ICT-strategy for college students provided by Institution.pdf
ICT_Strategic_Plan-2013-17
ICT STRATEGIC PLAN
Information and Communication Technologies, Application Centre
2013 - 2017
ADEKUNLE AJASIN UNIVERSITY
Akungba Akoko, Ondo State
1.0 INTRODUCTION
The need for Adekunle Ajasin University to be a 21st-century university and to rank within the
top 100 universities in the world has been made clear. The University is responding to this
challenge and aims to achieve its objectives within the next five (5) years by improving the
quality of teaching, research, innovation and commercialisation. One of the core services and
critical factors in confronting these challenges is well-implemented Information and
Communication Technology.
In the past few decades, a concrete Strategic Plan and/or Road Map was not implemented
to set the direction of ICT initiatives at the university. As a result, many projects are
implemented through an exhaustive and more cost effective approach. A Strategic Plan is now
created to fill this shortfall and to coordinate all ICT projects towards achieving the corporate
objectives of the university. The AAUA ICT Strategic Plan outlines five key strategic initiatives,
namely:
• To develop an advanced and established infrastructure and ICT services to support
teaching, learning and research at the University
• To strengthen ICT to develop a knowledge-based community
• To improve and innovate ICT facilities to support the core of the University
• To apply green ICT culture among the university community
• To provide an environmentally integrated communication technology
ICT infrastructure has grown rapidly in the 21st century, while some ICT facilities have
reached or are approaching the end of their lifespan. As a result, re-structuring of the
infrastructure is vital. In five years to come, we hope to be able to set up a backbone network
of up to 1Gbps with redundancy to provide the campus with high-performance networking
facilities. The strategic plan also outlines the establishment of a high performance Data Centre
for the convenience of the university. To improve the university’s administration, the ICT
strategic plan includes initiatives to improve operational effectiveness. Computing an
endways and systems integration have been identified as a primacy. Most of the operational
processes will be implemented in computer within the first three years.
This strategic plan also outlines a framework for supporting high-impact research through the
provision of grid computing and high performance computing. The ICT Strategic Plan will set
a clear direction paving the way to state-of-the art research and learning environment for the
university.
2. ABOUT THE UNIVERSITY’S ICT
2.1 INFORMATION & COMMUNICATION TECHNOLOGIES, APPLICATION
CENTRE (ICTAC)
ICTAC is divided into the following sub-sections for greater effectiveness:
• Administrative Office
• Application Centre (AC)
• ICT Data Service (IDS)
• Network and Data Centre Management (NDCM)
• Support Centre and Client Service (SCS)
2.2 ROLES AND FUNCTIONS OF ICTAC
• To support the AAUA core services, that is, research, innovation, publication and
teaching;
• To shape the ICT strategy and monitor the formation of cyber-campus;
• To implement various ICT policies;
• To prepare IT/IS related services and campus infrastructure;
• To provide ICT training and awareness activities for the AAUA community;
• And to develop and implement a computerised system.
2.3 ADMINISTRATIVE OFFICE
The Administrative Office is responsible for all ICT administrative matters such as ICT sensitization,
staff administration, staff developmental trainings and workshops.
2.3.1 BACKGROUND
Administrative Office is divided into three major units, namely:
• Staff Administration and Development Unit
• Building Maintenance and Inventory Unit
• Procurement and Finance Unit.
2.3.2 FUNCTIONS
This office is responsible for all administrative matters, which include:
i. Implementation of administrative work: Help implement the human resources
planning, staff appointments, staff leave application, record staff competency,
management of students undergoing industrial training at ICTAC and other
administration relative to ICTAC and its members.
ii. Building maintenance and inventory recording: Ensure that every defect or
damage complaint in ICTAC is dealt with immediately, and that the inventory of IT equipment
and other hardware/software in ICTAC and their distribution using ICTAC allocation
over campus are recorded.
iii. Implementation of procurement and financial monitoring: Manage and monitor
expenses so that they do not exceed the approved provisions; and prepare ICTAC’s
annual financial report or budget schedule. Manage and ensure that the tender
documents and quotations from suppliers are processed by the right ICTAC division as
necessary. The office also manages implemented procurements and their relative
payments.
iv. Manage and monitor ICT staff development via training and workshops.
2.4 APPLICATION CENTRE (AC)
This division is responsible for the planning, development and management of various
applications such as Student Information System, E-Learning management systems as well as
Enterprise/Administrative Information Systems (such as HR Information System and Financial
Systems) for AAUA community as required across various administrative and academic
functions. The development projects of the Application Centre are more focused on the use of
new web technology for more open innovation.
This division, while working as one unit, has a few subdivisions for simplicity and easy
management of various critical applications, such as the Enterprise Portal Unit (e.g. Student
Registration Portal and e-learning Content Management Systems, Result and Transcript
Management Systems), Corporate Web Unit and Administrative Information Systems (e.g.
Human Resources Systems for Personnel and Financial Systems for Bursary).
2.4.1 BACKGROUND
The AC division of ICTAC has been established with a view to developing a collaborative web
portal application for AAUA community needs across various administrative and academic
functions.
On the whole, the advancement by the Application Centre is more focused on the use of new
web technology for AAU community needs, in a more open and innovative way that reduces red
tape.
