GEORGIA INSTITUTE OF TECHNOLOGY Information Security Review
The Georgia State Data and Research Center (SDRC) was created as a public service institute of the Georgia Institute of Technology. The Georgia A+ Education Reform Act now requires the Center to collect non-compliant student data from the local school districts on behalf of the Georgia Department of Motor Vehicle Safety. This responsibility requires the Center to report information regarding non-compliance of students to the Department of Motor Vehicles. The Teenager and Adult Driver Responsibility Act application had been running for approximately one year. Additionally, the Center is currently required to develop and run a Statewide Comprehensive Educational Information System to provide a flow of comprehensive individual student and personnel information between local and regional educational entities. The Reform Act requires that all of this information be safeguarded to ensure that student and personal privacy is protected.
Project Description

BerryDunn was engaged to conduct an information security review at the Georgia SDRC. The objective of the review was to:

• Provide management with an independent assessment of the SDRC’s information security controls, policies, and procedures.
• Identify weaknesses in existing practices.
• Determine the effectiveness of existing and planned safeguards.

The scope of the review included SDRC’s security organization, network security, firewall security, physical and environmental security, and application security.

BerryDunn conducted the review primarily through:

• Interviews with support personnel
• Review of documentation
• Observation of operations
• Review of configurations, security settings, permissions, and access authorities for the operating environment included in the review

BerryDunn used manual review procedures and native and third-party utilities to perform specific tests of the system security settings.

CASE STUDY PROJECT OUTCOMES:

1. BDMP identified opportunities for bringing the Georgia State Data and Research Center (SDRC) information security controls and management practices more in line with industry best practices in order to further enhance the overall control environment at the SDRC.
2. The final report and recommendation divided findings into five review areas. For each finding within each of the five review areas, BDMP assigned a priority and an estimated number of man-hours that management should budget and allocate resources to implement the recommendation.
Why do an Information Security Review?

News stories frequently emerge about public or private institutions that have experienced security breaches or other physical or environmental issues related to systems security. Public or private colleges and universities need to make an ongoing effort to be proactive in developing sound security and risk management controls.
GAIN SECURITY
TO LEARN MORE CONTACT: Clint Davies at (207) 541-2322 or visit www.berrydunn.com/highered