Building ISO 27001 Certified Information Security Programs

Last reviewed: April 2019

Case Study

Designing and Maintaining an ISO/IEC 27001 Certified Information Security Management System (ISMS) and an ISO/IEC 22301 Certified Business Continuity Management System (BCMS)

Background

The University of Tampa achieved its first ISO/IEC 27001:2013 certification in 2015. The campus organizations currently participating (the scope of the information security management system) are Information Technology & Security (ITS), Human Resources, and the academic cybersecurity lab infrastructure. There are plans to incrementally expand the scope to additional university organizations. Companies such as Workday, Cisco, Microsoft, and others (especially cloud providers) also certify their information security programs against ISO/IEC 27001, and cloud providers increasingly against the newer ISO/IEC 27018 code of practice for protecting personal data in public clouds, to demonstrate their commitment to data security and to effective information security practices and controls.

The University of Tampa must undergo annual surveillance audits and re-certify its ISO 27001 information security management system (ISMS) every three years. ITS is also earning certification in April 2019 for its ISO 22301 business continuity management system (BCMS), and will later seek certification for its ISO 20000 IT service management system (SMS) in 2020. ISO 22301 and ISO 20000 are management-system standards compatible with ISO 27001; together they help enterprise technology and security organizations develop effective, mature business processes with well-defined strategic and tactical goals and operations.

Two major benefits for universities and colleges of all sizes are (1) the ability to standardize information security, business continuity, and service desk processes against recognized practices so that they are effective and comprehensive, and (2) the ability to mature and operationalize those processes over time. If you do not seek certification, it is fine to aim for compliance. Compliance can take time to achieve, but it offers a way to build a series of incremental, consistent goals and objectives that you can master each year. Once you do decide on certification, treat it as a journey rather than a destination: even after you are certified, there are always more improvements to be made.

Description

The University of Tampa (UT) is a medium-sized, private liberal arts and business-oriented institution that has been in a pronounced period of growth: rising enrollments, construction of new facilities, the addition of key majors and degrees in cybersecurity and other business areas, automation of business and academic processes, and improved data protection. Dr. Ronald Vaughn has served as President of UT since the mid-1990s and is very involved in promoting excellent data security practices, as are the rest of the senior staff at UT. This has led to a large amount of progress in a very short time.

Tammy Clark serves as the university's Vice President of Information Technology & Security, holding both the chief information officer and chief information security officer roles. She is a member of the president's senior staff group and reports directly to Dr. Vaughn. She developed the university's information security program from the ground up starting in mid-2012. Throughout 2016, she re-engineered and combined various technical organizations at the university into the Information Technology & Security organization, with three key areas underneath it: Enterprise Solutions, Information Security, and Information Technology Operations. This also involved realigning staff roles and responsibilities and adding data security accountabilities to every ITS staff member's job description and annual evaluation.

UT's information security program has been standardized since its inception in 2012 around the ISO/IEC 27000 series, a family of widely adopted international information security standards that provide requirements and recommended practices for establishing effective information security programs. These standards map well to NIST, HIPAA, PCI DSS, and many other industry guidelines and requirements. ISO/IEC 27001:2013 is the certifiable standard in the family: it specifies the requirements for establishing, operating, and continually improving an ISMS, and organizations are certified against it. ISO/IEC 27002:2013, a companion code of practice that provides implementation guidance for the security controls that reduce information security risk, was applied across the university to elevate security awareness, promote data protection, and prioritize information security risks and controls.

A few examples of how university executives support and assist with maintaining an effective ISMS:

Preparation for ISO 27001 Certification: The Information Security team works extensively with the organizations in the ISMS scope, conducting controls gap assessments (against ISO/IEC 27002), educational sessions on ISO 27001 requirements, and more than 12 audit preparation sessions. Each audit participant receives an "ISO 27001 Prep Kit" that summarizes key information about the information security management system and the certification audits.

