5.23 Security

Background

SCSU has been a leader in introducing information technology to support the delivery of instruction and in the delivery of service to the campus. Along with the use of such technology comes the need for security. Security as it relates to information technology is a multi-faceted issue.

Physical security is associated with locked doors to server rooms, controlled access to electronic classrooms, physically protecting desktop and laptop computers from theft, protecting sensitive equipment in labs and large projection screens from damage or vandalism, and restricting access to network infrastructure.

Data access security identifies who owns certain data sets, who can access or use the data for legitimate business reasons, and the procedures and statutes that regulate the use of the data.

The concept of authentication is associated with security. Authentication speaks to how an individual is identified so that the individual may gain access to appropriate resources. It speaks to who can get an account, how the account is maintained, how the password is constructed, and when it must be changed. Students, faculty, and staff are faced with using two possible identifiers to attempt authentication at SCSU: the SCSU ID and the HuskyNet ID. This can be confusing and can appear to be unnecessarily complicated.

Security within applications such as ISRS, WebCT, HuskyNet, and other third-party environments must be monitored for effectiveness, weaknesses must be reported, and version updates must be applied to ensure security and access control to critical applications.

Proper and timely backup of critical data files, anti-virus and anti-hacking initiatives, formal and written policies and procedures, and enforcement of such policies are additional security issues. There is also a need for a clear and consistent incident reporting process in response to technology-related complaints of activity originating from or otherwise involving SCSU technology resources.

The MnSCU Chancellor’s Office currently has an Information Security Office, supported by a high-level Information Security Steering Committee, which is coordinating a multi-year effort to develop a strong and clear security program for the central office and the campuses of the system. The MnSCU Office of Internal Auditing has also taken a heightened interest in security issues associated with information technology. SCSU, as a system campus, will be expected to be in step with these system-wide security measures, and SCSU will have additional issues as a large and complex university.

Goals

Over the next five years, SCSU will review its security policies, procedures, guidelines, and training to ensure that the appropriate level of information technology security is in place and functioning at the appropriate level. This will include:

  • formalizing the information technology security roles and responsibilities at SCSU
  • coordinating efforts with other technology-related policies, incident reporting, and response efforts
  • maintaining active SCSU involvement in the Chancellor’s Office security initiative
  • upgrading security measures where necessary
  • facilitating broad discussion across technology and management groups regarding security issues and solutions
  • providing an information technology security environment that is viewed as a "best practice" with the correct balance between security and access
  • engaging the broader campus community in the security discussion through communication and training.

Specific Actions and Timeline

A security committee, including technologists from LR&TS and CIS-AdC, will be formed and charged with dealing with the high-level security issues identified in this plan, and with developing detailed action items and acting on them. The committee will be expected to facilitate broad campus involvement, awareness, and training.

  • The committee will follow the standard timeline (see 5.0) for carrying out and reporting on specific actions necessary to accomplish the goals for security in this part of the technology plan.
  • During the 2007/2008 academic year, the committee will produce a final report on security and a planning document for the next five-year plan. These will be submitted to TLTR by February 1, 2008, for review.

Resources

Significant human resources will be required to understand current security issues, to upgrade the security environment where needed, and to bring the entire campus to a higher level of understanding and appreciation.

The amount and type of resources to reach the appropriate security level for this university will be defined through a formal risk assessment initiative, which will better determine the current state of information technology security at SCSU.

Evaluation

  • Have information technology security roles and responsibilities been formalized?
  • Have information technology security policies and security incident reporting been coordinated with other technology-related policies, incident reporting, and response efforts?
  • Is SCSU viewed as an active player in the system-wide security initiative out of the Office of the Chancellor?
  • Have security measures been implemented and/or upgraded where appropriate?
  • Has the awareness of security-related issues been raised to a higher level across the technology support staff and management groups?
  • Is the security program at SCSU current, robust, and of "best practice" quality?
  • Is the broader campus community engaged in security issues, and does it understand them?
  • Has the committee submitted a final report in Spring 2008?
  • Has the committee made recommendations for the next cycle of technology planning?

Revised: May 2003