INFORMATION SECURITY MANAGEMENT IN HIGHER EDUCATION

– An explanatory Analysis on Kenyatta University-

A RESEARCH PROPOSAL SUBMITTED TO THE SCHOOL OF HUMANITIES AND SOCIAL SCIENCES IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE AWARD OF THE DEGREE OF MASTERS

By

BlaiseJaboMibuga

C159EA/CTY/PT/25970/2013

AbstractThe aim of this study is to evaluate the management of information security at Kenyatta University, Considering the type of business universities carryout in general, they become storage of a huge number of information regarding their students and staff and other information related to various university programs. Nowadays universities rely on information technology systems for their important business operation, these include but not limited to administration, teaching, learning and research. Applying information technology to these core operations of university is both strategically and systematically important for the survival and resilience of these operations.

However the process of effectively implementing information security management is still a challenge in many universities due to the fact that each university has its own unique setting, culture and experiences that necessitate a focused study of this nature.

This study focuses at the information security practices and experiences at Kenyatta University in light of International Standards for information security as well as other significant concepts used to describe the standard requirements for information security. In the end the study demonstrated that despite sufficient finances, information security can still be problematic to the institution.

The study shows that key challenges like policy issues, organization culture, user awareness, staffing, top management support, ICT infrastructure faced by universities and academic institutions worldwide are the same challenges that Kenyatta University is facing.

The findings of this study contribute to existing literature on information security organizations, in particular higher education sector

Table of Contents

TOC o “1-3” h z u Abstract PAGEREF _Toc384380160 h 21.0. INTRODUCTION PAGEREF _Toc384380161 h 41.1.0 Background to the study PAGEREF _Toc384380162 h 41.1.1 Information dependency PAGEREF _Toc384380163 h 41.1.2 Information security and its University challenges PAGEREF _Toc384380164 h 51.2 Statement of the Problem PAGEREF _Toc384380165 h 51.3 Purpose of the study PAGEREF _Toc384380166 h 61.4 Research Questions/Hypotheses PAGEREF _Toc384380167 h 61.5 Justification and Significance PAGEREF _Toc384380168 h 71.6 Scope and Limitations PAGEREF _Toc384380169 h 71.7 Conceptual Framework PAGEREF _Toc384380170 h 7CHAPTER 2 LITERATURE REVIEW PAGEREF _Toc384380171 h 82.1.0 The changing face of Information Security Management PAGEREF _Toc384380172 h 82.1.1 Comparative description of Information security PAGEREF _Toc384380173 h 92.1.3 Confidentiality, Integrity and availability in Information Security PAGEREF _Toc384380174 h 102.1.4 International Information Security Standards PAGEREF _Toc384380175 h 112.1.5 Information Security Requirements PAGEREF _Toc384380176 h 132.2.0 A Précis to Information Security Management PAGEREF _Toc384380177 h 142.2.1 Risk Management PAGEREF _Toc384380178 h 152.2.2 Security policy PAGEREF _Toc384380179 h 162.2.3 Policy a Criterion to Information Security PAGEREF _Toc384380180 h 172.2.4 Challenges to the implementation of security policy PAGEREF _Toc384380181 h 172.2.5 Measurement of Security Management PAGEREF _Toc384380182 h 182.3 Information Security in the University Environment PAGEREF _Toc384380183 h 19CHAPTER 3 RESEARCH METHODOLOGY PAGEREF _Toc384380184 h 203.0 Introduction PAGEREF _Toc384380185 h 203.1 Research design PAGEREF _Toc384380186 h 213.2 Sampling Methods PAGEREF _Toc384380187 h 213.3 Purposive Sampling PAGEREF _Toc384380188 h 223.4 Data collection PAGEREF _Toc384380189 h 223.5 Analysis PAGEREF _Toc384380190 h 223.6 Reliability and Validity PAGEREF _Toc384380191 h 23References PAGEREF _Toc384380192 h 24

1.0. INTRODUCTION1.1.0 Background to the studyThe background to this study develops on the notion of modern universities’ growing reliance on information technology. This emerging reliance makes universities like any other institution to recognize the importance of managing effectively information security. Due to the complex environment of universities, managing and protecting information in universities involves a range of controls practiced through application of information security measurements. Today’s universities are very dynamic within their business environment, this dynamism calls also for evolution in information security practices. Thus it is very important to study the environment while trying to carry out information security management, in this case Kenyatta University.

1.1.1 Information dependencyUniversities like any other institution rely on real time information to carryout and support its operations. For universities there is great dependence on information while teaching, learning and project/research purposes. Universities are known to be source of vast of crucial and life changing projects thus it holds a huge bunch of intellectual properties.

