Spam blocking, firewall protection, raising awareness among staff....What are you doing to ward off sabotage in cyberspace?
By Karla Hignite
At the same time, the high-profile nature of identity theft alone has captured the attention of administrators and board members who understand the real danger that a leak of confidential information presents for institution stakeholders. For that reason, colleges and universities are also taking stock of the kind of information collected and stored.
Reed College stopped using Social Security numbers to identify its 1,400 students more than a decade ago, well before concerns about identity theft hit the mainstream media. Other institutions are aggressively following course. California State University–Fullerton recently completed a five-month campuswide conversion to give its 32,000 students new unique identifiers. “It’s been an ongoing process, because Social Security numbers were embedded in almost every system we have,” says Amir Dabirian, CSU–Fullerton’s interim chief information technology officer.
Beyond loss of identity, institutional leaders also understand IT security threats in terms of lost productivity. “Whether buying a sandwich or a book, checking grades, or taking a quiz, technology underlies so much of how we do business these days that any extended interruption to those processes presents real financial risks for a campus,” says Henry DeVries, vice president for administration, finance, and information services at Calvin College, Grand Rapids, Michigan. In the fall of 2003, Calvin averted a virus outbreak that afflicted many other campuses by equipping returning students with the latest version of antivirus software to install on their computers before accessing the campus network. That required $10,000 to purchase a site license and several weeks to burn CDs containing the software and instructions. More significant, says DeVries, were the time and resources saved by preventing a massive outbreak that could have left huge segments of the campus network down for days.
The Security-Demand Spiral
Although IT security expectations have grown at many institutions, budgets have not. John Bruggeman selected an off-the-shelf solution to filter the 12,000 incoming e-mail messages received daily at Hebrew Union College–Jewish Institute of Religion, of which more than half are spam. Even so, says Bruggeman, director of information systems for HUC–JIR, Cincinnati, the lowcost solution represents $3,600 from this year’s budget that he won’t get to spend on other projects such as faculty testing of new equipment in the main campus technology lab.
Time has been another casualty. “I spend about 30 percent of a typical day on security issues,” he says. As one of five IT staff at HUC–JIR’s four locations, Bruggeman functions as the IT director and the IT security department. “On a daily basis I monitor current threats and vulnerabilities via Internet lists, monitor firewall logs, and verify that our anti-spam filter isn’t keeping out legitimate e-mails.”
Dabirian has likewise witnessed a shift of time and money toward IT security efforts. “Five years ago, this institution did not have an IT network security line item,” says Dabirian. CSU–Fullerton currently has earmarked roughly $250,000 for IT security-specific projects. During the past several years, spending has increased in an effort to keep pace with the sharpened skills of hackers, says Willie Hagan, CSU–Fullerton’s vice president for administration and finance and information security officer. “The people you are trying to catch today have virtually the same skill level of the staff you have working for you. It’s a case of the cops and robbers having the same arsenal at their disposal,” says Hagan.
A similar tale of increased time and financial attention to IT security no doubt is shared among many institutions. For Seton Hall University, South Orange, New Jersey, the bright spot on the horizon is the imminent hiring of the university’s first full-time director of IT security. Stephen Landry, Seton Hall’s chief information officer, is hopeful that will herald a new phase of proactive IT security planning. “Our first initiatives were driven by events, including firewall protection and centrally automated anti-virus updates as the result of server break-ins and virus outbreaks,” says Landry. “Ever since 2003, many of our security initiatives have been in response to mandates by our compliance office or board to establish an IT security plan and to inventory our risks.” One significant outgrowth of those directives has been a move toward standardizing the entire university on the Microsoft Windows XP operating system.
“But it’s not enough to make sure our network is secure if our data are in jeopardy,” he notes. A primary responsibility of the new director will be to work with others on campus to build data access and storage policies and establish protocols for what information can be downloaded, how it should be encrypted, and what protections must be in place for specific technologies, says Landry. “The last thing you want is to have your director of admissions maintain student names, Social Security numbers, and addresses on a laptop in unencrypted format. We need well-thought-out, carefully constructed architecture policies, processes, and procedures.”
Dabirian echoes that concern. In an age where a 100-gigabyte hard drive is the size of a wallet, it’s not only those with malicious intent to steal data, but also innocent, albeit negligent, staff members who walk away for a minute who can be the cause of your worst IT security breach nightmare. That raises the dual issues of authentication and access: Who should have access to which data and for what purposes?
