Learning the Lessons and Moving Ahead
Security expert Rodney Petersen is focused on higher education’s
struggle with security breaches.
Educause's Petersen: "Every institution
needs to have a strategy for how it is
going to protect sensitive information."
Despite intensive security measures, institutions
are still suffering breaches—sometimes quite
painful and costly ones. After a major breach
was reported at UCLA this past November, we
spoke with Educause security expert Rodney Petersen, to get his
perspective and advice for higher ed leadership.
Petersen is a government relations offi-
cer with Educause and the coordinator of the
Educause and Internet2 Computer and Network Security Task Force.
The recent security breach at UCLA was among the largest
higher ed has seen. How does it compare to others?
On the one hand, I’m amazed by the interest that this particular breach has generated;
still, there are a couple things that are unique to this incident.
First is the magnitude of the number of records exposed; 800,000
is by far the largest incident involving a college or university that I’m
aware of. And second, the fact that the data was contained in a
central information system is fairly unique. The majority of other
instances have involved distributed servers or databases maintained
by departments or other organizations at the university.
Reports indicated that the perpetrators were at work for a very
long time before the breach became public information in
November. Does that mean that officials waited on notifications?
It is my understanding that this breach only came to the
attention of UCLA officials in November; they had been conducting
their forensic investigation, and soon after reaching a conclusion
of the risk of exposure, they decided to go public and notify
the affected individuals. Any institution that becomes aware of an
incident or potential exposure walks a fine line between doing some preliminary investigation—typically
involving law enforcement—and wanting
to notify the affected individuals at the
earliest possible point. But, there is a
time frame within which investigators
need to collect their information and,
quite frankly, it may help them to catch
the perpetrator if they don’t make all of
the facts known too early.
Contrast this with the follow-up
investigation of recent security breaches
in the US Department of Veterans Affairs: A series of congressional
hearings disclosed that fairly
junior individuals knew about the
security breach and exposure, yet it
took a number of days to reach the level
of attention of senior leadership.
I don’t think that’s been the case [at
UCLA]. I think everybody acts on these
things promptly, and they move as
quickly as they can, at least to understand
the severity of the situation and
decide which steps to take next.
Do you think that higher ed is putting
steps in place not just to react to
large security breaches, but actually
to prevent them?
The Educause Center for Applied Research recently conducted a security
survey that was a follow-up to a survey
done in 2003, and the respondents
indicated that they feel more secure
today than they did then. Not surprising:
We are in a much better position today
than we were a couple years ago, ranging
from more security staff in place and
more investment of resources, to getting
a better handle on some of the technical
vulnerabilities and problems caused by
viruses, worms, et cetera, that were
really plaguing institutions two years ago.
But tremendous challenges lie ahead,
including the fact that attacks are getting
increasingly more sophisticated and
more severe, and have moved from just
being attempts to gain access to systems,
to now directly targeting data or
Given those challenges ahead, what
would you like to see leadership in
higher ed do, or do more of?
out a one-day seminar this year, entitled
“A Blueprint for Handling Sensitive
Data: Security, Privacy, and Other
Considerations.” The first one, coincidentally,
was held at UCLA in late January .
Whether schools use our proposed blueprint,
or modify it to address their own
institutional needs, we do believe that
every institution needs to have a strategy
for how it is going to protect sensitive
information. And the seminar and strategy
are not just targeted toward the
CISOs or campus IT staff; in fact, the
strategy requires interdisciplinary participation
of campus executives, risk managers,
legal counsel, auditors, IT directors,
data stewards, and others.
Do you try to outline specific steps
institutions might take?
We do have
seven summary steps that institutions
should follow [see “Seven Steps to
Protecting Your Institution.”]. This
is a high-level blueprint and strategy.
But at the seminar, the blueprint will
introduce both strategies and a number
of practical steps that institutions could
implement to effectuate a more comprehensive
If an institution wants to keep information decentralized
and continues to operate in a distributed form, it does need
some overall institutional compliance.