In order for universities to compete with other institution and stay on top of its game, they had to accept and implement information systems and technologies. Success of operations and activities in universities today are directly associated to effective information security management. This illustrates well direct reliance between the university and the use of information technology to safe guard the information that they depend on for their goals achievement.

1.1.2 Information security and its University challengesLike any other institutions, universities are gradually recognizing the significance of information security to protect and achieve their desired goals. This recognition is strengthened by acknowledgment of information as a valuable asset for achieving long term objectives. Anything of value and of great importance it is common sense that it will require applicable safeguard. In this thinking, it is relative then that universities must have and implement appropriate operational information security control mechanisms to guarantee the availability, non-repudiation, confidentiality and integrity of information, and this is done under the process of security management (Fulford and Doherty, 2003).

While information security is simple to mention, its practical implementation process in universities is not automaticallydirect, given the complexity of university environments. This complexity eventually brings about a downward shift of information security management within universities and can result in a number of complications (Kwok and Longley 1999). This can include a lack of senior management commitment as most university senior management is more focused on the academic and intellectual success, this lack of commitment by senior management brings about absence of authoritative figure of guidance which in turn problems with understanding how much security is required always rises. According to Kotulic et al., (2004), the challenges for universities prolongtheordinary technical diversity. There also exists a conditionthat information security must be in line with customary university cultural values, such as academic freedom and work practices, and to work in uniform with current universities’ objectives.

Effective information security managementguarantees a mere best quality of servicethis helps andsupports the institutional objectives. Information security is gradually being appreciated as an essentialinstitutional function requiring devoted management. Although technology itself is a major control applied to mitigate security risks, it is the management of security as a function that definesits definitiveachievement. The application of technology is most effective when aligned with the managerial goals. Therefore, effective security depends on effective management.

1.2 Statement of the ProblemUniversities gather and store important personal data about its staff and students. This data includes background data, phone numbers, e-mail addresses, home addresses, medical records from campus clinics, personal portfolios, grades, financial data including bank accounts, research projects, etc. all this data must be protected to ensure the core elements of information security; confidentiality, integrity, availability and non-repudiation.

When giving this information to the University, it is in the students, staff and other stakeholder’s optimism that this information will be accorded the right protection and used only for the purpose for which it is intended. However frequent cases happen where university’s information is intercepted by other people or exposed due to system and human error. According to Oracle (2008) hundreds of university data gets intercepted or become other parties’ knowledge due various information security breaches and this has cost a huge sum of money not forgetting defiling university’s image. (Beaver, 2010) talks of how a malicious software infected computers at Illinois university exposing quite a big number of student’s social security numbers. In February 2008 hackers broke into a Harvard University web server and accessed records of 10,000 people which included social security numbers (Chronicle, 2008). A student at University of Delaware in summer 2002 obtained unauthorizedaccess to the University’s computer system to give herself passing grades in three spring courses (Salomon, 2003).

At Kenyatta University, there have been several instances where laptops have been stolen, holding various confidential data on them. In addition, there have been numerous experiences of denial of service when students want to access mail portal, and not to forget that there have been cases of exposed passwords and other information security breaches.

According to Shropshire (2009) it is not always in the interest of universities to report information security breaches. Therefore there is more in this area than meets the eye; this study hencemostlyobjects at studying information security management at Kenyatta University.

1.3Purpose of the studyThe purpose of this study is to explore information security management at Kenyatta University. The aim is to come up with a true position of Kenyatta University in information security risks, practices and organization. The knowledge from the study can then be used by the Kenyatta University as a benchmark for dealing with risks to information security.

1.4 Research Questions/HypothesesThe study will answer the question: Does Kenyatta University meet minimum requirements for information security? Does Kenyatta University achieve baseline security of its information resources? However the study will also look to address other questions like:

• Can current information security practices ensure confidentiality, integrity and availability and non-repudiation of information resources?

• What role does the academic environment play in the management of information security?

1.5Justification and SignificanceAccording to EDUCAUSE report of 2004 Information security is a critical issue for institutions of higher learning; any data breach would cause loss of financials, image and degradation as an education institution. The number one significance of this study will attempt to clarify prevalent risks of information security to Kenyatta University management andICT section. The clarified magnitude of those risks willhelp ICT section to decide which risks should be tolerated and which ones should be addressed. The study provides a cohesive theoretical context that can be used by information security managers to effectively manage information security in organizations, the study also might help other small or large universities benchmark their information security issues not just Kenyatta University.

