A security audit at Walsh College confirmed that technology defenses were solid. But suspected vulnerabilities for other types of stored documents led to the launch of an initiative to make staff aware of its key role in data protection.
By Helen Kieba-Tolksdorf and Joe Esdale
Any campus leader in charge of valuable, private information understands that there are two lines of defense when it comes to safeguarding information at an institution—people and technology. While most institutions put all the emphasis on electronic controls and training employees on securing IT-related functions and processes, information outside the cyber domain is perhaps even more vulnerable to loss. In this new age of information fraud and theft, specialists must assess risks to information wherever it is within the organization. There is no amount of technology investment that can overcome deficiencies in the first line of defense—people. An institution can invest in a state-of-the-art security system, but that can be easily defeated when an employee writes down his password on a sticky note and posts it on a computer monitor, where it can be freely accessed by anyone.
According to Identity Theft Loss Prev-ention LLC (IDTLP), Lansing, Michigan, which provides systems designed to protect sensitive information, colleges and universities are at a very high risk for incidents of information loss. Nearly every function of a higher education institution involves confidential and sensitive information (CSI), which is highly valuable to thieves for direct use or resale for identity theft and fraud.
Higher education institutions have concentrated on compliance policies, technology, and a limited scope of identifiers in order to safeguard information. According to IDTLP, "A person's name found with any one identifier, aside from contact information, can be used to recreate that individual's entire identity, and therefore is of great value to a thief." Most prevention programs at institutions focus on identifiers such as Social Security numbers or financial account numbers, while overlooking other key information such as addresses and family relationships.
Campus IT administrators in higher education typically have done a good job with hardware and software network controls; only 29 percent of information breaches annually are related to computer hackings. The true challenge for program auditors and administrators is providing the level of expertise necessary to address the other 71 percent of institutional risk for information loss or breach. Unauthorized access to student, employee, faculty, and vendor information in any area can damage the finances, operations, and reputation of an institution. When individuals become victims of identity theft, they look for restitution from the organization that lost their information.
We wanted to ensure that any efforts to increase security awareness would permanently change the information security culture of the college, but we weren't sure that training alone could achieve that.
At Walsh College, a multicampus institution in Michigan, we formed a core team in May 2011 consisting of the vice president of finance, the controller, and the executive director of technology, to discuss the college's readiness to resist and successfully prevent a targeted attack against its information security. The team was confident that its technology line of defense was adequate, and a security audit conducted by an independent qualified security assessor in June 2011 confirmed this. But, we knew that there were vulnerabilities in our first line of defense—people. The college did not have a formal program to make its employees aware of their role in safeguarding information, what a possible information security threat might look like, or how to respond to a breach.
The team discussed the possibility of conducting training sessions for the entire Walsh College staff to raise awareness of the importance of information security. We wanted to ensure that any efforts to increase security awareness would permanently change the information security culture of the college, but we weren't sure that training alone could achieve that.
Committed to CSI Control
Walsh College has always been committed to protecting the confidential and sensitive information of its 4,500 students, 26,000 alumni, and 400 employees. System security audit reviews are performed routinely, internally and by outside independent experts, after which control improvements are implemented, if necessary.
The college has a history of proactively reviewing its policies against the Family Educational Rights and Privacy Act (FERPA) to ensure compliance. Among other security insurance programs, Walsh College instituted an extensive and successful payment card industry (PCI) and Red Flag identity theft warning signs compliance project. It was also an early adopter of Good for Enterprise mobile-device security tools so that e-mail sent to smartphones would be encrypted to protect any potential sensitive information. Finally, the college has provided its adjunct instructors with terminal-server access to college systems and network drives from their work or home PCs. This enables the instructors to save any CSI on the college's infrastructure, where it is properly secured and backed up.
Because of Walsh College's ongoing commitment to data security, we decided to find an experienced consulting firm to help us create a social engineering awareness and data-loss prevention initiative. We contracted with IDTLP and the result was an information security program that was recognized with a NACUBO 2012 Innovation Award.
Plan of Attack
As part of the college's initiative, the consulting firm conducted a penetration test of the institution's staff, technology, and facilities. According to TechTarget, a technology-review Web site, "Social engineering is a term that describes a nontechnical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures." What is innovative about this approach is that very few colleges test their ability to resist social engineering; they typically hire outside security consultants to test IT systems, but rarely challenge the human-related components of data protection.
The exact dates of the testing were left vague even to those at the college who knew about them. We wanted the tests to be as realistic as possible to see how the staff would react. While the specific results of the attacks against Walsh College remain confidential, exposing its entire operation to a series of "real-life" breaches—in a controlled environment, by ethical thieves, using actual tactics—shocked everyone at the college. Suddenly, these were not crime stories that we read about in the newspapers, but events that actually happened on our campus. Even more surprising was how and where the test's social engineers got the information.
The test confirmed that the majority of our vulnerability was outside the cyber domain. We had to expand our definition of information security and redefine it as the security of the information contained in documents in employee drawers, on their desks, and in storage rooms. In August 2011, the firm debriefed the audit committee, the group responsible for oversight and integrity of the college's financial systems and records.
Information Security Culture Change
The consulting firm helped us accomplish the first part of our initiative, which was to test Walsh College's breach preparedness and to raise awareness among staff. Now that everyone's awareness was at an all-time high, the core team began the second part of the initiative: implementing an identity theft prevention program to be managed by an identity theft prevention team. The team, which reports to the vice president of finance, consists of the director of admissions and advising, the director of records and registration, the controller and director of accounting, the director of facilities and auxiliary services, and the executive director of the office of information technology.
The team assessed each department for information vulnerability, then helped department heads plan information security programs. Together, they also identified interdepartmental risks, after which the college has made a number of process and procedural changes:
- All on-site contractors obtain identity badges through a new procedure.
- Back-office areas have newly secured doors that were previously left open as a matter of convenience for staff.
- Guests are escorted through back offices following procedures outlined in a new policy.
- Staff follow new procedures when storing confidential information on hard copy.
Additionally, the college hired IDTLP to return on our employee training day in July 2012 to present its employee identity theft prevention program. Each employee was given training on ways to prevent identity theft, identify confidential and sensitive information in his or her area, and protect information in transit and when stored. We recorded these sessions and posted them to the employee portal so that new employees would also receive the benefit of this training during their orientation. Since the training session, each department is reexamining its policies and procedures to make sure that the college is doing everything possible to protect the CSI of our students, staff, and faculty.
The expertise and proven methodology of our consulting firm, in collaboration with our experience, enabled us to create an effective information security program. The next phase is maintaining and improving the program. The identity theft prevention team will initially meet quarterly to address ways to do this as well as discuss our other security initiatives. We will continue to engage outside experts for ongoing team, faculty, and staff training, as well as for periodic assessment. While there is no guarantee against incidents of information loss, Walsh College now has a comprehensive identity theft prevention program in place and has established the culture to maintain it.
HELEN C. KIEBA-TOLKSDORF, CPA, is vice president, finance, and chief financial officer and treasurer, Walsh College, Troy, Michigan; and JOE ESDALE, a CareTech Solutions client executive, is assigned the role of executive director, office of information technology, Walsh College.