
The Myth about IT Security


© 2006 Diana G. Oblinger and Brian L. Hawkins

EDUCAUSE Review, vol. 41, no. 3 (May/June 2006): 14–15.

Diana G. Oblinger and Brian L. Hawkins
Diana G. Oblinger is Vice President of EDUCAUSE, where she is responsible for the association's teaching and learning activities and for the EDUCAUSE Learning Initiative (ELI). Brian L. Hawkins is President of EDUCAUSE. Comments on this article can be sent to the authors at doblinger@educause.edu and bhawkins@educause.edu.

Seeing an institution's name in the headlines for a security breach may be among a CIO's—and a president's—worst nightmares. Whether the breached data involves social security numbers, credit card accounts, clinical records, or research, this is bad news. Federal agencies that provide research funding may lose confidence in data integrity, putting millions of dollars in grants at risk. Legislators may seek additional oversight. Beyond image, institutions face issues of liability and business continuity. Considering that colleges and universities manage some of the world's largest networks and collections of computers, the risk and the importance of the issue should not be underestimated.1

Information security cannot be the responsibility of only the CIO—or even a chief security officer (CSO). Part of the reason is its importance. Institutions rely on information for academic, research, and outreach programs and for support services. Information security ensures the availability, integrity, and confidentiality of information, services, networks, and computer systems. These systems and networks must be available on a timely basis. Their information must be protected from unauthorized use or disclosure as well as from unapproved, unanticipated, or unintentional modification.

Security incidents include inappropriate access, alteration of data, virus infiltrations, and denial-of-service attacks. Contrary to common belief, the greatest risks may be internal, rather than external. Incidents may be precipitated by disgruntled or dishonest employees. Hackers are found on campus as well as off. Other incidents are due to unsecured systems resulting from unlocked computer rooms or from passwords posted on monitors. Even the lack of antivirus software on one student's machine or a single inadvertent download of malicious code by a staff member can put the entire IT system at risk. Although the campus provides much of the IT infrastructure, a host of systems that are not managed by the CIO process or store private data: the campus meal-plan server, the housing server, the parking services server, the international student office server—all of which have been hit by hackers in publicized incidents.2 It would be convenient if we could solve security problems by installing a piece of technology, but the truth is that security is as much an issue of people and process as it is technology.

Security problems are no longer rare. Over a thirteen-month period from February 2005 to March 2006, Privacy Rights Clearinghouse estimated that 53.5 million Americans had their personal information compromised; nearly half of the incidents reported involved higher education institutions.3 Half of the 489 colleges surveyed in the 2005 Campus Computing Project experienced network attacks in the previous year; nearly 20 percent of those represented major security breaches involving personal information that could leave people vulnerable to identity theft.4 Findings from the 2005 EDUCAUSE Center for Applied Research (ECAR) IT security survey reported that incidents involved system unavailability (34%), network unavailability (29%), compromise of information confidentiality (26%), damage to data (12%), and identity theft (8%).5

Security-related IT incidents involve direct costs for an institution. Simply notifying affected individuals of a security breach can cost $300,000 to $500,000.6 One study published in 2000 estimated that thirty known security-related IT incidents resulted in over $1 million in direct and indirect costs; more than 9,000 employee hours were diverted for incident investigation and resolution; and nearly 270,000 computer and network users were affected.7 But the true cost of information security breaches is not easy to quantify. Beyond repairing the problem, costs can include legal liability, loss of intellectual property or institutional assets, and delayed or compromised research.8

According to a 2003 ECAR study, just over half of the 435 institutions surveyed had official institutional policies covering IT security; only one-third had formal security awareness programs for students and faculty. Although IT security is recognized as a top issue by CIOs, institutions struggle to establish meaningful security policies. The result is that less than two-thirds of the survey respondents said that IT security was actually a priority at their colleges and universities.9

Making security an institutional priority faces cultural hurdles. Even though all may agree that security is important, specific practices elicit differences of opinion. For example, IT staff may feel that a firewall is necessary, but faculty may see this restriction on access as an impediment to intellectual freedom. Logging user access is one method of tracking intruders; however, monitoring and recording user access may be considered a threat to privacy. Attempts to demand that faculty, staff, and students update software, change passwords regularly, or use antivirus software have been perceived as contrary to academic freedom.10

Technology is clearly important in information security. Networks, systems, and applications should be periodically scanned to check for vulnerabilities. Automatic password changes should be enforced, and computers should be protected with antivirus software and should be updated regularly with the latest operating system patches.11 Authentication systems can place higher levels of security on more sensitive assets. Although the CIO can provide guidance on these types of technical issues, information security is not just the CIO's responsibility. An effective cybersecurity program requires the cooperation of senior executives, legal counsel, auditors, policy and public safety, faculty, staff, and students.

In addition, someone must be in charge. Is there a person on campus whose primary responsibility is information security? Does that person have the authority to manage and ensure compliance with policies? Finally, education is a critical component as well. Does the institution have an ongoing education and awareness program? Is communication effective? If policies are in place, are they easy to understand? Is there a method for communicating policies to faculty, staff, and students? Are the consequences for noncompliance clearly explained—and enforced?

