Privacy and security. Security and privacy. Like ebony and ivory, the terms privacy and security seem to go together: one is rarely mentioned without the other. However, they are not synonymous and do not always exist in perfect harmony. Security is principally concerned with the management of risk. Privacy relates to the ability of individuals to control information about themselves. In our efforts to add more and more security to protect the U.S. homeland and cybersystems, we have enhanced the privacy of personal information, but we have also simultaneously created situations in which privacy is traded or sacrificed for the sake of security.
Addressing privacy and security in cyberspace is thus an evolving balance for higher education. One aspect of privacy is ensuring that personal information held by the college or university does not fall into the wrong hands, also referred to as confidentiality. Another side of privacy is the ability of students, faculty, and staff to go about their daily lives without leaving a trail, including anonymous forms of communication. Security, on the other hand, may limit activities to only the things that those both within and outside the campus community have the right to see and do, often expressed as authentication and authorization. Additionally, security controls are designed to ensure that computers, systems, and networks are available on a timely basis to meet the institution’s mission requirements.
Clearly, both security and privacy are topics of increasing importance to colleges and universities, especially given higher education’s reliance on information technology and its growing dependence on electronic communications. This importance is not lost on those who work in the higher education IT field: in the 2006 EDUCAUSE Current Issues Survey, participants ranked “Security and Identity Management” as the number-one IT-related issue in terms of its strategic importance to the institution. To address this concern and to help college and university administrators navigate the complex areas of privacy and security, we have compiled this EDUCAUSE Review focus section: a comprehensive set of articles whose authors cover the landscape of topics of practical significance to the higher education community.
Fred Cate sets the stage by challenging higher education administrators to take privacy and security issues more seriously. He observes that institutions of higher education collect an enormous volume and variety of personal information that, unfortunately, has not been sufficiently protected. He offers some very practical advice for how colleges and universities can improve their privacy and security position.
John Voloudakis argues that higher education has made progress toward improving IT security in the past three years, as revealed by data collected in a recent EDUCAUSE Center for Analysis and Research (ECAR) study. Voloudakis suggests that interventions, including awareness initiatives and defensive measures, are evidence of greater attention and focus. Nonetheless, Voloudakis notes that improvement is still needed. He suggests an enterprise IT security program so that higher education can address the changing nature of IT security threats and can meet the increasing number of IT security mandates required by the federal government.
This growing list of IT security laws and regulations is the focus of Peter Adler’s article. A lawyer and consultant who served as the interim chief security officer at the University of Colorado System, Adler has experienced firsthand the challenges of developing an information security program that will be effective in higher education, given academia’s traditions of openness and the decentralized culture of academic organizations. He also understands the nuances of the multiple sources of federal and state laws that often result in a piecemeal approach to information security. Fortunately, he offers a “unified approach” for untangling the complex set of mandates and for weaving them into a single, comprehensive compliance process that both satisfies legal requirements and improves the security of information assets.
Implementing any enterprise-wide, unified program or approach for information privacy and security necessitates the talents of someone who can fulfill the roles of both a Chief Security Officer (CSO) and a Chief Privacy Officer (CPO). No one is positioned to explain the role of the CPO in higher education better than two of the pioneers who have helped to define that role. Lauren Steinfeld and Kathleen Sutherland Archuleta articulate the value of formally consolidating all responsibility for privacy matters into a single position, someone who can serve as the “champion” for these issues throughout the institution. They discuss the activities of the CPO and also the key elements for success in this position. Undoubtedly, the need for privacy advocacy and expertise within colleges and universities will become even greater as the responsibility to protect networked personal information becomes more evident and as the use of computers and the Internet makes it easier to monitor personal behavior and communications.
Developing and executing the institution’s information security program is the job of the CSO. The CSO function is relatively new to higher education, although there has been a steady growth in the number of dedicated IT security staff since the mid-1990s, according to the 2003 ECAR research study “Information Technology Security: Governance, Strategy, and Practice in Higher Education.” The role of the CSO varies from institution to institution, largely due to the diversity in size and type of colleges and universities. Based on 2005 ECAR data and the experiences of the EDUCAUSE/Internet2 Computer and Network Security Task Force, Rodney Petersen documents the trends in the CSO position.
This collection of articles from thought leaders in the field is designed to apprise the higher education community of the current privacy and security challenges and also to offer possible solutions for those challenges. Over time, the tension between privacy and security will likely diminish, and their complementary natures will be leveraged for the interests of both the institution and the individual. In the meantime, working together, the CPO and the CSO (or equivalent positions) can strike a harmonious chord that demonstrates the importance and relevance of both privacy and security in a world in which colleges and universities are increasingly reliant on the use of information technologies for the collection, storage, use, distribution, and protection of data.
Rodney Petersen is Policy Analyst and Security Task Force Coordinator for EDUCAUSE. Steve Worona is Director of Policy & Networking Programs for EDUCAUSE.
© 2006 Rodney Petersen and Steve Worona. The text of this article is licensed under the Creative Commons Attribution 4.0 International License.
EDUCAUSE Review vol. 41, no. 5 (September/October 2006): 16–17