The continuous need for information security has become paramount over the years due to the increasing number of information system security incidents encountered by organizations in recent years. To combat these increased security breaches and threats, different measures have been taken, including secure system design methods, the introduction of information management standards and technical controls (e.g. antivirus software, firewalls, intrusion detection systems, intrusion prevention systems etc.) and the introduction of information security policies.
The primary function of management in an organization is to communicate the organization's direction, rules and regulations to employees through the use of policies. Hence an information security policy is a documented policy focused on improving user (employee) security behavior in the organization, in order to help secure information and thereby reduce the internal security threat and the level of security incidents and attacks experienced within the organization that are caused by its own staff or authorized information technology (IT) personnel. These threats include employee errors, omissions, carelessness, negligence and, at times, deliberate actions against the company's information security policy, depending on the level of expertise of the employee involved. Since the weakest link in information system security is the people (users) involved, IS security therefore requires not only that users are educated on the security policies of the organization but also that they comply with the IS security policies and guidelines put in place within the organization. It should be noted that different approaches to employee IS policy compliance have been proposed over the years.
In this term paper, the case study will be an academic environment (e.g. a University) and the main focus will be how to ensure that employees (academic and contract staff) comply with the information security policy of the organization. The implementation of this policy compliance will be based on the primary roles and authorization levels given to key individuals in the institution, such as heads of departments, faculty board members, the academic administrative head, deans of faculty and the University IT manager and staff.
The policy compliance will be narrowed down to the employees alone; the students of the University are not included in this case study.
Body of the term paper
Unacceptable user behavior is one of the major factors that result in the security breaches experienced in organizations. Individual user behavior can be improved through the implementation of various interlocking techniques which work together to create a strong security culture within an organization, and which also strengthen the influence that the organization's security culture has on the behavior of staff with regard to information security-related issues.
One of the ways to ensure that the actions and behavior of employees satisfy the IS policies of the organization is to cultivate and encourage appropriate security-related behavior and culture in line with the vision of the organization.
In recent years, the introduction of IT into most organizational work procedures has resulted in a dependence on information technology for internal operations such as record keeping and documentation, for external business transactions such as financial dealings with business partners, and for various forms of communication within the organization such as email. The interconnection of electronic devices (such as mobile and other networked equipment) has also been increasing, and with it the likelihood of theft, intrusion and other forms of loss. Surprisingly, most organizations tend to be more focused on, and spend more money on, vulnerabilities to external threats, although recent industry research suggests that a good portion of security incidents originate from within the organization itself. Still, the organizational constraint that disrupts the effectiveness of these technologies lies in the actions (behaviors) of the employees who access, administer, use and maintain information resources; appropriate security-related behavior of system administrators, end users and others is therefore necessary to enhance the effectiveness of information security.
The speed at which information can be shared and used, often without permission, has created the need to control and protect personal and sensitive information through enhanced information security, which has become the subject of provincial and federal law. The upsurge in the number of provincial and federal laws and regulations establishes legal standards that require colleges and universities to protect the various data they collect, store, process, use and disclose.
As mentioned earlier, different approaches to information security compliance have been proposed, suggesting several factors that are crucial to information security policy compliance.
Universities and other academic institutions facing a growing list of legal obligations are often overwhelmed by how to comply with the various laws and regulations; as such, some universities have designated more than one department to handle information security compliance issues rather than using a unified approach as suggested by Adler (2006).
According to Adler,
"…for example, the health center or the University hospital may be tasked with Health Insurance Portability and Accountability Act (HIPAA) compliance, the registrar may be held responsible for the privacy of student educational records under the Family Educational Rights and Privacy Act (FERPA) while the financial aid office or department using credit cards may focus on compliance…. with the Payment Card Industry Data Security Standard (PCI DSS)".
Adler suggested the unified approach to information security compliance because of the increase in state (provincial) and federal laws, and also because of the conflicting state (provincial) laws encountered in some cases, as found in the security breach notification laws; when this occurs, he suggested that compliance "should focus on the most stringent law applicable to the affected data subjects". Also, by adopting the unified approach to information security compliance, higher education will manage the increasing number of information security compliance programs effectively after a thorough risk assessment and analysis.
Another study applied the deterrence argument that information security actions will deter users from committing unauthorized acts, as suggested by Straub et al. (1993). This argument was also used to improve the quality of information security policies (von Solms and von Solms, 2004), to promote security awareness (Straub et al., 1990), to develop structures of responsibility (Dhillon et al., 2007) and to protect access through motivation (Workman et al., 2008). It should be noted that each of these studies focuses on a specific issue related to users' compliance with information security policies.
Another study, by Alfawaz et al. (2010), provides a sound basis for evaluating the security-related behavior of an individual member of an organization and the adequacy of existing security measures, leading to a more consistent set of security parameters focused on protection against individual non-compliance behavior.
However, the studies mentioned above did not consider the implementation of information security policy compliance based on the primary roles and authorization levels given to key individuals in the organization. As mentioned earlier, in this case we will be considering a University environment.
Academic institutions such as universities and colleges possess sensitive and valuable information, e.g. personally identifiable information, financial data, research developments, building plans and other sensitive information. Some of this information is protected by provincial and federal laws or is bound by contractual obligations that do not permit unauthorized use or disclosure. Failure to adhere to these terms could tarnish the image of the University and could result in fines or government sanctions. Also, if University data systems were tampered with or rendered unavailable, this could result in an inability to do business with prospective business partners. The University therefore needs diligent employees with the right security-related attitude and with access to secure information appropriate to its level of sensitivity.
Roles, Authorization Level and Responsibilities
The primary roles, authorization levels and responsibilities associated with the implementation of, and compliance with, an information security policy in an organization are as follows.
Employees and Contractors
Employees and contractors are expected to access only the information required to carry out their day-to-day activities, based on their job functions and roles and on the University's work ethics and procedures. Through training and education they are to understand the implications of their actions and the level of sensitivity of the information they have access to. Information tagged as confidential or highly confidential, such as financial data on any computer used to conduct University business transactions or personally identifiable information held on computers, must be handled in accordance with the University's requirements for protecting such information. They are expected to keep ID cards, access cards and physical keys safe, and to use, create and protect passwords according to the IT policy of the University. They are also required to report any observed breach of information security to their respective supervisor. Most importantly, they must acknowledge that they have read, understood and agreed to act according to the terms of the policy manual provided by the I.T department of the University in relation to their roles and job functions.
Technology/I.T Managers
Technology/I.T managers are those who manage the computing and network environment involved in the processing, capturing, storing and transmission of information within the University. They are ultimately responsible for ensuring that integrity, confidentiality and availability, as defined by the information guardians, are adhered to. They also ensure that every departmental practice and procedure is in accordance with the objectives of integrity, confidentiality and availability stipulated in the information security policies of the University. They are also to ensure that each departmental employee understands the security-related requirements of their job functions, such as the administration, storage and transfer of information electronically, physically or otherwise. They develop, implement, operate and manage a secure technology environment. They administer network and system accounts and access privileges, and implement configuration standards in a manner that complies with the University information security policies as specified by the information guardians. They are also responsible for making sure that the communications network, computer network and application infrastructure is secure.
Information Guardians
Information guardians usually hold the major leadership roles in the University community, such as Dean of the Graduate School, Director of Health Services, Dean of the College, Vice President Human Resources, Treasurer, University Librarian, Director of Graduate Studies etc. They manage information organized into logical collections within the University, such as student academic records, medical records, employee payroll data, University financial records, client lists, personally identifiable information etc. For example, the Director of Health Services serves as the information guardian for the collections pertaining to medical records of students and health information of staff, which are placed in the possession of the University Health Services. Most times they work with departmental heads to determine which job functions, roles, groups and users are given permission to access specific information in a collection, and in what manner they may access it (viewing, modification or update). They authorize members of staff to perform specific duties. The information guardians are held accountable for any action carried out by members of staff in their respective departments. They also work with the University I.T security officer and the Office of the General Counsel (or the office in charge of legal matters arising from the activities of the University) to understand the restrictions on the access and use of information stipulated by provincial and federal laws and contractual obligations.
The human factor should also be examined when considering compliance with policy, because it is important that employees behave and act responsibly and adhere to the University security policy. This can be supported technically by, among other means, auditing individual users and groups to check for security incidents originating from within the University.
With the above three major groups involved, the information security policy should state the roles and responsibilities in clear terms; the terms and conditions of employment should require compliance with the laid-down security policy; all staff should sign a confidentiality agreement; and the necessary staff training programs should be introduced. The policy should also draw on the findings of audit reports, risk analyses, staff/contractor surveys and user participation meetings, as well as the code of practice for information security management in ISO 27002.
Information Security Compliance Assessment
Implementing an information security compliance assessment program that is effective and responds to the dynamic nature of different organizations can be very challenging, but having a structured procedure is a significant advantage in complying with different standards and legislation, such as ISO 27002 and the Sarbanes-Oxley Act of 2002.
The steps listed below were suggested by M. Rasmussen (2006) and, when combined with a risk assessment process and an IT asset management strategy, can help an organization achieve information security compliance.
Documentation of Policy and Control Environments
The organization should start by identifying how it documents its compliance process and IT control architecture. Organizations without the right governance model of policies and controls in place will have a difficult time communicating, enforcing, monitoring or responding to incidents. Having the proper policy and control architecture for compliance provides the framework for operation within the IT environment. The overall compliance documentation should be implemented through a control framework such as the Information Systems Audit and Control Association's Control Objectives for Information and related Technology (CobiT), and is also expected to document all corporate IT policies, controls, standards and procedures in line with the compliance requirements and objectives. The organization is required to update and maintain all documentation and to make use of operational control and compliance platforms that help to manage the corporate IT policies and compliance controls effectively.
Assigning Appropriate Compliance Management Oversight
Efficient information security compliance oversight in an organization must achieve the purpose of the defined compliance program, which should act as a corporate function with adequate authority and governance and with a proper avenue for communicating important compliance efforts to all concerned operational areas. It is advisable that the board and the senior executives develop this structure and review it as often as needed for effectiveness.
The compliance oversight model should hold the executive and the board accountable for compliance, assign IS compliance responsibility to an oversight manager (chief information officer) with enforcement authority, and define reports and metrics for operational IT control and compliance.
Require Personnel Screening and Access Control
Care should be taken before giving access to information and business processes to an individual who exhibits unethical behavior in security-related roles. To ensure that appropriate and authorized access is firmly established across the board, the organization should conduct a background check on employees, contractors and business partners before granting them access to sensitive corporate data. It should use identity management and provisioning when giving access to IT systems, implement access controls based on individual job functions, roles and responsibilities, revoke access on termination of contract or employment, and conduct routine reviews to check for unethical behavior in personnel and business partners with access to sensitive resources.
Compliance through Training and Communication
The organization should invest in effective compliance training programs that help to promote and deepen the culture of compliance with the information security policy among its staff, and should also satisfy itself about the compliance level of its business partners.
Implementation of Regular Monitoring and Auditing of IT controls
The organization should implement regular monitoring and auditing of IT controls, manually or through automated processes, to validate that each control is in place and effective. The controls to monitor that may affect information security compliance include operational and technical controls. When a control cannot be automated, control self-assessments should be conducted through workflows on compliance management systems.
Enforcing a Consistent Control Environment
Enforcing the control environment in a consistent manner allows the internal controls to be applied adequately throughout the organization, its business processes and its policy enforcement. It is through this process that the organization's culture of compliance is achieved in accordance with the organization's aims. Establishing appropriate incentives to endorse strong ethical and compliance behavior, applying disciplinary actions consistently, encouraging open communication and the reporting of non-compliance, and having an evaluation process are some of the factors that enforce the control environment.
Preventing and Responding to I.T Control Incidents
An effective I.T compliance program helps to prevent compliance violations and to respond to them when they occur. To prevent and respond to incidents, the organization must have a control deficiency response plan, have an incident response team available, and obtain legal counsel from a trusted (knowledgeable) source when incidents occur.
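As an added example (not part of the term paper or of Rasmussen's work), the following Python models the access-control and monitoring steps above: role grants on the information collections named in this paper, revocation of access on termination, and a routine review over access-log lines. The roles, collections, users and log entries are all constructed for illustration.

```python
"""Role-based authorization and access audit for a university setting (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Grants decided by the information guardian for each collection:
# role -> set of (collection, action). Actions follow the paper: view, modify, update.
ROLE_GRANTS = {
    "employee":     {("payroll", "view")},
    "health_staff": {("medical_records", "view"), ("medical_records", "update")},
    "it_manager":   {("accounts", "view"), ("accounts", "modify"), ("accounts", "update")},
}

@dataclass
class Person:
    user: str
    roles: set
    terminated: Optional[date] = None   # set when contract/employment ends

def is_authorized(person: Person, collection: str, action: str, on: date) -> bool:
    """Access is permitted only through a role grant and only while still employed."""
    if person.terminated is not None and on >= person.terminated:
        return False
    return any((collection, action) in ROLE_GRANTS.get(r, set()) for r in person.roles)

def revoke_on_termination(person: Person, when: date) -> None:
    """Revoke access on termination of contract or employment (step on screening/access control)."""
    person.terminated = when

def audit(log_lines, directory) -> list:
    """Routine review (monitoring step): flag every logged access the policy does not permit.
    Each finding is (log line, reason) so a reviewer can follow up with the supervisor."""
    findings = []
    for line in log_lines:
        parts = line.split()
        on = date.fromisoformat(parts[0])
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        person = directory.get(fields["user"])
        if person is None:
            findings.append((line, "unknown user"))
        elif person.terminated is not None and on >= person.terminated:
            findings.append((line, "access after termination"))
        elif not is_authorized(person, fields["collection"], fields["action"], on):
            findings.append((line, "no role grant"))
    return findings

# Constructed directory and access log (not real users or records).
DIRECTORY = {
    "alice": Person("alice", {"health_staff"}),
    "bob":   Person("bob", {"employee"}),
    "carol": Person("carol", {"it_manager"}),
}
revoke_on_termination(DIRECTORY["carol"], date(2024, 3, 1))

SAMPLE_LOG = [
    "2024-03-04 user=alice collection=medical_records action=update",  # permitted
    "2024-03-04 user=bob collection=payroll action=view",              # permitted
    "2024-03-05 user=bob collection=payroll action=modify",            # no grant
    "2024-03-06 user=carol collection=accounts action=view",           # after termination
    "2024-03-06 user=dave collection=payroll action=view",             # unknown user
]

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE_LOG, DIRECTORY):
        print(f"{reason}: {entry}")
```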
The above-mentioned steps will not only assist with information security compliance but also measure consistency in compliance, which can be achieved through the use of policy. Organizations should also establish a formal risk assessment process so as to have a more comprehensive approach to information security management.
The individuals holding the various roles and authorization levels in the organization must continue to work as a team and be prepared to review and continually reinforce best practice through a scheduled and continuous security compliance education program for the entire staff of the University.
For future work, I propose that more research be done on individual components and effects in various business settings.
This paper has been written under the kind feedback of Assistant Professor Ron Ruhl. I am thankful to him for his support and dedication to his students.