American University of Beirut: Report of the Faculty Working Group – FWG on the university’s Information Technology organization

Published on June 2016 | Categories: Documents | Downloads: 37 | Comments: 0 | Views: 145
of 5
Download PDF   Embed   Report

On May 14, 2013, President Peter Dorman formed a working group of faculty members (Faculty Working Group – FWG) to “review the protocols, policies, and procedures of the university’s Information Technology organization as they relate to the protection of e-mail database and archive integrity, including encryption, chain of custody and related matters. Additionally, the Group willreview the university’s current technical environment as it relates to the need to protect the privacy of data while conducting highly targeted confidential access to the university’s e-mail database and archives by authorized individuals granted such access by the President, and will recommend suchmeasures as may be appropriate to ensure the integrity and security of the university community’s confidential data.”..

Comments

Content

American University of Beirut Report of the Faculty Working Group – FWG on the university’s Information Technology organi ation Beirut !! "anuary !#$% Intro&uction On May 14, 2013, President Peter Dorman formed a working group of faculty members !aculty "orking #roup $ !"#% to &re'iew t(e protocols, policies, and procedures of t(e uni'ersity)s *nformation +ec(nology organi,ation as t(ey relate to t(e protection of e-mail database and arc(i'e integrity, including encryption, c(ain of custody and related matters. /dditionally, t(e #roup will re'iew t(e uni'ersity)s current tec(nical en'ironment as it relates to t(e need to protect t(e pri'acy of data w(ile conducting (ig(ly targeted confidential access to t(e uni'ersity)s e-mail database and arc(i'es by aut(ori,ed indi'iduals granted suc( access by t(e President, and will recommend suc( measures as may be appropriate to ensure t(e integrity and security of t(e uni'ersity community)s confidential data.0 1mail message of President Dorman to t(e members of t(e !"# and ot(ers, dated May 22, 2013%. +(e !"# was con'ened soon after 3uestions about email data pri'acy and security were publically raised e.g. during t(e 4enate meeting of /pril 22, 2013% by /56 faculty members w(o (ad learned t(at t(e *nternal /udit */% Office (ad obtained copies of t(e contents of faculty and staff email accounts on portable (ard dri'es, and t(at t(ese accounts could be accessed by t(e */ staff outside t(e confines of t(e *+ Data 7enter. +(e !"# members(ip consisted of8 Ma,en /l-#(oul Professor, !/4%, 9a(er Dawy /ssociate Professor, !1/%, *mad 1l(a:: /ssociate Professor, !1/%, /yman ;ayssi Professor, !1/< !"# 7(air%, and /lan 4(i(ade( Professor, !1/%.

'etho&s +(e working group re'iewed t(e following documents8 a draft policy on data pri'acy from t(e Office of t(e Pro'ost dated Marc( 22, 2013%, t(e current c(arter of t(e Office of *nternal /udit last updated May 13, 2013%, t(e pre'ious c(arter of t(e Office of *nternal /udit last updated Marc( 12, 2010%, /56net email% /ccounts Policy /ugust 4, 2003%, /56 Data 4ecurity Policy /56-*+-00000=, October 2012%, /56 /ccess 7ontrol Policy /56-*+-00003=, December 2012%, as well as ot(er draft, under-preparation, pri'ate *+ policies and procedures documents pro'ided by t(e 7(ief *nformation 4ecurity Officer 7*4O%. *n addition to a'ailable documents, t(e working group used t(e recent instance in'ol'ing t(e copying and transferring of email data as a case study to re'iew t(e processes by w(ic( data pri'acy and security are protected at /56, including t(e rele'ant decision (ierarc(y. +o do so, t(e working group began by identifying key indi'iduals from t(e /56 organi,ation c(art w(o are connected to data security and pri'acy and inter'iewed t(em. +en inter'iews were conducted, totaling more t(an 1= (ours of testimony during >une 2013. +(e indi'iduals w(o were inter'iewed were8 President Peter Dorman, Pro'ost /(mad Dallal, 7OO #eorge De6in, t(en-7*O ?ita ;(ayat, @P-Aegal /ffairs Peter