1.6 Scope and LimitationsThe study has the following delimitations:

The study will not go into detailed intrusion systems, system configurations and their implications on security

The study will not look at system development, application development and their effects on security.

The study is specific to management of information security in a university context- this case Kenyatta University.

The study acknowledges that information security is a moving trend, therefore insights found in this are subject to change.

1.7Conceptual FrameworkThe conceptual framework of this study expoundson the impact of information security management operational higher education institutions. There are different types of higher education institutions e.g. Universities, colleges and many others

Higher education institutions have to deal with enormous number of internal and external risks relating to information security management. Information security containsrisks that can affect the smooth running of the business of an organization. These risks can be like unauthorized use, backup failure, inappropriate operational procedures, insufficient organizational personnel embedding and loss of data, unauthorized access, destructive hacks etc. It is of great significance that higher education institutions make smooth running of its operations by properly managing information security risks and threats because these operations are like the forces, which character the organization towards success and failure.

The core purpose of this report is to analyze and evaluate the overall management of information security, its assessment and management from different perspectives and itseffect on the business of a higher education institution .There are three perspectives that one can view information security management i.e. administrative, technical and physical. Our focus is to cover the information security management within theadministrative and technical perspectives.

CHAPTER 2 LITERATURE REVIEW2.1.0The changing face of Information Security Management For any change, be it technical or theoretical, it is always helpful to know exactly where you are coming from, your current position and where you are headed. , by applying looking at the changing face of information security in a historical perspective might help us understand the current issues experienced in the field of information security management. Von Solms (2000) offers such a viewpoint by proposingthat development of information security hasgone through three distinct generational ‘waves’. Von Solms proposes that the first generation, the ‘1st wave’, which he calls the ‘technical wave’, occurredin the early 80’s and was characterized by a very technical approach to information security. Soon the change would come because even during this stage, the technical administrators recognizedthat for them to strive they needed the active involvement of the management. The ‘2ndwave’, which came as the recognition of the management by the IT administrators came in the mid-88 and was knows as the ‘management wave’. The wave wascharacterized by acumulative interest and involvement by management in information security. This wave supplemented the technical wave and increased the importance of information security.Yet, while this enhancedinformation security, a greater sympathetic approach was still needed – specially, in the measurement and valuing the effectiveness of information security. This helped in measuring and comparing information security against a baseline, as well as measure and compare against other institutions. The measurement and comparisons led to the ‘3rdwave’, called the ‘institutional wave’. This is the existing wave today. This third wave is represented by the recognition of and interest in, international standards, codes of practice, security certification, cultivating a corporate security culture, and dynamic and continuous security measurement.

Besides these generational waves, information security has also been described from a very high conceptual level as broadly involving both ‘technical controls’ and ‘leadership’. Therefore, besides technology, the actual leadership of security approaches, involving overall governance and management, is a major feature of security. Other definitions have attempted to explain information security in more detail, by including the interrelationships between the areas of information security in a broader manner.

2.1.1 Comparative description of Information securityAccording to Andress (2011) Information security involvessecuring information and information systems from unauthorized access, use, disclosure, disruption, modification and destruction. Whitman and Mattord (2011) goes on to describe security as the state of being secure or free from danger and describes information security as a layer among other layers of computer security like physical security, personnel security, operations security, communications security, and network security. All the above authors reckon the significant characteristic of information securitybut do however have their differences when it comes to identifying the criticality of its characteristics. For Whitman and Mattord (2011) Confidentiality, Integrity, Utility and Possession are the main critical characteristics of information security while Andress (2011) recognizes Confidentiality, Integrity, and Availability, Possession, Authenticity, and Utility as the main critical characteristics.

Confidentiality deals mostly with responsibilities of preventing any unauthorized access or reading of other people’s personal data but this should not in any way be mistaken to privacy; which for it, is associated with a person’s control over his or her personal data (Renaud and Galvez-Cruz, 2010). While universities have a duty to keep private information confidential, Oblinger (2003) observes the need to provide access to computer systems, networks, and scholarly resources to students, staff and stakeholders is essential both for individual success and organizational success. Therefore the issue is about access of the right information to the right users. There are international standards that guide how to keepinformation secure so that its Confidentiality, Integrity, and Availability are not violated.

