Advising Higher Education - Georgia Institute of Technolocy

Information Security Review, Georgia Institute of Technology

Project Outcomes:

 

  • BDMP identified opportunities for bringing the Georgia State Data and Research Center (SDRC) information security controls and management practices more in line with industry best practices in order to further enhance the overall control environment at the SDRC.
  • The final report and recommendation divided findings into five review areas.  For each finding within each of the five review areas, BDMP assigned a priority and an estimated number of man-hours that management should budget and allocate resources to implement the recommendation.

 

Background:

 

The Georgia SDRC was created in 1997 as a public service institute of the Georgia Institute of Technology. In subsequent years, SDRC’s roles and responsibilities expanded. For example, the Georgia A+ Education Reform Act now requires the Center to collect non-complaint student data from the local school districts on the behalf of the Georgia Department of Motor Vehicle Safety.  This responsibility requires the Center to report information regarding non-compliance of students to the Department of Motor Vehicles.  This Teenager and Adult Driver Responsibility Act application has been running for approximately one year.  Additionally, the Center is currently required to develop and run a Statewide Comprehensive Educational Information System to provide a flow of comprehensive individual student and personnel information between local and regional educational entities.  The Reform Act requires that all of this information be safeguarded to ensure that student and personal privacy is protected.

 

Project Description:

 

Berry, Dunn, McNeil & Parker (BDMP) was engaged to conduct an information security review at the Georgia State Data & Research Center (SDRC).  The objective of the review was to:

  • Provide management with an independent assessment of the SDRC’s information security controls, policies, and procedures.
  • Identify weaknesses in existing practices.
  • Determine the effectiveness of existing and planned safeguards.

 

The scope of the review included SDRC’s security organization, network security, firewall security, physical and environmental security, and application security.

BDMP conducted the review primarily through:

  • Interviews with support personnel
  • Review of documentation
  • Observation of operations
  • Review of configurations, security settings, permissions, and access authorities for the operating environment included in the review 
  • BDMP used manual review procedures and native and third party utilities to perform specific tests of the system security settings

 

Why do an Information Security Review?

News stories frequently emerge about public or private institutions that have experienced security breaches or other physical or environmental issues related to systems security.  Public or private colleges and universities need to make an ongoing effort to be proactive in developing sound security and risk management controls.