When you read the reports of information security breaches at The Breach Blog (see http://www.breachblog.com) and SC Magazine (see http://breach.scmagazineblogs.com), one of the most remarkable patterns is the frequency of breaches occurring in colleges and universities.
Source: Scott Wright's Security Views
While it is true that many of the published breaches took place at colleges and universities, it is important to realize that institutions of higher education are typically more open and willing to share information with the outside world than many corporations of a similar size would be. Do not forget that even a small college may have upwards of 10,000 users (students, faculty, administration and staff). Those numbers go up significantly when the larger universities are also included.
The most important core value of research and education is Academic Freedom. Academic freedom is usually described as the right of each individual member of the faculty of an institution to enjoy the freedom to study, to inquire, to speak his mind, to communicate his ideas, and to assert the truth as he sees it. In the United States, the professor's academic freedom is often defined in terms of full freedom in research and in the publication of the results, in classroom discussion of his subject, and in the exercise extra-murally of his basic rights as a citizen. [See: Dictionary of the History of Ideas]
In other words, the nature of Academic Freedom almost requires that members of Faculty are provided with any access that they request. There is no need for administration to assess the request, or even to do a risk analysis of its implications. Academic Freedom provides faculty members with the right to study what they feel necessary, which usually also means in the way they feel necessary.
Scott provides the example of restricting access to institutional directories. Even that is hard. The scientific method relies on peer review as its primary means of quality control. Reaching out to peers to request reviews, participate in conferences, or otherwise provide constructive feedback to them is essential. For the administrative side of life, the same is true. Students are expected to be able to contact members of administration about a large variety of issues, ranging from financial aid to enrollment or IT support. Restricting access to local users only, or requiring remote users to log on to a web site, is often seen as a very unfriendly way of doing things. Private universities in particular, which rely heavily on student tuition, will go to great lengths to keep students happy.
Faculty will not adjust to information security policies and procedures. Rather, information security policies and procedures must adjust to Faculty. This realization may be the most important lesson that a university administrator must learn. Without it, he will fail.
Scott also wrote:
It can be a challenge to secure such a large and complex environment, but by breaking the problem down and addressing the issues one step at a time, the rate of security breaches can certainly be improved to a less embarrassing frequency.
The most critical success factor when dealing with universities is patience. An information security professional typically spends most of his time away from his desk, talking to stakeholders and explaining what information security is about, and why it is done. Because of the high degree of autonomy that faculty members have, and the often decentralized nature of most colleges, implementing (technical) controls like restricting access to a directory is typically a very lengthy process that requires an enormous amount of awareness raising, lobbying, and convincing.
The good news is that a growing number of schools have realized that information security is important. Not only because of increasing legislation and regulation (most colleges must comply with GLBA, HIPAA, PCI/DSS, FERPA, and a few more), but more so because of an increasing expectation of students that their information is secure, while at the same time they have full and unlimited access to very high-speed networks. Remember, students are the largest source of revenue for universities, and that fact is very well known. Meeting students' expectations is a critical success factor. Schools that fail to do so will face dropping enrollment numbers and, as a direct result, less revenue.