Information Security Governance - Blackboard Inc - Assignment Example

Information Security Governance: a. Background Information about Blackboard Inc. Blackboard Inc. is known as the leading E-learning services and products in more than seventy countries of world. Its main offices are located in Netherland, and USA. Company has more than 2400 clients in all over the world. There are about 12 million current users of company’s services. Learning system of company is modeled in 11 languages. Blackboard’ success lies in connection with students, parents and teachers to perform their tasks. Blackboard has a team of software development for creation of the online programs. Post secondary, K-12, elementary and secondary education is the primary market of Blackboard in USA. A content management system enabled by the company is to create and manage the course contents in a digital format (Hoovers Inc., 2015). Its services pertain to students’ safety from mobile applications and IP video scrutiny. New established enterprises’ practices are affected by the Data security standards, PATRIOT acts and Sarbanes-Oxley act etc. Learning and teaching platform services are provided to make the successful implementation. Both, platform training and pedagogical training are given to increase the team effectiveness and capabilities respectively. Clients can access the enterprise services through mobile applications. Company connects the instructors, students and staff for key services anywhere and anytime. b. Information security setup in Blackboard Inc. Security has been the special asset of the company such as the Blackboard (Hoffman, 2011). Company provides the platform to its users by integrating the learning management capabilities and course with the security, student information and authentication protocols. Academic Suite of Blackboard has been noted in the WCET EduTools that has an option of encryption of entire user’s session through the SSL. Due to more options and flexibility in respect of security, potential clients are attracted. Blackboard is compatible with both outbound and inbound authentications that enables for a rich interaction with the external applications. In respect of all these measures, Blackboard Inc. system has option for accessing the system, where client can find the option to reset the forgotten passwords and other security related settings. Blackboard SP 9 is developed to fix the security issues of forgery prevention from cross site request and features of privacy-centric, protection of link injection and Cookies disclosure. Building block of Cookie disclosure gives prior consent of client for data collection and extent and nature of the data collection (Mora et al., 2014). c. Information security problem facing the Company Students raised the information security concerns. Even they access the Blackboard through putting a password; hackers might be able to enter the system without any authorization. Information overload issue is faced by many students because professors’ identification is not ensured when they post the information. Vulnerability that could allow the students to make changes in their grades and download the future assignments. It has been reported that phishing emails come from the Blackboard to its clients. This issue has been recently reported with a high severity. Although, no product has been affected by these phishing emails but users’ emails are continuously targeted. Web portal system of Blackboard has significant impacts of cost and waste the bandwidth when contents are downloaded or viewed (Bradford et al., 2007). d. Four Relevant Questions 1. What are the security holes for hackers to access the LMS; how they can be overcome by the Chief Security Officer of Blackboard Inc? 2. Describe the relationship between business/IT Alignment and IT Governance in Blackboard? 3. Do stakeholders of the Blackboard LMS suffer information security concerns from various versions released of company? How they can avoid any loss caused by incorrect installation of a Blackboard version? 4. How cost and bandwidth wastage can be controlled when accessing the contents from Blackboard LMS. Answers to Questions e. Answer 1 Security flaws have been reported by the Australian research company called as Securus in the Blackboard Inc LMS. According to a report, the online system used for classrooms contained flaws when criminals accessed the system to steal the confidential information. In these situations, university administrators did not confess the occurrence of any security breaches. Blackboard recognized that security holes existed that resulted into alter of customers on September 21, 2011. However, hackers could not access the login and privileged information. University officials were not concerned about the information security threats for future. Some of the academic institutes install the software patches when available to prevent the hackers’ attack on the system. Security awareness is also intensified by using the prevention techniques. It must be checked that whether any agent program is installed and