Running Head: DATA SECURITY ACROSS MULTIPLE SOFTWARE PLATFORMS 1
An Examination of Data Security Across Multiple Software Platforms
By
Robert W. Griffith
M.Ed
Grand Valley State University, 2009
B.A.A
Central Michigan University, 2006
Advisor:
Dr. Douglas L. Blakemore
Full Professor
Accounting, Finance, and Information Systems Department
Summer Semester, 2015
Ferris State University
Big Rapids, MI
DEDICATION
This is dedicated to my wife, Melissa, our dog, Chewie, and the rest of my family. Thanks to
Melissa for allowing me to continue pursuing my education for the betterment of our family.
Thanks to Chewie for curling up under the table and keeping my feet warm while I worked
tirelessly into the night.
ACKNOWLEDGEMENTS
I would like to thank my committee chair for this capstone, Dr. Douglas Blakemore, and my
content expert, James Furstenberg. Through their support and guidance, I have been able to gain
valuable experience and knowledge in the field of information security. I would also like to
thank my fellow classmate, Lee Bravender, who served as a sounding board when I hit a brick wall.
Finally, I would like to thank my good friend, Will Tomlinson, who reviewed my various
capstone drafts.
Table of Contents
List of Tables
Abstract
Chapter 1
Introduction of the Problem
Background of the Study
Problem Statement
Purpose of the Study
Rationale
Research Questions
Significance of the Study
Definition of Terms
Assumptions and Limitations
Chapter 2
How are Security Settings Determined for Data that is Transferred Across Multiple Software Platforms
How do Data Owners Ensure Their Data is Secured in other Software Platforms
Chapter 3
Description of Methodology
Design of the Study
Research Question 1: How are security settings determined for data that is transferred across multiple software platforms?
Research Question 2: How do data owners ensure their data is secured in other software platforms?
Data Analysis
Chapter 4
Research Question 1: How are Security Settings Determined for Data that is Transferred Across Multiple Software Platforms
Research Question 2: How do Data Owners Ensure Their Data is Secured in other Software Platforms
Chapter 5
Summary of Findings
Recommendations
Further Study
References
Appendix A
Appendix B
List of Tables
Table 1
Table 2
Table 3
Table 4
Table 5
Abstract
Data security is an issue that all organizations should be focused on. With the amounts of data
that organizations have regarding individuals, it is important for those organizations to
implement policies that ensure security for all data that is being stored, and/or created. This is
especially true for higher education institutions that gather many types of data, which include
biographical (e.g. name, birthdate, addresses, gender, etc.), academic (e.g. grade point average,
class schedule etc.), and financial (e.g. billing amounts, payment types, etc.). Therefore, it is
important to examine the data security settings of higher education institutions to ensure data is
secured. This is especially true for institutions that utilize multiple software platforms for the
creation and storage of data. Specifically, this capstone will research the data security settings
and processes that have been developed at Ferris State University. Once the research is
completed, recommendations will be suggested to improve the data security settings and policies
for Ferris State University.
Chapter 1
Introduction of the Problem
Data security is becoming an issue of increasing concern. With the many types of data
that are collected, and input into various software platforms, it is important to ensure the utmost
security of that data. This is especially true for the types of data that are collected by colleges
and universities across the country. Typically, when applying for admission, prospective
students submit their name, date of birth, social security number, address(es), parent names,
gender, and race, amongst many other categories.
Due to the amount of data that is collected, as well as the types of data that are being
created, these software platforms may be prime candidates for security concerns. In addition,
there are typically multiple software platforms used by a single institution. Not only does each
software platform collect (and typically create) data, it also transfers data amongst multiple
software platforms. In addition, each software platform will typically have its own set of
security settings, thus allowing an individual to have access to sensitive information in one
software platform, while limiting their access within a different platform.
Background of the Study
Although most individuals think of large companies such as Target or Home Depot when
they hear about data breaches, higher education institutions are not immune to such occurrences.
During July of 2013, Ferris State University was the target of an unauthorized
user accessing its web server, potentially giving access to personally identifiable records for
thousands of students, staff, and faculty. Due to data security breaches such as this, it is
important to research and develop solutions to ensure data security for higher education
institutions.
One of the most important areas on which to focus additional research in higher
education is the use of multiple software platforms. Over the last several years, there have been
numerous software platforms developed for use at higher education institutions. These software
platforms cover a variety of student information areas including on-campus housing, billing,
meal access, student involvement, and many more. As stated by CDW (2014), interacting
software platforms often rely on each software platform connected, and are essential to the health
of the higher education institution. Based upon this, CDW (2014) recommends that the software
platforms be reviewed, reconciled, and potentially reengineered/retooled to ensure data
security.
Problem Statement
As previously stated, there are multiple software platforms in use at higher education
institutions. Each software platform is responsible for the creation and storage of specific
student data. However, that data is also transferred between the multiple software platforms,
which can lead to potential concerns for the security of the data that is being transferred.
Specifically, there are concerns with how the data is secured as it is being transferred
across multiple software platforms. In some instances, the software platforms are self-hosted by
the institution, while other platforms are hosted offsite by a third party, usually the software
developer. Due to this, data is potentially being transferred offsite, which can lead to concerns
for the security of the data connections.
In addition, security settings can be set individually for each software platform. Because
of this, an individual could have access to data through one software platform, and be restricted
from seeing that data within a different software platform. As one could imagine, this presents a
concerning issue of how to ensure the correct individuals have access to the data needed, while
limiting the data they do not need.
Purpose of the Study
The purpose of this study is to increase the security (confidentiality and integrity) posture
of protected student housing data residing in disparate University-owned applications. This
study will conduct an administrative review of departmental and university work processes and
policies and investigate the system/applications that store, access and transmit this data to review
for correct configurations and system level security settings.
Upon completion of the examination and evaluation, a report regarding the security
settings of each software platform will be generated. Based upon the report, a list of best
practices regarding data security across multiple software platforms will be generated, which will
allow data owners to have a better understanding of how to ensure data security.
Rationale
As previously stated, higher education institutions typically utilize more than one
software platform, which causes concerns for data security. Based upon current experience,
there are opportunities to determine the areas of concern for how data is secured when
transferred across multiple software platforms. Although Information Technology (IT) staff are
typically involved in the decision making process regarding software platforms, individual
departments may choose to ignore the advice and guidance offered by IT staff. This research can
provide an educational foundation for higher education staff who have limited knowledge of data
security but are tasked with implementing software platforms.
Research Questions
The research will answer the following questions:
1. How are security settings determined for data that is transferred across multiple
software platforms?
2. How do data owners ensure their data is secured in other software platforms?
Significance of the Study
Due to the varying degrees of understanding of data security amongst staff members at
higher education institutions, IT staff are charged with the difficult task of ensuring data security.
This task is compounded when there are multiple software platforms that require data security.
In addition, although IT staff understand the importance of data security, there can be gaps in the
understanding of why particular staff may be required and/or denied access to specific data.
Based upon these incongruities, there are often times in which data can be either too restricted, or
not restricted enough.
Definition of Terms
Data – information that is created and stored within a software platform, and typically is used to
represent specific student information
Software Platform – a program used to create and store specific data
Security – manner in which data is protected, which can include technology, processes, or
training
Assumptions and Limitations
Assumptions:
• Ferris State University will allow for the examination and evaluation of the data security
policies that are currently in place.
Limitations:
• Research is limited to software platforms that are used at Ferris State University.
Although other higher education institutions may use the same set of software platforms,
those institutions may have different security policies in place. Therefore, this research
will be limited in its applications to Ferris State University. However, it may be used as a
guide for how to examine and evaluate data security at other higher education
institutions.
• May be limited in its ability to evaluate and examine data security at Ferris State
University due to access restrictions to the data security policies, and the software
platforms. However, since this research will focus on the setup of access control, and
what types of data are shared across multiple software platforms, this should not be a
major area of concern.
• Due to the narrow research topic, previous research is limited. Therefore,
current research regarding this topic is limited.
Chapter 2
How are Security Settings Determined for Data that is Transferred Across Multiple
Software Platforms
With the continued increase in the amount of data being created and collected, the need
for data security also increases. With that in mind, it is vital that organizations understand the
importance of securing data used within their software platforms. Unfortunately, Sumithra and
Ramraj (2011) described the quality of security as less than desired. Due to this, it is important
for security to be integrated throughout the software life cycle (Sumithra & Ramraj, 2011). In
order to ensure security is integrated within the life cycle, a checklist can prove valuable.
Sumithra and Ramraj (2011) include 26 items on their checklist including a formal security
review, establishing security metrics, setting access parameters, identifying input sources, and
testing for system integration.
Based upon the increased focus on security within software platforms, security should be
integrated throughout the software platform development. Unfortunately, that is not always the
case. As described by El-Hadary and El-Kassas (2014), security requirements can be viewed as
constraints of the functionality of software platforms, and cause those requirements to be pushed
aside. This ultimately causes concerns for the security of the data that is created or stored with
that software platform.
As a method to incorporate security throughout the software platform development, event
logs and audit trails allow for the monitoring of the software platforms once they have been
implemented. As described by Pandey and Mustafa (2012), a checklist can assist with the
process of determining what activities need to be monitored. In addition, it provides a
framework based upon the existing literature regarding best practices (Pandey & Mustafa, 2012).
Once the software platform has been implemented, the importance of data security
becomes a reality. With that in mind, there needs to be a level of governance to ensure the data
is protected. As described by Desai (2013), data protection laws are aimed at protecting user
rights and determining the location of data. Based upon this, the issue of jurisdiction becomes of
increasing concern, and will vary based upon the locations in which the data is stored. Desai
(2013) explains that global cloud services present challenges with variances in requirements
across jurisdictions. Because of this, it is important for the creation of a uniform set of policies,
which is currently being discussed by the European Union governing bodies. Unfortunately, this
approach may not be ideal, as the logistics of data movement is dynamic and ever changing.
How do Data Owners Ensure Their Data is Secured in other Software Platforms
One method used to ensure data security is through the utilization of access control lists
(ACL). ACLs allow security administrators to set privileges for users to access specific sets of
data. In addition, there are various types of ACLs, including role-based, discretionary, system,
multithread, or mandatory.
In support of data security, ACLs can be a powerful tool for administrators to specify
access for users, as well as define their abilities for the creation or modification of data. In
addition, some of those tools can be automated allowing an administrator to focus on other tasks.
One such tool is the utilization of mandatory access control lists (MACLs), which are predefined and not
under the control of the object owner (Kearns, 2006). In essence, the MACL can allow a user with a
specific access level read-only access to lower levels and write access to equal or higher
levels, and can sometimes disallow access altogether (Kearns, 2006).
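The read and write rule described above can be sketched as a Bell-LaPadula style label check (read down, write up). This is an added example, not code from Kearns (2006) or from any Ferris State University system; the level names, the compartments (which go beyond the levels-only description in the text), read access at an equal level, and the owner-grant layer are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sensitivity levels, lowest to highest (assumption, not from the paper).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Label:
    """Security label set by the administrator, never by the data owner."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Higher-or-equal level AND a superset of the other label's compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mandatory_ops(subject, obj):
    """Operations the labels permit: read down, write up, both when equal."""
    ops = set()
    if subject.dominates(obj):
        ops.add("read")
    if obj.dominates(subject):
        ops.add("write")
    return ops  # empty when the labels are incomparable: access is disallowed


def decide(subject, obj, op, owner_grants):
    """An owner's grant can narrow access but can never widen the mandatory rule."""
    return op in mandatory_ops(subject, obj) and op in owner_grants


# Constructed labels for two staff members and four kinds of record.
HOUSING_CLERK = Label("internal", frozenset({"housing"}))
REGISTRAR = Label("confidential", frozenset({"academic"}))
DIRECTORY = Label("public")
ROOM_ASSIGNMENT = Label("internal", frozenset({"housing"}))
TRANSCRIPT = Label("confidential", frozenset({"academic"}))
AID_RECORD = Label("restricted", frozenset({"academic", "financial"}))

if __name__ == "__main__":
    records = {"directory": DIRECTORY, "room assignment": ROOM_ASSIGNMENT,
               "transcript": TRANSCRIPT, "aid record": AID_RECORD}
    for name, label in records.items():
        print(f"housing clerk -> {name}: {sorted(mandatory_ops(HOUSING_CLERK, label))}")
```

The last function shows why the owner has no control over the mandatory layer: a grant of read and write from the record's owner still returns a denial when the labels do not permit the operation.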
In addition, there is concern for the flow of information with software platforms. Due to
this, it is important that access control addresses that concern. As described by Chou, Lo, and
Lai (2005), the program execution by legal users does provide opportunities for potential attacks.
However, there are a few concerns in regards to shared memory, non-interference, and
combination leakage (Chou et al., 2005). Chou et al. (2005) describe the concern of shared
memory leakage through the use of individuals sharing chopsticks, which require the chopsticks
to be cleaned before being used again. Although this analogy may seem rudimentary, it
demonstrates the need for ensuring each user is allowed to use clean tools before proceeding.
The same analogy can also be used to describe non-interference. Specifically, each
individual is able to use any of the chopsticks, with the individual and chopsticks each having
their own access control rights, which are changed once an individual uses a specific set of
chopsticks (Chou et al., 2005). Chou et al. (2005) attempt to address this concern by the creation
of associated groups, which are aimed at restricting the indirect flow of information from outside
associated groups.
The final concern described is combination leakage, which is caused when an individual
is able to use a mathematical function to determine information based upon obtaining specific
information multiple times (Chou et al., 2005). In order to prevent this concern, access control
would prevent individuals from accessing information more than a specified number of times, as
well as utilizing a rotation for the individuals who are accessing information within a given time
frame (Chou et al., 2005).
Unfortunately, one of the drawbacks of ACLs is the latency that is created due to the
additional computations needed (Abdulmohsin, 2009). In order to address this area of concern,
certain techniques should be utilized to ensure the optimization of ACLs. However, that task
may be easier said than done, as ACLs can be extensive. As described by Abdulmohsin (2009),
the task of optimizing ACLs is to reduce their size, which can also result in the reduction of
configuration errors. By combining the executed access rules, and removing others,
Abdulmohsin (2009) was able to optimize the typical ACL by 80%. Although this will increase
the optimization of an ACL, there is a significant amount of setup required in the beginning stages.
An additional area of concern is role-based ACLs. As described by Ferraiolo, Sandhu,
Gavrila, & Kuhn (2001), there has been an increase in platform providers implementing role-
based ACL without a standard of how role-based ACLs should be structured. Due to
incorporating roles, role hierarchies, activation, as well as role constraints, role-based ACLs have
begun to become a generalized approach (Ferraiolo et al., 2001). Specifically, administration has
become easier, as it allows for the simple transition from one role to a different role when an
individual changes functions within an organization (Ferraiolo et al., 2001).
However, there are concerns with the administration of role-based ACLs, which is
especially true when using multiple software platforms. As described by Ferraiolo et al. (2001), there
has been little consensus on role-based ACLs and which model should be used, as it would either
include or exclude too much. Based upon this, there has been a proposed standard to define the
basic elements with examples including users, roles, permissions, and objects (Ferraiolo et al.,
2001). By implementing a standard set of role-based ACLs, this will allow platform providers a
benchmark for their specific platform, as well as a better understanding of the terms for the
consumer purchasing the platform (Ferraiolo et al., 2001).
Although understanding the terms of role-based ACLs is important, understanding the functional
aspects of role-based ACLs is equally important. As described by Ferraiolo et al. (2001), the
core of role-based ACLs is that roles are created with specific permissions, and users are
assigned role(s) based upon their responsibilities. There can also be hierarchies applied to role-
based ACLs, which establish roles based upon relationships among the users, specifically
supervisors and supervisees (Ferraiolo et al., 2001). There are also role-based ACLs aimed at
limiting conflicts of interest by limiting roles based upon membership within a separate role,
or by limiting the number of users within a specified role (Ferraiolo et al., 2001).
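The elements described by Ferraiolo et al. (2001), namely roles that carry permissions, role hierarchies, and constraints that limit conflicting or over-populated roles, can be shown together in one small model. This is an added example, not code from the cited standard or from any vendor platform; every role, user and permission name is constructed for illustration.

```python
from dataclasses import dataclass, field


class ConstraintViolation(Exception):
    """Raised when a role assignment would break a configured constraint."""


@dataclass
class RBAC:
    role_perms: dict = field(default_factory=dict)  # role -> direct permissions
    juniors: dict = field(default_factory=dict)     # senior role -> inherited roles
    user_roles: dict = field(default_factory=dict)  # user -> directly assigned roles
    exclusive: set = field(default_factory=set)     # role pairs nobody may combine
    max_users: dict = field(default_factory=dict)   # role -> cap on number of holders

    def add_role(self, role, perms=(), inherits=(), limit=None):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(inherits)
        if limit is not None:
            self.max_users[role] = limit

    def forbid_together(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))

    def effective_roles(self, roles):
        """Return the roles plus every junior role reachable through the hierarchy."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors.get(role, ()))
        return seen

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        current = self.user_roles.get(user, set())
        if role in current:
            return
        # Conflict-of-interest check runs on inherited roles as well, so a
        # senior role cannot bring in a junior role the user must not hold.
        combined = self.effective_roles(current | {role})
        for pair in self.exclusive:
            if pair <= combined:
                raise ConstraintViolation(f"{user}: {sorted(pair)} are mutually exclusive")
        # Cardinality check: cap how many users may hold a sensitive role.
        holders = sum(1 for held in self.user_roles.values() if role in held)
        if holders >= self.max_users.get(role, float("inf")):
            raise ConstraintViolation(f"{role}: user limit reached")
        self.user_roles.setdefault(user, set()).add(role)

    def change_role(self, user, old_role, new_role):
        """Move a user who changes function; roll back if the new role is refused."""
        roles = self.user_roles.setdefault(user, set())
        had_old = old_role in roles
        roles.discard(old_role)
        try:
            self.assign(user, new_role)
        except ConstraintViolation:
            if had_old:
                roles.add(old_role)
            raise

    def permissions(self, user):
        perms = set()
        for role in self.effective_roles(self.user_roles.get(user, ())):
            perms |= self.role_perms.get(role, set())
        return perms

    def check(self, user, permission):
        return permission in self.permissions(user)


def build_policy():
    """Constructed policy for a housing office and a billing office."""
    rbac = RBAC()
    rbac.add_role("housing_clerk", perms={"housing:read"})
    rbac.add_role("housing_manager", perms={"housing:write"}, inherits={"housing_clerk"})
    rbac.add_role("billing_clerk", perms={"billing:read", "billing:write"})
    rbac.add_role("billing_auditor", perms={"billing:audit"})
    rbac.add_role("data_owner", perms={"access:approve"}, limit=1)
    rbac.forbid_together("billing_clerk", "billing_auditor")
    return rbac


def refused(rbac, user, role):
    """Return True when a constraint rejects the assignment."""
    try:
        rbac.assign(user, role)
    except ConstraintViolation:
        return True
    return False


if __name__ == "__main__":
    policy = build_policy()
    policy.assign("alice", "housing_manager")
    print("alice:", sorted(policy.permissions("alice")))
    policy.assign("bob", "billing_clerk")
    print("bob may also audit billing:", not refused(policy, "bob", "billing_auditor"))
```

Because each platform keeps its own copy of such a model, the same check has to give the same answer on every platform that holds the data, which is the administration concern raised above for multiple software platforms.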
Chapter 3
Description of Methodology
This section will describe the methodology that will be used to complete the research
questions posed in chapter one. Specifically, the research will be quantitative in nature and will
be conducted through a survey that will be distributed to specific staff members at Ferris State
University. The specific staff members will be chosen based upon their role within the
organization, and their designation as a ‘data owner’. These ‘data owners’ are designated as the
staff members who are responsible for specific data which is created, stored, and transferred
among the multiple software platforms at Ferris State University.
This methodology was chosen to allow for the collection of data directly from individuals
who are responsible for ensuring the security of protected data on campus. A survey will also
allow for specific questions to be developed that will address the research questions. Once
completed, the survey responses should provide a strong foundation for the development of best
practices to ensure data security across multiple platforms.
Design of the Study
In order to distribute the survey in an efficient and effective manner, Survey Monkey will
be used. By utilizing Survey Monkey, the survey will be available in an electronic format, which
allows for individuals to submit the completed survey in a timely manner. In addition, Survey
Monkey offers a variety of tools that will assist with ensuring an adequate response rate, as well
as a method to analyze the results, which will be discussed in the next section.
Research Question 1: How are security settings determined for data that is
transferred across multiple software platforms? In order to answer research question
one, questions will be developed that focus on data security settings. These questions
will be combined with the questions developed to answer research question two, and will be
given as one survey. Once the survey has been developed and tested, it will be distributed to
individuals who have been classified as data owners by Ferris State University’s Data
Security Administrator; this is considered a sample of convenience. After the individuals have
been selected, they will receive an e-mail with a summary of the research purpose. The e-mail
will also detail the instructions on how to complete the survey. In order to ensure an adequate
response rate, individual responses will be anonymous, which should encourage individuals to
answer the questions in an honest manner. A detailed view of the e-mail sent to the individuals
is provided in Appendix A. All individuals will be given seven days to complete the survey.
After four days, the individuals who have not completed the survey will be sent a reminder
e-mail. One day before the survey is to be completed, another e-mail will be sent to any
individuals who still have not completed the survey. Survey questions 3 - 6, and 9 are used to
answer research question 1, as they are used to determine security settings in software platforms.
Research Question 2: How do data owners ensure their data is secured in other
software platforms? In order to answer research question two, questions will be
developed that focus on how data and the data owners interact with other data and data
owners. As described under question one, individuals will be selected by their designation as a
data owner. Those individuals will then receive an e-mail describing the research, and how to
complete the survey. All responses will remain anonymous, and individuals will be given two
weeks to complete the survey, with reminders sent at one week, and one day before completion
of the survey. Survey questions 7, 8, and 10 – 18 are used to answer research question 2, as they
address how data is secured in multiple software platforms. Survey questions 1 and 2 are
demographical questions used to determine the types of data supervised by the respondents.
Data Analysis
Since the survey will be administered via Survey Monkey, analysis will be conducted by
means of Survey Monkey’s online tools. These tools include a summary for each survey
question, as well as individual responses for each question. By utilizing the provided tools, it
will allow for a detailed analysis of each question, and how many responses are similar or
dissimilar.
The data analysis will begin once the two week survey has been completed. Once all
responses have been collected and analyzed, the responses will be kept for approximately one
year from the date of the submission of the final capstone draft. All responses will be kept via
the Survey Monkey account that will be established, and will be deleted at the established date.
In anticipation of the survey results, it is expected that the responses will highlight how
data is secured (or unsecured) within multiple software platforms. In addition, the survey
responses should indicate any areas in which there is concern for data security, and therefore
prompt for the development of best practices. If it is determined that the current settings
regarding data security are sufficient, best practices will be developed based upon these settings.
If the current settings are determined to be insufficient, a list of recommendations will be
developed to address the specific settings that are insufficient. The recommendations will be
based upon
Chapter 4
This chapter will review the research that was completed in regards to data security
processes at Ferris State University. Specifically, the research highlights the types of data in
question, how access to data is determined, how access is monitored, and the methods used to
ensure data security.
The survey was sent to six individuals who have been identified as data owners as
described in chapter three. Of the six individuals, four of the individuals completed the survey,
equaling a 66% response rate.
In order to understand the types of data that each respondent is responsible for, the first
questions asked for the types of data they supervised. Table 1 details the types of data that are
supervised by each respondent. There was also an option to manually enter a response, which
one respondent did; however, the respondent was adding to the answer for question number
seven.
Table 1
Table Describing Supervised Data
Type of data | # of respondents
Biographical (i.e. first name, last name, date of birth, etc.) | 3
Academic (i.e. G.P.A., major/minor, course credits, etc.) | 3
Financial (i.e. billing, payment method, etc.) | 2
Other | 1
The respondents also answered whether the data they supervised was protected by the
Family Educational Rights and Privacy Act (FERPA), to which 100% of the respondents indicated
their data was protected by FERPA.
Research Question 1: How are Security Settings Determined for Data that is Transferred
Across Multiple Software Platforms
One of the main purposes of this study is to determine how the security settings ensure
that data is secured across multiple software platforms. Specifically, software security needs to
be a focus of the individuals supervising data, and the users that are able to access their data.
According to the survey results, 75% of the respondents indicate they approve each individual
that requests access to their data. In addition, 75% of the respondents limit the number of
individuals that are allowed access to their data.
While the initial approval of each user should be a top priority for data owners, periodic
reviews of the access given to users are just as vital. This is due to potential changes in users’
responsibilities, or how they are accessing the data. Based upon the information provided in
Table 2, 75% of the respondents indicated they review user access at least every three to six
months.
Table 2
Table Describing Access Reviews
Timeframe for access review # of respondents
Monthly 1
Three – six months 2
Six months or more 0
Never – or not on a regular basis 1
As important as it is to know the users that have access to their data, data owners need to
know the specific software platforms that access their data. As reported in the survey, 75% of
the respondents indicate that third-party software is allowed to access their data. In addition,
75% of the respondents indicated they know the third-party software platforms that are able to
access their data. Although 25% of the respondents indicated they did not know the third-party
software that has access to their data, this may be explained by the previous response in which
25% of the respondents indicated that third-party software platforms are not allowed to access
their data.
Research Question 2: How do Data Owners Ensure Their Data is Secured in other
Software Platforms
Additionally, having the ability to monitor and audit when data is altered by users is
critical for data owners to ensure the security of data. As reported by the data owners, 100%
indicated they are able to monitor and audit data that has been altered. As illustrated in Table 3,
50% of the respondents indicated they only audit the data being accessed every three – six
months, with the other 50% only auditing the data every six months, or never.
Table 3
Table Describing Data Audits
Timeframe for data audits # of respondents
Monthly 0
Three – six months 2
Six months or more 1
Never – or not on a regular basis 1
In addition to auditing the data, data owners may occasionally limit the time frame a user
is able to access data. Although this may be an option for data owners, only 25% indicated they
do limit the time frame that data can be accessed. However, as briefly described at the beginning
of this chapter, one of the data owners did indicate they limit user access based upon the class
that user may be associated with. Data access can also be limited by the location from which a
user accesses data. This would be used to keep users from accessing data from an off-campus
location that may not be on a secured network. However, only 25% of the data owners
reported limiting user access based upon their location.
As indicated by the previous survey results, the data owners may not be monitoring
access on a regular basis. Due to this, it is also important for data owners to be alerted if
improper access has occurred. However, only 50% of the respondents have indicated there is a
method for alerting when improper access has occurred.
It is also important that each user has a unique account to access the software platforms.
As illustrated in Table 4, all of the respondents have indicated that each user has a unique
account.
Table 4
Table Describing User Accounts
Creation of user account # of respondents
Yes – everyone must have a unique account 4
Seldom – there are a few unique accounts but mostly shared accounts 0
No – there are no unique accounts 0
Although each user is required to have a unique account, it is possible for
users to have multiple sessions open simultaneously. This may be used by users that are
attempting to bypass security settings. As reported by the respondents, 100% indicated there is
no limit to the number of instances in which a user can be logged into the software platform
simultaneously.
Although the potential for users having multiple sessions open simultaneously is a valid
concern, there can be policies implemented that negate some of the concern for data owners.
Specifically, minimum password requirements for user accounts can limit the ability of outside
individuals to compromise the security of a user’s account. As reported by the respondents,
100% indicated there are minimum requirements for a user’s password. In addition, having users
that are trained with regard to the university’s security policies is vital. All of the
respondents indicated that all users do receive training.
Finally, there can be incidents in which data may be compromised by security incidents.
While the university should have policies in place that limit the possibility of such an incident, it
is just as important to have policies that negate the impact an event may have on the university.
Specifically, having accurate backups of the data is extremely important. As illustrated by Table
5, the respondents indicate that all types of data are backed up on a regular basis.
Table 5
Table Describing Data Backups
Timeframe for backups # of respondents
Monthly 4
Three – six months 0
Six months or more 0
Although the respondents have indicated an understanding of the importance of data
security, there are areas in which data security could be improved. Those areas will be discussed
further in chapter 5. In addition, recommendations will be developed to address the areas that need
improvement to ensure data security.
Chapter 5
This research was designed to study data security, and how data is secured when it is
transferred across multiple software platforms. Specifically, this research sought to answer the
following questions as first outlined in chapter 1:
1. How are security settings determined for data that is transferred across multiple
software platforms?
2. How do data owners ensure their data is secured in other software platforms?
This chapter will provide a summary of the research findings, recommendations for best
practices to ensure data security, and suggestions for future study.
Summary of Findings
Data security is an issue that every individual should be concerned with. Personal data
can be obtained by individuals other than the individual it references, and used for
malicious means. As indicated in the previous chapter, the data security settings researched in
this study pertain to biographical, academic, and financial data.
Although individuals may take every precaution to ensure their data is secure, those
precautions can be negated by inadequate security settings by the organization collecting and
storing that data. Therefore, it is important that data owners implement security settings to
ensure the safety of data.
As previously described, 75% of the data owners studied approve each user that is
allowed access to their data, and limit the number of users that are allowed access to
data. Additionally, 75% of the data owners review user access at least every six months, with
25% reviewing the access on a monthly basis. Policies such as these ensure that users are not
able to access data that are not within their role or responsibilities.
In addition, the data owners have indicated that they are aware of the third-party software
platforms allowed to access their data, thus limiting the potential for non-verified software
platforms to access data. Knowing the software platforms that have access to data is just as
important as knowing the users that have access to data.
Although security settings are designed to limit the potential for security breaches, there
can be incidents in which a user does not act in accordance with those security settings. Therefore,
it is also important to be able to audit when data is altered or accessed by a user. Unfortunately, the
data owners indicated that the data is only audited every three – six months, or in some instances,
never.
There have also been instances in which users are accessing data when not at the
workplace. These types of instances raise concern as to why users would be
accessing data away from the workplace. To limit these instances, data owners can occasionally
limit the timeframe in which a user’s access is valid. However, only 25% of the data owners
have indicated that this practice is implemented.
Additionally, it is important to be alerted when improper access does occur.
Unfortunately, 50% of the data owners have indicated there is no method to alert when improper
access has occurred. This may be explained by not having the ability to limit the number of
sessions a user is able to have open simultaneously. Although each user is required to have a
unique account, a user could give their credentials to an unauthorized user, and both could be
logged on simultaneously.
Although there are settings and/or policies that could be revised to improve data security,
there are measures in place to ensure accurate backups of data are created. As indicated by all
the data owners, backups of the data occur monthly. With this policy in place, if there were an
instance of data being maliciously altered by a user, data may be restored from a previous backup.
Recommendations
Although many of the settings and/or policies address many of the concerns related to
data security, there are still areas for growth and improvement. By implementing some best
practices, data security should be greatly improved.
1. Develop role-based access control lists.
2. Complete reviews of user access on a specified schedule, preferably no less than once
every three months.
3. Implement a schedule to audit data access, preferably no less than once every three
months.
4. Implement security settings to limit user access within a specific time frame (i.e.
Monday through Friday, 8a – 5p).
5. Implement security settings to limit user access based upon location (i.e. on-campus
versus off-campus).
6. Implement security settings limiting the ability of users to have multiple sessions
opened simultaneously.
7. Implement data security training for all users, including having users complete the
training on a periodic basis.
Although some of these best practices may be limited based upon the settings available
within the specific software platforms, they provide a foundation for data security settings. In
addition, it should be understood that these best practices will require implementation over a
period of time, and cannot be implemented instantly.
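Where a software platform cannot enforce recommendations 1, 4, 5 and 6 as settings, the same rules can still be applied as a scheduled audit of its access log (recommendation 3). The following is an added example, not part of the original capstone or of any Ferris State University system; the log format, role names, campus network range and session limit are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed policy values (constructed, not taken from the paper).
CAMPUS_NETS = [ip_network("10.20.0.0/16")]      # rec. 5: on-campus ranges
WORK_DAYS = range(0, 5)                         # rec. 4: Monday=0 .. Friday=4
WORK_START, WORK_END = time(8, 0), time(17, 0)  # rec. 4: 8a - 5p
MAX_SESSIONS = 1                                # rec. 6: one session per account
ROLE_GRANTS = {                                 # rec. 1: role -> data types
    "registrar": {"biographical", "academic"},
    "billing": {"biographical", "financial"},
    "advisor": {"academic"},
}

# Constructed sample log: time,user,role,action,session,source IP,data type
SAMPLE_LOG = """
2015-06-01T09:02:00,jdoe,registrar,login,s1,10.20.4.17,
2015-06-01T09:05:00,jdoe,registrar,read,s1,10.20.4.17,academic
2015-06-01T09:10:00,jdoe,registrar,login,s2,10.20.9.80,
2015-06-01T09:30:00,jdoe,registrar,logout,s1,10.20.4.17,
2015-06-01T10:00:00,asmith,advisor,login,s3,10.20.7.5,
2015-06-01T10:01:00,asmith,advisor,read,s3,10.20.7.5,financial
2015-06-06T22:15:00,mlee,billing,login,s4,203.0.113.44,
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    role: str
    action: str      # "login", "logout" or "read"
    session: str
    src_ip: str
    data_type: str   # empty unless action is "read"


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    when: datetime
    detail: str


def parse(line):
    """Turn one comma-separated log line into an Event."""
    when, user, role, action, session, src_ip, data_type = line.strip().split(",")
    return Event(datetime.fromisoformat(when), user, role, action,
                 session, src_ip, data_type)


def audit(events):
    """Replay events in time order and return every policy violation found."""
    findings = []
    open_sessions = {}  # user -> set of session ids currently logged in
    for ev in sorted(events, key=lambda e: e.when):
        active = open_sessions.setdefault(ev.user, set())
        if ev.action == "login":
            in_hours = (ev.when.weekday() in WORK_DAYS
                        and WORK_START <= ev.when.time() < WORK_END)
            if not in_hours:
                findings.append(Finding("outside-hours", ev.user, ev.when,
                                        ev.when.strftime("%A %H:%M")))
            if not any(ip_address(ev.src_ip) in net for net in CAMPUS_NETS):
                findings.append(Finding("off-campus", ev.user, ev.when, ev.src_ip))
            # A second login while another session is open is what a shared
            # credential looks like in the log.
            if len(active) >= MAX_SESSIONS:
                findings.append(Finding("concurrent-session", ev.user, ev.when,
                                        f"{ev.session} opened while "
                                        f"{sorted(active)} still open"))
            active.add(ev.session)
        elif ev.action == "logout":
            active.discard(ev.session)
        elif ev.action == "read":
            # Unknown roles get no grants, so they are flagged rather than allowed.
            if ev.data_type not in ROLE_GRANTS.get(ev.role, set()):
                findings.append(Finding("role-violation", ev.user, ev.when,
                                        f"{ev.role} read {ev.data_type}"))
    return findings


if __name__ == "__main__":
    for f in audit(parse(l) for l in SAMPLE_LOG.strip().splitlines()):
        print(f"{f.when.isoformat()}  {f.rule:<18} {f.user:<7} {f.detail}")
```

Each finding is also a candidate for the improper-access alert that half of the respondents reported lacking.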
Further Study
Although the research was able to highlight the areas of strength, as well as areas of
growth with regard to data security, there are areas in which additional research needs to be
completed. Specifically, there are additional questions that would serve as a follow-up to the
questions in the survey.
Although the respondents were asked if they approve of each user that requests access,
there could be follow-up regarding how data owners approve each request. In addition,
respondents were asked if they limit the number of users allowed access. However, respondents
should be able to elaborate on how they limit the number of users, and how the specific number
of users allowed is determined.
Respondents were also asked if they knew the software platforms that access their data.
However, there could be clarification on the specific software platforms accessing data, as well
as which software platforms are accessing which data. This would demonstrate the data owners’
understanding of the various software platforms in use.
In addition, the methods for how data is tracked could be elaborated on. This would also
include the methods used for alerting data owners about improper access. By having a thorough
understanding of these methods, recommendations could be developed to address potential
security concerns.
Finally, as data security continues to be an area of concern, the settings and policies
described throughout this paper will need to be reviewed and revised. These settings and
policies should be considered a living document that allows for flexibility and growth as
additional technologies are developed and implemented.
References
Al Abdulmohsin, I. M. (2008, September 20). Techniques and algorithms for access control list
optimization. Computers and Electrical Engineering, 35, 556-566.
CDW. (2014). Software asset management: Practices for success. In EdTech. Retrieved from
https://www.edtechmagazine.com/higher/sites/default/files/document_files/Software-Asset-Management-Practices-For-Success-145537.pdf
Chou, S., Lo, W., & Lai, C. (2005, October 17). Information flow control in multithread
applications based on access control lists. Information and Software Technology, 48, 717-725.
Desai, D. (2013, January). Beyond location: Data security in the 21st century. Communications
of the ACM, 56(1), 34-36.
El-Hadary, H., & El-Kassas, S. (2014, March 3). Capturing security requirements for software
systems. Journal of Advanced Research, 5, 463-472.
Ferraiolo, D. F., Sandhu, R., Gavrila, S., & Kuhn, D. R. (2001, August). Proposed NIST standard
for role-based access control. ACM Transactions on Information and System Security,
4(3), 224-274.
Kearns, D. (2006, April 19). All about ACLs; Rights and privileges to system resources. Network
World.
Pandey, S. K., & Mustafa, K. (2012, January). Security assurance through efficient event log and
audit trails. Journal of Global Research in Computer Science, 3(1), 27-30.
Sumithra, A., & Ramraj, D. (2011, February). A checklist based framework for software security
risk management. Computer Technology and Applications, 2(2), 304-308.
Appendix A
Appendix B

Griffith+MISI+799+Capstone+Final+Draft

  • 1. Running Head: DATA SECURITY ACROSS MULTIPLE SOFTWARE PLATFORMS 1 An Examination of Data Security Across Multiple Software Platforms By Robert W. Griffith M.Ed Grand Valley State University, 2009 B.A.A Central Michigan University, 2006 Advisor: Dr. Douglas L. Blakemore Full Professor Accounting, Finance, and Information Systems Department Summer Semester, 2015 Ferris State University Big Rapids, MI
  • 2. DATA SECURITY ACROSS MULTIPLE SOFTWARE PLATFORMS 2 DEDICATION This is dedicated to my wife, Melissa, our dog, Chewie, and the rest of my family. Thanks to Melissa for allowing me to continue pursing my education for the betterment of our family. Thanks to Chewie for curling up under the table and keeping my feet warm while I worked tirelessly into the night.
  • 3. DATA SECURITY ACROSS MULTIPLE SOFTWARE PLATFORMS 3 ACKNOWLEDGEMENTS I would like to thank my committee chair for this capstone, Dr. Douglas Blakemore, and my content expert, James Furstenberg. Through their support and guidance, I have been able gain valuable experience and knowledge in the field of information security. I would also like to thank my fellow classmate, Lee Bravender, who served as a sounding board for I hit a brick wall. Finally, I would like to thank my good friend, Will Tomlinson, who reviewed my various capstone drafts.
  • 4. DATA SECURITY ACROSS MULTIPLE SOFTWARE PLATFORMS 4 Table of Contents List of Tables .................................................................................................................................. 6 Abstract........................................................................................................................................... 7 Chapter 1......................................................................................................................................... 8 Introduction of the Problem........................................................................................................ 8 Background of the Study ............................................................................................................ 8 Problem Statement...................................................................................................................... 9 Purpose of the Study................................................................................................................. 10 Rationale ................................................................................................................................... 10 Research Questions................................................................................................................... 10 Significance of the Study.......................................................................................................... 11 Definition of Terms................................................................................................................... 11 Assumptions and Limitations ................................................................................................... 11 Chapter 2....................................................................................................................................... 
13 How are Security Settings Determined for Data that is Transferred Across Multiple Software Platforms................................................................................................................................... 13 How do Data Owners Ensure Their Data is Secured in other Software Platforms................... 14 Chapter 3....................................................................................................................................... 18 Description of Methodology..................................................................................................... 18 Design of the Study................................................................................................................... 18
  • 5. DATA SECURITY ACROSS MULTIPLE SOFTWARE PLATFORMS 5 Research Question 1: How are security settings determined for data that is transferred across multiple software platforms? ..................................................................................... 18 Research Question 2: How do data owners ensure their data is secured in other software platforms? ............................................................................................................................. 19 Data Analysis............................................................................................................................ 20 Chapter 4....................................................................................................................................... 21 Research Question 1: How are Security Settings Determined for Data that is Transferred Across Multiple Software Platforms......................................................................................... 22 Research Question 2: How do Data Owners Ensure Their Data is Secured in other Software Platforms................................................................................................................................... 23 Chapter 5....................................................................................................................................... 27 Summary of Findings................................................................................................................ 27 Recommendations..................................................................................................................... 29 Further Study ............................................................................................................................ 30 References..................................................................................................................................... 
31 Appendix A................................................................................................................................... 32 Appendix B................................................................................................................................... 33
  • 6. DATA SECURITY ACROSS MULTIPLE SOFTWARE PLATFORMS 6 List of Tables Table 1 .......................................................................................................................................... 21 Table 2 .......................................................................................................................................... 22 Table 3 .......................................................................................................................................... 23 Table 4 .......................................................................................................................................... 24 Table 5 .......................................................................................................................................... 25
  • 7. DATA SECURITY ACROSS MULTIPLE SOFTWARE PLATFORMS 7 Abstract Data security is an issue that all organizations should be focused on. With the amounts of data that organizations have regarding individuals, it is important for those organizations to implement policies that ensure security for all data that is being stored, and/or created. This is especially true for higher education institutions that gather many types of data which includes biographical (i.e. name, birthdate, addresses, gender, etc.), academic (i.e. grade point average, class schedule etc.), and financial (i.e. billing amounts, payment types, etc.). Therefore, it is important to examine the data security settings of higher education institutions to ensure data is secured. This is especially true for institutions that utilize multiple software platforms for the creation and storage of data. Specifically, this capstone will research the data security settings and processes that have been developed at Ferris State University. Once the research is completed, recommendations will be suggested to improve the data security settings and policies for Ferris State University.
Chapter 1

Introduction of the Problem

Data security is becoming an issue of increasing concern. With the many types of data that are collected and input into various software platforms, it is important to ensure the utmost security of that data. This is especially true for the types of data that are collected by colleges and universities across the country. Typically, when applying for admission, prospective students submit their name, date of birth, social security number, address(es), parent names, gender, and race, amongst many more categories. Due to the amount of data that is collected, as well as the types of data that are being created, these software platforms may be prime candidates for security concerns.

In addition, there are typically multiple software platforms used by a single institution. Not only does each software platform collect (and typically create) data, it also transfers data amongst multiple software platforms. In addition, each software platform will typically have its own set of security settings, thus allowing an individual to have access to sensitive information in one software platform while limiting their access within a different platform.

Background of the Study

Although most individuals think of large companies such as Target or Home Depot when they hear about data breaches, higher education institutions are not immune to such occurrences. In July of 2013, Ferris State University was the target of an unauthorized user accessing its web server, potentially giving access to personally identifiable records for thousands of students, staff, and faculty. Due to data security breaches such as this, it is important to research and develop solutions to ensure data security for higher education institutions.
One of the most important areas on which to focus additional research in regards to higher education is the use of multiple software platforms. Over the last several years, there have been numerous software platforms developed for use at higher education institutions. These software platforms cover a variety of student information areas including on-campus housing, billing, meal access, student involvement, and many more. As stated by CDW (2014), interacting software platforms often rely on each connected software platform, and are essential to the health of the higher education institution. Based upon this, CDW (2014) recommends that the software platforms be reviewed, reconciled, and potentially reengineered/retooled to ensure data security.

Problem Statement

As previously stated, there are multiple software platforms in use at higher education institutions. Each software platform is responsible for the creation and storage of specific student data. However, that data is also transferred between the multiple software platforms, which can lead to potential concerns for the security of the data that is being transferred.

Specifically, there are concerns with how the data is secured as it is being transferred across multiple software platforms. In some instances, the software platforms are self-hosted by the institution, while other platforms are hosted offsite by a third party, usually the software developer. Due to this, data is potentially being transferred offsite, which can lead to concerns for the security of the data connections.

In addition, security settings can be set individually for each software platform. Because of this, an individual could have access to data through one software platform, and be restricted from seeing that data within a different software platform. As one could imagine, this presents a
concerning issue of how to ensure the correct individuals have access to the data they need, while limiting their access to the data they do not need.

Purpose of the Study

The purpose of this study is to increase the security (confidentiality and integrity) posture of protected student housing data residing in disparate University-owned applications. This study will conduct an administrative review of departmental and university work processes and policies, and investigate the systems/applications that store, access, and transmit this data to review for correct configurations and system-level security settings.

Upon completion of the examination and evaluation, a report regarding the security settings of each software platform will be generated. Based upon the report, a list of best practices regarding data security across multiple software platforms will be generated, which will allow data owners to have a better understanding of how to ensure data security.

Rationale

As previously stated, higher education institutions typically utilize more than one software platform, which causes concerns for data security. Based upon current experience, there are opportunities to determine the areas of concern for how data is secured when transferred across multiple software platforms. Although Information Technology (IT) staff are typically involved in the decision-making process regarding software platforms, individual departments may choose to ignore the advice and guidance offered by IT staff. This research can provide an educational foundation for higher education staff who have limited knowledge of data security but are tasked with implementing software platforms.

Research Questions

The research will answer the following questions:
1. How are security settings determined for data that is transferred across multiple software platforms?
2. How do data owners ensure their data is secured in other software platforms?

Significance of the Study

Due to the varying degrees of understanding of data security amongst staff members at higher education institutions, IT staff are charged with the difficult task of ensuring data security. This task is compounded when there are multiple software platforms that require data security. In addition, although IT staff understand the importance of data security, there can be gaps in the understanding of why particular staff may be required and/or denied access to specific data. Based upon these incongruities, there are often times in which data can be either too restricted, or not restricted enough.

Definition of Terms

Data – information that is created and stored within a software platform, and typically is used to represent specific student information

Software Platform – a program used to create and store specific data

Security – manner in which data is protected, which can include technology, processes, or training

Assumptions and Limitations

Assumptions:

• Ferris State University will allow for the examination and evaluation of the data security policies that are currently in place.

Limitations:
• Research is limited to software platforms that are used at Ferris State University. Although other higher education institutions may use the same set of software platforms, those institutions may have different security policies in place. Therefore, this research will be limited in its applications to Ferris State University. However, it may be used as a guide for how to examine and evaluate data security at other higher education institutions.

• The research may be limited in its ability to evaluate and examine data security at Ferris State University due to access restrictions to the data security policies and the software platforms. However, since this research will focus on the setup of access control, and what types of data are shared across multiple software platforms, this should not be a major area of concern.

• Due to the narrow research topic, previous research is limited. Therefore, current research regarding this topic is limited.
Chapter 2

How are Security Settings Determined for Data that is Transferred Across Multiple Software Platforms

With the continued increase in the amount of data being created and collected, the need for data security also increases. With that in mind, it is vital that organizations understand the importance of securing data used within their software platforms. Unfortunately, Sumithra and Ramraj (2011) described the quality of security as less than desired. Due to this, it is important for security to be integrated throughout the software life cycle (Sumithra & Ramraj, 2011). In order to ensure security is integrated within the life cycle, a checklist can prove valuable. Sumithra and Ramraj (2011) include 26 items on their checklist, including a formal security review, establishing security metrics, setting access parameters, identifying input sources, and testing for system integration.

Based upon the increased focus on security within software platforms, security should be integrated throughout the software platform development. Unfortunately, that is not always the case. As described by El-Hadary and El-Kassas (2014), security requirements can be viewed as constraints on the functionality of software platforms, which causes those requirements to be pushed aside. This ultimately causes concerns for the security of the data that is created or stored with that software platform.

As a method to incorporate security throughout the software platform development, event logs and audit trails allow for the monitoring of the software platforms once they have been implemented. As described by Pandey and Mustafa (2012), a checklist can assist with the process of determining what activities need to be monitored. In addition, it provides a framework based upon the existing literature regarding best practices (Pandey & Mustafa, 2012).
Once the software platform has been implemented, the importance of data security becomes a reality. With that in mind, there needs to be a level of governance to ensure the data is protected. As described by Desai (2013), data protection laws are aimed at protecting user rights and determining the location of data. Based upon this, the issue of jurisdiction becomes of increasing concern, and will vary based upon the locations in which the data is stored. Desai (2013) explains that global cloud services present challenges with variances in requirements across jurisdictions. Because of this, it is important to create a uniform set of policies, which is currently being discussed by the European Union governing bodies. Unfortunately, this approach may not be ideal, as the logistics of data movement are dynamic and ever changing.

How do Data Owners Ensure Their Data is Secured in other Software Platforms

One method used to ensure data security is through the utilization of access control lists (ACLs). ACLs allow security administrators to set privileges for users to access specific sets of data. In addition, there are various types of ACLs, including role-based, discretionary, system, multithread, or mandatory. In support of data security, ACLs can be a powerful tool for administrators to specify access for users, as well as define their abilities for the creation or modification of data.

In addition, some of those tools can be automated, allowing an administrator to focus on other tasks. One such tool is the utilization of mandatory access control lists (MACLs), which are predefined and not under control of the object owner (Kearns, 2006). In essence, the MACL can give a user with a specific access level read-only access to lower levels and write access to equal or higher levels, and sometimes disallow access altogether (Kearns, 2006).
In addition, there is concern for the flow of information with software platforms. Due to this, it is important that access control addresses that concern. As described by Chou, Lo, and
Lai (2005), the program execution by legal users does provide opportunities for potential attacks. However, there are a few concerns in regards to shared memory, non-interference, and combination leakage (Chou et al., 2005).

Chou et al. (2005) describe the concern of shared memory leakage through the example of individuals sharing chopsticks, which requires the chopsticks to be cleaned before being used again. Although this analogy may seem rudimentary, it demonstrates the need for ensuring each user is allowed to use clean tools before proceeding.

The same analogy can also be used to describe non-interference. Specifically, each individual is able to use any of the chopsticks, with the individual and chopsticks each having their own access control rights, which are changed once an individual uses a specific set of chopsticks (Chou et al., 2005). Chou et al. (2005) attempt to address this concern by the creation of associated groups, which are aimed at restricting the indirect flow of information from outside associated groups.

The final concern described is combination leakage, which is caused when an individual is able to use a mathematical function to determine information based upon obtaining specific information multiple times (Chou et al., 2005). In order to prevent this concern, access control would prevent individuals from accessing information more than a specified number of times, as well as utilizing a rotation for the individuals who are accessing information within a given time frame (Chou et al., 2005).

Unfortunately, one of the drawbacks of ACLs is the latency that is created due to the additional computations needed (Abdulmohsin, 2009). In order to address this area of concern, certain techniques should be utilized to ensure the optimization of ACLs. However, that task may be easier said than done, as ACLs can be extensive.
As described by Abdulmohsin (2009), the task of optimizing ACLs is to reduce their size, which can also result in the reduction of
configuration errors. By combining the executed access rules, and removing others, Abdulmohsin (2009) was able to optimize the typical ACL by 80%. Although this will increase the optimization of an ACL, there is a significant amount of setup required in the beginning stages.

An additional area of concern is role-based ACLs. As described by Ferraiolo, Sandhu, Gavrila, & Kuhn (2001), there has been an increase in platform providers implementing role-based ACLs without a standard of how role-based ACLs should be structured. Due to incorporating roles, role hierarchies, activation, as well as role constraints, role-based ACLs have begun to become a generalized approach (Ferraiolo et al., 2001). Specifically, administration has become easier, as it allows for the simple transition from one role to a different role when an individual changes functions within an organization (Ferraiolo et al., 2001).

However, there are concerns with the administration of role-based ACLs, which is especially true when using multiple software platforms. As described by Ferraiolo et al. (2001), there has been little consensus on role-based ACLs and which model should be used, as it would either include or exclude too much. Based upon this, there has been a proposed standard to define the basic elements, with examples including users, roles, permissions, and objects (Ferraiolo et al., 2001). Implementing a standard set of role-based ACLs will give platform providers a benchmark for their specific platform, and give the consumer purchasing the platform a better understanding of the terms (Ferraiolo et al., 2001).

Although understanding the terms of role-based ACLs is important, understanding the functional aspects of role-based ACLs is equally important. As described by Ferraiolo et al. (2001), the core of role-based ACLs is that roles are created with specific permissions, and users are assigned role(s) based upon their responsibilities.
There can also be hierarchies applied to role-based ACLs, which establish roles based upon relationships among the users, specifically
supervisors and supervisees (Ferraiolo et al., 2001). There are also role-based ACLs aimed at limiting conflicts of interest by limiting roles based upon membership within a separate role, or by limiting the number of users within a specified role (Ferraiolo et al., 2001).
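The role-based elements described above (roles carrying permissions, a supervisor role inheriting from a supervisee role, mutually exclusive roles, and a cap on the number of users in a role) can be sketched as follows. This is an added example, not code from the capstone or from Ferraiolo et al.; the role, user, and object names are constructed for illustration.

```python
from dataclasses import dataclass, field


class ConstraintViolation(Exception):
    """An assignment would break a cardinality or separation-of-duty rule."""


@dataclass
class RBAC:
    role_perms: dict = field(default_factory=dict)  # role -> {(operation, object)}
    juniors: dict = field(default_factory=dict)     # senior role -> {junior roles}
    user_roles: dict = field(default_factory=dict)  # user -> {directly assigned roles}
    exclusive: list = field(default_factory=list)   # sets of mutually exclusive roles
    max_users: dict = field(default_factory=dict)   # role -> maximum number of holders

    def add_role(self, role, perms=(), juniors=(), max_users=None):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(juniors)
        if max_users is not None:
            self.max_users[role] = max_users

    def closure(self, role, seen=None):
        """Return the role plus every junior role it inherits (cycle-safe)."""
        seen = set() if seen is None else seen
        if role not in seen:
            seen.add(role)
            for junior in self.juniors.get(role, ()):
                self.closure(junior, seen)
        return seen

    def authorized_roles(self, user):
        """Directly assigned roles plus everything inherited through the hierarchy."""
        roles = set()
        for role in self.user_roles.get(user, ()):
            roles |= self.closure(role)
        return roles

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        # Cardinality constraint: cap the number of users holding the role.
        holders = {u for u, rs in self.user_roles.items() if role in rs} - {user}
        limit = self.max_users.get(role)
        if limit is not None and len(holders) >= limit:
            raise ConstraintViolation(f"{role} is limited to {limit} user(s)")
        # Separation of duty: inherited roles count toward the conflict check.
        proposed = self.authorized_roles(user) | self.closure(role)
        for group in self.exclusive:
            if len(group & proposed) > 1:
                raise ConstraintViolation(f"{user} may hold only one of {sorted(group)}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def check(self, user, operation, obj):
        """True if any authorized role carries the (operation, object) permission."""
        return any((operation, obj) in self.role_perms.get(r, ())
                   for r in self.authorized_roles(user))


def build_example():
    """Constructed housing/billing roles; none of these names come from the paper."""
    rbac = RBAC()
    rbac.add_role("housing_clerk", perms={("read", "housing_assignment")})
    rbac.add_role("housing_supervisor", perms={("write", "housing_assignment")},
                  juniors={"housing_clerk"}, max_users=1)
    rbac.add_role("billing_clerk", perms={("read", "billing_record"),
                                          ("write", "billing_record")})
    rbac.add_role("billing_auditor", perms={("read", "billing_audit_log")})
    rbac.exclusive.append({"billing_clerk", "billing_auditor"})
    return rbac


if __name__ == "__main__":
    rbac = build_example()
    rbac.assign("alice", "housing_supervisor")
    print("alice reads housing:", rbac.check("alice", "read", "housing_assignment"))
    print("alice reads billing:", rbac.check("alice", "read", "billing_record"))
    try:
        rbac.assign("bob", "housing_supervisor")
    except ConstraintViolation as exc:
        print("denied:", exc)
```

Moving a user to a different function is a revoke followed by an assign; no per-object permissions have to be touched.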
Chapter 3

Description of Methodology

This section will describe the methodology that will be used to complete the research questions posed in chapter one. Specifically, the research will be quantitative in nature and will be conducted through a survey that will be distributed to specific staff members at Ferris State University. The specific staff members will be chosen based upon their role within the organization, and their designation as a ‘data owner’. These ‘data owners’ are designated as the staff members who are responsible for specific data which is created, stored, and transferred among the multiple software platforms at Ferris State University.

This methodology was chosen to allow for the collection of data directly from individuals who are responsible for ensuring the security of protected data on campus. A survey will also allow for specific questions to be developed that will address the research questions. Once completed, the survey responses should provide a strong foundation for the development of best practices to ensure data security across multiple platforms.

Design of the Study

In order to distribute the survey in an efficient and effective manner, Survey Monkey will be used. By utilizing Survey Monkey, the survey will be available in an electronic format, which allows for individuals to submit the completed survey in a timely manner. In addition, Survey Monkey offers a variety of tools that will assist with ensuring an adequate response rate, as well as a method to analyze the results, which will be discussed in the next section.

Research Question 1: How are security settings determined for data that is transferred across multiple software platforms?

In order to answer research question one, questions will be developed that focus on data security settings. These questions
will be combined with the questions developed to answer research question two, and will be given as one survey. Once the survey has been developed and tested, it will be distributed to individuals who have been classified as data owners by Ferris State University’s Data Security Administrator; this group is considered a sample of convenience.

After the individuals have been selected, they will receive an e-mail with a summary of the research purpose. The e-mail will also detail the instructions on how to complete the survey. In order to ensure an adequate response rate, individual responses will be anonymous, which should encourage individuals to answer the questions in an honest manner. A detailed view of the e-mail sent to the individuals is provided in Appendix A.

All individuals will be given seven days to complete the survey. After four days, the individuals who have not completed the survey will be sent a reminder e-mail. One day before the survey is to be completed, another e-mail will be sent to any individuals who still have not completed the survey.

Survey questions 3 - 6, and 9 are used to answer research question 1, as they are used to determine security settings in software platforms.

Research Question 2: How do data owners ensure their data is secured in other software platforms?

In order to answer research question two, questions will be developed that focus on how data and the data owners interact with other data and data owners. As described under question one, individuals will be selected by their designation as a data owner. Those individuals will then receive an e-mail describing the research, and how to complete the survey. All responses will remain anonymous, and individuals will be given two weeks to complete the survey, with reminders sent at one week, and one day before completion of the survey.
Survey questions 7, 8, and 10 – 18 are used to answer research question 2, as they address how data is secured in multiple software platforms. Survey questions 1 and 2 are demographical questions used to determine the types of data supervised by the respondents.
Data Analysis

Since the survey will be administered via Survey Monkey, analysis will be conducted by means of Survey Monkey’s online tools. These tools include a summary for each survey question, as well as individual responses for each question. By utilizing the provided tools, it will allow for a detailed analysis of each question, and how many responses are similar or dissimilar. The data analysis will begin once the two week survey has been completed.

Once all responses have been collected and analyzed, the responses will be kept for approximately one year from the date of the submission of the final capstone draft. All responses will be kept via the Survey Monkey account that will be established, and will be deleted at the established date.

In anticipation of the survey results, it is expected that the responses will highlight how data is secured (or unsecured) within multiple software platforms. In addition, the survey responses should indicate any areas in which there is concern for data security, and therefore prompt for the development of best practices.

If it is determined that the current settings regarding data security are sufficient, best practices will be developed based upon these settings. If the current settings are determined to be insufficient, a list of recommendations will be developed to address the specific settings that are insufficient. The recommendations will be based upon
Chapter 4

This chapter will review the research that was completed in regards to data security processes at Ferris State University. Specifically, the research highlights the types of data in question, how access to data is determined, how access is monitored, and the methods used to ensure data security.

The survey was sent to six individuals who have been identified as data owners as described in chapter three. Of the six individuals, four completed the survey, equaling a 66% response rate. In order to understand the types of data that each respondent is responsible for, the first question asked for the types of data they supervised. Table 1 details the types of data that are supervised by each respondent. There was also an option to manually enter a response, which one respondent did; however, the respondent was adding to the answer for question number seven.

Table 1
Table Describing Supervised Data

Type of data | # of respondents
Biographical (i.e. first name, last name, date of birth, etc.) | 3
Academic (i.e. G.P.A., major/minor, course credits, etc.) | 3
Financial (i.e. billing, payment method, etc.) | 2
Other | 1
The respondents also answered whether the data they supervised was protected by the Family Educational Rights and Privacy Act (FERPA), to which 100% of the respondents indicated their data was protected by FERPA.

Research Question 1: How are Security Settings Determined for Data that is Transferred Across Multiple Software Platforms

One of the main purposes of this study is to determine how the security settings ensure that data is secured across multiple software platforms. Specifically, software security needs to be a focus of the individuals supervising data, and the users that are able to access their data. According to the survey results, 75% of the respondents indicate they approve each individual that requests access to their data. In addition, 75% of the respondents limit the number of individuals that are allowed access to their data.

While the initial approval of each user should be a top priority for data owners, periodic reviews of the access given to users are just as vital. This is due to potential changes in users’ responsibilities, or how they are accessing the data. Based upon the information provided in Table 2, 75% of the respondents indicated they review user access at least every three – six months.

Table 2
Table Describing Access Reviews

Timeframe for access review | # of respondents
Monthly | 1
Three – six months | 2
Six months or more | 0
Never – or not on a regular basis | 1
As important as it is to know the users that have access to their data, data owners also need to know the specific software platforms that access their data. As reported in the survey, 75% of the respondents indicate that third-party software is allowed to access their data. In addition, 75% of the respondents indicated they know the third-party software platforms that are able to access their data. Although 25% of the respondents indicated they did not know the third-party software that has access to their data, this may be explained by the previous response in which 25% of the respondents indicated that third-party software platforms are not allowed to access their data.

Research Question 2: How do Data Owners Ensure Their Data is Secured in other Software Platforms

Additionally, having the ability to monitor and audit when data is altered by users is critical for data owners to ensure the security of data. As reported by the data owners, 100% indicated they are able to monitor and audit data that has been altered. As illustrated in Table 3, 50% of the respondents indicated they only audit the data being accessed every three – six months, with the other 50% only auditing the data every six months, or never.

Table 3
Table Describing Data Audits

Timeframe for data audits | # of respondents
Monthly | 0
Three – six months | 2
Six months or more | 1
Never – or not on a regular basis | 1
In addition to auditing the data, data owners may occasionally limit the time frame in which a user is able to access data. Although this may be an option for data owners, only 25% indicated they do limit the time frame in which data can be accessed. However, as briefly described at the beginning of this chapter, one of the data owners did indicate they limit user access based upon the class that user may be associated with.

Data access can also be limited based on the location of the user when accessing data. This would be used to prevent users from accessing data from an off-campus location that may not be on a secured network. However, only 25% of the data owners reported limiting user access based upon their location.

As indicated by the previous survey results, the data owners may not be monitoring access on a regular basis. Due to this, it is also important for data owners to be alerted if improper access has occurred. However, only 50% of the respondents have indicated there is a method for alerting when improper access has occurred.

It is also important that each user has a unique account to access the software platforms. As illustrated in Table 4, all of the respondents have indicated that each user has a unique account.

Table 4
Table Describing User Accounts

Creation of user account | # of respondents
Yes – everyone must have a unique account | 4
Seldom – there are a few unique accounts but mostly shared accounts | 0
No – there are no unique accounts | 0
Although each user is required to have a unique account, there is the possibility that users can have multiple sessions open simultaneously. This may be used by users that are attempting to bypass security settings. As reported by the respondents, 100% indicated there is no limit to the number of instances in which a user can be logged into the software platform simultaneously.

Although the potential for users having multiple sessions open simultaneously is a valid concern, there can be policies implemented that negate some of the concern for data owners. Specifically, minimum password requirements for user accounts can limit the ability of outside individuals to compromise the security of a user’s account. As reported by the respondents, 100% indicated there are minimum requirements for a user’s password.

In addition, having users that are trained in regards to the university’s security policies is vital. All of the respondents indicated that all users do receive training.

Finally, there can be incidents in which data may be compromised by security incidents. While the university should have policies in place that limit the possibility of such an incident, it is just as important to have policies that negate the impact an event may have on the university. Specifically, having accurate backups of the data is extremely important. As illustrated by Table 5, the respondents indicate that all types of data are backed up on a regular basis.

Table 5
Table Describing Data Backups

Timeframe for backups | # of respondents
Monthly | 4
Three – six months | 0
Six months or more | 0
Although the respondents have indicated an understanding of the importance of data security, there are areas in which data security could be improved. Those areas will be discussed further in chapter 5. In addition, recommendations will be developed to address the areas that need improvement to ensure data security.
Chapter 5

This research was designed to study data security, and how data is secured when it is transferred across multiple software platforms. Specifically, this research sought to answer the following questions as first outlined in chapter 1:

1. How are security settings determined for data that is transferred across multiple software platforms?
2. How do data owners ensure their data is secured in other software platforms?

This chapter will provide a summary of the research findings, recommendations for best practices to ensure data security, and suggestions for future study.

Summary of Findings

Data security is an issue that every individual should be concerned with. Personal data can be obtained by individuals other than the individual it references, and used for malicious means. As indicated in the previous chapter, the data security settings researched in this study pertain to biographical, academic, and financial data.

Although individuals may take every precaution to ensure their data is secure, those precautions can be negated by inadequate security settings at the organization collecting and storing that data. Therefore, it is important that data owners implement security settings to ensure the safety of data.

As previously described, 75% of the data owners studied approve each user that is allowed access to their data, as well as limit the number of users that are allowed access to data. Additionally, 75% of the data owners review user access at least every six months, with 25% reviewing the access on a monthly basis. Policies such as these ensure that users are not able to access data that is not within their role or responsibilities.
In addition, the data owners have indicated that they are aware of the third-party software platforms allowed to access their data, thus limiting the potential for non-verified software platforms to access data. Knowing the software platforms that have access to data is just as important as knowing the users that have access to data.

Although security settings are designed to limit the potential for security breaches, there can be incidents in which a user does not act in accordance with those security settings. Therefore, it is also important to be able to audit when data is altered or accessed by a user. Unfortunately, the data owners indicated that the data is only audited every three – six months, or in some instances, never.

There have also been instances in which users are accessing data when not at the workplace. These types of instances raise concern as to why users would be accessing data away from the workplace. To limit these instances, data owners can occasionally limit the timeframe in which a user’s access is valid. However, only 25% of the data owners have indicated that this practice is implemented.

Additionally, it is important to be alerted when improper access does occur. Unfortunately, 50% of the data owners have indicated there is no method to alert when improper access has occurred. This may be explained by not having the ability to limit the number of sessions a user is able to have open simultaneously. Although each user is required to have a unique account, a user could give their credentials to an unauthorized user, and both could be logged on simultaneously.

Although there are settings and/or policies that could be revised to improve data security, there are measures in place to ensure accurate backups of data are created. As indicated by all
  • 29. the data owners, backups of the data occur monthly. With this policy in place, if data were maliciously altered by a user, the data may be restored from a previous backup.

    Recommendations

    Although many of the settings and/or policies address many of the concerns related to data security, there are still areas for growth and improvement. By implementing some best practices, the data security should be greatly improved.

    1. Develop role-based access control lists.
    2. Complete reviews of user access on a specified schedule, preferably no less than once every three months.
    3. Implement a schedule to audit data access, preferably no less than once every three months.
    4. Implement security settings to limit user access within a specific time frame (e.g., Monday through Friday, 8 a.m. to 5 p.m.).
    5. Implement security settings to limit user access based upon location (e.g., on-campus versus off-campus).
    6. Implement security settings limiting the ability of users to have multiple sessions open simultaneously.
    7. Implement data security training for all users, including having users complete the training on a periodic basis.

    Although some of these best practices may be limited by the settings available within the specific software platforms, they provide a foundation for data security settings. In addition, it should be understood that these best practices will require implementation over a period of time and cannot be implemented instantly.
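Recommendations 4 through 6, together with the finding that half of the data owners have no way to be alerted to improper access, can be expressed as a check over an access log. The following is an added example, not part of the original paper; the log format, user names, campus network range and the `review_access` function are assumptions constructed for illustration.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed policy values. The paper suggests Monday through Friday, 8 to 5, and
# on-campus access; the network range below is constructed for illustration.
WORK_START, WORK_END = time(8, 0), time(17, 0)
CAMPUS_NETS = [ip_network("10.20.0.0/16")]

# Constructed sample log: ISO timestamp, user, event, source IP.
SAMPLE_LOG = """\
2015-06-01T09:15:00 asmith login 10.20.4.7
2015-06-01T09:40:00 asmith login 10.20.9.31
2015-06-01T10:05:00 asmith logout 10.20.4.7
2015-06-01T10:30:00 asmith logout 10.20.9.31
2015-06-01T22:10:00 bjones login 10.20.1.5
2015-06-02T11:00:00 dlee login 203.0.113.50
2015-06-06T10:00:00 cdoe login 10.20.2.2
"""


def review_access(log_text):
    """Return sorted (user, reason) findings for logins that break policy."""
    findings = set()
    open_sessions = {}  # user -> source IPs of sessions not yet logged out
    # ISO timestamps sort chronologically as plain strings.
    for line in sorted(ln for ln in log_text.splitlines() if ln.strip()):
        stamp, user, event, src = line.split()
        when = datetime.fromisoformat(stamp)
        sessions = open_sessions.setdefault(user, [])
        if event == "logout":
            if src in sessions:
                sessions.remove(src)
            continue
        # Recommendation 4: access only within the approved time frame.
        if when.weekday() >= 5 or not (WORK_START <= when.time() < WORK_END):
            findings.add((user, "outside-hours"))
        # Recommendation 5: access only from approved locations.
        if not any(ip_address(src) in net for net in CAMPUS_NETS):
            findings.add((user, "off-campus"))
        # Recommendation 6: no second session while one is still open.
        if sessions:
            findings.add((user, "concurrent-session"))
        sessions.append(src)
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in review_access(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

The concurrent-session finding is the one that surfaces shared credentials: a unique account alone does not show that two people are logged on with it at once.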
  • 30. Further Study

    Although the research was able to highlight areas of strength as well as areas of growth with regard to data security, there are areas in which additional research needs to be completed. Specifically, there are additional questions that would serve as a follow-up to the questions in the survey. Although the respondents were asked if they approve each user that requests access, there could be follow-up regarding how data owners approve each request. In addition, respondents were asked if they limit the number of users allowed access. However, respondents should be able to elaborate on how they limit the number of users and how the specific number of users allowed is determined.

    Respondents were also asked if they knew the software platforms that access their data. However, there could be clarification on the specific software platforms accessing data, as well as which software platforms are accessing which data. This would demonstrate the data owners' understanding of the various software platforms in use.

    In addition, the methods for how data is tracked could be elaborated on. This would also include the methods used for alerting data owners about improper access. With a thorough understanding of these methods, recommendations could be developed to address potential security concerns.

    Finally, as data security continues to be an area of concern, the settings and policies described throughout this paper will need to be reviewed and revised. These settings and policies should be considered a living document that allows for flexibility and growth as additional technologies are developed and implemented.
  • 32. Appendix A
  • 33. Appendix B