In addition, AC caters to the need for a complete integrated application to support students’
information processing cycles, with a general academic application developed to support all
activities in an integrated manner, starting from the process of application for admission of
candidates to graduation.
2.4.2 FUNCTIONS
• Review and apply the open source of innovative technology to produce innovative and
efficient systems applications.
• Develop innovative web applications to enable AAU citizens to improve productivity and
quality of work while making existing processes easier and cost effective.
• Review, plan and develop an integrative portal for research management and academic
activities for Staff and Students.
• Review, plan and upgrade applications developed to meet the current technological
needs.
• Develop enterprise-class applications that support the University administrative process.
• Manage integrity and integration of third-party applications into existing systems.
• Provide technical consultancy and cooperate with other divisions within ICTAC and the
University Administration in organising briefings and trainings for developed
application systems.
• Study, plan, upgrade and maintain collaborative portal applications to ensure
everything operates seamlessly and always meets current needs. For example, Email,
Portal, e-library, research information management system, central authentication
management system (single sign on) and others.
• Execute and manage system applications developed in accordance with the
requirements of the core functionality of such unit, faculty and/or department.
2.5 ICT DATA SERVICE (IDS)
This division of ICTAC is responsible for the collection and management of information and
records relating to both staff and students’ academic as well as co-curricular activities within
ICTAC and online.
2.5.1 BACKGROUND
IDS is established with the view of maintaining accurate, up-to-date records collected
across the campus (via online or offline sources) for effective statistics and use. The
sub-division collaborates with the institution’s Exams and Records, a statistical division of the
Academic Planning.
2.5.2 FUNCTION
• Manage and maintain the integrity and availability of student related data to
departments, governments and external agencies.
• Collate and analyse data across the University for future application and use.
2.6 NETWORK AND DATA CENTRE MANAGEMENT (NDCM)
The Network sub-division of ICTAC is responsible for the planning, development, provision,
management and maintenance of the campus area network as well as the internet services,
including branch offices and sub-campuses. Data Centre Management, meanwhile, is responsible
for ensuring the availability, scalability and security of data and information in digital form
owned by the Institution, in a form usable by all necessary parties.
2.6.1 BACKGROUND
The DCM, part of Network and Data Centre Management, is being established to store the
digital form of information owned by AAUA in a stable infrastructure that is always within easy
reach, highly available, safe and secure in supporting the university’s core services. The main
roles of the NDCM:
1. Online monitoring and maintenance of internet and bandwidth of the network
within Main campus at 1000mbps (and City campus at 8mbps where necessary).
2. Monitoring and maintenance of hardware firewall, network box, intrusion
prevention system and Virtual Private Network (VPN).
3. Installation, maintenance and monitoring of the wireless network facilities for
students and AAUA staff, which are currently made up of a few access point (AP) units
and wireless controllers.
NDCM, working in collaboration with the strategic team, is also responsible for planning and
providing a disaster recovery site to face possible disaster and minimise the impact of
disasters on the core services of the university.
2.6.2 FUNCTION
• To design and implement network infrastructure implementation processes.
• To provide internet access for the entire campus, including branch and
mini-campuses.
• Monitor network security, firewalls, VPN and critical hardware and software.
• Identify, plan, maintain, monitor and apply new technology that supports the
University ICT applications, services and data centre infrastructure to ensure high
availability, performance, capacity and security of server hardware.
• Identify and apply appropriate technology to enhance user experience while using the
applications developed in-house with the appropriate technology. For example, the use
of an enhanced Mail Server in terms of user experience with applications such as load
balancer technology (to increase availability) and spam filtering technology (to reduce
junk emails).
• Manage agreements for software services, licence renewal and extension of warranty
for server, database and other critical software.
• To provide both wired and wireless network for staffs and students for data and
resource sharing such as networked printer, copiers and data storage.
• Manage and monitor the use of serving storage area network and virtualisation
infrastructure to achieve the objective of storage and data consolidation. Moreover,
manage backup and restore applications and databases.
• Provide DNS services to campus (aaua.edu.ng) and manage webhosting.
• Develop, maintain and monitor the server infrastructure for the disaster recovery site;
contribute to the testing of the disaster recovery plan to test the application and
database recovery.
• To provide and maintain network services for facilities such as CCTV (Closed Circuit
Television), door access etc.
2.7 SUPPORT CENTRE|CLIENT SERVICE (SCS)
This division is responsible for the planning, provision, organisation, maintenance and repair
of ICT equipment such as computers, laptops and printers used by both academic and
non-academic staff for teaching, learning and research purposes. In addition, SCS manages and
monitors ICT complaints and provides support to AAUA citizens via email, the Client Service
Counter/Office and our call hotline.
2.7.1 BACKGROUND
This section was established to provide support for prospective candidates making enquiries with
respect to the admission process. The success of this section brought great benefit to AAUA
citizens and the general University administration.
2.7.2 FUNCTION
• Acquire, distribute and upgrade the University’s ICT equipment such as desktops,
laptops and printers.
• Provide services that help users through counters, telephones, emails, online support
application, workshop computers and mobile teams.
• Provide computers and LCD projectors where necessary.
• Formulate and outline policies and regulations relating to the use and maintenance of
the University’s ICT equipment.
• Provide technical support and an interface between ICTAC and the various Faculties.
• Provide technical advice regarding ICT equipment and their applications.
