Click here to receive your FREE subscription to Campus Technology
Features
Technology and the CEO: Information Security Technology
10/26/2005
Key areas that need to go through a risk analysis include administrative servers, e-mail systems, institutional desktops, and the student residential network, for a start. The simple truth: Every area on campus that has stored electronic information needs to be secure. Even the office computer in the Department of Buildings and Grounds could be a risk. How? Consider this: Suppose a student submits a request to Buildings and Grounds and that department uses the student ID number to track the request. Further suppose that the institution still is using social security numbers as a student identifier— the conclusion is obvious.
Second, institutions need to make sure they have the appropriate policies in place and that those policies are enforced. For example, d'es the campus have an acceptable use policy as well as an enforced password policy? If not, those policies should be in place, and IT must have the means and the authority to enforce them. For help creating or revising such policies, Educause and the Cornell Institute for Computer Policy and Law have compiled hundreds of information policies from dozens of campuses and made them available on the Educause Web site.
Target Student and Employee Threats
A study conducted by the US Secret Service and the Carnegie Mellon Software Engineering Institute found that 78 percent of computer crimes carried out at financial institutions were accomplished by authorized users—that is, users who had the right to access the affected systems. While not operating a financial institution, colleges and universities do house information that is compelling for data thieves, including social security and credit card numbers.
An information security policy should limit access to key systems to only those who require access in order to perform their jobs. Too often, campuses provide access to almost every system to every employee—without determining who has a “need to know.” Unfortunately, every person with access to a key system becomes a potential threat to the institution’s information security.
Some universities provide inappropriately wide access in the mistaken belief that to limit access is to communicate that the institution distrusts its own employees. With today’s high stakes in IT, common sense dictates restricting access. After all, colleges do not make explosive laboratory chemicals or the institution’s checking accounts available to everyone on campus.
Another part of an information security policy should detail exactly what kind of data is stored and why. For example, colleges may need to store social security numbers for financial aid reporting, but are they storing other information that leaves the institution at even greater risk? Maybe it d'esn’t have to be that way. For instance, instead of storing student credit card numbers for tuition payment, one might consider outsourcing this activity to a competent third party with a security infrastructure designed to handle this kind of activity, thus avoiding the liability of storing credit card numbers.
Recommended Reading
- Microsoft Changes Virtualization Licensing Rules
Microsoft has made substantial changes to its virtualization licensing program, changes that will lower the cost of using virtualization for many customers.
- Vorex Upgrades Web-based Data Collection Tool for Schools
Vorex has released an update to its Vorex Online Survey, a Web-based data collection tool designed to allow schools to collect information and gather feedback from education stakeholders.
- Georgia Virtual Tech Moves to Angel LMS for Web-based Instruction
Georgia Virtual Technical College has selected the Angel Learning Management Suite (LMS) as the platform for its portal to deliver Web-based instruction to Georgia's 33 technical colleges and one Board of Regents college.
- Video Spotlight: Campus Technology 2008 Keynote Address
Adrian Sannier, technology officer for Arizona State University, discusses strategies for putting in place ground-breaking plans that will serve the next generation of students. These are actionable visions that include strategic technology choices--advancements that may be unfamiliar or even unpopular at first, but which carry enormous potential.
- Report Finds Dip in Microsoft's Browser Share
Microsoft lost browser market share over the last year, and the company's Windows Vista operating system has had "slow" market adoption among individuals and enterprises, according to a report issued by management consulting firm Janco Associates Inc.
- AT&T 'Big Mobile' Grant Extended
AT&T has extended the deadline for its first-ever Big Mobile On Campus Challenge, a competition that calls on college and university faculty and students to develop apps for mobile devices. The top prize includes $10,000 and a trip to the October Educause 2008 conference for the winning individual or team.
