1

Safe Harbor University: Enterprise Information Security Architecture

Aris Nicholas

Brandon Ivey

Kent Yang

Master of Science Cyber Security Operations and Leadership, University of San Diego

CSOL 520: Secure System Architecture

Assignment 2: Group 4

Prof. Umesh Varma

May 23, 2022

 2

Table of Contents

Safe Harbor University: Enterprise Information Security Architecture 1

Enterprise Goals and Objectives 3

Organizational Success Factors 4

Technology Goals 4
Technology Success Factors 5

Security Goals 6
Security Success Factors 6

Policies 8

Procedures 9

Standards 9

Guidance 11

Risk Appetite 12

Compliance requirements 13

Summary 14

References 15
 3

Safe Harbor University: Enterprise Information Security Architecture

Safe Harbor University's (SHU) mission is to provide the highest quality education for

Oceanic Studies. When the Covid pandemic occurred in the United States in January of 2020 and

shutdowns began in March of 2020, SHU learned the hard way that traditional in-class

instruction was not viable. Furthermore, SHU also desired to move to education and learning

online to keep pace with the modern world. To achieve this, SHU is committed to the

development of an online Learning Management System (LMS). This paper aims to define the

Enterprise goals, Technology goals, and Security goals so that policies, procedures, standards,

guidance, risk, and compliance requirements can be identified to support the development of the

SHU’s LMS.

Enterprise Goals and Objectives

The Enterprise Goals and Objectives are scoped to the business of delivering the highest

quality education for Oceanic Studies. Here are the high-level Enterprise goals:

1. Continuity of delivering the highest quality education.

2. Sustained growth in the University, students, faculty, and research.

3. Education is equally accessible to all.

The Enterprise goals outlined above are to ensure that SHU as an Educational Enterprise

operates well into the next century by continuing to meet the demands and challenges of a

modern world. Second, for the University to grow, the University must be able to increase

student enrollment, hire the best faculty, and perform innovative research. Third, education must

be equally accessible to all students regardless of gender, ethnicity, or disability. Before we

 4

discuss the Technological goals that will act as enablers for the business goals, we will review

the Organizational Success Factors.

Organizational Success Factors

The key to defining success factors is that the success factor is measurable. To measure

the first goal of being a leading educational institution in Oceanic Studies, the college rankings

for SHU must be within the top 5 Universities according to independent reviews by third-party

publications such as U.S News Best Colleges. Measuring the sustained growth in the University,

students, and faculty goals are tracked from the enrollment numbers and employment records

year to year. Furthermore, the growth in research is measured by the grant awards, published

works, and patents received. Measure the accessibility of education goals by evaluating the

diversity of the faculty and student body using data collected on the student body and faculty

makeup.

Technology Goals

The technology goals are explicitly scoped to the solution for an online LMS and its

interface to external systems for authentication and enrollment verification. Here are the high-

level goals:

1. The software solution will be web-based.

2. The software solution will be an online learning management system.

3. The software solution must scale to support increasing curriculum and students.

4. The software solution must integrate with existing systems and services, enrollment

verification, and authentication services.

5. The software solution will be available to users 24/7.

 5

To provide more context on the stated goals, to support the first goal of a web-based

solution is to have a system that supports multiple users on multiple platforms. The second goal

for an online LMS as a software solution is to ensure educational content delivery to support the

primary business goal of continuity in education delivery when the in-class option is not viable.

The third goal of application scaling is to support increasing online courses, faculty, and

students; therefore, consideration for a containerized application deployed to the cloud will help

to mitigate scalability requirements. The last goal of integrating with existing systems and

services to support the authentication and enrollment verification ensures the LMS software

aligns with functionality with existing infrastructure services such as single sign-on and

enrollment verification.

Technology Success Factors

At the highest level, a measurable technology success factor for a web-based application

is a threshold uptime of 99.95%, allowing for 4 hours of downtime per year

(downtimemonkey.com, 2018). The measurable technology success factor for LMS is a remotely

hosted solution (Software as a Service SaaS) that supports course content development and

management for 200 online course offerings. Additionally, the SaaS solution should be able to

support over 15,000 users (students, faculty, admin), which is the size of a medium college

(CollegeData & CollegeData, n.d.). To meet the success factor for scalability to increase in

course content and students, the LMS SaaS can dynamically scale to support additional courses

and users without increasing on-premises hardware infrastructure but understanding that

managed services cost with cloud providers may increase. Lastly, a measure of success in

integration with existing services and systems such as authentication and enrollment verification

are that it has no negative impact on the operations of existing systems.