System Analyst
ADEKUNLE AJASIN UNIVERSITY Akungba Akoko, Ondo State
PART A:
THE STRATEGIC PLAN
3.0 STRATEGIC PLAN
TO DEVELOP, ADVANCE AND ESTABLISH INFRASTRUCTURE AND ICT SERVICES TO SUPPORT
TEACHING, LEARNING AND RESEARCH
3.1 OBJECTIVES
The objective of the strategic plan is to allocate a time range for the key development of
AAUA’s Information System to ensure that the developed strategy is adequately implemented
to meet the Institution’s business objectives.
• Scalable, reliable and secure systems
• Robust teaching and learning environment
• Innovative development
• Staff development and professionalism
• Cost effective use of resources
3.2 PRINCIPLES
• The implementation of the proposed IS strategy will take effect as soon as this IS
Strategy is adopted and approved by AAUA management. In view of this, this timeline
will take reference from the time of adoption of the proposed strategy.
• Within the first few months, the Chief Information Officer (CIO) and the information
systems team will be fully appointed, as well as the governing group. Assembling the
IS team before the implementation of the strategy is to ensure that the design and
implementation of the systems are professionally done to avoid costly errors that will
pose a barrier to the success of this strategy.
• Using facts from the design, all necessary hardware systems and software needed for
the implementation of this strategy should be procured and installed.
• Moving into partnership with various technological and telecommunication
companies as soon as the relevant solutions are being implemented. This will enable
Adekunle Ajasin University to fulfil its objective of a 21st century learning environment for
its citizens while benefitting from the support of its partners.
3.3 IS STRATEGY TIMELINE FOR THE NEXT 5 YEARS
1st Year (2013/2014)
Activities:
• Development of Student Registration Portal
• Migration of Current/Old Students data to new portal
• IT Strategic Plan/IT Framework Development
Specific Objective/Strategies:
• Employed a Systems Analyst and Outsource part of the system development
• Create a migration process/pathway
• Create a 5 year IT Strategic Plan to link strategic priorities with capital budget priority,
training and operational decisions
Possible Challenges: Lack of possible professionals; internet availability
Cost Estimates: Approx. N10Million
Remarks (Situation on Ground, i.e. Facilities, Personnel): Completed; To be Stated; On-going

2nd Year (2014/2015)
Activities:
• IT Career Framework/Staff Development
• IT Infrastructure Initiative: Project Phase I
Specific Objective/Strategies:
• Create new IT career framework including prospective career path, develop staff
improvement program.
• Provision of effective Internet service connectivity.
• Building of ICT Resource Centre: including running PCs for e-library and CBT by
AAUA Citizens
Possible Challenges: Funding, lack of well-structured roadmap, unstable power supply
Cost Estimates: Approx. N1.5Billion (initial setup)
Remarks (Situation on Ground, i.e. Facilities, Personnel): TBC

3rd Year (2015/2016)
Activities:
• IT Infrastructure Initiative Project: Project Phase II
• Application/Streamlining Initiative (ASI)
Specific Objective/Strategies:
• Provision of campus-wide PC and support
• Categorise, evaluate and improve IT applications
Possible Challenges: Funding, lack of skilled personnel
Cost Estimates: Approx. N150Million
Remarks (Situation on Ground, i.e. Facilities, Personnel): TBC

4th Year (2016/2017)
Activities:
• Development of Student Registration Portal
• Portal Integration
Specific Objective/Strategies:
• Improve existing to meet the current requirement
• Integration of LMS and Course timetable within Portal
Possible Challenges: Funding, knowledge of Staff involved
Cost Estimates: Approx. N10Million
Remarks (Situation on Ground, i.e. Facilities, Personnel): TBC

5th Year (2017/2018)
Activities:
• Network Connectivity Project (NCP): Wired/Wireless
Specific Objective/Strategies:
• Complete and On-going maintenance campus area network implementation
Cost Estimates: Approx. N15Million
Remarks (Situation on Ground, i.e. Facilities, Personnel): TBC
4.0 STRATEGIC DIRECTION AND KEY DEVELOPMENT AREAS
AAUA’s demand for the implementation of efficient information systems remains a continuous
process, the University having realised the importance of this as a major contributor to the
successful and effective operational delivery upon which the majority of our business
objectives rely.
An efficient and effective strategic management and governance system, coupled with a
strong organisational structure that brings about good speed of action, decisiveness and use of
resources, is a prerequisite.
4.1 STRATEGIC INITIATIVES
AAUA will establish a Chief Information Officer (CIO) or ICT Director, who will either be one of
the senior strategic level management personnel or an outsourced information technology
specialist. An IS team and/or department will be re-structured under the supervision of the
Director, who will collaborate with external organisations to deliver a successful strategic
goal.
The established Director will be directly responsible for the management of the Information
System policies. The Information System will be a reliable, functional and re-usable system,
aligned to the business goals and value for money, while providing support for the AAUA
citizens focus. We will:
• Establish a close relationship among AAUA citizens (Staff and Students) by setting up
a platform that promotes effective proximity.
• Put in place the right instrument to measure and support the performance, technology
and people;
• Develop and promote a user community where students can relate with one another
like the traditional classroom or forum, while actively protecting their privacy.