Granting Who, What, and When
As Ringle suggests, in the same way that institutions must take steps to ensure that unauthorized external access to network resources is kept to an absolute minimum, they must also take precautions internally. “The majority of breaches of confidential records in private databases are inside jobs,” says Ringle, noting that’s nothing new. “Even in pre-computer days, one of the first places you looked was at those who had legitimate access to the information.”
More colleges and universities are segmenting networks to limit access to areas where the potential for mischief is high. At CSU–Fullerton, employees granted anything other than normal network access must have written approval, signed by their division head, with ultimate approval by Hagan. These employees must attend a training program that addresses issues of responsibility as custodians of information and must agree to abide by university policies and procedures for sharing information.
How to maximize security without adding complex or onerous requirements is a constant balancing act, admits Dabirian. For Bruggeman, freedom versus security is the crux of his looming challenge: adding wireless access on campus. “As the expectation grows for accessing sensitive data at any time, anywhere, you have to also consider all the necessary protections required to allow a faculty member to sit in a classroom and input grades on a laptop,” he says.
Rodney Petersen acknowledges that IT security can be particularly challenging for colleges and universities because of their unique environments, where attributes of a company are commingled with attributes of a research enterprise and attributes of a residential environment. “The very measures that introduce security and protection, such as firewalls, seem to contradict and restrict ideals of academic freedom and a spirit of collaboration,” says Petersen, EDUCAUSE policy analyst and security task force coordinator. “As such, it’s very difficult to implement a one-size-fits-all security strategy.”
|First Step: Assess Risk|
“One thing you can say about a computer virus is that it is completely democratic. When it hits a campus, it’s indifferent to size,” says Marty Ringle, chief technology officer at Reed College, Portland, Oregon. Yet, while small colleges face the same types of network security threats as do larger institutions, they typically are unable to dedicate even a full-time staff member to deal with these issues, he continues. And as Ringle knows from his many conversations with colleagues, a line item for network security doesn’t exist in the budgets of many smaller institutions, which can be hard pressed to spend even $50,000. That is essentially what it costs to implement the most basic, but arguably the most critical, network security protections: required login with user ID for authentication and automatic scanning of a user’s computer to ensure that it is virus free.
No matter an institution’s size, an important first step for IT security is to conduct an inventory and risk assessment of information systems and data, says Rodney Petersen, EDUCAUSE policy analyst and security task force coordinator. “This includes assessing physical security—where servers are located and how they are protected from damage and natural disaster—as well as whether operating system configurations are up to date and whether individuals responsible for safeguarding data are professionally trained to do so,” says Petersen.
Ringle likewise suggests starting with a security audit, whether done internally, by an outside firm, or by a white hat team from another institution commissioned to attempt a breach of your network. He believes that smaller institutions must be especially mindful of their vulnerabilities. “As it becomes more risky or more difficult for hackers to break into a larger institution’s network, it won’t be long until they begin targeting smaller institutions where security levels may be much lower,” he says.
Petersen believes an institution’s best defense against external security threats is to ensure that operating systems and software have the latest patches and upgrades in place. This is one area where he thinks small institutions may have an advantage in that they tend to have more homogeneous IT environments that can make staying on top of upgrades less complex. A critical review of IT policies and procedures is also essential, says Petersen. “A policy written 10 years ago within a mainframe context must be updated, as must policies and procedures for all employees and those collecting, storing, and disclosing data in this current environment of increased security risk.”
As Ann West sees it, one response to growing concerns about access is to develop applications that leverage information about people and policies within an administrative architecture based on clear standards of appropriate use. “Once you prove you are who you say you are, such as logging on with a user ID and password, something must also determine what you are allowed or authorized to do,” says West. She leads outreach efforts for the NMI-EDIT Consortium (www. nmi-edit.org), part of the National Science Foundation Middleware Initiative. The consortium, composed of Internet2, EDUCAUSE, and the Southeastern Universities Research Association, works to improve the productivity of the research a nd education community through development, testing, and dissemination of architectures, software, and practices in the areas of identity and access management. An overall model is emerging from the work of NMI-EDIT and others that will enable greater flexibility to integrate automated business rules and policy structures to control access to a wide variety of applications, says West. A new piece of infrastructure called privilege management promises to help.