May, 5ni'ersity /uditor /ndrew 7artwrig(t, t(en-/ssociate 7*O >oe Bage, 7*4O #(assan Bitti, *nterim Manager - *+ 4ystems and 4torage 4ami( /:rouc(, and Manager of *+ +elecom ?ima /ssi. "it( t(e permission of t(e inter'iewees, all meetings eCcept two t(e meeting wit( @P-Aegal /ffairs and t(e meeting wit( t(e 5ni'ersity /uditor% were audio-recorded. /lt(oug( t(e !"# met wit( t(e 5ni'ersity /uditor, t(e re3uest by t(e group to meet wit( t(e *+ /udit Managers at t(e */ Office was denied. +(e !"# was also denied access to w(at it deemed to be rele'ant documents t(at were in t(e possession of t(e */ Office and t(e @P-Aegal /ffairs. /fter a t(oroug( analysis of t(e contents of documents, inter'iews, and meetings, a 'erbal report was presented by t(e !"# to President Dorman and Pro'ost Dallal in a meeting t(at took place on >une 1D. +(e !"# also met wit( t(e President and t(e Pro'ost on >uly 31, October 4, and October 22, 2013. (ey Fin&ings A) General E +(ere is currently no policy at /56 t(at deals eCplicitly wit( data pri'acy.

E /lt(oug( t(e /56 7ode of 7onduct for 5sers of 7omputing 4ystems and *nternet 4er'ices mentions t(at t(e &5ni'ersity reser'es t(e rig(t to conduct a full audit t(at may include an inspection of t(e contents of t(e sub:ect)s user files0, t(ere is currently no policy at /56 t(at deals eCplicitly wit( access to email-boCes by non-owners. E 1mail records are considered property of /56< t(ey can be accessed w(en deemed necessary by t(e */ and w(en suc( access is appro'ed by t(e President. E *n t(e conteCt of aut(ori,ation and data access, serious administrati'e decisions were made 'erbally wit( no official written communication. E 7ommunication c(annels among */, *+, and t(e upper administration President, Pro'ost, @ice Presidents% were lacking in certain critical instances, w(ic( led to inaccurate information propagation and impeded decision-making.

B) Information Technology *rgani ation E +(e eCisting security procedures for log and e'ent management of email and telecom systems are not ade3uate. E +(e eCisting security procedures for accessing information arc(i'es for in'estigati'e purposes are not ade3uate c(ain of custody of p(ysical disks, password protocols, access to data outside data center, destruction of copies, etc.% E +(ere (a'e been efforts since t(e end of 2012 to re'ise and upgrade policies and procedures related to information and *+ security< t(ese efforts are mainly led by t(e 7*4O.

E +(ere is lack of clarity in terms of t(e di'ision of roles and responsibilities related to information security regulation and implementation between *+ and 7*4O.

+) Internal Au&it E *n accordance wit( its c(arter, t(e */ Office (as wide-reac(ing powers, w(ic( include aut(ority to access all 5ni'ersity documents or communications, w(et(er print or electronic, and under necessary circumstances wit(out prior notification of parties in'ol'ed. +(ese powers were eCercised wit(out a clear mec(anism for o'ersig(t during t(e audit in'estigation. E 7onstructi'e and open communication between */ and *+ was obstructed by an apparent mutual lack of trust between t(e two offices. E 4ince >anuary 2012, t(e */ Office (as regularly recei'ed p(one logs of all outgoing and incoming calls to /56 campus eCtensions eCcluding campus (ousing%.

,) Recent Inci&ent of +opying an& Transferring the AUB -mail ,ata.ase outsi&e IT ,ata +enter E +(e e'ents took place wit(in t(e timeframe /pril 4 to /pril 1F, 2013.