In thinking about information security, the CIO and the executive team should ask themselves the following strategic questions:

  1. Do we treat security as a campus governance issue or as an IT governance issue? Higher education faces a host of potential security vulnerabilities, ranging from unsecured wireless networks to student-owned equipment to incomplete security policies and unclear oversight. Because of the mission-critical nature of information security, responsibilities for information security go beyond IT. College and university boards are being encouraged to adopt information security principles, for example. Are roles and responsibilities clearly defined? Does authority accompany those roles? Are adequate resources available? Have senior managers established policies and controls? Are regular reports on information security made to institutional leaders? Does the executive team consider information security part of its responsibility, or has security been relegated to IT?
  2. Do we know which institutional assets need to be protected? Not all information is equally important. Do senior leaders know what needs to be protected? Can they differentiate information needing high levels of security from that requiring lower levels? Has the institution considered physical assets, such as laptops and servers, along with the information stored on them? Are machine rooms locked? Is the institution safeguarding older formats? For example, is the information in file cabinets secured in locked drawers?
  3. Do all IT users consider that security is their responsibility? It is easy to feel that information security is someone else's responsibility. However, a single breach can put the entire campus at risk. Everyone shares responsibility for information security. At James Madison University, for example, all users—students, staff, faculty, and administrators—must complete a tutorial/quiz to obtain or change a password. The security awareness program makes it clear that everyone, not just the IT organization, is involved. President Linwood Rose argues, "We must all become much more vigilant in the provision of secure systems, in intrusion detection, in rapid response, and especially in education."12
  4. How do we ensure academic values and institutional integrity without ensuring security? Security is necessary for higher education to be able to manifest its core values. Has the campus engaged in discussions of academic values and security concerns? The perspectives of faculty and IT staff are likely to differ. And the culture of autonomy and self-governance may make the adoption of uniform standards difficult. Is it possible to ensure privacy without security? Have campus constituents explored the risks of not adopting a deliberate security strategy? Has the institution found an appropriate balance among values, risk, and realistic safeguards?

Security is not just the CIO's problem; it is everyone's problem. And everyone is responsible for the solution.

Notes

1. Security Risk Assessment Working Group, EDUCAUSE/Internet2 Computer and Network Security Task Force, "Information Security Governance Assessment Tool for Higher Education," http://www.educause.edu/ir/library/pdf/SEC0421.pdf.

2. Joy R. Hughes and Jack Suess, "Presidents and Campus Cybersecurity," EDUCAUSE Review, vol. 40, no. 6 (November/December 2005): 118–19, http://www.educause.edu/er/erm05/erm05613.asp.

3. "A Chronology of Data Breaches Reported since the ChoicePoint Incident," http://www.privacyrights.org/ar/ChronDataBreaches.htm.

4. Andrea L. Foster, "Technology: Safeguarding Networks Is Priority No. 1," Chronicle of Higher Education, January 6, 2006.

5. Robert Kvavik, personal communication with author, January 2006.

6. Rodney Petersen, personal communication with author, December 2005.

7. Virginia Rezmierski et al., "Incident Cost and Analysis Modeling Project: I-Camp II," http://www.cic.uiuc.edu/groups/ITSecurityWorkingGroup/archive/Report/ICAMP.shtml.

8. Diana Oblinger and Rodney Petersen, "Cyber Security: It Takes a Community," University Business, April 2004, http://www.universitybusiness.com/page.cfm?p=517.

9. Robert B. Kvavik and John Voloudakis, "Information Technology Security: Governance, Strategy, and Practice in Higher Education," EDUCAUSE Center for Applied Research (ECAR) Study, vol. 5 (2003), http://www.educause.edu/LibraryDetailPage/666?ID=ERS0305.

10. Diana Oblinger, "IT Security and Academic Values," in Mark Luker and Rodney Petersen, eds., Computer and Network Security in Higher Education, vol. 8, EDUCAUSE Leadership Strategies Series (San Francisco: Jossey-Bass, 2003), http://www.educause.edu/ir/library/pdf/pub7008e.pdf.

11. Security Risk Assessment Working Group, "Information Security Governance Assessment Tool."

12. Linwood H. Rose, "Information Security: A Difficult Balance," EDUCAUSE Review, vol. 39, no. 5 (September/October 2004): 10, http://www.educause.edu/er/erm04/erm0456.asp.

Diana Oblinger

Dr. Diana G. Oblinger President and CEO of EDUCAUSE

Dr. Diana G. Oblinger is President and CEO of EDUCAUSE, a nonprofit association whose mission is to advance higher education through the use of information technology. The current membership comprises over 2,300 colleges, universities and education organizations, including 250 corporations. Previously, Oblinger held positions in academia and business: Vice President for Information Resources and the Chief Information Officer for the University of North Carolina system, Executive Director of Higher Education for Microsoft, and IBM Director of the Institute for Academic Technology. She was on the faculty at the University of Missouri-Columbia and at Michigan State University and served as the associate dean of academic programs at the University of Missouri.

