
ISO/IEC 27001:2005 Information Security Management

CASE STUDY GEORGIA STATE UNIVERSITY


Background
Georgia State University in Atlanta, Georgia earned certification to ISO 27001, becoming the first academic institution in the country to earn this distinction for internal departments within the University. Georgia State University, founded in 1913, has more than 27,000 students and 5,000 faculty and staff, according to Georgia State's Chief Information Security Officer Tammy L. Clark, whose job it is to educate and advise campus users about information security practices and responsibilities. Additionally, her team of four staff members in the Division of Information Systems and Technology (IS&T) monitors the campus information technology (IT) infrastructure for evidence of attacks and intrusions; conducts incident and forensics investigations; assists campus departments with IT controls audits, risk and vulnerability assessments, and security reviews; and provides customized information security awareness training to staff, faculty, and students. The university's Web site (www.gsu.edu) notes that the school has 52 degree programs that encompass 250 areas of study. The NCAA Division I school reported $459.5 million in revenue in the fiscal year of 2007. "The university sector has always embraced a permissive culture of openness in order to facilitate teaching and learning, so for the most part as a sector we refrain from extensive content monitoring and other restrictive controls, and instead design our information security programs around data protection, compliance, and educating our users," said Clark, who is an ISO 27001 certified lead auditor. "Thus, we always have ongoing challenges in preventing attacks and intrusions. At Georgia State University, we find that users who are security aware are our best defense against system compromises and data breaches."

THE SYSTEM
A key to Georgia State's success to date was its phased incremental approach, Clark said, adding that it was important to take a measured, strategic, and manageable approach to implementing ISO 27001. Her office has a very small staff and budget, so it was important to size the initial certification scope appropriately. They plan to add additional units in subsequent years as part of the process of continual improvement. "We were able to implement ISO 27001 with a small staff on a shoestring budget and make it happen. The ISO 27001 framework is actually very good for universities because it is comprehensive, uses existing resources, promotes cost containment, and takes into account physical as well as technological security. In the process of implementing the framework, the standards have you examine 133 separate controls that go across the gamut," she said. ISO 27001 provided guidelines and assistance in helping Georgia State to satisfy compliance requirements, such as HIPAA, which requires confidentiality for Protected Health Information (PHI), Visa PCI (credit card transactions), and GLBA (protection of financial data). By implementing an ISMS and becoming certified, the university saved money in terms of efficiencies and integrating information security into the core business processes of ISMS scope participants. "ISO 27001 is a great standard for universities to embrace," Clark concluded. "It will help you even if you have a small budget or few information security staff resources. It will help you improve your security posture dramatically, and it appears to be unique amongst the other prevailing information security governance frameworks in its strong emphasis on top executive participation and oversight of information security programs, as well as the focus on building a strong foundation of continuous improvements through management reviews, internal audits, corrective and preventive measures."

raising standards worldwide

Customer needs
Georgia State University has never had a security breach of confidential information, but it began considering ISO 27001, the international standard for implementing Information Security Management Systems (ISMS), "because we wanted to standardize our information security methods and procedures, ensuring that they are measurable, repeatable, and auditable. Additionally, we wanted to find a way to better assist our Chief Information Officer in having the targeted information he needs to assure University business executives and academic leaders that our program is effective and cost efficient," Clark said. "We believe that a top-down focus, where our senior executives are actively involved and knowledgeable about our security governance structure, is critical. We also place a lot of emphasis on assisting our broad-based user population with improving their respective business processes through seamless integration of controls so that they will be more actively engaged in information security; it's all about communication, cooperation, and collaboration." In 2005, Clark said, they began their efforts with ISO 17799 and developed a security plan around the domains and control objectives identified in this standard as best practices for information security practitioners. Two years later, in conversations with the British Standards Institution (BSI), Georgia State decided it was time to pursue the certification route for two of its departments: the Information Security Department within IS&T and the Office of Disbursements, both of which are audited frequently. Once these two departments have successfully completed their first surveillance audit, the university plans to add additional departments to the scope of their certification. "This is a very careful approach," Clark acknowledged. "We do our own work in-house and do not rely on consultants, primarily because a huge focus of this effort is building strong partnerships and collaborations with our University constituents."
Clark's small staff also did not want to overreach in the beginning stages of their certification efforts.

