Key Takeaways
- No single product can guarantee the security of systems and data, especially in the face of increasingly sophisticated threats.
- The real issues in protecting data may lie in an institution's processes, awareness programs, and technology for handling risks.
- Building a highly visible program to continuously improve security can provide a safer environment for data, as explained here.
Connor Gray is chief strategy officer of Campus Management.
In the wake of recent headlines about cyberattacks on colleges and universities, there is growing concern among students, parents, alumni, and donors about the security of the personal information they entrust to institutions. At the same time, these constituents want staff to continue delivering academics, information, and services over the web and to their mobile devices.
How can a school remain true to higher education's principles of openness, community engagement, and the free exchange of ideas, while increasing the security of its data and the confidence of its constituents?
Unfortunately, no single product you buy can guarantee the security of systems and data. The security landscape is constantly evolving in response to newer and more sophisticated threats.
More than the latest security products, though, the real issues may lie on the school's side of the firewall. By examining current processes, awareness programs, and technology for risks and building a highly visible program for continuous improvement in security, today's institutions can achieve a safer environment for their data.
Some recommended guidelines follow.
1. Identify a Security Champion at Your Institution
Part of the challenge is creating awareness within the institution's leadership so that security is seen as important across campus rather than as a burden. An increasing number of institutions now have a chief information security officer (CISO), but the person to whom you assign security responsibilities can be someone in IT who implements and maintains systems. This person must have high visibility and be a champion for security initiatives and compliance. Directives like this need to come from the top for workers to see value in them.
2. Make a Risk-Based Assessment Based on Standards
While there could be many potential threats and weak points across the institution, don't try to implement everything at once. Do a risk assessment first and start with your high-risk items. Ask yourself: What kind of information do we have in-house (PCI, FERPA, HIPAA)? Take an inventory of what you have and where you currently dedicate your resources for remediation. You can then measure your current environment against industry standards. The current gold standard for security management systems is ISO 27001, which provides requirements for establishing, implementing, maintaining, and continuously improving these systems.
But your goal doesn't have to be certification. ISO 27001 has 114 controls in 14 groups. Instead, you can focus on the controls that address the findings of your risk-based assessment.
By considering some of the controls within these standards, you may, for example, discover that no one in IT is regularly reviewing your Active Directory, or that there is no formal or documented process for digitally disengaging employees from systems and facilities when they leave the institution, or that malicious activity is only being discovered after the fact rather than when it's occurring.
3. Assess Your Processes
Controls for assessing your processes include segregating conflicting duties and areas of responsibility that can lead to unauthorized or unintentional modification or misuse of the institution's assets.
What happens to an employee's access privileges if he or she transfers to another department? Is the transfer noted by the security team? Should accessibility be restricted based on the new department or role? If students have access to administrative files in the course of a work-study program, are those access rights removed when they leave the job?
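The transfer and leaver questions above are answerable only if someone regularly reconciles the HR roster against the access each system actually grants. The following script is an added illustration, not part of the original article: it takes a constructed roster and a constructed list of access grants and flags three conditions the text describes: grants belonging to people who have separated or whose work-study assignment has ended ("leaver"), grants to a department's resources held by someone HR now lists elsewhere ("mover"), and grants with no matching person at all ("orphan"). The departments, system names, and dates are made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Person:
    """One row of the HR roster (constructed fields for this example)."""
    user_id: str
    department: str            # department HR currently lists for the person
    status: str                # "active" or "separated"
    role: str                  # "staff", "faculty", or "student-worker"
    end_date: Optional[date]   # last day of employment or work-study assignment, if known

@dataclass(frozen=True)
class Grant:
    """One access grant pulled from a system (e.g. a directory group membership)."""
    user_id: str
    resource: str
    owning_department: str     # department whose data the resource exposes

# Constructed sample roster: "bob" moved from Registrar to Advancement, "carol" left,
# "dave" was a work-study student whose assignment ended on 2014-06-15.
ROSTER = [
    Person("alice", "Registrar", "active", "staff", None),
    Person("bob", "Advancement", "active", "staff", None),
    Person("carol", "Finance", "separated", "staff", date(2014, 5, 30)),
    Person("dave", "Financial Aid", "active", "student-worker", date(2014, 6, 15)),
]

# Constructed sample grants: "eve" no longer appears on the roster at all.
GRANTS = [
    Grant("alice", "registrar-sis", "Registrar"),
    Grant("bob", "registrar-sis", "Registrar"),      # left over from bob's old department
    Grant("bob", "advancement-crm", "Advancement"),
    Grant("carol", "finance-erp", "Finance"),        # carol has separated
    Grant("dave", "finaid-docs", "Financial Aid"),   # dave's assignment has ended
    Grant("eve", "library-admin", "Library"),        # no roster entry
]

Finding = Tuple[str, str, str]   # (category, user_id, resource)

def review_access(roster: List[Person], grants: List[Grant], as_of: date) -> List[Finding]:
    """Reconcile grants against the roster and return the grants that need action."""
    people = {p.user_id: p for p in roster}
    findings: List[Finding] = []
    for g in grants:
        p = people.get(g.user_id)
        if p is None:
            # Nobody in HR owns this account: it should not hold access.
            findings.append(("orphan", g.user_id, g.resource))
        elif p.status == "separated" or (p.end_date is not None and p.end_date < as_of):
            # Separated employees and ended work-study assignments keep no access.
            findings.append(("leaver", g.user_id, g.resource))
        elif g.owning_department != p.department:
            # Access to another department's resource survived a transfer.
            findings.append(("mover", g.user_id, g.resource))
    return sorted(findings)

def summarize(findings: List[Finding]) -> dict:
    """Count findings per category so the numbers can feed the metrics in step 8."""
    counts: dict = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts

if __name__ == "__main__":
    for category, user, resource in review_access(ROSTER, GRANTS, date(2014, 7, 1)):
        print(f"{category:7} {user:6} {resource}")
```

Run as a scheduled job against exports from HR and the directory, the sorted findings become a ticket list for the security team; the cross-department "mover" check is the one most institutions lack, because a transfer rarely generates a deprovisioning request.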
4. Promote Awareness across the Institution
Make your awareness programs highly visible and role-based. The industry standards include separate policies and controls for students, faculty, and staff that go beyond prompts to change passwords, so security education and awareness programs should be geared to each group.
A program for students could focus on recognizing malicious software (malware), phishing, and social network targeting, while your faculty awareness program would include policies and procedures around your learning management system. Again, this would depend on your earlier risk-assessment results.
If your assessment revealed that faculty members are lending badges and devices to their colleagues, then your awareness training for faculty should include physical and biometric security information sessions.
5. Isolate Systems and Data into Zones
Multi-zone isolation of systems with sensitive information is critical to data integrity. For example, student and alumni data could be zoned in separate databases, with access restricted based on roles or departments. With data zoned in this way, you can put more controls in place that are designed specifically to protect those areas. What's more, since remediation can be very expensive, localized troubleshooting of one zone rather than fixing every system is much more cost-effective.
6. Confirm the Security of Applications
Ask before you buy, and check what you develop. Secure development of the product should build security in from the start, reviewing the code not just for correct functionality but for backdoors and SQL injection flaws.
System development life cycle (SDLC) reviews for vulnerabilities should take place during development and testing.
Before you sign a contract, you could ask for a penetration or vulnerability assessment, where someone tries to hack into the application. These tests can be expensive, so an alternative might be to ask about previous vulnerability scans and penetration tests as part of your RFP. Through these steps, you can assess how security is factored into the software development life cycle.
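The SQL injection flaw mentioned above is the kind of defect an SDLC review is meant to catch before testing, and the fix is a coding discipline rather than a product. The snippet below is an added example, not code from the article or from any vendor: it builds a small in-memory SQLite table of constructed student records, then places the vulnerable lookup (user input spliced into the query text) beside the corrected one (input passed as a bound parameter). The probe string is a constructed input that a reviewer would try during testing; against the first function it returns every row, against the second it returns none.

```python
import sqlite3
from typing import List

def make_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, username TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO students (username, ssn_last4) VALUES (?, ?)",
        [("asmith", "1234"), ("bjones", "5678"), ("clee", "9012")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """VULNERABLE: the caller's input becomes part of the SQL text itself."""
    sql = "SELECT username FROM students WHERE username = '%s' ORDER BY username" % username
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """CORRECTED: the input is bound as a parameter and can only ever be data."""
    sql = "SELECT username FROM students WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]

# Constructed test input used during review to show the two functions diverge.
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "asmith"))
    print("vulnerable, probe input: ", lookup_vulnerable(db, PROBE))
    print("safe, probe input:       ", lookup_safe(db, PROBE))
```

When reviewing a vendor's code or your own, the pattern to look for is any query assembled with string formatting or concatenation; every database driver in common use offers parameter binding, so there is rarely a reason to accept the first form.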
7. Determine Security Levels of Hosting and Cloud Services
When considering a hosting provider, you need to determine the levels of support and layers of responsibility for security. Is the vendor just providing a server while you manage the security, content, and liability if anything happens? Is the vendor only providing physical security?
Ask them about certifications. SOC 2 is the assessment standard for technology-oriented service organizations — and any vendor with data center operations or software-as-a-service (SaaS) offerings should have this certification or be close to achieving it. Also ask about the hosting provider's:
- Resiliency and recovery plans: redundancy in the network, power, and multiple ISPs
- Staffing: how many IT professionals will support your hosted solution and have knowledge of your environment?
- Testing of those plans: even if it's a tabletop test where they step through the process without taking systems down, and then enhance processes based on results
8. Measure Outcomes
Follow the old adage: trust but verify. Are your security processes working? Again, this is a risk-based approach, so you don't need metrics for every control, but certainly for the high-risk ones. Were there more security incidents this month than last month? If so, investigate the incidents and consider putting more controls in place.
Implementing a program that includes all these "small steps" is the best way to protect your institution. These proactive measures may be all it takes to secure your data, instill confidence in your constituents, and keep your institution out of those headlines.
© 2014 Connor Gray. The text of this EDUCAUSE Review online article is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 4.0 license.