Since becoming president of EDUCAUSE, Oblinger has become known for innovative product and services growth as well as international outreach. For example, Oblinger created the EDUCAUSE Learning Initiative (ELI), known for its leadership in teaching, learning and technology innovation as well as several signature products, such as the 7 Things You Should Know About series. She also initiated EDUCAUSE's first fully online events and its e-book series, including Educating the Net Generation and Learning Spaces.

In collaboration with the Bill and Melinda Gates Foundation she led the creation of the Next Generation Learning Challenges, a $30M program focused on improving college readiness and completion through information technologies. Partners include the League for Innovation in the Community College, the International Association for K-12 Online Learning, the Council of Chief State School Officers, and the Hewlett Foundation.

Oblinger has served on a variety of boards such as the board of directors of ACT, the editorial board of Open Learning, the National Science Foundation's Advisory Committee on Cyberinfrastructure, and the National Visiting Committee for NSF's National Science Digital Library project. She currently serves on the American Council on Education (ACE) board and works with other higher education associations as chair of the Washington Higher Education Secretariat. Dr. Oblinger has testified before the U.S. Senate Committee on Employment, Safety and Training and the U.S. House of Representatives Subcommittee on Technology.

Oblinger is a frequent keynote speaker as well as the co-author of the award-winning book What Business Wants from Higher Education. She is the editor or co-editor of seven books: The Learning Revolution, The Future Compatible Campus, Renewing Administration, E is for Everything, Best Practices in Student Services, Educating the Net Generation, and Learning Spaces. She also is the author or co-author of numerous monographs and articles on higher education and technology.

Dr. Oblinger has received outstanding teaching and research awards, was named Young Alumnus of the Year by Iowa State University and holds two honorary degrees. She is a graduate of Iowa State University (Bachelors, Masters, and Ph.D.) and is a member of Phi Beta Kappa, Phi Kappa Phi, and Sigma Xi.


Brian L. Hawkins

Brian L. Hawkins was president of EDUCAUSE from 1998-2007. Prior to joining EDUCAUSE, Hawkins was senior vice president for Academic Planning and Administrative Affairs at Brown University. In this capacity, he oversaw academic planning, instructional budget management, campus computing, enrollment management, institutional research, summer programs, admission, financial aid, and student registration. Hawkins went to Brown in 1986 as vice president for Computing and Information Services. In 1989, he filled in as senior vice president for Finance and Administration, and then was appointed special assistant to the president for Academic Planning while he spearheaded Brown’s strategic planning processes. In 1997, he served as part of a three-person team standing in for the president of Brown University.

Before going to Brown, Hawkins was associate vice president for Academic Affairs at Drexel University. At Drexel, he was responsible for general academic planning and the first academic program in the nation to require access to a microcomputer, as well as integrating the use of technology throughout the curriculum.

Hawkins is a management professor by training and the author of one book and many articles on organizational behavior. He received his bachelor’s and master’s degrees from Michigan State University and his doctorate from Purdue University. He taught at The University of Texas at San Antonio (UTSA) and served there as department chairman and assistant dean of the College of Business. His organizational work focused on organizational structure, conflict management, communication, and performance appraisal. He earned tenure as faculty member at both UTSA and Drexel.

Hawkins has combined his academic and business experience to serve as a consultant to more than 350 organizations. In 1983, the governor of Pennsylvania asked him to initiate a corporate, industrial, public, and educational partnership in Southeastern Pennsylvania to create start-up companies and develop new jobs. Nearly two decades later, this program is still thriving.

Throughout his career, Hawkins has served on a variety of boards and committees. He is currently a member of the board of directors of the Forum for the Future of Higher Education and the Washington Higher Education Secretariat. Hawkins served as a member of the board of trustees of the University of Richmond and the Consortium on Financing Higher Education (COFHE) General Assembly and as chair and member of the boards of Educom and CAUSE. He also served on the boards of the Coalition for Networked Information (CNI) and the International Consortium for Educational Computing. Additionally, Hawkins has been a member of higher education advisory boards for Apple, IBM, NeXT, Sun, and Microsoft and has served on more than 60 advisory panels for various colleges and universities.

He has written extensively, including four books, numerous articles, book chapters, and monographs on information resources, academic planning, and the use of technology in higher education. Hawkins has received two honorary doctorates of science. In 1991, he received the CAUSE ELITE Award, a lifetime achievement award for Exemplary Leadership and Information Technology Excellence. He has served actively on accreditation teams as a chair and member, as well as the standards committee for North East Association of Schools and Colleges. Hawkins has been an invited speaker at professional meetings including the American Association of Higher Education (AAHE), Educom, CAUSE, the Society for College and University Planning (SCUP), the American Association of Publishers (AAP), the Association for College Research Libraries (ACRL), the National Association of College Stores (NACS), the National Association of College and University Business Officers (NACUBO), and the National Association of State Universities and Land-Grant Colleges (NASULGC).