entry of DDoS agent on the system traffic must be observed. Therefore, anti-Trojan and antivirus software must be installed and updated regularly on the system. Security is kept up to date to protect the system from entry of malicious code insertion in the network (EC-COUCIL, 2010). In order to attain the organizational goals, Chief Security Officer must ensure the security of personnel and equipments. The CIO sets out the plans and wide policies to acquire and manage the information systems. CIO in Blackboard Inc. can take decisions to align the functions of company to its business partners. Information is the major source of company Blackboard and CIO needs both business and technical skills (Stair & Reynolds, 2012). CIO is importantly called the facilitator of the information security. After, risks from hackers are identified in the Blackboard Inc. CIO should obtain the risks’ impacts. Without the model of security governance, it is not clear that who is supposed for risk acceptance. CIO needs to build the strategy for information security to meet the business requirements and develop the managerial and technical controls against the hackers’ risks. External risks to Blackboard LMS include as malicious code, unauthorized access, information probing, service disruption, misuse of services, espionage and hoaxes. All these vulnerabilities are directly or indirectly related with hackers’ activities. In order to control and prevent the external risks from Blackboard LMS, the CIO of service using company should consider the following measures. 1. Firewall device must be used for monitoring and restricting the external attacks. Firewall services are modified to stop the information, attacks and viruses from external sources. 2. Intrusion detection and Prevention system is also used for identifying any attack if it occurs there on the system. Although, it does not stop the attack but creates the alert for users. Shortcomings of intrusion system have been met in the intrusion prevention system. It stops or prevents the attack occurring from external sources. 3. Server Hardening: Server house the main programs, files and software installed. When an attack passes through firewall and not identified by intrusion system and prevented by intrusion prevention system, at this point server hardening works. Server hardening means the update of all protocols and patches that stop any external attack (Bidgoli, 2006). Security Planning: Potential, tactical and strategic plans are connected together and each type of plan provides the varying focus towards the security enhancement for the Blackboard Inc. Appropriate planning by CIO is made on the projects with respect to whether short term or long term goals are met or not. CIO role also exists in the following given form. Developing the appropriate structure of Blackboard that is appropriate towards the business’ needs. Operating procedures, departmental objectives and goals must be established. Because new investment increases for Blackboard, and CIO needs to communicate and assess the risks related with the new investments. Business continuity and disaster recovery plan must be developed and executed for Blackboard Inc LMS. Re-engineering of information technology must be assessed with new recommendations of improvements. CIO may leverage the COBIT for assessment of the IT processes in Blackboard including problem management, change management and software development life cycle (SDLC). Management of infrastructure groups and internally function performed for security are complicated operations (ISACA, 2015). External and internal hackers require the network access to perform their illegal activities. Hackers send the spam emails that entice the users to provide the confidential information about username and password. Sometimes users are encouraged to see the bait websites that contain the infected programs. CIO can use a set of tools for controlling and monitoring the activities on the network such as the intrusion and detection system. These tools or piece of software will monitors the log activities performed from users and report the activity, which does not conform to standards and procedures set by the software. If such activity is found then system activates its response to track back a real source of this breach. System administrator must initiate the security procedures before any such incident occurs (Vacca, 2013). Customers’ information protection is ensured through a feedback system, and all vulnerabilities are confidentially and responsibly intimated to investigate and respond the every vulnerability. Because of diverse software and hardware configurations, applications are connected to a third party. Software modifications are done through the analysis, before these are implemented across the different versions of products. Blackboard applications should run efficiently in testing facilities as well as customers’ environments. On client side, data security is also ensured through prompt and scheduled software updates (Blackboard Inc, 2015). f. Answer 2 Aims behind implementation of