University of Idaho Security Review
Statement of Work

January 28, 2013

Goal and Scope of the Review

The team’s charge is to determine as best as possible the general state of technology and information security at University of Idaho.  While there will be abundant sharing of information and suggestions during the campus visit, the primary tangible product will be a written report consisting of:

  1. narrative comments and associated recommendations on each area evaluated, and
  2. recommendations extracted and provided as a list, prioritized as to relative importance.

The areas that will guide the review – domains – are listed below, and are adapted from the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) international standard ISO/IEC 27002:2005 on Information Security Management.  Other sources for generally accepted privacy and security practices will also be used to compare the University of Idaho's circumstances in those various domains.  A pointer to the ISO standard and the various other relevant and useful references can be seen on the Indiana University page that describes IU's equivalent program.

Domain 1: Risk Assessment and Treatment

A sound risk assessment strategy must identify, understand, and prioritize risks to information. Risk assessments can be time-consuming and costly, so should be performed based on the sensitivity or criticality of the information used in the system or process. Systems that process sensitive information must be assessed much more rigorously than those that do not. The resulting analysis should guide management decisions on which safeguards are needed to address (treat) identified risks. The goal is to minimize harm to the University and its community.

Domain 2: Policy

Organizational leadership must set a clear direction for information privacy and security in support of organizational goals and compliance with relevant laws and regulations. Policy is a key tool by which leadership documents, sets, and communicates this direction and expectations to the organization. Through issuing and maintaining policy, leadership demonstrates its support for and commitment to the philosophies and values embodied in policy. In the collegial setting, policy is often (though not always) arrived at through a consensus-building process. Information policy should be periodically reviewed and updated as needed to reflect changes in technology, laws, organizational approach, and other factors.

Domain 3: Organization

A management framework allows an organization to sustain and manage its information security and privacy infrastructure. Protecting a university’s information assets requires establishing a clear organizational structure and outlining responsibilities. This is especially important in large institutions with many autonomous internal units and external partners. In addition to clearly articulating these responsibilities, this framework should include appropriate safeguards to protect the information assets accessed or managed by external partners on behalf of the university.

Domain 4: Asset Management

To be effective, the University asset management strategy must include information assets as well as the university’s software, reputation, people, and services, in addition to its physical information technology equipment. It is important to identify, track, classify, and assign ownership for the most important assets to ensure they are adequately protected.

Domain 5: Human Resources

People play a fundamental role in information protection. An organization's security and privacy safeguards are no better than the people who implement and use them. Therefore, it is important to manage human resource security and privacy risks during all phases of an employee's association with the University: the time prior to employment, during employment, at a change of University employment, and when employment terminates. Safeguards such as adequate job descriptions and screening, user awareness and training, a disciplinary process, and an orderly exit process are key in guiding employees on operating securely and using information appropriately. These safeguards must also ensure that access privileges change when a user's relationship with the University changes.

Domain 6: Physical and Environmental

Physical and environmental safeguards are often overlooked but are very important in protecting information. Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, portable disk drives) must be physically protected. Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extremes.

Domain 7: Communications and Operations Management

Information technology systems process large quantities of University data. These systems — which include computers, networking equipment, mobile devices, storage media, and other IT components — must be managed so as to protect information. The goal is to provide a robust, reliable, and secure IT infrastructure that lends itself to information protection. Meeting this goal requires implementing safeguards, including policies, standards, and procedures that guide how systems are operated and how the institution processes information.

Domain 8: Identity and Access Control

A robust and flexible identity and access control infrastructure is key to implementing appropriate information security and privacy. Identity controls must exist to establish a level of assurance that the individual using an asset is who she claims to be. Likewise, access controls must exist to provide appropriate access to information and systems, prevent unauthorized access, and enable accountability. User access management includes user registration, management of privileges granted to users, and password management. At the same time, users also need to be made aware of their responsibilities for maintaining effective access controls. These safeguards must apply irrespective of whether the information or systems are stored on or accessed from on- or off-campus locations.

Domain 9: Information Systems Acquisition, Development, and Maintenance

Information systems are at the heart of many University processes. It is therefore important that these systems be acquired, designed, implemented, and maintained with information protection in mind. Information security and privacy must be considered throughout the lifetime of a system, and appropriate and adequate safeguards must be put in place to protect information and information systems.

Domain 10: Incident Management

In spite of the most vigilant efforts to minimize them, events will occur that jeopardize the security and privacy of institutional and personal information. However, the institution's process of preparing for, preventing, detecting, responding to, and tracking these events has a significant impact on their frequency and severity. Appropriate policies and procedures are needed to provide an efficient and effective incident management strategy.

Domain 11: Business Continuity Management

Access to information and information assets can be partially or completely interrupted by natural disasters, accidents, equipment failures, or malicious activities. Appropriate business continuity planning — planning for the unexpected — must be undertaken to protect the availability of critical information resources and continuity of operations. Business continuity planning will promote the rapid recovery of University functions in the face of an adverse event, minimize the impact of such an event, and improve the University's ability to cope with the unexpected. The University's business continuity plans should be based on risk and focus on key information and information technology assets in the context of business needs.

Domain 12: Compliance

The University has a legal, moral and ethical responsibility to comply with applicable legal, regulatory, and contractual requirements with respect to safeguards over information and information assets. This also protects the University's reputation and minimizes the risk of the negative financial and other consequences associated with noncompliance. Because the University operates in such a complex legal, regulatory, and contractual environment, a formal framework is necessary to promote compliance. Such a framework should address legal compliance; compliance with internal policies, standards, and guidelines; and audit objectives.

Review Steps/Methodology

The review consists of three main parts:

  1. Pre-visit assessment.
  2. On-campus visit.
  3. Development of the report product.

Pre-Visit Assessment

Prior to the campus visit, technical members of the review team will perform scans and probes of the campus network to get a picture of what someone outside of the university might be able to detect and access.  This includes 1) an analysis of university computers implicated in any reports from external security sources; and 2) scans and light penetration attempts (as determined with the university security staff) to computers connected to the campus network and visible to the outside world.  The scans will be initiated from off campus to determine what an outside potential intruder might see, and will “touch” any computer that carries an Internet Protocol address assigned to the university, and connected to the public Internet.  Tools used will be open source, such as NMAP and NESSUS.
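As an added example, not part of this statement of work or of the review team's own tooling, the Python script below shows the step that follows the external scan: reducing raw Nmap output to material for the report. It parses an Nmap XML file (a constructed sample is embedded; 192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges, not University of Idaho addresses), excludes any responding host that falls outside the address blocks the university authorised the team to touch, and turns open services that generally should not be Internet-facing into findings. The authorised ranges and the list of services to flag are assumptions chosen for illustration; a real engagement would take both from the agreement with university security staff.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output with hypothetical hosts (not real scan data).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml" version="6.25">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.edu" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.45" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="198.51.100.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed: the address blocks the university authorised the team to scan.
IN_SCOPE = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed: services that generally should not be reachable from the public
# Internet; each open instance becomes a finding for the report narrative.
REVIEW_SERVICES = {
    "telnet": "cleartext remote login",
    "ftp": "cleartext file transfer",
    "microsoft-ds": "SMB file sharing exposed to the Internet",
    "ms-sql-s": "database listener exposed to the Internet",
    "mysql": "database listener exposed to the Internet",
    "ms-wbt-server": "RDP exposed to the Internet",
}


def parse_nmap_xml(xml_text):
    """Return [(ip, hostname, [(port, proto, service), ...])] for hosts that were
    up, keeping only ports whose state is 'open'."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr_el is None:
            continue
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name") if name_el is not None else ""
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            service = svc.get("name", "") if svc is not None else ""
            open_ports.append((int(port.get("portid")), port.get("protocol"), service))
        hosts.append((addr_el.get("addr"), hostname, open_ports))
    return hosts


def in_scope(ip, networks=IN_SCOPE):
    """True if the address lies inside one of the authorised blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def summarize(xml_text, networks=IN_SCOPE):
    """Separate in-scope hosts from out-of-scope ones and collect findings."""
    result = {"hosts": [], "findings": [], "out_of_scope": []}
    for ip, hostname, ports in parse_nmap_xml(xml_text):
        if not in_scope(ip, networks):
            result["out_of_scope"].append(ip)  # responded, but not authorised: excluded
            continue
        result["hosts"].append((ip, hostname, ports))
        for port, proto, service in ports:
            if service in REVIEW_SERVICES:
                result["findings"].append((ip, port, service, REVIEW_SERVICES[service]))
    return result


if __name__ == "__main__":
    report = summarize(SAMPLE_XML)
    for ip, hostname, ports in report["hosts"]:
        label = f"{ip} ({hostname})" if hostname else ip
        print(label, ", ".join(f"{p}/{pr} {s}" for p, pr, s in ports))
    for ip, port, service, why in report["findings"]:
        print(f"FINDING {ip}:{port} {service}: {why}")
    for ip in report["out_of_scope"]:
        print(f"EXCLUDED (outside authorised ranges): {ip}")
```

On the sample, the host at 192.0.2.45 yields two findings (telnet and SMB open to the Internet; the closed MySQL port is ignored), and 198.51.100.7 is listed as excluded rather than reported, which is the scope check a review team wants before any finding about a host reaches the university.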

In addition, the team will review documents and information (e.g., web sites, educational and awareness materials, general guidance) available to the campus community and to the general public.

On-Campus Visit

The detailed schedule for the on-campus visit will be developed in advance as much as possible, and will consist of:

Faculty, Staff and Student Interviews

The security review team will interview a wide variety of individuals representing a broad cross-section of the university, including central IT management and staff, administrative staff (e.g., from business units such as the registrar, library, and payroll), students, faculty, and IT support staff from various organizational units.  From these interviews, the team not only collects broad information related to technical, physical, and administrative safeguards, but also attempts to gauge the reach of awareness of the variety of security issues facing campus community members. Reviews of internal vulnerability scans conducted by University of Idaho will be included in discussions with IT management and staff.

From these interviews, the review team will draw conclusions not only about the university’s technical security posture, but also about the presence of (or lack of) a culture of security.

Facilities Tour and Physical Security Review

In addition to interviews, the security team also conducts a physical security review to assess the physical security of the IT infrastructure on the campus. This ranges from actual inspection of the data center(s) to spot inspections of the actual network infrastructure (e.g., network switch locations, wiring closets).

Report Product

While the review methodology belongs to the team, the report and any other related content will be the property of the university, and will be marked confidential (and can include whatever wording is consistent with the state’s open records law, if an exemption for the release of such information exists in that state code).  Development of the report will likely include several draft versions, as the team works to ensure that content accurately reflects the situation on the ground.

The report consists of three sections:

  1. Executive Summary, which provides a general rating (grade) and an overview of the findings,
  2. A detailed report of the findings, with embedded recommendations, and
  3. An analysis of relative priority of the recommendations and comments about the reasoning for the priorities.

Previous university reports were on the order of 40 pages.

Cost Estimate and Timeline

Total costs will be informed by final travel/ground transportation and local lodging expenses, and by the number of days necessary to complete the agreed-upon review and scope.  Below is a breakdown of expected costs for 4 team members and a presumed visit of 3 days, counted from evening arrival and dinner on the first day through evening departure on the third day:

Item Description                           Cost per Item   Quantity             Extended Cost
Airfare                                    $550            4 persons            $2,200
Ground Transportation                      $75             3 days               $225
Lodging                                    $120            4 persons, 2 nights  $960
Meals (not otherwise provided by campus)   $50             4 persons, 3 days    $600
Stipends - Team Members                    $6,000          3 persons            $18,000
Stipend - Team Lead                        $6,600          1 person             $6,600
Total Estimate                                                                  $28,585

The visit is tentatively scheduled for April 21 – 23, 2013.  Given time to digest collected information, some iterative clarification or corrections work, an in-depth prioritization of recommendations by the team, and report preparation, a tentative final report delivery date of June 28, 2013 should be expected.

Upon delivery of the final report, each team member will submit an invoice and a reimbursement request.  Payment of the total is due upon receipt.