The primary driver behind the decision to seek certification was the ability to demonstrate due diligence and effectiveness in protecting the university's confidential information. "We wanted to show top executives at Georgia State that information security adds value and is a core part of the university's business. We are cost effectively securing the environment, and we're aligning our objectives with the business and academic strategic goals of the University." Clark also stated that ISO 27001 provides the university with a transparent method of integrating necessary controls into existing business processes, noting that it allows them to show that the university's information security program is a business enabler.

BSI's Role
Georgia State selected BSI, the world's largest certification body, to conduct its certification audits after considerable research and hearing about BSI's work and standards. Following an initial conversation with BSI, Clark decided to take an ISO 27001 Lead Auditor course from BSI to become knowledgeable about the standard's requirements. "I felt like they had a really good approach in the way they review standards, and I like working with the company," she said. "I have a lot of faith in them. Obviously, they do a wonderful job of training folks and helping them understand how to effectively implement the standard." As Georgia State is the first university in the country to earn certification for internal departments, they were in uncharted waters, and BSI helped them navigate through the process. Clark said it is important to have a robust and effective information security program, but she also wanted to be in a position to help other universities with implementing information security governance and standardizing their information security programs.


Benefits

Implementing ISO 27001 was a significant cultural paradigm shift at the University, according to Clark. Information security at a university should not be viewed as an information technology problem for the technical staff to address, but instead as a core function of the enterprise, and all departments of the university play an important role and are an integral part of the objective to ensure information protection and security. Through the comprehensive process of implementing an Information Security Management System (ISMS), the staff members included in the scope of the university's ISMS began to realize that everyone is responsible for ensuring information security, not only the IT and Information Security departments. For instance, one of the financial organizations within the scope of the certificate detected that its staff would leave confidential paperwork on their desks when they went home at night. Even though their offices were locked, sometimes the cleaning crew would come into those offices at night and then forget to relock them when they were done. As a result of this discovery, the unit created a clear-desk policy. "This had nothing to do with technology, but it led to an important efficiency that helps Georgia State protect information better," said Clark. "The ISO 27001 process puts tremendous focus on a comprehensive approach to security; not just technology, but the synchronization of people, processes, and technology. ISO 27001 really helps business staffs and top executives to better understand the importance of integrating necessary controls into business processes because it is not a techno-centric approach, but rather a business-focused system of security improvements," Clark added.

Georgia State also leveraged benefits from ISO 27001 through security reviews. As part of this process, the university requires anyone on campus who wants to buy software or hardware totaling more than $5,000 to submit an IT Procurement Review to the Chief Information Officer. At that point, the Information Security Department reviews the project request as a preventive measure prior to the purchase. This procedure helps to reduce risk to the university, and it has significantly increased and enhanced awareness of security on campus. A tangible benefit the university has experienced since 2004 involves a drop in the number of security incidents. In 2004, the university could experience upwards of 50 security incidents a day, but four years later that number has dropped to two or fewer a week. Clark was quick to point out that this tremendous efficiency cannot solely be attributed to the ISO process, but the ISMS has made a noticeable difference. "We are no longer chasing after hackers; we manage security and manage risk. We're standardizing the practice of information security. It is a whole different way of thinking."

BSI Management Systems 12110 Sunset Hills Road, Suite 200 Reston, VA 20190-5902 USA Tel: 1 800 862 4977 Fax: 1 703 437 9001 Email: inquiry.msamericas@bsigroup.com www.bsiamerica.com

BSI Management Systems Canada 6205 Airport Road, Suite 102 Mississauga, ON L4V 1E1 Canada Tel: 1 800 862 6752 Fax: 416 620 9911 Email: inquiry.canada@bsigroup.com www.bsigroup.ca

BSI/USA/151/MS/0908/E