“In essence, privilege management is a way of managing the information associated with who has access to what information, for what reason, and for how long,” she explains. Consider the following statement: By authority of the Dean (grantor), principle investigators (role or group) who have completed financial training (prerequisite) can approve purchases (action) in the School of Medicine (context or scope) for research projects up to $100,000 (limits) until January 1, 2006 (condition). “The infrastructure keeps track of the groups or roles, granting authorities, duration, and so forth, and then provisions the applications appropriately. The policy and business rules must be well integrated into the technology,” explains West. “This not only increases the security, but also can enable new, more flexible applications.” NMI-EDIT is developing these new pieces of information infrastructure for wide use so that institutions won’t have to reinvent the wheel.
Architectures aside, business officers and information officers agree that progress must also be made in bolstering internal understanding about the importance of maintaining data integrity.
End-User Awareness Raising
All computer users need basic awareness about how to protect their own information and the institution’s data as well as how to select good passwords and identify phishing scams, says Petersen. “Once you move beyond the average user, more indepth training is needed for those responsible for data, especially in terms of legal requirements and compliance issues.”
End-user awareness i s one of Seton Hall’s biggest challenges. “The majority of our network problems are the result of students or faculty who inadvertently misconfigure computers or bring a virus onto our campus network,” says Landry. The university is preparing to make some form of computer security and compliance training mandatory for everyone. IT staff are working to develop training for students that covers how to back up data and prevent crashes.
Well-meaning faculty and staff are also apt to get sloppy on occasion when it comes to safeguarding institutional and student data. This past year CSU–Fullerton’s president appointed Hagan as information security officer to focus specifically on information security. “Most attention gets focused on protecting technologies, but increasingly it is the information that is the cause for greatest concern,” explains Hagan. In one instance, a faculty member told Hagan that she was approached by a firm that wanted to survey students and had requested student e-mail addresses. “While greater sensitivity exists today to providing that kind of information, in many instances such requests may seem innocent, and well-intentioned staff or faculty members may comply,” says Hagan. “We have to do a better job of informing our faculty and staff about current laws and about the need to be vigilant regarding potential security breaches.”
As part of Calvin’s general awareness campaign, IT staff generate a weekly e-newsletter that includes articles about security issues, scheduled downtimes, and links for software updates. The college also established a cross-departmental Computer Security Incident Response Team that mobilizes in the event of virus outbreaks and other security emergencies. In one instance, a staff member working from home one night detected a potential virus and called the campus help desk. By 10:00 p.m., the team decided to shut down the network. By 8:00 the next morning, staff and faculty arrived to signs posted on doors alerting them to the potential outbreak and instructing them to log on to receive the latest antivirus patch being pushed to them. “That entailed two hours of no e-mail access for everyone—an inconvenience that you have to counterbalance with days of lost productivity and many hours of cleanup work for our IT staff,” says DeVries.
|What thoughts did this article trigger about the IT security policies outlined or the steps your institution is taking to protect data? Share your feedback with Jane Rooney, managing editor, at firstname.lastname@example.org.|
More recently, Calvin’s IT staff made the roll-out of a new security patch a voluntary process for three months by urging users to download the update at their convenience, letting them know it would take about 45 minutes. Half the machines were updated voluntarily, says DeVries. “Some things are obviously more important than others, so one key to getting the response you need is showing respect for the time of others,” he says. Another is maintaining a tone of reason. “Part of the challenge when you need user compliance is getting their attention without crying wolf. If you can leverage the difference between a priority and an emergency, then when you truly do have a dire situation, warning signs posted on doors will more likely generate the action you need.”
Author Bio Karla Hignite, Tacoma, Washington, covers higher education business issues for Business Officer.
- ED Publishes Proposed Rules on Cash Management
- IPEDS Considers Improving Finance Survey
- Guidance Available on Title IX Coordinator Role
- 2015 CAO and CBO Collaborations
August 3-4, 2015
- 2015 Planning and Budgeting Forum
September 28-29, 2015
- 2015 Tax Forum
October 25-27, 2015
- ON-DEMAND: Lessons Learned in Communicating Financial Information Effectively
- ON-DEMAND: Corporate Sponsorships: Getting it Right
- ON-DEMAND: Analytics that Support Planning, Budgeting, and Results
- A Guide to College and University Budgeting: Foundations for Institutional Effectiveness, 4th ed. - by Larry Goldstein
- NACUBO's Guide to Unitizing Investment Pools - by Mary S. Wheeler
- Managing and Collecting Student Accounts and Loans - by David R. Glezerman and Dennis DeSantis