2.1.3 Confidentiality, Integrity and availability in Information SecurityWhitson (2003) suggests that the major features of security management are assuring the confidentiality, integrity and availability of information (Commonly known as the ‘CIA’ model of security). The confidentiality, integrity and availability of security are a relatively commonly accepted ‘model’, whereby security can be viewed as involving a process to provide information with the CIA principles. Until recently, the CIA model has been well-thought-outas the ‘cornerstone’ of security.However, increasingly it is considered insufficient in taking into account many of the other important aspects of security. Despite the relatively wide embracement and overall recognition of the CIA model as a security model, research suggests that this model is now too simple to describe more than the basic elements of security. For instance, elements like accountability and responsibility are not addressed by the CIA model.

This is explained perhaps by the fact that the CIA model was developed in the era of computing, where information security was generallyperceived a technical function. The IT environment is now extensivelyunlike the early computing days and hence the effectiveness of the CIA model is in question. The CIA model reflects early approaches that were very technically oriented. Lacking in the CIA model is the new requirement to have a business focus incorporated by an accountability and responsibility orientation; i.e. information security should be driven from a business objective approach not just a technical approach. Moving information security out of the IT domain is necessary to include a wider business perspective, and more human related activities.

Whitson (2003) contends that security is primarily achieved through risk analysis, security policies, procedures and documentation, providing training and awareness and preparing for disaster avoidance and recovery. Comparatively, Andersen (2001) and Von Solms (1999) include in their definition substantial organizational involvement of stakeholders and the application of recognized security standards. It is obvious at this point that even if the CIA model were uniformly accepted, it is too basic now to properly represent security. Additionally, it does little to guide the way in which security should primarily be achieved, including the activities and functions involved, and as such would probably result in a lack of agreement on this.

Information technology keeps changing every now and then, despite the emergence of CIA and other standards, models and frameworks, there lacks a commonly held view and practical implementation of a standard approach to the management of information security. It is almost as if organizations are caught somewhere between a technical view of information security at one end, and its integration within business governance at the other end.Applying the lack of consensus to the development of a practical conceptual framework for information security management thus becomes even more difficult, perhaps due in part to the evolving uniqueness of requirements for different organizations. So while some authors agree loosely on the functions within security management (Siponen and Kajava, 1998; Andersen, 2001; Von Solms, 1999), actually applying information security functions and standards effectively within the organizational context of the higher education sector is still a complex issue.

2.1.4 International Information Security StandardsAccording to Moore (2001) standards provides objective criteria for information security choices, information security practitioners who make decisions withoutbasing on standards and practices they end up with undeservedelementsthat may include ignorance, predisposition, perceived constraints, and personal motives. Several internationally-recognized information security standards exist that address various aspects of information management. Below is a brief summary of standards that are applicable and related to information security according tothe Australian standards, Hong Kong Government Special Administrative Region (2008), as well as ISO Online

Standard Purpose Description

ISO/IEC

27001:2005 Information Security

Management System

(ISMS) Requirements Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving documented ISMS.

ISO/IEC

27002:2005 Code of Practice for

Information Security

Management Addresses: security policy,

organization of information

security, asset management, human resource security, physical and environmental security, communications and operations management, access control, information security incident management, business continuity plan, resilience plan

ISO/IEC 15408 Evaluation Criteria for I.T Security.

Helps evaluate, validate, and certify security assurance of a technology product against a number of factors. Hardware and software can be evaluated against this standard.

COBIT Control Objectives for

Information and related Technology. A framework that links IT initiatives to business requirements.

ITIL or ISO/IEC

2000 series Information

technology

Infrastructure Library Dwells on the service processes of IT and considers the central role of the user.

From the above table, it is obvious that all the listed standards are important in relation to the information security field. For the task at hand in this paper, it seems that ISO/IEC 27002:2005 and ISO/IEC 27001:2005 are moresignificant because they are thestandards that are directly addressed information security management. However the Australian government and the Hong Kong government (2008) advises that an enormous effort from management down to end users would be required to implement controls that are incompliance with a particular standard, in other words the management must make sure that the chosen standard must be applicable andpractical for their particular organization.

2.1.5 Information Security RequirementsThere are numerousconcerns that characterize information security. However the number of requirements needed to address those concerns varies from standard to standard or author to author but the main issues are common in most publications. The following list is according to ISO/IEC 27002:2005, standard (ISO/IEC, 2005), SP800-14 (NIST, 1996), SANS Institute (Cross, 2000), SP800-35(NIST, 2003), and FIPS PUB 200 (NIST, 2006);

• Security Policy

• (User) Awareness and Training

• Access Control, Identification and Authentication, Configuration Management and

Maintenance

• Physical and Environmental Protection

• Incident Response, Disaster Recovery Planning, Contingency Planning

• Personnel Security

• Organization of Information Security

• Risk Management

These issues represent the baseline for assessing information security. For this paper in its literature, these requirements will be discussed under information security management as a collective because its interaction with theserequirements in the organization of information security. However the paper will look at Security policy and Risk management in particular.

