ECAR Publishes 2006 Study on Information Technology Security in Higher Education
The EDUCAUSE Center for Applied Research (ECAR) has just released a study of IT security in higher education called Safeguarding the Tower: IT Security in Higher Education 2006. This study builds on a similar study performed by ECAR in 2003. The study was conducted by Senior ECAR Fellow Robert B. Kvavik, with John Voloudakis of BearingPoint.

Over the past 10 to 15 years, IT security has evolved from being an afterthought in the development and delivery of IT services to a critical element of IT at higher education institutions. As such, it continues to change and grow. In the time between the 2003 and 2006 ECAR security studies, institutions have made marked changes in their IT security investments and practices. Driven by the increasing frequency and virulence of attacks on their networks and systems, institutions have made a number of moves to secure their critical systems and protect their users. The degree of this change in a relatively short time span is one of the key findings of this study.

Significant changes include the tremendous growth in the use of perimeter firewalls, especially among doctoral institutions. There is also growth in the use of interior firewalls (over 27 percent across all Carnegie classes) and in adoption of other technologies. Institutions also have made progress on the human side of IT security by hiring chief information security officers (34.9 percent), implementing security awareness programs (48.5 percent), and increasing staffing for IT security. There is, however, much yet to be done to improve IT security on campuses.

There are many incentives for these changes. First is the changing nature of the threats to institutions' data and technological resources. The target of many new attacks is no longer the operating system, the network, or control of the machine but rather personal data stored in these systems. The driver of these hacking attempts is profit, and the hackers' goals are to find a weak link in the organization's security and use it to find personal data. A second major motivation is external pressure in the form of increased legislation at both the federal and state levels. New laws and regulations have recently been passed that require the protection of personally identifiable data and require notification if this data is released.

In response to these drivers, many institutions are adopting an enterprise security program to ensure they are taking the appropriate measures. The goal of these programs is to embed security into the organizational fabric, making it an accepted, ongoing part of everyday activities. Major components of the program include appropriate governance structures and processes; an inventory of central and distributed assets needing protection; definition of needed controls such as policies, standards, and processes; training programs; assessment mechanisms; and monitoring and remediation. Such a program must be standards-based, mission-driven, flexible, and measurable.

Additionally, a summary of the study's key findings [PDF, 772 KB] is available to all. The complete research study is accessible to ECAR subscribers and is available for purchase by nonsubscribers.