Case Study

Financial Compliance a Growing Concern on Campuses

• By Linda L. Briggs
• 10/23/08

When a server belonging to a campus vendor is hacked, what are the overall implications for the institution? At the University of Houston, the experience led to the adoption of more stringent controls of its computer systems, including annual network audits and other best practices.

In part, those efforts were driven by a need to comply with financial privacy compliance regulations from the Payment Card Industry Data Security Standards (PCI DSS), which dictate how merchants deal with credit cards. Any company that handles payment card data must regularly demonstrate that it is compliant with PCI's standards or risk audits and fines--or even lose of the right to accept credit cards at all.

Compliance issues around network management in higher education may be coming to a head on college campuses, as the University of Houston's example demonstrates. "It's going to be a huge issue on campuses," predicted Charles Chambers, the university's manager of network planning and development. "We've been working for a couple of years to get compliant [with PCI standards]...." After several attempts, the campus now has a PCI-compliant portion of the network that is separate from the rest of the LAN and is used by PCI merchants. It includes things like PCI-compliant data encryption, firewalls, authentication, and more. The layered approach "was a way to reach PCI compliance without having to create yet another separate physical infrastructure on top of our existing one," Chambers explained. In fact, he said he regards the university as lucky for having gotten a head start on the compliance issue.

The University of Houston isn't uncommon in that it has perhaps as many as 50 different merchants that accept credit cards operating on campus, ranging from individual departments to vendors selling athletic equipment. Several years ago, outsiders broke into an application server maintained by one of the university's merchants. Although there was no evidence that credit card data was stolen, the university complied with PCI Data Security Standards in reporting the incident. That, in turn, led to several years of work, some of it ongoing, in gradually bringing various portions of the university's network into PCI compliance.

There are many levels to complying with standards like PCI, but part of the focus is on how the computer network itself is managed. That includes monitoring network access, tracking and documenting configuration and change requirement policies for the network on a daily basis, and setting and then monitoring internal policies around network control.

One way to help control the network and monitor and maintain the sorts of security controls that many compliance regulations require is through software designed specifically to monitor the network for any changes to hardware or software. To do that, the University of Houston turned to Netcordia's NetMRI, a network configuration and change management solution. NetMRI works by constantly monitoring the network infrastructure for any change, ranging from switches to routers to computers. It initially compiles a picture of the entire network, then automatically reports any alterations, whether authorized or not. It also maintains an ongoing picture of what devices are attached to the network and how they are currently configured.  

That sort of product can save tremendous amounts of time for IT personnel, who no longer have to hand-compile inventory lists, for example, or track the myriad of software updates required to keep applications current.

NetMRI has provided significant savings for the University of Houston, a major research institution that serves 35,000 students on its main campus and also provides at least some of the network infrastructure for several sister campuses. The institution currently uses NetMRI to manage some 800 devices on the network.

Although he didn't select NetMRI specifically with compliance issues in mind--he purchased it last fall for network management in general--Chambers said the product has also been helpful from a compliance standpoint. Tracking configuration changes to the network, for example, is a PCI requirement; NetMRI also produces a number of reports specifically required by PCI.

"I didn't buy it for compliance issues," Chambers said. "We bought it for [network management] best practices." However, he said, issues the product addresses from a compliance standpoint include keeping track of configuration changes, and producing a number of reports required under PCI's sizable umbrella of requirements.

A selling point for NetMRI was the low total cost of ownership, Chambers said. Configuration was easy, and little training was required because of the intuitive interface. He also liked the fact that the software defines best practices for configuring the network in a logical manner that make it easy to implement the recommended steps.

"We've lost control of a lot of best practices over time," Chambers said. "This is bringing them back into the fold. Now we've got [everything] on the radar.... It takes a long time to find these things in manual mode. This just automates the process."