In order to protect against accidental or intentional damage to or loss of data, interruption of College business, or the compromise of confidential information, we must classify data and establish minimum standards and guidelines to ensure a secure system.
Effective from: 02/02/17
This policy must be applied to all of the following: students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers and all other entities or individuals with access to confidential information through the Modern College of Business and Science or its affiliates/partners.
- Database Department
- Information Technology Support Department
Terms of Reference:
Access – Any personal inspection or review of the confidential information or a copy of the confidential information, or an oral or written account of such information.
Confidential Information – Information identified by the applicable laws, regulations or policies as personal information, individually identifiable health information, education records, personally identifiable information, non-public personal data, confidential personal information, or sensitive scientific or sponsored project information.
Data – Information generated in official College business. Information that is personal to the operator of a system.
Disclosure – To permit access to, or to release, transfer, distribute or otherwise communicate any part of the information by any means.
Incident – A potentially reportable event that may include, but is not limited to, the following:
– Attempts to gain unauthorized access to systems or data;
– Unwanted disruptions or denial of service;
– A virus or other malware spreading;
– Theft, misuse or loss of electronic equipment containing confidential data;
– Unauthorized use of systems for processing or collecting data;
– An office or unit failing to dispose of confidential paper records in a proper manner;
– Unauthorized changes to system hardware, firmware or software.
The Modern College of Business and Science must aim to create a safe environment for all in terms of data confidentiality and personnel. Information security professionals must employ techniques which prevent, as far as possible, any threat from exploiting any vulnerability. Threats could target privacy, reputation and intellectual property, among many other kinds of data.
In order for the policy to be fully effective, and so that it is known which data must be protected, data must be classified into four categories:
- Category 1 – Data that can be freely distributed to the public.
- Category 2 – Internal data only, not meant for outsiders.
- Category 3 – Sensitive internal-only data that could affect operations if disclosed to the public.
- Category 4 – Highly sensitive internal data that could put the College at financial or legal risk if disclosed to the public.
Security Prevention Measures
Security prevention measures ensure security and provide assurance for both the College and its customers. Prevention measures can consist of many things.
- Existing Security Measures.
- Access control which ensures that only users who have been granted permission to access the database may do so. This applies to accessing, modifying and viewing the data.
- Frequent SQL input validation tests are conducted to ensure that data entered through the web applications cannot be used to inject SQL and gain unauthorized access to the database.
- Three separate cloud-based servers are available, two of which are for backup purposes; this ensures the availability of the data in the case of an intrusion on one of the servers.
- All servers are backed up daily.
- Database auditing is frequently conducted.
- Database log files are frequently checked to observe in case of any malicious activity.
- All database security is managed by a third party in order to ensure maximum security.
- In order to limit the impact of Denial of Service (DoS) attacks, which could affect availability, the web applications are placed on different servers.
- Role-Based Access Control (RBAC) is used to make sure employees can only retrieve content from the database that their role is authorized to access, after they have been authenticated.
- Discretionary access control is only permitted to the database department as no other faculty or staff needs access or is permitted to access.
- Flaws which need to be reviewed
- Password policy is not strictly enforced for students, which can result in the compromise of an account.
- Solution: The password policy MUST apply to everyone; therefore, the database department must make it mandatory.
- No honeypot is in place.
- Solution: The necessary equipment and software should be purchased so that a honeypot can be deployed. This will help the College detect and study attacks such as SQL injection or any other database attack before they reach production systems.
- No digital certificates are used when messages are sent across the website.
- Solution: Deploy digital certificates so that messages sent across the website are encrypted in transit and digitally signed, giving a better level of security.
- No certified security professionals are currently employed.
- Solution: Raise the issue with Human Resources as a matter of concern and seek the hiring of a certified professional or the training of existing staff.
- Lack of awareness among staff and faculty regarding security in general.
- Solution: Conduct training for faculty and staff on how to spot basic threats, potential intrusions, etc.
*After these flaws are fixed, policy MUST be reviewed and updated.
iii) Added Policies
- Conduct penetration testing and risk assessment frequently; a report must be generated and reviewed by the Chief Information Security Officer (CISO). Identified vulnerabilities must be fixed.
- In the case of an incident the CISO must be informed so that the necessary action can be taken. Any employee failing to do so shall face disciplinary action.
- The database MUST expose views rather than tables to ensure security, and all data entry and retrieval must go through predefined queries rather than ad-hoc SQL.
- Remote and other distance access to the database must not be enabled; unused services such as Telnet (port 23) and FTP (port 21) must be blocked, and the database port must not be reachable from outside the College network.
- The database password MUST be changed every fortnight to ensure the security of the password.
- A password strength policy must be implemented for the database (minimum 8 characters, upper and lower case letters, numerals and special characters).
- Backups must also be kept offsite and not only in the cloud.
- Backups of Category 3 and 4 data as defined above must also be stored on a dedicated encrypted drive, separate from the normal backups.
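The following is an added example, not part of the College policy, showing how the "views rather than tables / predefined queries" rule and the "SQL input validation tests" listed above look in working code. It uses Python's bundled sqlite3 driver with a constructed students table (student IDs, names, national IDs and a medical note are all made-up sample data). A view exposes only the Category 2 columns; the application reads it through one parameterised query; and the validation test feeds a classic injection payload to both that query and a deliberately insecure concatenated one. SQLite has no GRANT, so the role restriction that a server DBMS would add is noted in a comment rather than executed.

```python
"""
Added example (not College code): restricted view + predefined parameterised
query, and the injection check that the policy's input validation tests
should perform. All data below is constructed for the example.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database: a Category 4 base table and a Category 2 view."""
    con = sqlite3.connect(":memory:")
    con.execute(
        """CREATE TABLE students (
               student_id   TEXT PRIMARY KEY,
               full_name    TEXT NOT NULL,
               email        TEXT NOT NULL,
               national_id  TEXT NOT NULL,   -- Category 4: never leaves this table
               medical_note TEXT             -- Category 4
           )"""
    )
    con.executemany(
        "INSERT INTO students VALUES (?, ?, ?, ?, ?)",
        [
            ("S1001", "Aisha Al-Balushi", "aisha@example.edu", "NID-111", "asthma"),
            ("S1002", "Omar Al-Harthi", "omar@example.edu", "NID-222", None),
            ("S1003", "Fatma Al-Lawati", "fatma@example.edu", "NID-333", "none"),
        ],
    )
    # Directory view: Category 2 columns only. Application roles query this,
    # never the base table. In a server DBMS (PostgreSQL, MySQL, SQL Server)
    # you would additionally GRANT SELECT on the view to the application role
    # and grant nothing on the base table.
    con.execute(
        "CREATE VIEW student_directory AS "
        "SELECT student_id, full_name, email FROM students"
    )
    return con


def lookup_safe(con, student_id):
    """Predefined query: the value is bound as a parameter, never spliced into SQL."""
    return con.execute(
        "SELECT student_id, full_name, email FROM student_directory "
        "WHERE student_id = ?",
        (student_id,),
    ).fetchall()


def lookup_vulnerable(con, student_id):
    """Deliberately insecure: the statement is built by string concatenation."""
    sql = (
        "SELECT student_id, full_name, email FROM student_directory "
        "WHERE student_id = '" + student_id + "'"
    )
    return con.execute(sql).fetchall()


def injection_test(con):
    """Input validation test: run a classic payload through both lookups.
    Returns (rows via concatenation, rows via bound parameter)."""
    payload = "S1001' OR '1'='1"
    return len(lookup_vulnerable(con, payload)), len(lookup_safe(con, payload))


def view_columns(con):
    """Columns a directory consumer can see; Category 4 fields must be absent."""
    cur = con.execute("SELECT * FROM student_directory LIMIT 0")
    return [d[0] for d in cur.description]


def view_hides_category4(con):
    """True if a consumer of the view cannot reach the national_id column at all."""
    try:
        con.execute("SELECT national_id FROM student_directory")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("view exposes:", view_columns(db))
    print("Category 4 column hidden:", view_hides_category4(db))
    vuln, safe = injection_test(db)
    print(f"payload returned {vuln} rows via concatenation, {safe} via bound parameter")
```

The payload turns the concatenated statement into `WHERE student_id = 'S1001' OR '1'='1'`, which matches every row; the bound version compares the whole string literally and matches nothing. Running `injection_test` as part of the policy's validation routine, and failing the test whenever the two counts differ, gives a repeatable check that no application path still builds SQL from raw input.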
All members of the College are responsible, to some extent, for the security of their own data and related assets. Below is what each group of individuals is responsible for.
A. Custodians are responsible for:
1. Information Security Procedures Establishment
2. Managing authorizations
B. Users are responsible for:
1. Abiding by the College IT policy
2. Physical security
3. Information storage
4. Information spreading and sending
5. Method of disposal of info and devices
6. Computer security
7. Remote access
8. Logging off
9. Virus and malicious code protection
C. Managers are responsible for:
1. All what users are responsible for
2. All that the custodians are responsible for
3. Sharing responsibility for information security with the employees they supervise
4. Establishing information security procedures
5. Managing authorizations
6. User training and awareness
7. Physical security
D. Information Service Providers are responsible for:
1. More extensive information security requirements than individuals
2. Establishing information security procedures
3. Physical security
4. Computer security
5. Network security
6. Access controls
7. Contingency planning
E. The CISO must continuously monitor the College's database security to ensure there are no flaws or loopholes, and must propose tools or mitigation strategies. S/He must do the following:
1. Creating, reviewing, and revising policies, procedures, standards.
2. Ensuring security training and awareness.
3. Overall authority for College networks and systems security.
4. Incident handling, remediation, and reporting.
5. Collaborating with the Office of Internal Audit to ensure policy conformance.
Enforcement & Implementation
The required actions set out in these policies and rules must be carried out from the effective date mentioned above; those who fail to comply with this policy shall face disciplinary action. This policy must be strictly implemented.