A Damning Indictment

"Insecure and Unaware…"An indictment of higher ed IT management that may well resonate across campus

Well, it looks like the insurance folks, the corporate defense attorneys, and the auditors finally got together and took a critical look at campus network security. Most of it is nothing we haven't already heard about, and talked about, but a recent article in The Chronicle of Higher Education presents it all in a fairly damning (alarmist) kind of way:
· "[U]niversities are among the least secure places in the universe, as far as computing g'es."
· "[M]any institutions do not properly maintain and test their strategies for recovering lost data . . . in the event of catastrophe."
· "[I]t may be just a matter of time before colleges are hit with multimillion-dollar lawsuits accusing them of negligently operating their networks."

D'esn't that just make you want to curl up and, defensively, go to sleep? That's how I felt when I read the article the first time. The second time I kept thinking, "Hey, but they just don't understand higher education." The third time, I also thought, "Hmm, there are some useful insights here." The bottom line is that someone, somewhere on your campus is going to hand this article to your president, or worse, to a trustee. Ouch. What are you going to do then?

The lengthy Chronicle article, titled "Insecure and Unaware: An analysis of campus networks reveals gaps in security," appears in its May 7 issue. Go ahead, read it. I'm going to summarize it, but given the varying directions from which fallout from this article is going to come at you, you had better read it for yourself. And, get ready to spend some money that you don't have, because this article is going to resonate.

The gist of the article can be summarized this way: With respect to limiting access, risk assessment, securing data, and planning for disaster, especially from the perspective of the types of people who might conduct audits of legal liability exposure, colleges and universities are low on the totem pole of successful practices in the commercial, corporate world.

What brought the article about? A number of security breaches, confidential information releases, and other related issues on campuses have made news in the past year, and clearly someone saw a pattern. The Chronicle obtained IT audit results from several public institutions and has synthesized some of the more alarming information.

The security issues presented are, by and large, "people" issues, not hardware and software issues. The most prevalent problems identified by the Chronicle's survey of audits are:
· Institutions are not doing well enough at ensuring that users (students, faculty, staff) protect their accounts, largely acquiescing to sloppy password practices;
· Many institutions either lack disaster recovery plans or fail to test them;
· Personnel practices frequently leave terminated employees with the ability to access information or modify it; and
· Few institutions are conducting the kind of risk assessments that inform them about where their top priority risks might be.

On reflection, I don't think that there's a whole lot there we aren't fairly aware of. And some institutions cope with some of those things better than others. I don't doubt for a second that there are issues of "openness" relating to university and college culture and the creativity and innovation requirements of academicians. As one commentator put it, would Tim Berners-Lee be able to get a proposal to work on a brand new idea like the World Wide Web in a higher education regime run by auditors?

On the other hand, I suspect that most of the unresolved issues relate simply to funding-meaning campus-based funding, as opposed to research-based and funded, say, by the NSF. That's another tradition that can, in general be called the "under management" of higher education's business side. If it's going to take $300,000 to conduct a risk assessment that's going to tell you what you already know: that you need to get all sorts of people, in all sorts of positions, in all sorts of departments, to change their behavior, well . . . unless someone walks up and hands you that $300,000 for expressly for that purpose, you're not going to be spending it.

Once your heart rate settles down, this article, combined with some insightful preparation and background work already underway by the higher education community, can be viewed as an opportunity. First, check out these resources:

The EDUCAUSE Effective Security Practices Guide is one place to start, and I'd say it's required reading for CIOs and others at some point in the next 24 hours. It's got a lot of good stuff about risk assessment and risk analysis. You might also want to reference Building a Disaster Resistant University, a FEMA publication available online as well. And, conveniently, a coalition higher education organizations sent a letter out in February of 2003 to all college and university presidents in the United States, alerting them to many of these issues. In fact, it sounded a bit alarmist as well: "We've all seen the headlines: grades and salary records altered; medical information and social security numbers exposed to the public; major commercial web sites attacked by hackers using campus computers as a launching point; and massive invasions by Internet worms."

But, I bet that most college and university CEOs blew that letter off. Probably only a handful took it seriously enough to pass it on to their CIO, or to the person their CIO reports to, with a request to bring them up to date on their campus' risk assessment and security position.

That may well change now. Sadly, a prominent article in The Chronicle of Higher Education may get more presidential and trustee attention than a paper letter from an organizational coalition.

I recommend that you review the Effective Security Practices Guide and have a copy of that letter printed out and handy for when you are asked about the Chronicle article. You can say that the authorities in your field recognize that there are important issues involved and, that as a whole, the issues are being worked on. The next thing you can do, of course, is get to work drafting that budget request for the risk assessment.

Featured