University Security Plan

Data and information security is fundamentally important to any organization with an aim to protect its information from malicious attacks and cybercrimes. According to Miller, Voas & Hurlburt (2012), every organization defines and design security policies that help establish protection of its data and information as well as its employees. Establishing this security plan therefore, will enable the university to implement its security policies in order to protect students’ grades and information, which is the main asset for the plan. Furthermore, developing and implementing a proper security plan helps an organization to establish a policy that will help minimize the risks the organization may incur from security threats. It also minimizes the risks of data loss or leaks to unwanted people. Besides, security plan establishes a policy that declares information as a strong asset of an organization that needs protection from an authorized access both internally and externally (Miller, Voas & Hurlburt, 2012). It also sets proper guidelines, practices, and ensures effective end user compliance. In addition, it establishes rules that dictate user behavior as they interact with the system.

Scope

The university through the security plan has the mandate to protect the students’ information and grades from unauthorized access and manipulation as stated byYan et al (2012): the role of every organization is to develop security plans and policies that protect customer information from unauthorized access.  As a result, this security plan applies to all the students, university staff, and administrators, affiliate universities authorized to access institutional information, users of the university information resources, parents inclusive, as well as any third party agent of the university.

Students’ progress records and grades is very sensitive information that is at a higher risk of manipulation and access by unauthorized persons. The students have the pressure from themselves, parents, and professors who would want them to pose good academic records. This might influence them to hack the grading system in order to adjust their grades or their friends’ grades to meet their academic desire. On the other hand, corrupt university administrators may also unlawfully access the grading system to alter the grades. It is therefore, vital for the university to understand that the information that shall be stored in the grading system is very sensitive, vital and induces high-risk profile. Particularly, the important assets that the university aims to protect by the security plan include student grades and information, user computers, servers, passwords, configuration information, university networks and software. According to Yan et al (2012), every organization considers customer information as vital and the major informational asset that it needs to protect. Thus, the assets here included become the major assets for the university because they entail the customer information and progress records.

Risks Assessment

User Authentication and Access Control

User authentication and access control of information and data stored in the grading system database is very important as it promotes the safety of such data and information. The first asset to be regarded considering this area of security threat is user passwords. For any information to be guarded through authentication, passwords and user certificates have to be issued to protect unauthorized access by unwanted users (Yan et al, 2012). However, passwords are prone to risks, which are associated to confidentiality, availability, and integrity.  Firstly, hackers can guess or use brute force attack to hack the user passwords used to access the grading system. The accounts created in the grading system therefore, risk being accessed by unauthorized persons who may alter the student results and information in the database. Secondly, passwords are user generated security protocols that allow users to create their own passwords. This makes the asset vulnerable, as most users may not create strong and safe passwords to help secure their accounts.

On the other hand, certificate identification and authentication may be vulnerable to hackers who might infiltrate the university network and create fraudulent websites that seem to be for the university. In this case, the hackers may access the certificate authentication for the grading system and bring the system down or alter the grades and other valuable information. In return, the act will compromise the integrity, confidentiality, and availability of the information stored in the grading system by exposing it to wrong people

Server Security

The grading system uses user password logins into the server. The passwords are not secure as it poses cyber-attacks such as key logger and shoulder surfing attacks. According to (Miller, Voas & Hurlburt, 2012), key logger attacks allow unauthorized user to use a malware program to track the keystrokes of a user in order to obtain his or her identifications, password logins, which the server records in order to grant authentication of the grading system.  Moreover, key logger attack is possible especially with strong passwords, as they cannot protect the system against the attack.

In addition, the high number of uncontrolled users who access the server poses huge threats to the sensitive information and data stored in the servers that control the grading system. In order to develop an effective grading system, the university will have to create user accounts that can be accessed by the individual user computers. These accounts must be linked to the server where the operating system of the grading system is installed. Although each user will have authentication identification, sharing of, or forgetting such information is highly predictable, thus leading to security threats where wrong users can log into the server. If this happens, the unauthorized persons will compromise the integrity, availability, and confidentiality of the information stored in the server due to the unlawful access.

Software Security

A grade system uses computer software that manipulates tally, record, and grades student performances. It thus stores student personal information and progress records. Any unauthorized access to the software system causes interruptions that makes the system unsecure as it lacks availability, integrity, and authentication. System software is liable to attackers who can use command or SQL injections to stop or cause denial of service. The attackers inject the commands on the software codes, which are predominantly used. Once achieved, command injections may stop the software services like result grading and recording or even deny access to the software from the system servers. On the other hand, the cyber attackers may use malicious SQL codes that they inject into the software in order to modify or retrieve sensitive information stored in the software database (Yan et al, 2012). The SQL injections can also be used to bypass software login credential. These codes can obtain or delete student grades stored in the software database hence compromising the availability of such information.

Network Security

The grading system will use private Ethernet connections to allow free access by end users like students, staff, and third parties around the university. The use of private network is risky since it can attract malicious attackers who disguise as genuine users to log into the system network. The attackers may introduce system virus or malware that consumes the data and information stored in the system. This affects the integrity of the network itself, as it is vulnerable to cyber-attack and intrusion. Again, the university staff, students and any network user may cause threats to the network thus allowing attacks or malicious activities as they share result files across the network. This might be intentional or unintentional. Through phishing for instance, university students and staff may be tricked into clicking malicious files or links thus leading to loss or leak of student information stored in the grading system. Employees and students can also cause risk to the university network by installing unauthorized applications in their personal computers. Some of the applications are malwares imposed by hackers who would want to take control of the whole computer system in order to achieve particular information from the network. This kind of access denatures the confidentiality of the grading system and its functionality.