IT governance are to attain the better alignment between information technology and business of company Blackboard Inc. This question ultimately defines that how the IT governance implementation in its structure, relational mechanisms and processes enables the IT business alignment for Blackboard Inc. Concept of Business alignment with IT strategy has been a complex topic, because several studies and publication are aimed to unravel the topic. Balanced approach for managing the IT strategies, business strategies and IT processes is applied. Alignment with the business strategies and IT processes can enable the company to drive and achieve the change. Examining the association between alignment and IT governance, potential antecedents for alignment are required (Haes & Grembergen, 2009). In current era of technology, IT and business have been closely related and share the complementary approaches and provide the continuous and improved insight to the company. However, gap between alignment of business and IT exists due to allocation of insufficient resources. Maximizing the business value of Blackboard Inc. requires the more investment in IT portfolio management. Business management that owns the separately or joint with other parties make decisions in selecting the investment for the IT portfolio that can bring the changes. Business managers in Blackboard must acquire the requisite skills, training and experience in respect of the organization. Business managers have the cursory knowledge about the information technology. Information technology managers will have to become more strategic in order to work at a high level in the organization in execution of strategic plans and corporate business. Alignment of IT and business must be ensured throughout the entire life cycle to develop the strategic and business plans. Strategic plans and business must derive input from IT to leverage the opportunities and assess the risks and dependencies related with the information technology. High level of alignment between business and IT, CIO of company should communicate to higher management to assimilate the new technologies. It will improve the outcomes from incorporation of new technologies (Kuruzovich et al., 2012). In an article, Larsen (2014) focused on talking about strategic alignment and leadership, but practically a huge difference existed. Blackboard Company was called an organization that has profound difference. Blackboard Inc. as a provider of online education is also using the subset of COBIT to provide the framework to manage the WebCT merger that is another entity in marketplace of e-education. Both ISO and COBIT are used as reference frameworks for information security governance. The COBIT addresses the information security issues. COBIT has 34 processes and each process in further divided in a set of the detailed control objectives (DCOs). If all processes are handled properly, then good IT governance results from COBIT. Since IT solutions are integrated into business processes, but COBIT’s applications vary on the infrastructure complexities and existing system of Blackboard (Mora et al., 2014). g. Answer 3 Learning Management System of Company has a course management and virtual learning system. Company has the platform of web-based server that contains the course management and scalable design for integration of students’ information system as well as authentication protocols. There have been several iterations since the development of learning management system. However, company’s LMS and other products have challenges for stakeholders as given in the following. Increased usage level of clients requires the appropriate scalability and maintenance. Uninterrupted and seamless migration paths Although, LMS created many advantages for users but it contained the concerns for stakeholders. Success of LMS is highly dependent upon the stakeholders’ identification and involvement in the system. A LMS becomes outdated due to advancement and technology changes. Routine updates are required to secure the system and provide services that need the downtime for its maintenance. The LMS remains off during the downtime, students and instructors cannot access the services. The system will require the services of trained people to address the information security concerns of stakeholders (Squillante et al., 2014). Cloud version of Blackboard LMS has been launched in summer 2014. Software-as-a-Service (SaaS) for new version of LMS has features of managed hosting and on-premise editions. LMS new offerings are cloud-based. Institutions using the Blackboard’s new cloud services have different requirements. Blackboard Inc. LMS helps the modes of services delivery, because SaaS also gives options of working in the hosting environment. Blackboard administration claimed that a new service of SaaS model gives the automatic updates (Schaffhauser, 2014). In a survey of 720 faculty, students and staff about the Blackboard, it was found that Blackboard system was harder to learn. Majority of faculty members found that course management was the inflexible