The Director and its team of staff will gain support from the institution in:
• Promoting the business change and performance of the IS resource and technology
across the University;
• Improving the communication platform cross-campus (such as network, intranet,
internet and other forms);
• Providing a standardized way of dealing with common problems and customer complaints
relative to the systems;
• Working with other administrative staff members, senior level management and
departments/faculties all across the institution to develop and deliver a programme
of effective information systems as well as technological advancement and standards
that aligns with the business strategic operations and objectives.
4.2 STRATEGIC PRINCIPLE AND INITIATIVES OF THE KEY DEVELOPMENT AREA
The IS department has identified and detailed below the several development areas of the
systems and business operations that will make a successful delivery of their business
objective through the department’s programmes. This will be supported via a 5-year timeline.
In addition, it involves managing the daily operations and the effectiveness of resolving
managerial issues.
4.2.1 PRINCIPLE
The core strategic areas will include:
• Integrated Learning Management Systems (LMS) – to improve and promote
research and learning both internal and external to the institution. This
system will create a teaching, learning and research platform for academic
excellence.
• Integrated Student Information Systems (SIS) – This system will help identify,
improve and profile individual students (that is, listing out any factors which may
influence their academic success and excellence, such as educational
background, age, gender, location, lifestyle) in order to derive a better analysis
on how best to approach them or meet their academic needs.
• Automated Financial Control System – to monitor and manage the current
financial revenue online relative to the various payment realization. This helps
the Bursary department to effectively manage the institution’s finances. This
means our students and prospective students can make payment seamlessly at
all times without any disappointment, as well as preventing them from mis-paying.
• Integrated Payment Solution – the actual system that provides a platform
where students can directly search, view and pay for whatever they owe. The
Bursary, Management and the Systems Administrator can also view and
manage students’ payment records (past, present and future).
• Integrated Web Analytical Solution – to promote AAUA’s online presence and
increase its visibility in terms of the University’s official website, while
monitoring access to the various portals for security purposes. The quicker our
prospective students can search for information in Google and find us, the
better for our credibility and reliability with them. The web analytical system
helps to improve our performance online through a data analysis of the
daily, weekly or monthly activities of the site.
• Integrated Communication Systems – this will help promote the flow of
communication among AAUA citizens. This system includes chat board, online
helpline, and integrated email.
• Integrated Forum and Chat Board System – to provide a platform where our
students and prospective students with diverse cultural differences and
values can relate to one another, share new ideas, review products and
services; even cooking recipes. The chat room supports repudiation and protects
the privacy and data of the customers.
• Integrated FAQ and Knowledge-based System – to provide a platform where
our customers and prospective customers with diverse cultural
differences and values can relate to one another, share new ideas, review
products and services; even cooking recipes. The chat room supports
repudiation and protects the privacy and data of the customers.
• Automated Help-Line and Call Back System – to improve guidance to the
customer and provide immediacy close enough to the feeling of traditional
commerce.
• Risk and Disaster Management System – increasing the awareness of the
organisation to direct effectively a broad range of ways to continue in business
operation in time of any form of disaster.
The system will be designed to actively support and improve student focus, by directly or
indirectly putting the citizens (Staff and Students) in the driving seat.
It will be designed to deliver efficient and effective feedback to the end-user at all times.
5.0 BASIC SUPPLIER AND CONTRACT ENGAGEMENT
The effective management of supplier relationships and contracts is a vital key to the
success of AAUA’s IS Strategy. The ICT department forms strategic alliances with contractors
and suppliers from the IT service industry as highlighted in the “IT@AAUA” document by
Microgate. For instance, while Microgate is one of the main strategic partners, Google will gain
access through the department, as agreed, to all necessary resources needed to implement
the system and launch aaua.edu.ng into the wide internet marketplace.
5.1 PRINCIPLES
• The IS department and CIO are to work strategically with suppliers through a strategic
procurement plan or framework to improve clarity of supply and roles while maintaining
best value.
• It is vital for the organisation to establish and maintain an excellent working
relationship based on partnership and value for money with suppliers, and to promote
positive relations with the IT service industry.
• With respect to contract management, the department will maintain a balance
between on-campus IT services and outsourced services and functions.
6.0 GENERAL ORGANISATIONAL POLICIES
Adekunle Ajasin University is committed to meeting all laws and regulations in the conduct of
its business within the State and beyond; hence, it expects its citizens to understand these
policies and how to conduct themselves while rendering services in the interest of the
institution.
1. Only authorized IT personnel can install or modify software on the University network
and can use external drives to transfer data on/from the network.
2. Remote access to the University network must be authorized and can only be carried
out for official purposes. Users must be aware of and abide by the terms and conditions
involved with respect to information system security and other IT policies.
3. All sensitive information concerning both Adekunle Ajasin University and its citizens
must be secured properly either on- or off-campus depending on the classification of
such information
4. All University equipment must be insured properly against theft, damage or loss.
5. Rights and privileges will be granted to staff based on their status/level, which will
enable them to access the information they need in order to carry out their duties.
End-users need to have a strong password for access to their systems and must keep
the passwords safe and personal.
6. Access to areas with sensitive information like the server room and storage rooms will
be controlled. Only authorized staff will be allowed in and made aware of the risks involved.
7. System access will be closely monitored so as to check any misuse of the information
systems and the data therein with the help of the intrusion detection systems.
8. All information being transmitted out of the local network must be encrypted and
authenticated using digital signatures.
