
    Managing Controlled Unclassified Information in Research Institutions

    In order to operate in a regulated world, researchers need to ensure compliance with an ever-evolving landscape of information security regulations and best practices. This work explains the concept of Controlled Unclassified Information (CUI) and the challenges it brings to research institutions. A survey of user perceptions showed that most researchers and IT administrators lack a good understanding of CUI and how it relates to other regulations, such as HIPAA, ITAR, GLBA, and FERPA. A managed research ecosystem is introduced in this work. The workflow of this efficient and cost-effective framework is elaborated to demonstrate how controlled research data are processed to be compliant with one of the highest levels of cybersecurity in a campus environment. Issues beyond the framework itself are also discussed. The framework serves as a reference model for other institutions to support CUI research. The awareness and training program developed from this work will be shared with other institutions to build a bigger CUI ecosystem.

    Standardizing Instructional Definition and Content Supporting Information Security Compliance Requirements

    Information security (IS)-related risks affect global public and private organizations on a daily basis. These risks may be introduced through technical or human-based activities, and can include fraud, hacking, malware, insider abuse, physical loss, mobile device misconfiguration or unintended disclosure. Numerous and diverse regulatory and contractual compliance requirements have been mandated to assist organizations in proactively preventing these types of risks. Two constants are noted in these requirements. The first constant is requiring organizations to disseminate security policies addressing risk management through secure behavior. The second constant is communicating policies through IS awareness, training and education (ISATE) programs. Compliance requirements direct that these policies provide instruction about making compliant and positive security decisions to reduce risk. Policy-driven and organizationally-relevant ISATE content is understood to be foundational and critical to preventing security risk. The problem identified for investigation is the inconsistency of the terms awareness, training and education as found in security-related regulatory, contractual and policy compliance requirements. Organizations are mandated to manage a rapidly increasing portfolio of inconsistent ISATE compliance requirements generated from many sources. Since there is no one set of common guidance for compliance, organizations struggle to meet global, diverse and inconsistent compliance requirements. Inconsistent policy-related content and instructions, generated from differing sources, may cause incorrect security behavior that can present increased security risk. Traditionally, organizations were required to provide only internally-developed programs, with content left to business, regulatory/contractual, and cultural discretion. Updated compliance requirements now require organizations to disseminate externally-developed content in addition to internally-provided content.
This real-world business requirement may cause compliance risks due to inconsistent instruction, guidance gaps and lack of organizational relevance. The problem has been experienced by industry practitioners within the last five years due to increased regulatory and contractual compliance requirements. Prior studies have not yet identified specific impacts of multiple and differing compliance requirements on organizations. The need for organizational relevance in ISATE content has been explored in the literature, but the amount of organizationally-relevant content has not been examined in balance with newer compliance mandates. The goal of the research project was to develop a standard content definition and framework. Experienced practitioners responsible for ISATE content within their organizations participated in a survey to validate definitions, content, compliance and organizational relevance requirements imposed on their organizations. Fifty-five of 80 practitioners surveyed (68.75% participation rate) provided responses to one or more sections of the survey. This research is believed to be the first to suggest a standardized content definition for ISATE program activities based on literature review, assessment of existing regulatory, contractual, standard and framework definitions, and information obtained from specialized practitioner survey data. It is understood to be the first effort to align and synthesize cross-industry compliance requirements, security awareness topics and organizational relevance within information security awareness program content. Findings validated that multiple and varied regulatory and contractual compliance requirements are imposed on organizations. A lower number of organizations were impacted by third-party program requirements than was originally expected. Negative and positive impacts of third-party compliance requirements were identified.
Program titles and content definitions vary in respondent organizations and are documented in a variety of organizational methods. Respondents indicated high acceptance of a standard definition of awareness, less so for training and education. Organizationally-relevant program content is highly important and must contain traditional and contemporary topics. Results are believed to be an original contribution to information/cyber security practitioners, with findings of interest to academic researchers, standards/framework bodies, auditing/risk management practitioners and learning/development specialists.

    Information Security Governance Simplified

    Security practitioners must be able to build cost-effective security programs while also complying with government regulations. Information Security Governance Simplified: From the Boardroom to the Keyboard lays out these regulations in simple terms and explains how to use control frameworks to build an air-tight information security (IS) program and governance structure. Defining the leadership skills required by IS officers, the book examines the pros and cons of different reporting structures and highlights the various control frameworks available. It details the functions of the security department and considers the control areas, including physical, network, application, business continuity/disaster recovery, and identity management. Todd Fitzgerald explains how to establish a solid foundation for building your security program and shares time-tested insights about what works and what doesn’t when building an IS program. Highlighting security considerations for managerial, technical, and operational controls, it provides helpful tips for selling your program to management. It also includes tools to help you create a workable IS charter and your own IS policies. Based on proven experience rather than theory, the book gives you the tools and real-world insight needed to secure your information while ensuring compliance with government regulations.