and time-consuming. Majority of students were not found proficient with the use of new technology. Older students were found to be non-experienced with the new technology as compared to the resident students. However, troubleshooting the issues of users is not focused too much in the Blackboard system. Initial version released in year 2001 was found to be compatible to only Microsoft servers and users of other than Microsoft server were confused about the services. Many critics have commented on the Blackboard’ programs and applications developed for particular operating systems. Most of critics of Blackboard’s web portal services say that mobilized technology is advantageous than traditional usage of technology. Open source technologies are also offering good services to customers. A record expense has been taken from colleges and universities using the Blackboard LMS. Initial subscription charges of Blackboard LMS are low but increase as a user integrates more functions to the Blackboard LMS. These causes have produced various drawbacks for faculty members, students and staff members from academic institutions (Bradford et al., 2007). There is an urgent transition of Flagship learning management system to single instance of Cloud. Every client on the same application and same version is a hard task for Blackboard, but necessary for a viable forward development. Dual advantage exists in the native cloud applications, but management of changes and updates are the serious headaches. All development and research sources should be devoted to the latest outcomes. In order to support the legacy applications on varying local servers and their infrastructures means that sources can be deployed for client care and product development. Thus a clear roadmap is required of migration of customers and technology to the cloud (Kim, 2012). Another issue that most of users of company’s LMS have informed is the slow connectivity of the LMS. However, this issue can be resolved if hosting university or colleges manage the internet connection with a high speed. New versions have support for modern browsers Internet Explorer, Safari, Firefox and Chrome. Blackboard LMS 9.1 has core features and deep capabilities that produce the more intuitive and focused deliverable for clients. Service Pack 14 has been developed by the collaboration of designers, administrators, students and educators. h. Answer 4 E-learning services are not so cheap as well as cost-effectiveness. Online delivery of education for colleges and universities has made economic issues more concerning. Due to rise in recent prices, commercial LMS have become relatively more investing. Cost of LMS from system to system varies. Teachers and administrators are loaded with the high academic work and also concern with cost associated for teacher and student interaction for distance learning. Cost associated with teachers and students’ interaction is increased with the increase in number of students. Time spent on the online interaction of teachers with students also increases.  Baggaley & Belawati (2010) also pointed out that many private institutes also used commercial LMS but they did not prove to be sustainable due to their high cost. Because private sector universities and colleges have limited funds and cannot provide successively required expenditure. Owing to a high cost of LMS, private sector institutes have started the use of open source software for LMS. Beijing University started the use of company’s academic suite for some courses. However, it could not be continued more due to technical agreement with the service provider and high cost. A rough estimate of expenditures on use of company’s LMS was noted as 20% to 30% for registered users. A high cost was paid for annual licensing of the system’s proprietary. University of Dar Es Salaam deployed the Company’s LMS in 1998 and used it for 10 years. They decided to use the Open Source Software LMS KEWL. They preferred the Moodle OSS LMS. Open Source Software LMS have become popular since last ten years, because of their lower cost of maintenance. Some of the users of OSS LMS have argued that OSS LMS are highly organized and support for human skills’ creativity, collaboration and learning (Munaku, 2011). Bandwidth and connection issues are associated with the LMS execution of courses. Sometimes, offline facilities are applied to address the connectivity concerns. However, offline support requires the establishing the structure that works as a helping system. Increased bandwidth has enabled the users to integrate the learning contents. All content documents including the audio and video materials provide the interactive demonstrations and connect to a single course shell. Limited bandwidth availability produces more concerns for Blackboard Inc. Unwanted patches are introduced in the system, which can be removed if latest patches of Company are uploaded. When a worm enters the system it consumes the huge amount of the bandwidth as it sends out pings and at this point antivirus update is difficult. If an unwanted program intrudes the