9. Use of flash drives or CD-ROMs will not be permitted except when authorised.
10. All students’ details including contact details and bankcard details must be treated
with utmost confidentiality. This can only be released to authorized persons.
11. All information gathered by the information systems will be retained for a minimum
period in accordance with the law and disposed when due. This information must be
encrypted when being transmitted with the appropriate techniques.
12. All employees should be aware of their responsibilities, corporate and legal duties -
most especially issues concerning the sharing of university’s information both within
and externally.
13. Employees will be fully trained on how to make the best use of the systems.
14. Access control to the systems with security on the network will be properly monitored
and reviewed periodically to avert any unlawful intrusion or attacks on the organization’s
network and resources.
15. Adequate plans will be put in place for any denial of service attack. This will be
maintained and tested periodically for accuracy.
16. All contracted third party companies must agree to these policies guiding the
information security and deliver all services to promote the AAUA standards.
17. All rights to access University’s information and systems must be revoked from
employees once they resign to avoid any risk that might arise from their continued
access.
18. Any breach of the information security of the institution must be reported to the IT
Director as soon as possible to carry out necessary investigations, gather evidence and
restore systems.
19. AAUA’s employees must at all times deliver proper customer satisfaction and have the
utmost goal and objectives of the company at heart.
PART B:
STRATEGIC SECURITY
PLAN
5.0 SECURITY THREAT ANALYSIS
This section is concerned with the various vulnerabilities and anything that may be a threat to
the security of data, systems and the university’s business target.
5.1 OBJECTIVES
• To identify the different security threats to the AAUA information system.
• To analyse the likelihood of their occurring and the impacts on AAUA’s business.
5.2 PRINCIPLES AND ANALYSIS
The possible security threats that Adekunle Ajasin University may be exposed to are classified
into three major groups: Physical threats, online threats and Systems threats.
5.2.1 Physical Threats:
These are threats associated with physical attack, abuse or unauthorised access to the
system either by internal or external individuals. These threats can come in different forms.
• Unhappy Employees/Contractors: Disgruntled employees and/or contractors might
mismanage sensitive information regarding AAUA and its citizens. There are moderate
chances that this threat might occur; however, data lost due to this can cost millions.
• Theft/Loss of Laptop/movable systems: Losing laptops or removable storage
devices containing AAUA’s data and valuable information will likely put the University at
security risk. However, there is a moderate chance of this happening, and the cost of
loss of mobile items and data stored may be minimal or expensive depending on the
university’s policy on use of removable devices.
• Unauthorised Access: This is concerned with an unauthorised user(s) gaining access
to the institution’s Information System with an intention to breach the IS security for
malicious advantage. The likelihood of this happening is moderate where proper
security implementation is in place. There will be strict access control to the
server room, yet one can never rule out sabotage and internal collaborations. The cost
of people gaining unauthorised access can be very high for Adekunle Ajasin University.
5.2.2 ONLINE THREATS
AAUA’s online presence and business transactions, such as selling of forms, are going to
expose it to different forms of online security threats. These threats are identified below.
• Malicious Code Injection: Spyware, malware and viruses can be used to attack the
information system, since users can inject malicious code via vulnerable web form input. The
possibility of this threat happening is extremely high and its impact can be pricey.
• Phishing: AAUA is also susceptible to phishing attacks, since AAUA’s contacts such as
email address and website are known to the public. The probability of this threat
happening and its impact are high; not just to the institution but to its stakeholders as
well as prospective students.
• Flooding and Smurfing: This is capable of denying AAUA’s citizens services internally
and externally. The chance of this occurring is high and so is the cost of denial.
• Pharming and Spoofing: AAUA’s citizens could be redirected to fraudulent websites
where they may lose their valuable data and money. Like other online attacks, the
possibility is higher, even for a well-known institution such as this, and the cost is high too.
5.2.3 SYSTEM THREATS
These are attacks on AAUA’s operating systems and the installed offline and online solutions,
for instance, attacks on the University Portal, University Local Area Network, internet
service and so on. There is a moderate chance that this threat will occur where there is a
proper security solution against some of the malicious codes mentioned above and
system software.
6.0 SECURITY PLAN
This section of the strategy details the security plan of Adekunle Ajasin University with respect
to the threats identified in the previous chapter. There are two types of plan for it to be more
effective, as detailed in sections 6.1 and 6.2 below.
6.1 PHYSICAL SECURITY PLAN
The physical security plan provides suitable and cost-effective use of the University’s people
and equipment in order to prevent and/or minimize loss of devices and/or equipment, or physical
damage from misuse, abuse, waste, exploitation, spying, sabotage, disruptive activities and
other criminal intent. This plan sets minimum standards for securing both the activities of
AAUA and its assets.
6.1.1 STRATEGIC PRINCIPLE AND INITIATIVES
After successfully assessing the security and vulnerability risks that can directly or
indirectly affect the institution, a set of security policies, plans and procedures is put in place
to:
Protect against service theft such as unnecessary use of company telephone for
personal purpose, abuse of holiday and sick period, abuse of staff discount card;
Protect against misuse of University ICT resources such as computers, networks and
internet and other resources e.g. electricity, gas and electrical components, vehicle,
phones, radio phones;
Protect against access to restricted areas.
