EDUCAUSE Enterprise 2006. Summary: Enterprise-wide Security

Enterprise-wide Security
Mark Bruhn and Jack Suess
Enterprise 2006
May 24, 2006
Chicago, Illinois
During 2005, more than 50 universities notified thousands of individuals that their campuses had data-security breaches, which might affect them personally. Many states have passed data privacy laws. This session will focus on the current challenges in data security, compliance, and disaster recovery: how new standards related to security and compliance are impacting university planning, and some of the critical activities on which we must collectively work together.
Security is #1 on the Top 10 Issues survey.  Bruhn and Suess asked if this was true for the participants.  Two thirds of the participants in this session agreed that it was their top issue.  All participants agreed that it was in the top five issues.
They then asked “Who has security as a goal on their performance evaluations?”
A few do. One participant indicated that under the new university strategic plans at his institution this will become one of his personal goals and that it will trickle down to others in the organization.
A key to good enterprise-wide security is to determine how to make security a part of everyone's everyday work. In addition, some have state IT security policies to which they must be responsive. Part of the evaluation criteria may be to determine whether the organization or institution has an aligned policy.
Suess said it was important "to have a good IT audit." He noted their performance evaluations have a Staff Development component in which every person has a security development component. Unless you build security into your performance evaluations, staff will do the other things that you are evaluating.
Question: How do you measure security itself (with respect to audit) when there is so very much that "can/should" be done? Suess said they have tried to look at specific incidents (compromised machines) through a very specific design and to work towards a full audit report. He said it was helpful to translate these into "insurance/risk" language for a Board of Regents.
Question:  Is security in the strategic plan?  For the most part, security is in strategic plans but this is new and some institutions have not figured out how to include it yet.   It may be harder to quantify/qualify security in a strategic plan than it may be for other goals in areas like research and teaching/learning.
Question:  Who has a perimeter based firewall or an appliance?  Response: Fewer have an appliance.  Most use filtering and other mechanisms.
A participant from DeVry indicated that corporate policy came from the top with the decision to get an appliance and the people to administer it.  Every bit of the traffic in and out goes through the appliance.
In a recent survey they found that 90+% have a firewall “somewhere.”  Most have VPNs and have added intrusion detection and prevention.  The worry is the education and use.  Everyone is buying technology but not all may have use policies and educational awareness in place to support it.
Question:  How many detect and automatically react?  A quick show of hands indicated that not that many do.  One participant had a situation where a system in the Radio/TV department was really bad and so was blocked.  This turned into a political issue because this was the machine receiving Public Radio feeds.
We all need to think about how identity management and security relate to each other.
Question:  We’ve spent a lot of money on technology – are we more secure?
  • We are getting the environment to a place where we can look at it.
  • Tools today are much better.  We can do more with them and it is easier to administer.
  • One person didn’t know what he didn’t know before.  Now that he “knows” he feels less secure.  In addition, we have a continual barrage of horror stories in the media every week.
  • Another participant said “the bad guys get better at being bad than we get at blocking them.”
  • The more things you look at, the more scared you become.
Suess followed up: "How far can the tentacles go? Compromised machines can be well hidden. Hackers are getting better. Our efforts should be constant but we still might not know till we peel back the covers and see the bedbugs."
Questions:  What is the process for identifying and developing policies and procedures related to security?  Who has a policy about policies?  
If there is going to be an e-mail policy then it must go through a policy creation procedure and then we must abide by the policy. We can add definitions to existing policy to clarify "proper use" of e-mail or something similar.
About half in the room had IT security policies. 
  • At UC Berkeley, one can’t run a system that isn’t supported by the manufacturer for security patch updates.  But it is still very hard to determine if everyone is following the policy when you have thousands of things connected to the network.  Not all are cleared as compliant.  It can be expensive to try to manage this.
  • One person indicated that they have a very authoritarian policy. If you don't have the designated software then you cannot connect to the net. This was campus driven after chaos happened. The cost was deemed okay, but it was for a small institution.
  • Suess indicated that as CIO, he has the power to take a machine off the net if he perceives a problem and he can set guidelines for departments to follow.  They can be disconnected if they don’t follow the guidelines.
Question: How is compliance monitored and enforced (HIPAA, GLBA, FERPA)?
Do you have a data classification policy that is actively enforced? What classifications are used? Is training provided for end-users? Is the training mandatory?
  • Often things are available but not mandatory. We are trying to tag on to other things that are mandatory (like sexual harassment training).
  • Some are expecting a new push from Congress on security/privacy issues and therefore more mandatory training will be included.
  • There are laws that should drive a data classification policy.
  • Right now many treat everything as NPI  (National Provider Identifier such as SSN)
Resource:  Check under Security on the EDUCAUSE website for a Data Incident Notification tool kit.
We all believe that security is time critical and that we must move quickly to address issues.
Question:  How is your organization organized for security?  Who has a Chief Information Security Officer (CISO) and to whom do they report?
All who had a CISO have them report to the CIO. Most had someone, regardless of title, who has this responsibility. The security person/group should be integrated so there are no silos on this topic. The CISO needs authority and rapport to be effective and to have a way to mitigate any conflict that may occur.
Questions:  How many security staff do you have?  Is that a useful metric?
The responses were a real mix from 4 out of 162 to “a piece” of everyone on staff of 12.
Questions:  What is the role of the CIO (in security)?  How is funding for security handled?  What % is appropriate?  How does this relate to physical security?
Risk Management
Question: What group on campus has responsibility for risk management and what role does auditing play?
A few do and some have “spot” checks related to “problems” real or possible.
Follow-up questions:
How many have done a risk assessment of at least some departments on campus?
How many have a formal process for risk assessment that you use across campus?
How many have done an institution-wide risk assessment?  How frequent?
What are the barriers?
Suess reports that UMBC departments are going through the process with help and may move towards an ISO process. So doing something lightweight and doable now may help to move an organization towards routine and standard practices.
An ECAR study showed less than half of all institutions have done any sort of risk assessment.  Many are afraid to look under the covers because they don’t want to see what’s there.  We don’t yet have risk assessment competency in our IT units.  Risk assessment expertise is generally in other business parts of the university.
  • Technical devices can help but can’t guarantee you won’t have an incident so you must layer security.
  • Don't stovepipe security under the CISO. Security must be everyone's job, including yours.
  • Engage your leadership team around this issue.
  • Develop a comprehensive risk management program across the institution and insist on leadership buy-in.
  • Invest in training campus staff across the board.
  • Management by oversight is key and the development of policies and procedures is essential.  Begin to look towards ISO 17799.