 6

Security Goals

The security goals are tied to the technological goals previously stated. Namely, web

application, hosted service, and integration with preexisting authentication and legacy enrollment

verification systems. Here are the high-level goals:

1. Confidentiality is achieved through authentication, access, and disclosure (NIST, n.d.).

2. Integrity through "guarding against improper modification or destruction and includes

ensuring information non-repudiation and authenticity (NIST, n.d.)."

3. Availability of the system is 24/7 to users (students, faculty, and admin).

4. Communications with external systems are secure.

The first three security goals align with components of the security triad and are meant to

guide an organization's security policies and procedures (What Is the CIA Triad? Definition and

Examples, 2021). The last security goal covers communications with external systems,

specifically the requirement for authentication and enrollment verification.

Security Success Factors

Security success factors are achieved when the system meets the CIA triad of

Confidentiality, Integrity, and Availability. Confidentiality is measured by successfully

implementing user authentication with policies in place to ensure authorized access. Successful

implementation of role-based access distinguishes different user roles such as Faculty, Student,

and System Administrator is also part of Confidentiality. Confidentiality is also measured by

how well user data is protected from unauthorized disclosure. Integrity can be measured by how

secure the data is when protected from modification or destruction through encryption, whether

in transit or at rest. Additionally, how well communications and digital work are safeguarded and
 7

authenticated can be evaluated based on the implementation of digital signing. Availability

requirements can be evaluated through the system's ability to meet minimum threshold uptime

requirements measured over time. Finally, access to external systems must be secure and

measurable through system testing.

 8

Policies, Procedures, Standards, Guidance and Risk Appetite

The following policies, procedures, and standards provide guidance on the objectives and

the appropriate actions necessary for obtaining the goals stated in the previous sections. Also,

SHU will be able to determine the amount of risk it is willing to take to offer a comprehensive

and engaging online learning platform. In addition to the risk, there must be appropriate security

measures in place to maintain compliance for faculty and staff using the systems in place.

Policies

The university’s policies protect the integrity of the SHU’s mission, reputation, and

operations, and support the management of the risks.

Business

To ensure quality education and culture, the university embraces diversity and inclusion.

The university is committed to the principle of non-discrimination and does not tolerate

discrimination or harassment based on race, color, national origin, sex, handicap, religion,

creed, ancestry, belief, age, veteran status, sexual orientation, or gender identity. (Carnegie

Mellon University, 2022)

Technology

The university and its IT Administration prohibits unauthorized usage of the systems in

the program particularly accessing any user account, logins, documents, or data without any

authorized permissions.

Cybersecurity

Any information from the systems that is stored, transmitted and authorized for faculty

and students of the university shall be appropriately secured.

 9

Procedures

SHU’s procedures are processes to support our given policy objectives within the

university. Also, here are a few procedures that will support your goals within the context of

Business, Technology and Cybersecurity.

Business

The university requires all employees to complete an anti-discrimination education

awareness course otherwise a result in disciplinary action will take place from the university.

Technology

Regarding unauthorized or inappropriate usage or access with the systems in the

program, any persons from the IT administration within the university may temporarily suspend

or block access to any account if deemed necessary.

Cybersecurity

The university is required by various state and federal regulations to investigate any

incidents that may involve any student’s breach of Personally Identifiable Information (PII).

Standards

The Standards are prescriptive, and its purpose is to document the measures required to

adhere to a given policy. (Moyle, E. and Kelley, D; 2020, November) In this section,

specifications of the SHU’s standards which support the Business, Technology and

Cybersecurity goals are mentioned.

Business

The standards here are implemented by a non-discrimination policy from the university.

