A Damning Indictment

Click here to receive your FREE subscription to Campus Technology

Home > A Damning Indictment

Current News

A Damning Indictment

5/6/2004

By Terry Calhoun

"Insecure and Unaware…"An indictment of higher ed IT management that may well resonate across campus

Well, it looks like the insurance folks, the corporate defense attorneys, and the auditors finally got together and took a critical look at campus network security. Most of it is nothing we haven't already heard about, and talked about, but a recent article in The Chronicle of Higher Education presents it all in a fairly damning (alarmist) kind of way:
· "[U]niversities are among the least secure places in the universe, as far as computing g'es."
· "[M]any institutions do not properly maintain and test their strategies for recovering lost data . . . in the event of catastrophe."
· "[I]t may be just a matter of time before colleges are hit with multimillion-dollar lawsuits accusing them of negligently operating their networks."

D'esn't that just make you want to curl up and, defensively, go to sleep? That's how I felt when I read the article the first time. The second time I kept thinking, "Hey, but they just don't understand higher education." The third time, I also thought, "Hmm, there are some useful insights here." The bottom line is that someone, somewhere on your campus is going to hand this article to your president, or worse, to a trustee. Ouch. What are you going to do then?

The lengthy Chronicle article, titled "Insecure and Unaware: An analysis of campus networks reveals gaps in security," appears in its May 7 issue. Go ahead, read it. I'm going to summarize it, but given the varying directions from which fallout from this article is going to come at you, you had better read it for yourself. And, get ready to spend some money that you don't have, because this article is going to resonate.

The gist of the article can be summarized this way: With respect to limiting access, risk assessment, securing data, and planning for disaster, especially from the perspective of the types of people who might conduct audits of legal liability exposure, colleges and universities are low on the totem pole of successful practices in the commercial, corporate world.

What brought the article about? A number of security breaches, confidential information releases, and other related issues on campuses have made news in the past year, and clearly someone saw a pattern. The Chronicle obtained IT audit results from several public institutions and has synthesized some of the more alarming information.

The security issues presented are, by and large, "people" issues, not hardware and software issues. The most prevalent problems identified by the Chronicle's survey of audits are:
· Institutions are not doing well enough at ensuring that users (students, faculty, staff) protect their accounts, largely acquiescing to sloppy password practices;
· Many institutions either lack disaster recovery plans or fail to test them;
· Personnel practices frequently leave terminated employees with the ability to access information or modify it; and
· Few institutions are conducting the kind of risk assessments that inform them about where their top priority risks might be.