Enhancing information systems security in an academic organization
Humboldt-Universität zu Berlin
The purpose of this paper is to describe an approach to enhancing security in a research organization. The environment is very specific and unfavorable. Each site is directly connected to the Internet. Many of the people are not permanent. The users are individualistic but also involved in worldwide cooperation. A high degree of openness and many services are required. The security record is very bad, but standard solutions cannot be applied directly. First, we evaluate the threats, keeping in mind our representation of the world (i.e. where we place the index on a scale from friendly to hostile), the assets to protect (respectability, research results) and the cost of an incident. In a second step, we define and implement a security policy. This is more an organizational than a technical problem (the firewall is not a panacea). The first target is people. Management must be involved. The technical staff must be trained and must participate in a supporting network. Users must know the rules to follow (charter). An important point is to make the architecture manageable. Considering security at the first stage of a project, separating and isolating the systems in different networks, and standardizing make it possible to focus on a few exposed systems. Before buying expensive hardware and software, some simple actions, such as implementing filters in the routers, can be performed. The third step is to measure how effective the security policy is. Some tools can help: analysis of the reported incidents (logs), intrusion detection and simulation. This feedback leads to a new assessment of the risks and an adaptation of the policy. Security is a dynamic process. To raise the security level, investment was concentrated on some key actions: training and education, which were developed inside the organization; architecture (partitioning of the network, filters); and measuring security.