The university prohibits unlawful discrimination, harassment, and retaliation in

education, admissions, and access to or treatment in its programs, services, benefits,

 10

activities, and all terms and conditions of employment at the University in accordance

with state and federal laws as amended including Title IX, Title VII, Section 504 of the

Rehabilitation Act of 1973. The non-discrimination policy applies to the members of the

University community, including all employees, students, applicants for admissions and

employment, contractors, volunteers, and visitors. (UMass Lowell, 2022)

Technology

Students will protect their individual login access to all university systems from any

unauthorized use and should only be able to access personal or public information.

Cybersecurity

○ To identify and mitigate risk to PII, the university will conduct Privacy Impact

Assessment (PIA). These assessments will analyze what data is getting collected, the

purpose of collecting the data, how the data will get used, who will have access to the

data, and how that data will be secured (National Institute of Standards and Technology,

2010)
 11

Guidance

The guidance section and its documents represent additional, non-prescriptive and

supplemental information provided from the university, the faculty and or IT stakeholders

stemming from its policies, procedures, and standards.

Business

Additionally, the university will follow the guidance from all federal and state laws

prohibiting discrimination. The university prohibits any discrimination based on race, national

origin, sex, handicap, age, religion, or marital status against a student or an employee at the

university.

Technology

Under the guidance of the authorized usage of the university’s information systems, users

are prohibited to violate the policies of unauthorized and inappropriate behavior including

information that is accessible through external network sources.

Cybersecurity

○ The university will follow ‘NIST Special Publication 800-122 Guide to Protecting the

Confidentiality of Personally Identifiable Information (PII)’ to supplement its procedures,

processes, and standards. This document provides recommendations regarding

operational safeguards, privacy-specific safeguards, security controls, and incident

response to breaches regarding PII (National Institute of Standards and Technology, n.d.).

Risk Appetite

The Risk Appetite Statement summarizes the University’s tolerance for risk in each of

the university goals in business, technology and cybersecurity. Risk appetite is an interaction of
 12

the University’s risk appetite, risk profile and capacity to take risks. (Charles Sturt University,

2022)

Business

The University has a low-risk appetite from any behavior from faculty or students that

involves discrimination, harassment, and non-compliance. (Charles Sturt University, 2022)

Technology

The University’s risk appetite is very low tolerance for risks arising from inappropriate or

unauthorized release or use of private data for all faculty and students. (Charles Sturt University,

2022)

Cybersecurity

The university’s stand on information and security risks is currently cautious and low risk

appetite. The university takes these matters ensuring the security and privacy of all faculty and

students very seriously.

Compliance requirements

Maintaining regulatory compliance and obtaining additional certifications protects

student data, ensures all students get accommodated in pursuing an education, and provides a

learning opportunity where the university can improve its security practices and use technology

to achieve its goals. The university should adhere to the following regulations.

The Americans with Disabilities Act (ADA) holds the university accountable for

ensuring that all students can access content hosted on the LMS and make accommodations for

students with disabilities. The four principles of the Web Content Accessibility Guidelines guide
 13

meeting that requirement. Content on the LMS must be perceivable, operable, understandable,

and robust. The content on the LMS must be interpretable to the user's senses and provide an

alternative form of communicating the information to account for disabilities. The features of the

LMS must be able to be understood/ performed by any user and can integrate with assistive

technologies (W3C Web Accessibility Initiative, n.d.)

Under the Family Educational Rights and Privacy Act (FERPA), the university needs to

prevent unauthorized disclosure of students’ Personally Identifiable Information (PII) regarding

education records. Preventing unauthorized disclosure of PII requires enacting security controls

for user authentication to verify the identity of parties requesting the disclosure of the data (U.S.

Department of Education, n.d.).

Obtaining A SOC 2 Certification is not enforced by Federal regulation and is only valid

for 12 months. Maintaining this certification ensures the university has done its due diligence in

protecting its attack surface and has up-to-date security practices. A SOC 2 compliance audit

scrutinizes how the university security practices abide by the following principles.

● Privacy - How the LMS uses, retains, and disposes of PII. (Imperva, n.d.)

● Security - How the system prevents unauthorized access, theft/removal of data, misuse of

the software, and improper disclosure of information (Imperva, n.d.)

● Availability - Validates the system has the capability to mitigate threats such as

environment failure and power outages (Imperva, n.d.)

● Processing integrity - Ensures that data entered in the system is valid and authorized.

(Imperva, n.d.)

