As far back as the Confirmation classes I took when I was in middle school (which I remember being called Junior High School), I’ve always thought of the first five books of the Bible as setting the baseline for how people should act. Our pastors and teachers called these books The Pentateuch, which comes from combining two Greek words that mean “five books” or “five scrolls.” These books were written by Moses, the leader of the Israelites who escaped from Egypt to head over to The Promised Land, and who received guidance from God on a frequent basis.
In 2016, with updates in 2017, the University of Wisconsin System Administration published five information security policies which form the baseline for operating within our information systems and networks. The difference between the Pentateuch and these information security policies is simple: Moses did not have a formal internal audit procedure or a team of auditors (theologians, feel free to comment here).
UW–Madison is currently beginning the first audit of the five policies and associated procedures that regulate some complex information security concepts:
- UW System Administrative Policy 1030 – Information Security: Authentication and Procedure 1030A establish specific minimum standards for authentication and authentication management across the University of Wisconsin System. This policy is designed to ensure that the UW System manages authentication in a consistent manner and to appropriately safeguard account-based access to information assets.
- UW System Administrative Policy 1031 – Information Security: Data Classification and Protection and two procedures, 1031A Data Classification and 1031B Data Protections, which collectively establish a method of categorizing data assets based on risk to the University of Wisconsin System and establish specific minimum standards for data handling across the UW System. This policy also ensures that the UW System manages data in a consistent and appropriate manner.
- UW System Administrative Policy 1032 – Information Security: Awareness which ensures that all individuals and organizations that access University of Wisconsin System information technology assets are exposed to information security awareness materials and have a level of understanding commensurate with their role within the UW System.
- UW System Administrative Policy 1033 – Information Security: Incident Response which requires the creation of an information security incident response procedure at each University of Wisconsin System institution. This policy facilitates the consistent implementation of the procedures necessary to detect and react to information security incidents, determine their scope and risk, respond appropriately to the incident, mitigate the risks, communicate the results to all stakeholders, and reduce the likelihood of the incident recurring.
- Regent Policy Document 25-3 – Acceptable Use of Information Technology Resources which outlines the expectations of the Board of Regents regarding the acceptable use of IT resources by authorized users and establishes the parameters for the use of IT resources.
The UW System Administration Internal Audit team helped UW–Madison by deferring the originally scheduled audit window from January 2018 to Fall 2018. This provided relief from potential “audit fatigue,” as we were undergoing a detailed risk assessment by a third-party vendor at that time. After several initial meetings intended to pinpoint audit focus areas that would provide helpful information and recommendations to the auditors, the audit is about to begin the field work phase.
During my nearly 40 years in the telecommunications, information technology and cybersecurity fields, and having been both audited and an auditor, I expect audits and actually welcome the opportunity to have someone look over my shoulder – which helps me focus on the process and strategy that drives continual improvement. Where some may fear that an audit will uncover a closet full of dirty laundry, I prefer to look at an audit as an opportunity to learn where and how we can make adjustments that result in more efficient operations, greater security, and reduced risk. If we happen to save money and time in the process, all the better!
Audit vs. Inspection
In contrast with an inspection, where one can expect a specific grade which leads to the inevitable search for solutions and scapegoats, an audit should be instructive. This includes the learning that takes place both in the lead-up to the event and in working through the results. We should strive to operate as if we were being audited every day. I remember a wise leader who consistently reminded me that “you can only expect what you inspect.” The context there is that inspections sometimes place you in hypothetical situations that reveal flaws you need to improve upon, or face tough consequences. Audits should reflect how you operate according to doctrine.
What can you do to help?
The UW–Madison community should understand the policy and procedures and, to the extent possible, be compliant. There is always room to deviate in special situations where advice is sought and consent to deviate is negotiated. Managing risk is a way of life in the diverse business case and technology arena that we enjoy at UW–Madison.
You can help by being mindful of the policies and procedures, operating within them when possible, and seeking to document deviations and implement acceptable compensating measures for those deviations. For example, not every information system is compatible with multi-factor authentication. When you need to operate outside that critical security control, make sure that you have strong credentials (also known as a strong password or passphrase) to protect access.
For any situation where you have questions, the Office of Cybersecurity is here to help.
Compliance is not security…
While we strive for compliance, we need to remember that simply complying with a set of rules may not always be the best state for security. Know what the rules are, and when you need to deviate, consult the security experts to help find ways to compensate for not using the approved security controls.
It’s all about the data. Security first, compliance next!
As always, I appreciate your feedback. Simple rules – be nice, be fair and be honest.
Please email your thoughts to email@example.com and we will periodically post them with helpful answers.