Risk Register

Authentication and access control poses the most risk to the grading system. The use of password to authenticate users is prone to hackers who may use brute force attack to hack the grading system (Miller, Voas & Hurlburt, 2012). The second largest risk is key logger and shoulder surfing on the server. This is very prone due to the sensitivity and importance of the grades to students. Attacking the server will enable change of the results thus causing compromise its confidentiality. Again, the university network risks attack from phishing because of emails shared by students across the network. Lastly, the software may experience attack from SQL injections, as students would want to change or delete bad grades from the system. The table below summarizes the risks in order of their likelihood of occurrence.

Category

Risk Name

Probability

Impact

Justification

1. Authentication and access control

Brute force attack on passwords

High

High

Every authentication requires password which makes the probability high

Hacking authentication user identity certificate

Medium

High

The certificates are hard to hack as they can be built with firewalls

2. Server security

Access of individual user accounts by unauthorized persons

High

High

This is high since some users can forget or share their passwords by unauthorized users

Key logger and shoulder surfing attack on the server through user passwords

Medium

High

Key logger and shoulder attack is medium because the grading system contains firewall that reduces the success of the attacks

3. Network security

Staff, student and users sharing files and emails leading to phishing

High

High

This threat is high because the students and staff might want to share the grades across the network

System log in by malicious attackers

Low

High

Malicious attackers can be prevented by firewalls installed in the network thus limiting the attack

4. Software security

SQL injections and commands by malicious users on the software system leading to retrieval, deletion or change of information stored

Medium

High

This category of threat is average depending how the attackers get access into the system software

Security Strategies and Actions

User Authentication and Control

In order to avoid password drawbacks, the university should implement password less user authentications. This authentication allows users to log into the grading system through email verification that uses swoops technology. Swoops technology is cheap, effective, and efficient. Moreover, the technology ensures that no unauthorized users access the system through the emails. However, the email verification may not be as fast as the password authentication since it requires system automated response that allows the log in after verification of the log in request.

Server Security

Server security can be maintained with firewalls that provide encryption so that it restricts or blocks every port. Blocking computer ports reduces the risk of obtaining information by unauthorized users from the server. Through the Firewall, system administrator can control the information the grading system will expose to the network thus protecting sensitive information from unauthorized users or hackers. Besides, it provides server configuration.

Software Security

Antivirus that does regular scanning to online and offline files will be used to protect the grading system. Antivirus help fight malware imposed by hackers thus keeping the software security. Moreover, antivirus provides consistent scanning of the software to remove and correct junk files. It also prepares any software damages that might hinder software operation.

Network Security

The university network should be protected with antimalware and antivirus software. These programs scan malwares and viruses, worms, Trojans and other security threats that come with files and from hackers. The antivirus helps to remove the malwares from both the server and user computers as they come from the shared information and files (Yan et al, 2012). This in turn assists to protect the network from any threats. Again, the antivirus prevents viruses introduced into the server network by hackers and other attackers.

Implementation Plan

Managers, operators, and administrators who will coordinate to ensure that the security plan is completely implemented will undertake the implementation process. First, the server administrator should install firewalls around the server and help monitor its security. In addition, the end users should implement operational control of their email addresses since it is the main authentication into the user accounts through which the grading system is accessed. On the other hand, the IT manager for the grading system is responsible for the information security standards and should ensure that all risks are minimized (Griffith Information Security Policy Schedule).

Residual Risks

The grading system may face threats from system break down caused by poor coding of the server html. The system operates like an artificial intelligence; hence, lack of proper coding of the software may lead to system collapse resulting into loss of information and student records.

Resources

The resources needed for the implementation of the grading system includes, Student Information System Software, server, personal computers for software operators and end users, Ethernet network, antivirus software, and firewall applications (Griffith Information Security Policy Schedule). In addition, the university will need to employ system operator, IT security manager, system administrator, and chief digital officer who will from time to time provide status update on audit actions and offer security recommendation regarding the risks.

Maintenance and Training

Once installed, corrective maintenance will be conducted on the grading system software to correct discovered problems before the system is tried out. Again, the university should conduct adaptive maintenance to ensure the software functions properly in a changed environment. Lastly, the grading system will be put under preventive maintenance to identify and correct latent faults before they increase.

On the other hand, training of the students, staff, and all end user will ensure that they understand the functionality of the grading system. This training will discuss the user adaptability and usability of the program together with the pros and cons of the software. Training also helps to ensure that the software works effectively to improve access of the results by students.

Appendix: Plan Revision History

Date of Change

Responsible

Summary of Change

7/2/2016

IT security manager

Installation of routers of the grading system to hostels and lecture halls to enable the students use the university network easily to access the grading system in their laptops and smart phones

17/12/2017

System administrator

The system administrator through the approval of the university senate changed the system grading from letters to percentages. This would ensure reliability of the results

3/3/2018

Chief digital officer

Created and approved guest login accounts to allow parents access and view results of their children. The accounts were created with strong password authentication to limit malicious activities and access by unauthorized persons

References

Griffith Information Security Policy Schedule: http://policies.griffith.edu.au/pdf/Information-Security-Policy-Schedule-A-Roles-Standards-Operational-Procedures.pdf

Miller, K. W., Voas, J., & Hurlburt, G. F. (2012). BYOD: Security and privacy considerations. It Professional, 14(5), 53-55.

Yan, Y., Qian, Y., Sharif, H., & Tipper, D. (2012). A survey on cyber security for smart grid communications. IEEE Communications Surveys and tutorials, 14(4), 998-1010.