Where does the CSO or CISO fit in
an institution’s organizational and
There’s been a
clear movement toward a) hiring and
designating more CISO-like people to
be responsible for this kind of task and
duty, and b) seeing to it that those individuals
are increasingly reporting to
CIOs or VP-level executives. Previously,
the CISO was farther down the IT
chain, often reporting to a network
director or other position. So the good
news is there have been significant
advances in recognizing the need for
somebody to be responsible for IT
security within IT organizations.
The vast majority of institutions that
claim to have a CISO probably have
the equivalent of an IT security officer,
meaning that he or she is primarily
focused on information that is contained
on systems and computers, and
that traverses networks—in other
words, the information technology part
of security. Very few institutions have
embraced the information security offi-
cer role that really tries to look not only
at information that is on computer networks,
but also at information that
might reside in physical file cabinets.
And in that case, it wouldn’t necessarily
make sense that a true CISO would
report to the CIO; in fact, he or she
should probably report outside of the IT
organization, possibly to a COO, senior
VP, CFO, or to some other part of the
university. So there clearly have been
some changes, trends, and movements,
mostly in a positive direction.
I’m wondering if you might comment
a bit more on security in distributed
versus central environments.
interesting about the UCLA breach is that it involved a central information
system; previously, the vast majority of
data breaches at colleges and universities
have involved departmental systems
such as alumni records, patrons
of the performing arts center, athletic
ticket offices, or other such systems
that are maintained by departments
and not necessarily managed or run by
the central IT organization. That does
not mean that all data and all information
systems must be centralized, but if
an institution wants to keep information
decentralized and continues to operate
in a distributed form, it does need some
overall institutional compliance. That’s
why our blueprint says that the need to
clarify roles and responsibilities—and
to hold people accountable—applies
whether it’s a departmental system
maintained by a local IT person, or a
And if the local department cannot
maintain the level of standards or security
that is necessary, then those administrators
should be asked whether they
want to have that information stored
and protected centrally. Ultimately, it’s a
policy decision that presidents and
executive leaders might have to make
about whether this information is so
sensitive, so critical, and the risks so
high, that they need to exercise stricter
controls than they have previously. We
are going to see a lot of testing and
questioning about the nature of distributed
technology, at least with respect
to systems that contain highly sensitive
and personally identifiable information.
Seven Steps to Protecting Your Institution
- Create a security-risk-aware culture
that includes an information security
risk management program.
- Safeguard institutional data, and
classify the data according to its
importance, locating it and protecting
it against unauthorized access
- Clarify roles and responsibilities
and hold individuals accountable
for safeguarding data.
- Reduce access to sensitive data
that is not essential to university
- Implement stricter controls: policies,
processes, and technologies
that will safeguard data.
- Raise awareness and provide
training to the community.
- Routinely verify compliance with
all policies and procedures.
Based on the Educause seminars, "A Blueprint for Handling
Sensitive Data: Security, Privacy, and Other Considerations"
Are institutions learning how to perform
better departmental audits?
audit practice has improved significantly,
based on internal as well as external
auditors becoming more IT-savvy, and
increasingly including IT security as part
of audit reviews. However, I continue to
hear reports that the audits are performed
largely on central information systems,
and have not trickled down to
cover these very decentralized systems
that are of concern. So while the quality
of audits has improved, the pervasiveness
of audits across the various types
of information systems that might be in a
single university has a long way to go.
Is there any other observation you
would like to make, regarding the
Whether it be UCLA—
which I know has been working very
hard over the past several years to
increase IT security—or any other institution,
it’s unfortunate to suddenly be
dragged across the front page of every
major newspaper and be featured on
every radio and TV news program
because of a security breach. But the
reality is, if an institution does suffer an
incident of this kind, it has to go forward,
learn the lessons, and continue to
intensify and accelerate campus IT
security efforts that, in most cases, are