E Prior to t(e email database incident of /pril 2013, copies of email log files containing communication patterns, wit(out t(e full email data% were pro'ided by *+ to @P-Aegal /ffairs. E /lso prior to t(e email database incident, */ was proposing to mirror t(e complete email system of /56 in order to obtain immediate real-time access to mailboCes. ?eal-time access was also re3uested to t(e telep(one logs. E *n t(e conteCt of a time-sensiti'e in'estigation w(ereby confidentiality is critical, */ needed to access a specific mailboC from a specific period of time. 6ecause t(e needed mailboC data was stored on an encrypted arc(i'al tape, it was not readily accessible. E 4ince t(e format in w(ic( t(e data stored on tape did not allow for targeted retrie'al of a specific mailboC, t(e entire email database was restored to (ard disk. +(e total si,e of t(e retrie'ed email data was more t(an 3 +erabytes. +(e data was copied in duplicate on two eCternal (ard disks, and reencrypted wit( new passwords. E +(e data on eac( disk was encrypted wit( a two-part password. One (alf of t(e password was wit( a staff member in *+ and two staff members in */, w(ile t(e ot(er (alf was wit( anot(er staff member in */ and @P-Aegal /ffairs. E MailboCes of all faculty and staff users on Microsoft 1Cc(ange were retrie'ed from t(e backup

tapes of December 2012 and >anuary 2013 directly onto t(e encrypted disks. +(e re3uest was initiated by */ on /pril 4 and t(e copying was completed by *+ on /pril 10. E *n an email to t(e upper administration on /pril 11, 7*4O 3uestioned t(e appropriateness of remo'ing t(e email arc(i'e on disk from t(e *+ Data 7enter. E /sserting t(at *+ did not possess t(e needed software tool to eCtract specific mailboCes from t(e disks in a form t(at would allow t(e establis(ment of an audit trail, */ took possession of t(e disks and mo'ed t(em to t(e */ office. E */ did not approac( *+ to find a tec(nical solution to eCtract t(e specific mailboCes wit(in t(e Data 7enter instead of copying all mailboCes on (ard disks and mo'ing t(em to t(e */ office outside t(e *+ Data 7enter premises. E 7*4O was instructed to comply and pro'ide t(e two (ard disks to t(e */< t(e (ando'er took place on /pril 12 in t(e e'ening. E / protocol was de'eloped between 7*4O and */ before t(e (ando'er took place on /pril 12< (owe'er, t(e protocol was not fully implemented as agreed. E */ reported t(at t(e two disks were in its custody for t(ree days. +(e disks were placed in a safe inside t(e */ office. +(e two audit managers in'ol'ed in t(e in'estigation (ad access to t(e safe. E +wo disks were destroyed in t(e presence of */ staff only, on t(e e'ening of /pril 1F. 7*4O and an *+ staff member were in'ited to attend, but did not find it necessary to do so because t(e disks (ad no 'erifiable c(ain of custody, and could not confirm t(at t(e disks being destroyed were t(e original and only copies of t(e database. E +(e disks serial numbers were not documented by *+ and t(e data on disks was not (as(ed to guarantee integrity of data, due to lack of time. E @P-Aegal /ffairs was pro'ided a legal opinion t(at */)s access to all mailboCes was in-line wit( eCisting Aebanese laws. +onclusions an& Recommen&ations E +(e *+ en'ironment at /56 is not properly protected< t(ere is a se'ere lack of pri'acy-related knowledge, policies, and procedures, and an absence of integrity-preser'ed logging and alerting mec(anisms. o ?ecommendation8 De'elop policies and procedures to protect t(e pri'acy of data for members of t(e /56 community, including (ardening of associated logs. +(ese policies s(ould also re3uire t(at persons under in'estigation be notified wit(in a defined period if t(eir data was accessed, and s(ould re3uire t(at faculty and staff users of /56 *+ systems be made aware t(at t(eir data may be accessed by aut(ori,ed uni'ersity officials. 4uc( aut(ori,ation s(ould stem from a committee c(arged wit( t(is duty. E ?egarding data security and pri'acy, communication between */, *+, and t(e upper administration

lacks clarity, timeliness, and documentation. o ?ecommendation8 / protocol s(ould be de'eloped to ensure efficient, well-documented communication. E +(e mailboC data needed for t(e */ in'estigation could (a'e been retrie'ed from disks wit(in t(e *+ Data 7enter premises w(ile maintaining confidentiality. +(ere appears to (a'e been no 'alid reason for */ to remo'e t(e disks from t(e Data 7enter. o ?ecommendation8 / policy s(ould be de'eloped w(ic( disallows remo'al of data from t(e *+ Data 7enter wit(out specific :ustification and aut(ori,ation.

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close