With the current establishment of a Chief Security Officer, the security department is to control,
monitor and maintain the security of its physical environment as well as the resources that are
directly or indirectly connected to it.
Other core immediate security plans are as follows:
Installation of Closed Circuit Television – CCTV to monitor the street and properties
such as the entrance, fire exits, the passage, lecture room, and every other
environment which cannot be guarded or monitored by human at a time.
Identity Card for Staff and Information Service Personnel – to help identify the right
person or staff accessing or using what they should be accessing and using. In this way,
the security personnel will distinguish an ICT support engineer from HR personnel
and can issue the right pass to where they need to access.
Authorised and Restricted Areas – label the areas (such as the server room, power
(electricity, oil and gas) house, generator room, file room e.g. Exams and records)
which only need to be accessed by specialist personnel as restricted areas.
Electronic Door Locks – apart from CCTV cameras watching the restricted areas,
electronic door locks with passwords will be installed on the doors so that only the right
personnel with the right password gain access.
Integrated Intruder and Burglar Alarm – install alarms that are directly connected to
the nearest police station to alert the Police in case of attempted burglary or tampering
with the resources when nobody is around.
People Security Awareness Training – having understood that most security breaches
come directly from within, Adekunle Ajasin University establishes security awareness
training to educate all staff, and students where necessary, on the importance of security
to the success of the institution and on how to identify and report any form of risk,
breach and vulnerability.
Use of Personal Electronic Device in direct or indirect connection with the
University’s resources – to prevent staff, except for senior managers, from
plugging devices such as a USB key into the institution’s computers, or a laptop and other types
of smart device into the institution’s network, without exceptional clearance from both
ICT and one of the senior managers.
Secure Disposal of Document with Sensitive Data or Information – establishment of
an in-house disposal function, mainly to securely dispose of documents
and equipment with sensitive data or information such as system configuration
manuals, old contracts and agreements with suppliers, and staff ID/access cards. This will
protect the institution from a potential attacker or even a competitor who might want
such information for devious reasons.
6.2 SYSTEM SECURITY PLAN
We are analysing the existing systems and the security vulnerabilities existing in the
databases. AAUA needs to secure the data collected from online end-users, ensuring that
the information collected is not misused and is secure. When user information is being
transmitted, it may be stolen by hackers with unknown motives, which could result in data loss.
The integrity of user information is therefore of utmost importance.
Securing the channel depends on various factors; one of them is that data is
secure when transferred over a public channel like the internet. Thus, AAUA will ensure it
provides a secure technology.
The top factors in system security:
1. Confidentiality: The Data collected by AAUA will be confidential and only disclosed to
authorised personnel who need to make use of it as approved by the management.
2. Integrity: Steps to ensure that the recipient can determine that the data provided is correct.
3. Authentication: AAUA needs to be sure that the user requesting to “perform an
action” is a valid person and is whom he/she claims to be.
4. Authorization: AAUA’s systems need to be sure that the user requesting to “perform
an action” has the right approval and privilege to do so.
5. Availability: The data/information regarding AAUA must be available on user
demand.
6. Non-repudiation: AAUA assures non-duplication of data to avoid denial of any action
done by the user.
The entire transaction process is categorized into various steps such as user login, user
registration, online payment, purchasing merchandise and so on.
The data provided by the end-user will be encrypted and decrypted using suitable techniques.
This helps in securing the process, allows the AAUA business to expand further and
leads to a very successful establishment of its goal and vision.
6.2.1 STEPS THAT AAUA WILL TAKE TOWARDS THE SYSTEM SECURITY PLAN
Antivirus - AAUA will ensure every system has antivirus so that the important data is secure.
DNS Placement – AAUA will split DNS into two parts. One for external queries and the other
for internal resource queries.
Firewalls and Encryption – Encryption and firewalls will secure AAUA from any intrusion.
Proxy Servers – This will help AAUA connect the LAN to the internet, sharing the connection with
other machines within the institution.
Password and security codes - AAUA will make sure every system and application is secured
with passwords.
Audit Logins – This will help AAUA in auditing user logins, such as how many times a user
logs in to an account within the institution.
System Audits - AAUA will keep a check on the systems frequently to see if the software and
systems are up to date.
USB Ports – The USB ports within the store will be blocked so that no in-store important data
is migrated to any unauthorized source.
6.3 SECURITY STRATEGY TIMELINE
For the University to put in place and implement this information security strategy proficiently,
there is a need for the entire process involved to be mapped out in a timeline as follows:
1. Immediate review of AAUA status and an information security team set up within 3
months to initiate the developed security strategy as approved by the management.
2. The design and architecture of the physical and system security plan is looked into and
formalized. Installations and implementation are to be carried out before the end of 6
months from the date of commissioning this strategy, bearing in mind that these security
features are a prerequisite for the business transactions.
3. Training of staff to be aware of the security features and policy guiding their
performance will be done immediately the installations are complete within the next
six months although periodic workshops and training will still be carried on for the
next 5 years to cater for new employees and any system alterations.
4. Maintenance of the systems will begin after 6 months, when we presume that all systems
are now running. This will be carried out regularly within the next 5 years to avoid any
eventuality of system breakdown.
5. This security system will be assessed after 2 years and beyond to take note of the
effects on the business venture and the enhancements put in place.
