of the machine. Databases found in universities generally include information that is personal to a student or other staff members. Moreover access to such information occurs almost all the time increasing the factor of risks and threats. The manner in which the information systems are used in universities, make them more vulnerable to the cyber attacks (Anderson, 2011). Thus realizing the kind of information being used and stored in the information systems and machines in universities, it can be realized that such systems require protection in order to protect the information and prevent misuse of the data by hackers or any other person causing damage to the system as a whole. This not only implies that universities require to incorporate security measures in their systems, but it also means that the organizational members which in case of a university would involve the students, the faculty and the other staff members, need to take a responsible role in maintaining their privacy at the utmost level possible. If the members are themselves ignorant of the security measures and the policies that they are supposed to follow, then it becomes more difficult for the authority to prevent such cyber attacks and destruction of information. Users need to be strict in regard to their following the security plans that their institute or organization prepares. Analysis of the Security Plan of the North Carolina Agricultural and Technical State University: The security plan of the North Carolina Agricultural and Technical State University as has been already studied and mentioned earlier in the report, reflects that the plan has considered the significant facts and requirements for the protection of the information. It can be understood that a university needs to have sincere measures towards the safeguard of the electronic information. The security goals of the university need to be focused towards complying with the security policies, rules and laws, to be dedicated in performing the individual responsibilities, to have controlling measures over the use and share of information, to be able to manage situations of crisis without hampering the progress of any work, to guarantee the safeguard of personal data, to conform with the required standards of information security and thus employ an effective security strategy for protection of information (Hostland et al, 2010, p.10). Thus Hostland et al presented a study that reflects on the appropriate security measures for an organization. This clearly applies to the universities as well, that require similar security with respect to their protection of information and working data. University students, faculty and the staff members not only access the information systems within the university for academic purposes, but the systems are also used for personal purposes as well. Thus the security or the protection measures seem to be essential for both preventing cyber attacks on the professional as well as personal information. While students may be using their personal data for sharing or for other purposes, their personal details in relation to name, address, contacts, other identifications, passwords, may be hacked if the information security systems are not efficient for the particular machine or system being in use. The management of the information security proves to be significant in this respect since without an efficient management process the success of an information security system would not be possible. In the case of North Carolina Agricultural and Technical State University, a factor that has been significantly taken into consideration of the security plan is the involvement of all the members in association with the university, in performing their responsibilities to make the security applications possible on the huge databases and information of the university members. If the responsibility of the users is considered, the university has very carefully included measures that would facilitate the security of the information. The rules for the users complying with the laws of the state and the university, as well as their responsibilities to conform to the security measures (North Carolina Agricultural and Technical State University Information Security Plan, 2008, p.1) can be understood to have positive impacts on the university. However, one measure that the university might incorporate in their process is to properly train the users such that they are clear in their minds regarding the needs of the security systems. If they understand the needs themselves, it would become easier for them to follow the rules. Although such training measures are applied in the university, they would prove to be more effective if controlling measures are accompanied along with the processes. If the responsibilities of the administrators are taken into consideration, all the responsibilities including compliance with the laws, maintaining confidentiality of information, making data available and reliable, create appropriate strategies for handling cases of risks or threats (North Carolina Agricultural and Technical State University Information Security Plan, 2008, p.2) create strong reflections of the management of the authority of the university in the security processes of information. However, in this context, it also seems necessary to have a monitoring and control process to have a check as to whether the administrators are performing their responsibilities sincerely or lacking in it. Such a controlling measure might be able to make the management of the information security process more efficient since most cases of cyber attacks occur owing to the lack of the proper security measures being adopted and regulated by the individual machines which might be the responsibility of the individual personnel. A controlling measure would also help to detect if any changes are required in the existing security system and the management can decide steps accordingly. As far as the responsibilities of the data owners are concerned for the university, it can be obtained that they play a major role in the decision making process of the security systems. They are in charge of making the users know about the legal issues, and related principles, and following all duties regarding the allowance or rejection for access to different available information. Their responsibilities also involve separation and distribution of duties to the different members for the purpose of the security management. The training of the users is also conducted by these personnel (North Carolina Agricultural and Technical State University Information Security Plan, 2008, p.3). These responsibilities of the data owners as included in the security plan can be realized to have significant positive impacts on the university’s security system. If the mentioned rules of the plan are efficiently and effectively performed by the data owners, then the security of information within the university can be managed to a great extent. Also, the plan of the university in regard to the justifiable usage of the users who have the required authority seems to be effectively administered towards the process of security. The process of correct registrations, approvals, configurations and protections of the different machines and information systems are strictly included in the security plan of the university. The concerns for the inclusion of the firewall and other anti-virus systems within the machines, and the opportunity for the users to report immediately to the concerned authority in cases of emergencies (North Carolina Agricultural and Technical State University Information Security Plan, 2008, pp.3-4) prove that the security plan for the university has taken into consideration the major factors required for an enhanced security system. The overall information security plan of the university thus reflects a picture of a secured and managed authority of the organization towards the prevention and protection of information and data in the university. Another major factor that the university needs to focus and keep incorporated in its security plan is a review process of the plan at a certain interval of time. As already mentioned earlier in the report, such a review process would enable the university to realize the differences between the currently required policy of security and the existing policy. If a difference is observed, the management of the university can immediately make the necessary improvements and revise the entire security plan for the betterment of the organization. A revision policy would not only keep the university updated but would also ensure that the team of management includes new measures and systems of security in their policy and plan for better and improvised ways of information security. The overall security plan of the university proves to be focused towards an enhanced information security system. If the few factors as mentioned above are also maintained along with the plan, it can be realized that the university and its authority would prove to have an efficient information security management. However, the most important factor is that the members of the university including the students, the faculty, or the other staff members need to perform their roles sincerely with utmost responsibility and sincerity such that the management of information security can be considered and prove to be a success thus protecting the university’s information and data from any kind of destruction or loss. Conclusion: The increasing competition in the world having its impacts on all organizations as well as in universities, there is a greater need that such organizations keep themselves updated in all respects. The context of information security and its management is highly significant since the rates of cyber attacks and activities like hacking and spam are ever increasing. Safeguard measures involving anti-virus software and other protective measures are therefore made available for the protection of information and prevent loss of data. The above reflected study was based on the security plan of the North Carolina Agricultural and Technical State University that presents an enhanced plan towards the security of information within the university. The responsibilities of the different members of the university have been clearly mentioned in the plan and are focused towards a successful implementation of the plan. If proper reviewing and monitoring policies are considered and the individual members consider their responsibilities sincerely, then the university can be expected to efficiently manage their information security and protect their data and preventing any losses from cyber attacks to their university. References 1) Anderson, A. (2011), Effective Management of Information Security and Privacy, educause, Retrieved on December 10, 2011 from: http://www.educause.edu/EDUCAUSE+Quarterly/EDUCAUSEQuarterlyMagazineVolum/EffectiveManagementofInformati/157387 2) Hostland et al (2010), Information Security Policy, terena, Retrieved on December 10, 2011 from: http://www.terena.org/activities/campus-bp/pdf/gn3-na3-t4-ufs126.pdf 3) North Carolina Agricultural and Technical State University Information Security Plan (2008), ncat, Retrieved on December 10, 2011 from: http://doit.ncat.edu/images/files/securityplan.pdf 4) Vacca, J.R. (2010). Managing Information Security, Maryland Heights: Syngress 5) Vellani, K.H. (2007). Strategic security management: a risk assessment guide for decision makers, Oxford: Butterworth-Heinemann Read More