An extensive electronic ISMS manual was prepared that outlines how every ISO 27001 requirement (including the 114 Annex A controls) is met and how that is evidenced. The manual also contains required documentation such as:

Benefits

Standardizing management of UT's information security program around the ISO 27000 family of standards ensures that decisions are made in a strategic and measured fashion and are closely aligned with business and academic goals, as well as the university's objectives.

The ISO 27000 family is business-centric: it guides the development of key initiatives that resonate with university business and academic leaders, rather than taking an IT-centric approach that minimizes their participation. The approach is also holistic and comprehensive, taking into account people, process, and technology issues and considerations.

Human Resources and ITS made numerous improvements in documenting and implementing controls and key processes. Staff became more intentional about ensuring their practices were targeted at safeguarding data. Many of the changes they made were practical (e.g., tailoring how the controls recommended in the ISO standards were applied), where previously decisions had been ad hoc or based on convenience.

Why did we decide to become ISO/IEC 27001:2013 certified, and what will happen in the future?

UT's president fully supports this endeavor and promotes it campus-wide and to the board of trustees as evidence of due diligence and of a strong commitment to managing a comprehensive, cost-effective, risk-based information security program. UT's information security program integrates the business and academic goals and objectives that matter to key university stakeholders. Business and academic leaders appreciate collaborative efforts to make data security improvements, which often result in more efficient processes in business areas as well. Many university departments are retaining the services of cloud software-as-a-service (SaaS) providers, and information security policy requires that all university organizations work with ITS in evaluating proposed vendor contracts, SLAs, security controls, audit reports, PCI compliance, and similar due-diligence items.

Shortcomings
Implementation Challenges

At the beginning it was a somewhat daunting journey: the information security program was still under development, and the legacy IT organization had little documentation and no comprehensive approach to security controls. Information Security partnered with a newly created project management office to provide a structured approach, which allowed ITS leaders to integrate ISO 27001 documentation and control requirements within their areas during predefined time periods spread out over two years.

Future Plans

As mentioned earlier in this case study, there are plans to certify against two additional ISO standards, and an ongoing commitment to retaining the ISO 27001 certification. President Vaughn feels that in addition to obvious benefits that can be gained, retaining this certification also provides UT with a competitive edge in an era of numerous information security and technology related disruptions, problems, and uncertainties across every sector in our society.

Return on Investment

Since the information security program's modest beginnings in late 2012, many improvements have been made across the university, resulting in a security-aware culture. The IT organization has also closed many of the security gaps that were present between 2012 and 2014. UT's president has put his full support behind expanding the information security program and continuing ISO/IEC 27001 certification in the future. The university's data protection capabilities have risen substantially, and additional information security solutions put in place to protect the university community against key threats, such as phishing, have been very successful in lowering the number of incidents experienced at UT.

The Business Continuity Management System goals received support and funding from the president and the board of trustees, as the university is located in an area that is susceptible to hurricane activity every year. The university's disaster recovery program has been in place for many years, but there were insufficient mechanisms to support business continuity and recovery. Now the university has replicated a subset of its data center architecture to an off-campus, hurricane-protected colocation facility as well as to the cloud (Azure). Finally, the data center is being decentralized into four protected buildings on campus over the next three years, rather than remaining in the original flood-prone location. Should hurricane activity damage the ITS infrastructure on campus, business activities can be resumed within an hour from the colocation facility, which also offers workspace for critical staff throughout an emergency.

The Service Management System is proving to be a great investment as the university expands online education. With students from more than 52 countries enrolled at UT, as well as new fully online programs being offered, services to assist the community have expanded, including online chat (and later chat bots) and more self-service options for users to find the help they need.

Replicable

5 (on a scale of 1 to 5, where 5 is Highly Replicable)

Effectiveness

5 (on a scale of 1 to 5, where 5 is Highly Effective)

Submitted By

Tammy Clark, Vice President of Information Technology and Security, University of Tampa


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).