Friday, June 20, 2008

Information Security at Colleges and Universities

When you read the reports of information security breaches at The Breach Blog (see http://www.breachblog.com) and SC Magazine (see http://breach.scmagazineblogs.com), one of the most remarkable patterns is the frequency of breaches occurring in colleges and universities.

Source: Scott Wright's Security Views

While it is true that many of the published breaches took place at colleges and universities, it is important to realize that institutions of higher education are typically more open, and more willing to share information with the outside world, than corporations of a similar size would be. Do not forget that even a small college may have upwards of 10,000 users (students, faculty, administration and staff), and those numbers go up significantly once the larger universities are included. Breach counts alone, without a sense of the user population and the degree of openness behind them, say little about how well a sector is doing.

The most important core value of research and education is Academic Freedom. Academic freedom is usually described as the right of each individual member of the faculty of an institution to enjoy the freedom to study, to inquire, to speak his mind, to communicate his ideas, and to assert the truth as he sees it. In the United States, the professor's academic freedom is often defined in terms of full freedom in research and in the publication of the results, in classroom discussion of his subject, and in the exercise extra-murally of his basic rights as a citizen. [See: Dictionary of the History of Ideas]

In other words, the nature of Academic Freedom all but requires that members of Faculty are provided with any access they request. Administration is not expected to assess the request, let alone perform a risk analysis of its implications. Academic Freedom gives faculty members the right to study what they feel is necessary, which usually also means in the way they feel is necessary.

Scott provides the example of restricting access to institutional directories. Even that is hard. The scientific method relies on peer review as its primary means of quality control. Reaching out to peers to request reviews, to invite participation in conferences, or to offer them constructive feedback is essential. The same is true on the administrative side: students are expected to be able to contact members of administration on a large variety of issues, ranging from financial aid to enrollment to IT support. Restricting directory access to local users only, or requiring remote users to log on to a web site first, is often seen as a very unfriendly way of doing things. Private universities in particular, which rely heavily on student tuition, will go to great lengths to keep students happy.

Faculty will not adjust to information security policies and procedures. Rather, information security policies and procedures must adjust to Faculty. This realization may be the most important lesson that a university administrator must learn. Without it, he will fail.

Scott also wrote:

It can be a challenge to secure such a large and complex environment, but by breaking the problem down and addressing the issues one step at a time, the rate of security breaches can certainly be improved to a less embarrassing frequency.
The most critical success factor when dealing with universities is patience. An information security professional at a college typically spends most of his time away from his desk, talking to stakeholders and explaining what information security is about and why it matters to them. Because of the high degree of autonomy that faculty members have, and the decentralized nature of most colleges, implementing even a modest technical control like restricting access to a directory is typically a lengthy process that requires an enormous amount of awareness raising, lobbying, and convincing. A control that is pushed through without that groundwork is the one most likely to be circumvented or quietly rolled back.

The good news is that a growing number of schools have realized that information security is important. Not only because of increasing legislation and regulation (most colleges must comply with some combination of GLBA, HIPAA, PCI DSS, FERPA, and a few more, depending on their activities: FERPA for student records, GLBA for financial aid and other customer financial data, HIPAA where the school operates a covered health component such as a student health center or medical school, and PCI DSS wherever payment cards are accepted), but more so because of an increasing expectation among students that their information is secure, while at the same time they enjoy full and unrestricted access to very high-speed networks. Remember, students are the largest source of revenue for universities, and that fact is very well known. Meeting students' expectations is a critical success factor. Schools that fail to do so will be faced with dropping enrollment numbers and, as a direct result, with less revenue.