    Bring Your Own Device (BYOD): Risks to Adopters and Users

    Bring your own device (BYOD) policy refers to a set of regulations broadly adopted by organizations that allows employee-owned mobile devices – such as laptops, smartphones, personal digital assistants and tablets – to be brought to the office for use and connection to the organization’s IT infrastructure. BYOD offers numerous benefits ranging from reducing organizational logistics costs and providing access to information at any time to boosting employee productivity. On the other hand, this concept presents various safety issues and challenges because of its characteristic security requirements. This study explored diverse literature databases to identify and classify BYOD policy adoption issues, possible control measures and guidelines that could inform organizations and users that adopt and implement BYOD policy. The literature domain search yielded 110 articles, 26 of which were deemed to have met the inclusion standards. In this paper, a list of possible threats/vulnerabilities of BYOD adoption was identified. This investigation also identified and classified the impact of the threats/vulnerabilities on BYOD layered components according to the security standards of “FIPS Publication 199” for classification. Finally, a checklist of measures that could be applied by organizations and users to mitigate BYOD vulnerabilities using a layered approach of data, device, applications, and people was recommended.

    Report of the 2014 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure

    This event was supported in part by the National Science Foundation under Grant Number 1234408. Any opinions, findings, and conclusions or recommendations expressed at the event or in this report are those of the authors and do not necessarily reflect the views of the National Science Foundation.

    QoS Based Service Selection and Provisioning in Cloud Computing

    Cloud computing has become a disruptive technology which has seen significant growth among consumers of various sizes. Consumers can now have access to seemingly unlimited computing resources over the Internet without making significant investment in computing infrastructure. Consequently, this trend has seen a rise in the number of cloud computing providers. Most of these providers offer various services to consumers, which are commonly classified into three main types of service provisioning models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Cloud computing providers offer multiple services to consumers using one or more of these models. However, the large number of services offered by cloud providers introduces a new set of problems for consumers. Consumers have to choose from a wide range of services and providers such that they meet the consumers’ requirements. The problem is further complicated as a large number of consumers do not necessarily have adequate knowledge of cloud services’ concepts and terminologies. To add to the complexity, there is no standard benchmark for cloud services. Therefore cloud providers can package the same cloud services in different ways for consumers. Furthermore, there are no standard service level agreements defined for cloud service selection. Each cloud provider has different service level agreements, which makes the consumer selection process more cumbersome. This research aims to bridge this gap by proposing and developing new methods and techniques that take into account different cloud services and providers as well as quality of service attributes, making it easier for consumers to rank and select cloud services which are tailored to their requirements. This thesis makes various contributions to the current state of knowledge in the cloud service selection and provisioning area.
It proposes a new model in order to systematically represent the quality of service (QoS) attributes of cloud services that cover both technical and non-technical aspects of cloud computing. The new model succinctly represents QoS attributes which cloud consumers can easily use and understand when selecting cloud services. The thesis also proposes a new framework for cloud service selection which improves and simplifies the cloud service selection process. It takes into account the level of the user’s knowledge of cloud computing technologies. The major benefit is to simplify the selection process for ‘Beginner’ cloud service consumers (who have little knowledge of cloud computing) by presenting the main QoS attributes to them with brief explanations. The other benefit is to give Intermediate/Expert cloud service consumers an opportunity to go through more details of QoS sub-parameters. Unlike existing approaches, the framework developed in this thesis also ensures the credibility of the service selection by utilizing information from three different sources: information from cloud service providers’ websites, online monitoring tools and users’ reviews of cloud services. Furthermore, the framework integrates the Service Level Agreement (SLA), which is an integral part of cloud services, as it is important for the consumer to be able to view it as part of their decision making process. The framework is validated by developing a prototype tool using Python, MongoDB and an Amazon AWS EC2 server. The tool is then evaluated using various real-life scenarios to rank cloud service providers and also by comparing it against existing tools. The results show that the proposed tool outperforms existing tools using a set of criteria such as operability, mode of data selection and number of cloud providers, among others, for ranking and selecting cloud services.

    Status of Security Awareness in Business Organizations and Colleges of Business: An Analysis of Training and Education, Policies, and Social Engineering Testing

    The purpose of this study is twofold. The first purpose of this study is to investigate the status of security awareness training, IT-related policies, and the use of social engineering testing in business organizations. A second purpose of this study is to investigate the extent to which colleges and universities are offering security awareness topics as part of a student's coursework or daily activities, specifically in colleges of business, to help determine the level of students' security awareness exposure and preparedness for the work world. The colleges of business study examined demographics, what topics were being covered, how often, to whom they were offered, and in what departmental areas the topics were being offered. Data was collected from 85 subjects across multiple departments from 35 states. The organizational study used partial matrix sampling to examine demographics, details and specific practices of security awareness training, policies, user compliance, auditing and testing, and user perceptions. Participants consisted of 144 professionals involved with the management of information or records from all sizes and types of organizations. Descriptive statistics and MANOVAs were calculated on both data sets. Results from the college of business study found that a substantial percentage of colleges of business may not offer security awareness training, but most faculty respondents recognized information security as an important concern and felt that students and faculty should receive more security awareness training. Although the study found a significant percentage of participants that reported no integration of security awareness topics in the curriculum, almost one-third of total respondents would like to increase coverage of security awareness topics within their courses.
Results from the organizational study found that most organizations conduct security awareness training, but do not necessarily customize the format for different types of groups within the organization. Most respondents acknowledged information security as important, and felt motivated to follow security guidelines. The study revealed a need for increased use of social engineering policies, training, and testing, along with a need to conduct periodic assessments of security awareness programs and components.