2.2.0 APrécis to Information Security ManagementThe term itself raises the attention to a structured process for the implementation andongoing management of information security in an organization (Vermeulen & Von Solms, 2002). There are numerous appraisals for information security, conferring to (Nyanchama & Sop, 2001); Information security is a key component in modern enterprise planning and management due to the role of IT in today’s enterprise. (Nyanchama & Sop, 2001) goes on to note that organizations continue to struggle not only with the organizational environment complexity but also with management of rising diverse technologies that are being brought aboard to the organization. Significant changes in the use and purpose of computers since their introduction has had a direct impact on the types of computer security related issues (Vermeulen & Von Solms, 2002). The ultimate goal of information security management is to turn an organization’s security policies into security requirements that can be codified, implemented, enforced and measured (Tracy, 2007) and in other words assuring its credibility as program in an organization.

In the world today, there are debates to what really brings credibility of information security programs in organizations, looking at the observation of Kadam (2007); he suggests that credibility of the entire information security program in an organization relies on a well-drafted information security policy. Policies and procedures provide the guidelines for operational, physical, and technical security and allow these forms of security to be formally addressed (Vermeulen & Von Solms, 2002). Martin, Bulkan, &Klempt (2011) advises that a holistic view to an information security management system deals with all aspects regarding a secure information environment, being policies, standards, guidelines, codes of practice, technology, human, legal and ethical issues. Perhaps this is a direct concurrence with Chao &Tang (2003) thatsuggeststhat policy, risk analysis, risk management, contingency planning, and disaster recovery are important information security issues. Hong et al (2003), while recognizing that information security management contents do vary with different researchers and institutions stresses that information security is a function of policy, risk management, internal control, information auditing, and contingency management.

However Kadam (2007) notesthat organization will have to do much internal convincing the whole organization can believe in the importance of information security policy and proceed committedly. In other words establishing a security mentality is not a straight-forward matter. Kadam (2007) therefore proposes that a business impact assessment would help understand organizational information security better and also help top management to realize the indispensable position of information security in the business. Hong et al (2003) suggest that organizations should refer to information security standards andestablish security strategies for security control. Tracy (2007), while concurring with Hong et al (2003), further suggests that existing tools must be taken into account in the strategyformulation. ‘It is necessary to ensure that all users act in a certain prescribed manner when using IT systems and information’ (Vermeulen & Von Solms, 2002:1). Vermeulen and Von Solms (2002) define such act of providing procedures that dictate user behavior as operational security and contend that this human aspect makes information security more complex than computer or IT security. In fact a study by Mouratidis, Jahankhani, and Nkhoma (2008) found that the user posed one of the greatest security risks to a system. Hansche (2001) and Ernest &Young (2004) as cited in Tsohou et al (2008) agree with this observation especially in the absence of proper training and awareness. All this reminds us the words of Lobree CISSP (2002) that putting together a strong security model to protect internal resources from hackers, crackers, and other hooligans is not enough unless there is validation and verification of users, authentication of information, effective business resumption plans to avoid compromise of the model. There is thus need to manage the user. A study by Post & Kagan (2006) reveals that increased communication from the security team to employees (users) increases security perception. Post & Kagan (2006) however warn that increased security presence would increase interference with employee (user) tasks and therefore recommend interviewing users when introducing restrictive security to ensure that the new security measures do not unduly interfere with their jobs. Normally such security measures are a response to risks identified in the organization. In other words security measures are part of risk management as risk interventions.

2.2.1Risk ManagementPerhaps by now it is clear that no institution can now survive without carrying out risk management and assessment, universities, then like any other institution need risk management aspart of the security process. NIST (2002) describes risk management as the process of identifying risks, assessing risks, and taking steps to reduce the risks to an acceptable level. Furthermore risk is defined as the identification, analysis, assessment, control, and avoidance, minimization or elimination of unacceptable risk. According to NIST (2002) the principle goal of an organization’s risk management process should be to protect it and its ability to perform its mission and not just IT systems. NIST further observes that risk management allows IT managers to balance the operational and economic costs of controls and involves three related tasks namely risk assessment, risk mitigation, and evaluation and assessment. On the other hand, according to (Whitman and Mattord, 2011) Risk Assessment is the identification, evaluation and estimation of the levels of risks involved in a situation, their comparison against benchmark