In: Computer Science
In terms of Cybersecurity, discuss your Comprehensive Information Security and Privacy Program (500 words)
Cyber security, or information technology security, is the set of techniques for protecting computers, networks, programs and data from unauthorized access or attacks that are aimed at exploitation.
Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or at least reducing the probability of unauthorized/inappropriate access, use, disclosure, disruption, deletion/destruction, corruption, modification, inspection, recording or devaluation, although it may also involve reducing the adverse impacts of incidents. Information may take any form, e.g. electronic or physical, tangible (e.g. paperwork) or intangible (e.g. knowledge). Information security's primary focus is the balanced protection of the confidentiality, integrity and availability of data (also known as the CIA triad) while maintaining a focus on efficient policy implementation, all without hampering organization productivity.
Several reasons argue in favor of universities focusing on privacy and security. First, the university and its constituents need a single source of accountability, responsibility, and ownership. Without this single contact, members of the university community don’t know the person or department to contact with problems. As a result, issues either go unreported or are reported to several different parties who don’t necessarily share information. Because no single person or group is aware of all the issues reported, the university risks not recognizing the magnitude of threats or responding appropriately. Each issue is handled in isolation and treated as an anomaly.
Universities must define who within their community has the leadership role in developing and implementing policies necessary to minimize unauthorized access to sensitive information. A single contact with the responsibility for assuming leadership in the event of an information leakage needs to be identified. This individual or body also needs to be responsible for electronic security. Someone needs to provide consistent information privacy and security leadership if many departments have their own policies and systems outside of a central IT organization.
Second, legal compliance calls for a focus on privacy and security. Several regulations require institutions to protect privacy. The Family Educational Rights and Privacy Act (FERPA) of 1974, for example, mandates electronic and physical protection of student information. Additionally, a privacy officer is required under FERPA. The Gramm-Leach-Bliley Act requires protection of financial data. Universities must comply with the Safeguards Rule, which includes creation of a “comprehensive information security program.” Health records are protected under the federal Health Insurance Portability and Accountability Act (HIPAA). There are still other legal obligations, including compliance with the European Union Data Protection Directive and other international laws; California and other state laws enacted to establish notice obligations in case of a security breach; and Federal Trade Commission regulations regarding electronic records.
Failure to ensure information security and privacy may result in financial and legal consequences to the university and individual representatives. Potential consequences include lawsuits from students, monetary damages for violations of FERPA, loss of federal funding, and criminal and civil penalties.
Of the 14 institutions surveyed, 30 percent had formal security awareness programs. They used presentations, brochures, posters, postcards, and videos to communicate with the campus community. Programs demonstrated an increased emphasis on security outreach, education, and evangelizing. For example, they offered network authentication procedures as part of registration, video presentations and posters about virus protection, and security awareness seminars with faculty and staff on securing and protecting PCs and data.
A growing number of universities now have a Social Security number policy (eliminating them as student identifiers), Web site privacy policy, and an IT policy on security and privacy standards.
A significant opportunity for improvement exists in the handling of information security and privacy within universities. Students, employees, parents, and alumni have expressed concerns with existing privacy and information security on campus. Security and privacy issues must be tracked and addressed at the policy level, and accountability for compliance must be clarified. Privacy and security policies should be created and widely communicated. Compliance with increasing regulatory demands related to security and privacy must be understood and kept current. Unless the handling of security and privacy improves, universities can expect increasing incidents of privacy violation, potentially generating adverse publicity, loss of funding, and lawsuits.
Security should be viewed as a means of implementing a privacy policy, but when these goals conflict, the university must have some way of establishing priority. Creation of a formal position or committee can help the community make the right decisions regarding information privacy and security. The key areas an officer or committee will need to address are policy creation and enforcement, community education, and incident response handling.