    Evaluating organizational research climate to assess research integrity

    Failure of the scientific research enterprise to adequately define and respond to research misconduct and detrimental research practices constitutes a significant threat to scientific research. Lapses in research integrity erode trust in the scientific process and have serious consequences, potentially reducing funding sources, research subjects' willingness to participate, and research quality. Few studies have examined the empirical issues surrounding the role of culture and climate in promoting research integrity. This means there is a limited understanding of the organization's role in research integrity and how we can utilize that knowledge to build targeted education interventions and organizational change initiatives. The first aim of this dissertation study was to quantify differences in perceived climate between academic units to measure heterogeneity or homogeneity of research integrity across subunits in a multi-university academic system, including a healthcare system. The second aim was to determine whether the additional pressure of maintaining rankings affects research integrity among universities of a multi-university system that are and are not members of the American Association of Universities (AAU). Using a validated online survey, SOuRCe, 2,183 participants representing a variety of statuses within the research enterprise across a four-campus university system participated in the study. This study found that the subunit and department/program accounted for more than half of the variance explained in each of the SOuRCe scales. Gender and age impacted the scales while campus and ethnicity did not. Further research with interventions at the department level will help guide change initiatives targeted at specific levels of the organization to promote research integrity.

    Exploring the influence of organisational, environmental, and technological factors on information security policies and compliance at South African higher education institutions: Implications for biomedical research.

    Magister Scientiae - MSc
    Headline reports on data breaches worldwide have resulted in heightened concerns about information security vulnerability. In Africa, South Africa is ranked among the top ‘at-risk’ countries with information security vulnerabilities and is the most cybercrime-targeted country. Globally, such cyber vulnerability incidents greatly affect the education sector, due, in part, to the fact that it holds more Personally Identifiable Information (PII) than other sectors. PII refers to (but is not limited to) ID numbers, financial account numbers, and biomedical research data. In response to rising threats, South Africa has implemented a regulation called the Protection of Personal Information Act (POPIA), similar to the European Union General Data Protection Regulation (GDPR), which seeks to mitigate cybercrime and information security vulnerabilities. The extent to which African institutions, especially in South Africa, have embraced and responded to these two information security regulations remains vague, making it a crucial matter for biomedical researchers. This study aimed to assess whether the participating universities have proper and reliable information security practices, measures and management in place and whether they fall in line with both national (POPIA) and international (GDPR) regulations. In order to achieve this aim, the study undertook a qualitative exploratory analysis of information security management across three universities in South Africa. A Technology, Organizational, and Environmental (TOE) model was employed to investigate factors that may influence effective information security measures. A purposeful sampling method was employed to interview participants from each university.
From the technological standpoint, the Bring Your Own Device (BYOD) policy, whereby on average a student owns and connects between three and four internet-enabled devices to the network, has created difficulties for IT teams, particularly in the areas of authentication, explosive growth in bandwidth, and access control to university servers. In order to develop robust solutions to mitigate these concerns, which are not perceived by users as overly prohibitive, executive management should acknowledge that security and privacy issues are a universal problem and not solely an IT problem, and equip the IT teams with the necessary tools and mechanisms to allow them to overcome commonplace challenges. At an organisational level, information security awareness training of all users within the university setting was identified as a key factor in protecting the integrity, confidentiality, and availability of information in highly networked environments. Furthermore, the University’s information security mission must not simply be a link on a website; it should be constantly reinforced by informing users during, and after, the awareness training. In terms of environmental factors, specifically the GDPR and POPIA legislation, one of the most practical and cost-effective ways universities can achieve data compliance requirements is to help staff (both teaching and non-teaching), students, and other employees understand the business value of all information. Users who are more aware of the sensitivity of data, risks to the data, and their responsibilities when handling, storing, processing, and distributing data during their day-to-day activities will behave in a manner that makes compliance easier at the institutional level. Results obtained in this study helped to elucidate the current status, issues, and challenges which universities are facing in the area of information security management and compliance, particularly in the South African context.
Findings from this study point to organizational factors being the most critical when compared to the technological and environmental contexts examined. Furthermore, several proposed information security policies were developed with a view to assisting biomedical practitioners within the institutional setting in protecting sensitive biomedical data.