Below is a diagrammatic layout of the security strategy timeline:
[Figure: security strategy timeline. Phases: Now – 6 months; Near term (6 months – 1 year);
Mid term (1 year – 2 years); Long term (2 years to 5 years). Activities shown: set-up of
Information Security team; initiating the security plans; security systems installation;
implementation of the systems; staff training; further training of employees; maintenance
of systems and reviews; assessment of the systems.]
System Analyst
ADEKUNLE AJASIN UNIVERSITY Akungba Akoko, Ondo State
PART C: STRATEGIC DISASTER RECOVERY PLAN
7.0 DISASTER RECOVERY THREAT ANALYSIS
7.1 OBJECTIVE
To identify the potential disaster threats that are capable of truncating AAUA business
activities and thereby putting its goals in jeopardy.
To analyse the threats in terms of their likelihood to happen and their possible impacts
on AAUA business.
7.2 PRINCIPLES
Disaster threats to AAUA academic activities will be analysed under three headings: Security
threats, System threats and Natural Disaster.
7.2.1 NATURAL DISASTER
These threats are not man-made. They occur spontaneously on their own and are beyond the
control of the institution.
Flood: Serious flood can destroy structures, goods, information systems and
sometimes lives.
Earthquake: This can occur anywhere at any time and as such, AAUA is vulnerable.
Accidental Fire outbreak: It is possible for any of AAUA’s buildings (department, faculty,
hostel) to suffer from an unexplained fire outbreak that can claim valuable properties
and sometimes lives.
7.2.2 SECURITY THREATS
These could be physical threat or online threat. The threat could also be external or from
within AAUA.
Physical threats: the Institution is susceptible to all forms of physical threats, both
from within and outside, ranging from theft (robbery), unauthorized access, induced
fire outbreak and industrial action to sabotage from dishonest or sacked employees.
Online threats: As highlighted in our security strategy, online threats are multifaceted
and AAUA is vulnerable. They can come in the form of malicious code (virus) injection, denial
of service, phishing, etc.
7.2.3 SYSTEM THREATS
These are threats that are likely to affect AAUA’s application infrastructure base and its
e-commerce applications. A system threat that makes the software/applications malfunction
or stop working will paralyze its daily activities.
7.3 THREATS ANALYSIS
Natural Disaster
Flood: Flood is not common in Nigeria and as such, the probability of this happening
is low. However, the increasing concerns about global warming could increase the
chances of flood disaster. In the event of flood affecting AAUA, the impact is going to
be high as it could lose valuable properties worth hundreds of thousands of Naira.
Earthquake: Earthquake is also not common in Nigeria and so the likelihood of an
earthquake affecting AAUA is moderately low. If, however, the Institution suffers
an earthquake disaster, depending on the areas affected, AAUA could lose all of its
assets (worth millions of Naira). Employees’ lives could also be lost.
Heavy Snow/Rain: Heavy snow is common in NIGERIA. Though heavy snow is unlikely
to cause serious damage to AAUA assets, it is likely to disrupt some of its business
activities such as deliveries. Such delays could cost the institution hundreds of
thousands of Naira.
Accidental Fire outbreak: Sometimes, fire outbreak can occur accidentally and could
make the institution lose some of its business assets. The likelihood of this occurring
is moderate and, depending on the extent of damage, the cost of replacing damaged
assets and the possible delays can run into thousands or hundreds of thousands of Naira.
Hurricane Wind: This is not common in Nigeria but has the potential to cause
serious damage to AAUA business. Destruction and disruption due to hurricane could
cost AAUA thousands of Naira.
Security Threats
Online Threats: The nature of these threats is such that they could make AAUA lose
its valuable data and that of its customers, cause systems to malfunction, deny AAUA
customers services and even make AAUA lose its customers. The probability of this
threat occurring is high. In addition, the cost of lost data, reduced customer base,
time spent out of business while fixing problems and the like could run into
hundreds of thousands of Naira.
Physical threats: The probability of this threat occurring in AAUA is moderate. The
cost of lost AAUA mobile machines, data lost due to lost machines or unauthorized
access to AAUA systems, days/hours stayed out of business due to industrial disputes
in AAUA could run into hundreds of thousands of Naira.
System Threats: The chance of this threat occurring in AAUA is moderate. Purchasing and
re-installing new software and applications, and days or hours spent out of business while
sorting out system problems, could cost AAUA thousands of Naira.
BUSINESS CONTINUITY PLAN
Adekunle Ajasin University sets minimum standards for what actions are to be taken or what
response is to follow should any form of threat highlighted in the previous section take place.
Chief Strategic Safety Officer: will be one of the Senior Staff and/or a board member
responsible for general oversight of AAUA’s business continuity and disaster recovery
plans and process; monitors and reviews the process in alliance with both the Strategic
Coordination Manager and the Strategic Recovery Manager.
Strategic Coordination Manager: is responsible for coordinating staff and resources
requested by the recovery team in time of disaster or failure, as well as providing advice on
availability of service.
Strategic Recovery Manager: will receive alerts and notifications of disaster or failure and
follow through the necessary recovery process to get the organisation back on its feet.
STRATEGIC PRINCIPLE AND INITIATIVES
For a successful continuity plan, AAUA will look into possible failure scenarios and
proposed solutions.
