Information security is not the primary calling of the University of Illinois—the university’s overarching mission is being a world-class teaching and research institution. But what if a security incident drained away millions of dollars from the university budget? What teaching and research would have to be cancelled to pay for it? What tools could we not purchase? What renowned faculty would we be forced to forego hiring?
FACT: The average cost of a single data breach in 2015, according to the Ponemon Institute’s annual study, was about $4 million.
This includes costs for:
- Forensic Investigations
- Lawsuit judgments and settlements
- Notification of affected individuals
- Media/PR management
- Credit monitoring costs
- Repairing the security flaw
- Legal fees
- Restoring/rebuilding systems
Then there are the indirect costs associated with a data breach, such as loss of business—what grants would we lose or have to pay back after a major loss of data?
There is also a loss of productivity associated with security incidents, as researchers are unable to access their data for many weeks, systems may be locked away as criminal evidence, and as other university personnel are directed away from their normal activities to deal with the incident.
The 2013 data breach at the retailer Target has cost the company about $300 million so far. What would the university need to cut from the budget to pay for that? Addressing information risk up front is a much less expensive way to deal with the problem, one that maximizes the university’s ability to pursue its primary mission.
What is Illini Secure?
Illini Secure is the information security program at the University of Illinois at Urbana-Champaign. It was created with two aims in mind:
- Settle the “best practices” question by tying information security requirements to an externally recognized framework of security controls
- Present information security to senior administration as a business risk item, rather than as a security issue
How does Illini Secure achieve these goals?
The Urbana campus received about $300 million in federal grants in FY2015—most from agencies required to comply with the Federal Information Security Management Act (FISMA). FISMA designates the National Institute of Standards and Technology (NIST) as the organization responsible for developing standards and guidelines to implement FISMA.
For this reason, Illini Secure has adopted the NIST framework as best aligning with the risk goals of the university. Each of the new IT Security Standards maps back to one or more NIST requirements.
The second purpose of Illini Secure is to collect data in regular "snapshot" assessments to develop metrics for decision makers that will help them to quantify the return on the security investment, and balance the cost of information security against the risk of loss.
Accordingly, the following Information Security Standards have been developed and implemented as requirements for all persons who use university technology resources, including all university students, faculty, researchers, staff, vendors, guests, affiliates, collaborators, etc.
The requirements pertain to all University data and IT resources owned, leased, operated or provided by the Urbana Campus, whether directly connected to university infrastructure or present in off-campus resources such as personally-owned devices, devices owned by another organization, or “cloud” providers of services, data storage, and infrastructure.
The standards are:
- DAT01 – Institutional Data Security Standard
- DAT02 - Information Access Control Standard
- IT01 – Disaster Recovery Standard
- IT02 – Infrastructure Security Standard
- IT03 – Network Security Standard
- IT04 – Server Security Standard
- IT05 – Identity Management Standard
- IT06 – Malicious Software Protection Standard
- IT07 – Application Development Security Standard
- IT08 – Development Process Standard
- IT09 – Vendor Management Security Standard
- IT10 – Client Computer Security Standards
- IT11 – Mobile Device Security Standard
- IT12 – Digital Communications Security Standard
- IT13 – Web Application Security
- IT14 – Security Incident Management
- IT15 – Storage Media Security Standard
- IT16 – Security Training Standard
- IT17 – Asset Management Standard
- IT18 – Software License Management
Questions about implementation should be directed to firstname.lastname@example.org