● Confidentiality - Analyses how encryption, network/application firewalls, and intrusion

detection are used to protect data (Imperva, n.d.)

 14

Summary

In summary, the stakeholders of the university, through the framework of enterprise

information security architecture, will be able to achieve the goals in maintaining a high-quality

education, adapting to an online learning environment for all students, since enrollment at Safe

Harbor University (SHU) was highly affected through COVID 19 Pandemic.

With this, the information is provided in the context of organizational requirements,

priorities, risk tolerance and related factors, to help ensure the enterprise architecture reflects

both current and future business needs of the university. (Tierney, 2022, January)

References

Boise State University. (2022, February). System Acceptable Use Standard. OIT Governance, Risk &

Compliance. Retrieved May 22, 2022, from https://www.boisestate.edu/oit-itgrc/it-standards-

category/system-acceptable-use-standard/
 15

Carnegie Mellon University. (2022). University Policies. Retrieved From

https://www.cmu.edu/policies/administrative-and-governance/code-business-

ethics-conduct.html

CollegeData & CollegeData. (n.d.). College Sizes: Small, Medium, or Large? CollegeData. Retrieved

May 22, 2022, from

https://www.collegedata.com/resources/the-facts-on-fit/college-size-small-

medium-or-large

downtimemonkey.com. (2018, April 25). How much downtime is acceptable for a website.

https://downtimemonkey.com/blog/how-much-downtime-is-acceptable.php

First Coast Technical College. (2022). FCTC.edu. Non-Discrimination Policy. Continuous Notification of

Non-Discrimination. Retrieved From https://fctc.edu/policies/eeo-non-discrimination-policy/

Heriot Watt University. (2019, September). Risk Appetite Statement. Retrieved From

https://www.hw.ac.uk/documents/Risk-appetite-statement.pdf

Imperva. (n.d.). SOC 2 Compliance. https://www.imperva.com/learn/data-security/soc-2-compliance/

Indiana University, (2022). Misuse and Abuse of Information Technology Resources. Retrieved From

https://policies.iu.edu/policies/it-02-misuse-abuse-it-resources/index.html

Moyle, Ed and Kelley, Diana. (2020, November). Packt Publishing. Practical Cybersecurity Architecture:

A guide to creating and implementing robust designs for cybersecurity architects. pp 58-69

NIST. (n.d.). Confidentiality - Glossary | CSRC. NIST.Gov. Retrieved May 22, 2022, from

https://csrc.nist.gov/glossary/term/confidentiality#:%7E:text=The%20term

%20’confidentiality’%20mea

s%20preserving,personal%20privacy%20and%20proprietary

%20information.&text=The%20property%

0that%20data%20or,to%20unauthorized%20persons%20or%20processes.
 16

NIST. (n.d.). Special Publication 800–122: Guide to Protecting the Confidentiality of Personally

Identifiable Information (PII). Retrieved May 22, 2022, from

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

Tierney, Mike (2022, January). Netwrix.com. Blog. What Is Enterprise Information Security
Architecture? Retrieved From https://blog.netwrix.com/2022/01/18/what-is-enterprise-
information-security-architecture/
University of Massachusetts, Lowell. (2022). University of Massachusetts Administrative Standards for

Nondiscrimination and Harassment Policy. Retrieved From

https://www.uml.edu/HR/Equal/Guidelines-Procedures/UMass-Admin-Stand-for-

Nondiscrimination-Harassment.aspx>

University of Nebraska system. (2022). Internal Audit & Advisory Services. Risk Appetite. Retrieved

From https://nebraska.edu/offices-policies/internal-audit-and-advisory-services/

risk-appetite

University of Oklahoma. (2022) Non-discrimination policy. Retrieved From Non-Discrimination Policy

(ou.edu)

U.S. Department of Education. (n.d.). Protecting Student Privacy. Studentprivacy.Ed.Gov. Retrieved May

22, 2022, from https://studentprivacy.ed.gov/resources/identity-authentication-best-practices

What is the CIA Triad? Definition and Examples. (2021, November 10). SecurityScorecard.

https://securityscorecard.com/blog/what-is-the-cia-triad#:%7E:text=Confidentiality%2C

%20Integrity%2C%20and%20Availability.,organization’s%20security%20procedures%20and

%20policies.