8 Spots for Tightening Security on Campus

By Linda L. Briggs
02/02/04
5. Sell Security to Management
  Here's another challenge for all IT professionals, but one that may be especially 
  tough on campus because of tight funds: getting management on board for any 
  security push. It's important that your school's top managers see security as 
  the priority it is and act accordingly - that is, that they allocate 
  realistic funds for the software you need to lock down your systems, for education 
  programs, and for adequate personnel. 
Management responds to numbers, so putting together estimates of what security 
  breaches are costing the school in terms of downtime, hours spent by your staff 
  repairing the damage, and so forth, can be effective. Damage to the school's 
  reputation can also be a warning point; many large-scale cyber-attacks have 
  made ample use of university computers. 
For Susan Monsen, director of IT services at Yale University's Law School, 
  lack of resources is definitely an issue. Her biggest challenge: Dealing with 
  compromised student laptops on the network. "We don't have a way to scan and 
  remove viruses" automatically system-wide yet, she says. "That's something we're 
  working on." Regarding security in general, she says, "There are good tools 
  out there, but they're very expensive."
The problem peaked in September at the law school, when a widely spread virus 
  was attacking Microsoft operating systems and unsuspecting students returned 
  to campus with infected laptops. Now, the problem is down to three or four laptops 
  a week, she says. 
Requiring students to register their network cards in order to get access outside 
  the campus over the university's network helps, she says: students can then be 
  tracked down through a database and contacted if necessary through their network 
  IDs.
 
  
6. Set and Enforce Testing Standards
  As you continue to develop, integrate, and enforce working security policies 
  for your organization, cooperation and communication among various groups on 
  campus are key. Among other things, this becomes important in setting and enforcing 
  testing standards for how new software is deployed. In examining how an SQL 
  server was compromised, a case study from the University of Memphis highlights 
  the importance of policies for making sure that testing is conducted in keeping 
  with agreed-upon security policies. As the authors of the case study conclude 
  in one of their findings after the security breach was closed, agreeing on what 
  tests are required before deployment into the production environment is paramount: 
"Equilibrium between experimentation and security standards must be established. 
  It may not be appropriate to deploy an application into a production environment 
  unless appropriate security testing has been performed... Service administrators 
  must understand the importance of securing, and keeping secure, the production 
  environments upon which services depend."
7. Review Data Retention Policies
  With the enactment of the USA Patriot Act in 2001 ("Uniting and Strengthening 
  America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism 
  Act of 2001"), data retention has become a security hot spot. 
Setting record-retention policies, never easy, has become even more difficult. 
  According to Fred Beshears, senior strategist at Educational Technology Services 
  at the University of California-Berkeley, FERPA, an older government mandate 
  to protect student records, conflicts with the Patriot Act, which allows for 
  governmental access to student records in some cases. In short, Beshears says, 
  "You get into all these gnarly problems on [privacy]." 
For an in-depth discussion of the conflicts of privacy and security on today's 
  campus, and some insights into the issue, read the article by Kent 
  Wada, information technology security and policy coordinator at the University 
  of California-Los Angeles. 
Among other things, Wada notes that in the face of the Patriot Act and other 
  legislation, security concerns regarding e-mail become more difficult than ever 
  and probably need to be reviewed and reassessed. "The balancing act is to keep 
  relevant data only as long as it is legitimately needed, and no longer, lest 
  it become a liability."
He notes that this same balancing act applies in other areas of data as well: 
  "This is also true for electronic records of another sort: computer transaction 
  logs. Web servers, e-mail servers, and other network devices all automatically 
  note when services are used... Policies should be viewed in the larger records 
  management context rather than as a separate effort."
8. Curb File Sharing 
  The still hugely popular practice of file sharing, particularly videos and music, 
  via peer-to-peer software, remains an obvious Achilles heel. 
As Wada notes in his article on campus security versus privacy, recording and 
  motion picture industry executives are pushing schools to do more to curb illicit 
  file sharing, thus turning up the heat on IT administrators. Not only is file 
  sharing generally illegal, depending on what's being shared, but peer-to-peer 
  networks, of course, are a huge security risk. 
Many colleges and universities are fighting the file-sharing issue through 
  attempts at education on their Web sites. For example, the University of California 
  at Davis offers this article for students on legitimate music download sites 
  and options: http://technews.ucdavis.edu/news2.cfm?id=623. 
  Also, articles like this one on the University 
  of Wisconsin-Madison Web site, which clearly state that the recording industry 
  is now prosecuting individuals for file-sharing violations, are becoming more 
  common. And Penn State is modeling for students the good practice of staying 
  within the law by providing students with legal means to download 
  music files. As part of the education process, and to remind students of 
  the facts about file sharing, consider posting similar information and tools 
  on your own campus Web site or portal if you haven't already.
An Ongoing Challenge
  IT administrators tasked with campus security face special challenges. But the 
  struggle for a secure campus isn't a futile one; there are many steps you can 
  take to help ensure that you, along with faculty, students and staff, sleep 
  easier at night. In general, it's probably best to look at security as an ongoing 
  challenge, one that will require some of your resources for a long time to come.
In fact, Rochester Institute of Technology's Barbour predicts that things will 
  get worse before they get better, as society and IT experts only gradually get 
  security issues under control and can begin to act proactively. "We're 
  just seeing the tip of the iceberg. The worst of it is yet to come, and it's 
  going to take a while to catch up." Accept the security challenge and begin 
  now to tighten your campus networks.
About the Author
Linda Briggs is a freelance writer based in San Diego, Calif. She can be reached at [email protected].