system, it causes the overload of system and results into system’s crash. It becomes a security incident as required data is not more available (Calder and Watkins, 2012). Some suggestions for security of company’s network are required. Firewall must not function like a router to protect the company at present. Institutions’ servers connected to NetBIOS are permitted from the off-campuses. Company’s policies have permitted the resistance towards any modification for faculty members. New patches must be introduced and installed on the secured network. Both, Blackboard and institutions using company’s services must work in a collaborative way and use available sources to meet the challenges ahead. Conclusion In this paper, a mini case about IT governance on the company Blackboard Inc. has been established. Blackboard Inc. is a major player of online provider of learning and teaching contents. Blackboard LMS has been a chosen area where different IT governance principles are discussed. Although, paid LMS web-based portals are developed with a high number of features, but lack some of features, which critics point out in favor of products and services from other companies. Information security is the fundamental objective of the company that has been questioned by many users. Business alignment with IT is another area where company invests to provide best services and achieve their business goals. Stakeholders’ concerns from incorrect installation and configuration have been briefly discussed. In the final section of paper, cost and bandwidth issues of company are detailed discussed. Online users of LMS have trends towards the Open Source Software LMS due to above given concerns. References Baggaley, J., & Belawati, T. (2010). Distance Education Technologies in Asia. New Delhi SAGE Publication Ltd. Blackboard Inc. (2015). Vulnerability Management Commitment and Disclosure Policy for Blackboard Learn, Available from http://www.blackboard.com/Footer/Security-Policy.aspx Accessed on 08-04-2015. Bidgoli H. (2006). Handbook of Information Security, Key Concepts, Infrastructure, Standards and protocols, California, John Wiley & Sons Inc. Bradford, P., Porciello, M., Balkon, N., & Backus, D. (2007). THE BLACKBOARD LEARNING SYSTEM. The Journal of Educational Technology Systems, 35, 301-314. Calder A., and Watkins S. (2012). T Governance: An International Guide to Data Security and ISO27001/ISO27002, London. Prentice Hall. EC-Council. (2010). Ethical Hacking and Countermeasures: Threats and Defense Mechanisms. New York: CENGAGE Learning. Haes, S. D., & Grembergen, W. V. (2009). An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment. Information Systems Management, 26, 123-137. Hoffman, S. J. (2011). Teaching the Humanities Online: A Practical Guide to the Virtual Classroom. New York: M.E. Sharp Inc. Hoovers Inc. (2015). Blackboard Inc. company profile, Available from http://www.hoovers.com/company-information/cs/company-profile.Blackboard_Inc.0bd3701ec022817b.html Accessed on 10-04-2015. ISACA (2015). COBIT Case Study: Blackboard Uses Powerful Tool to Navigate Change, Available from http://www.isaca.org/Knowledge Center/cobit/Pages/Blackboard-Inc-.aspx Accessed on 07-04-2015. Kim, J. (2012). Blackboards Challenge, from https://www.insidehighered.com/blogs/technology-and-learning/blackboards-challenge Accessed on 09-04-2015. Kuruzovich, J., Bassellier, G., & Sambamurthy, V. (2012). IT Governance Processes and IT Alignment: Viewpoints from the Board of Directors Paper presented at the 2012 45th Hawaii International Conference on System Sciences, Maui, HI. Larsen, A. (2014). In pursuit of alignment, from http://www.rainmakerfiles.com/2013/11/08/in-pursuit-of-alignment/ Accessed on 08-04-2015. Mora, M., Gómez, J. M., Garrido, L. & Pérez, F. C. 2014. Engineering and Management of IT-based Service Systems: An Intelligent decision making support system approach, Oldenburg, Springer. Munaku, M. (2011). Experience of Course Migration from Blackboard to Moodle LMS – A Case Study from UDSM (pp. 1-15): University of Dar Es salaam. Schwager, M. (2011). University not affected by security holes in Blackboard software, from http://www.gwhatchet.com/2011/10/10/university-not-affected-by-security-holes-in-blackboard-software/ Accessed on 06/04/2015. Schaffhauser, D. (2014). Blackboard Unveils Cloud Version of Learn from http://campustechnology.com/articles/2014/10/01/blackboard-releases-cloud-version-of-learn.aspx Accessed on 09/04/2015. Squillante, J., Wise, L., & Hartey, T. (2014). Analyzing Blackboard: Using a Learning Management System From the Student Perspective. Mathematics and Computer Science Capstones, 1-51. Stair, R., & Reynolds, G. (2012). Fundamentals of Information Systems. Boston: CENGAGE Learning Inc. Vacca, J. R. (2013). Computer and Information Security Handbook. Waltham: Elsevier Inc. Yin, L. R., Lien, N., & Werner, J. M. (2010). Learning in Virtual Groups: Identifying Key Aspects of a Course Management System Affecting Teamwork in an IT Training Course. Information Technology, Learning and Performance Journal, 25(2), 30-41. Read More