DISASTER/FAILURE CIRCUMSTANCES
Information and Data Service Failure – this involves maintenance, upgrade and/or
failure of IT hardware resources such as the network, servers and computers, and of
software resources including bespoke applications such as the online shopping
software, which may result in service disruption.
Communication Failure – disruption resulting from maintenance or failure of
telecommunication resources such as telephone line, emails, fax.
Utility Failure – unavailability of power sources such as electricity, gas and oil. This also
involves faults with physical access security, CCTV cameras, heating and lighting systems.
Logistic Failure – this relates to unavailability of transportation as a result of
breakdown or accident, or unexpected delivery failure.
Media Security – bad press via a disgruntled employee or customer, and the media, based
on service disruption.
Staff Unavailability – due to industrial strike action by AAUA staff and/or other
contract partners such as the third-party company managing the student payment portal;
staff on leave, off sick or significant loss of life.
PROPOSED SOLUTION
The proposed solutions to the possible disaster or failure will include the following:
Provision of information and Data Service Back up Procedures. Backing up of
information and essential data to a remote offsite service every half-hour.
Provision of an alternative Server Solution, a secondary domain server with the same
information and function that kicks in when the primary server breaks down.
Availability of alternative power supply units such as generator and UPS.
Employ the services of a Public Relations Officer to act as spokesperson for the
company and manage the amount and dissemination of necessary information to the
public.
Temporary Staffing to be sourced in time of staff unavailability, while having on-site
delivery personnel on stand-by should the contracting company fail.
Establishment of policies and procedures on health and safety, fire as well as of all
staff with respect to hazard, fire and health and safety.
PHYSICAL AND ENVIRONMENTAL RECOVERY PLAN
AAUA, taking a deeper look into its continuity and recovery plan, drew out the following steps
to take in order to recover from both physical and environmental disaster, whether human
induced or natural.
Parking Control – to make sure the fire exit is clear at all times in case of emergency,
know and regulate who comes in and goes out of the environment.
Integration of Post Room and Delivery Point - have a post room (located at every
faculty office separate from the University delivery point) that controls postage and
acceptance of mails both internal and external; this helps reduce the amount of
external personnel gaining access into the Institution’s property. The post room will
perform mail sorting and screening while the delivery point will be the main collection
from anybody outside of the institution.
Installation of HVAC Systems – heating, ventilation and air conditioning systems in all
classrooms, libraries, CBT halls, and server rooms.
Installation of Fire detector and Fire Exit Door – to detect, and activate the release of
the fire doors in time of fire outbreak and explosion.
Other recovery strategies include establishment of an alternative off-site storage house for
the AAUA data centre.
CRITICAL BUSINESS PROCESSES.
In the context of AAUA, these are the processes without which AAUA will find it extremely hard to
operate in the event of any disaster. They are:
1. Financial Reporting systems:
They need to be able to accept online payments at all times when customers want to
pay online for goods. They need to be able to accept payments in store at all times and
manage accounts of customers and suppliers. They need to be able to produce the
daily, weekly and monthly financial reports as and when needed.
2. Management information systems:
They should be able to generate data in real time from tills and all point of sales data
from all the branches and the e-commerce site of AAUA to aid faster decision making
by management. Management needs to take decisions as regards when to order
stocks, daily sales income and shop profitability at all times.
3. The IT systems put in place for AAUA should be quite efficient to deliver a fast,
effective and high quality service to AAUA citizens such as services desk, student
portal. This will reduce queues in store and speed up request times to servers so that
customers do not spend much time while trying to make orders online.
These mentioned processes remain significant in the day-to-day business operations
of AAUA and any lapse in any of these areas will make it lose money and cause a
great deal of customer dissatisfaction. This will affect the organisational objective of
being the leading online shopper and affect the estimated turnover if solutions are
not proffered with immediate effect.
DISASTER RECOVERY PLAN
An unexpected event could cause a sudden disaster at AAUA, so there is a
definite need for a contingency and disaster recovery plan that AAUA can use in any kind of
emergency. Disasters might include fire, flood, thefts, accidents, IT incidents or power
failures, which can affect AAUA in a massive way.
The disasters can be divided into three categories:
Natural Disaster: (flood, fire, hurricane, etc)
Human Disaster: (operator error, malicious attacks, etc)
Environmental Disaster: (Power failure, Software error, etc)
One of the most frequently occurring disasters is the IT disaster, when the network or the server goes
down. AAUA needs to have the BDC (Backup Domain Controller) promoted to the PDC (Primary
Domain Controller) to restore the data with backup. Subscribing with different internet service
providers could give backup in case of network or connectivity loss.
In case of fire, which is one of the natural disasters, AAUA will have to set up fire alarms and
carry out fire training with staff/people. Wirings and plug points should be regularly checked, and
electrical problems should be immediately reported.
Flood is a rare natural disaster; however, AAUA should take necessary
precautions against it. Thus, all water pipes should have regular checks with periodic
maintenance. AAUA needs to be insured against natural disasters.
Accidents are likely to occur at any time during the day, and AAUA will try to keep them to a
minimum level. Three types of accidents (staff, student or third-party accidents) could
affect AAUA’s business in any manner.
Theft is another common disaster that AAUA could face, and so it is important to take
precautions. AAUA should make use of strong lock systems, which could be attached to
alarms. The cash in the store/AAUA should be kept away safe after closing. There should be
security with alarms and cameras all around AAUA.