Learning the Lessons and Moving Ahead

An interview with Rodney J. Petersen, EDUCAUSE

Despite intensive security measures, institutions are still suffering breaches – sometimes quite painful and costly ones. Following UCLA’s major incident, reported this past November, we spoke with EDUCAUSE security expert Rodney Petersen to get his perspective and advice for higher education leadership.

CT: The security breach uncovered this past fall at UCLA was among the largest higher education has seen. How does this breach compare to others?

Petersen: Well, on the one hand I’m amazed by the interest that this particular breach has generated, but I think there are a couple of things that are unique to this incident as compared to other ones. First is the magnitude of the number of records exposed – 800,000 is by far the largest incident involving a college or university that I’m aware of. And secondly, the fact that the data was contained in a central information system is fairly unique, in that the majority of other instances have involved distributed servers or databases maintained by departments or other organizations at the university…

CT: Reports indicated that the perpetrators were at work for a very long time before the breach became public information in November. Does that mean that officials waited on notifications?

Petersen: It is my understanding that this breach only came to the attention of UCLA officials in November. They had been conducting their forensic investigation, and soon after reaching a conclusion of the risk of exposure they decided to go public and notify the individuals. Any institution that becomes aware of an incident or potential exposure walks a fine line between doing some preliminary investigation, typically involving law enforcement, and wanting to notify the individuals affected at the earliest possible point. But, there is a timeframe within which they need to collect their information, and quite frankly it may help them to catch the perpetrator if they don’t make all of the facts known too early.

Contrast this with the follow-up investigation at the Veterans Affairs Administration of the federal government, where a series of congressional hearings disclosed that fairly junior individuals knew about their security breach and exposure, and it took a number of days to reach the level of attention—in this case the Secretary, or in an institution’s case the president or senior leadership. I don’t think that’s been the case [at UCLA]. I think everybody acts on these promptly, and moves as quickly as they can at least to understand the severity of the situation and decide what next steps to take.

CT: UCLA’s was a pretty big breach, but there have been other institutions that have had large breaches… Do you think that higher education is on the road to putting steps in place not just to react to these, but actually to prevent them?

Petersen: The EDUCAUSE Center for Applied Research (ECAR) recently conducted a security survey that was a follow-on to a survey done in 2003, and the respondents indicated that they felt more secure today than they did two years ago. On the one hand, we were surprised by the progress that the individuals self-reported. Yet on the other hand, I think we are in a much better position today than we were a couple of years ago, ranging from more security staff in place, to more investment of resources, to getting a better handle on some of the technical vulnerabilities and problems caused by viruses and worms, et cetera, that were really plaguing institutions two years ago. But having said that, tremendous challenges lie ahead, including the fact that the attacks are getting increasingly more sophisticated and more severe, and the fact that the attacks have moved from just being attempts to gain access to systems to now directly targeting data or personal information.

CT: Given those challenges ahead, what would you like to see leadership in higher education do, or do more of?

Petersen: Well, ironically we have a one-day seminar we’re just getting ready to roll out this month, and the first one is scheduled to be held at UCLA in late January. And it’s totally coincidental that that’s the location, but the seminars are entitled, “A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations.” And whether they take our proposed blueprint, or modify it to address their own institutional needs, we do believe that every institution needs to have a strategy for how they are going to protect sensitive information at their institution. And I would add that the seminar and certainly the strategy is not just targeted towards the CISOs or campus IT staff, in fact, it really requires interdisciplinary participation of campus executives, risk managers, legal counsel, auditors, IT directors, data stewards, and others who have a role to play.

CT: What are some of the steps institutions might take?

Petersen: We do actually have seven summary steps that institutions should follow:

  • Create a security risk-aware culture that includes an information security risk management program.
  • Safeguard institutional data, and classify the data according to its importance, locating it and protecting it against unauthorized access and use.
  • Clarify roles and responsibilities and hold individuals accountable for safeguarding data.
  • Reduce access to sensitive data that is not essential to university processes.
  • Implement stricter controls—that includes policies, processes, and technologies that will safeguard data.
  • Raise awareness and provide training to the community.
  • Routinely verify compliance with all policies and procedures.

As I indicated, this is a high-level blueprint and strategy. But at the seminar, the blueprint will introduce both strategies and a number of practical steps that institutions could implement to effectuate a more comprehensive approach.

CT: Maybe you could comment on where the CSO or the CISO fits in the organizational and reporting structure… I realize that’s a major question – I’m expecting a 400-page essay!

Petersen: Well, for purposes of the “400-page essay” I would refer you to the September/October issue of EDUCAUSE Review, where I wrote an article on the role of the CSO... I went through in detail the current thinking about the role of the CSO, including some of the results of our EDUCAUSE Center for Applied Research survey that shows where they currently do report. In summary, I would say that there’s been a clear movement (a) towards hiring and designating more CISO-like people to be responsible for this kind of task and duty, and (b) towards those individuals increasingly reporting to CIOs or vice presidential-level executives – previously, they were further down the IT chain, often reporting to network directors and others. So the good news is there have been significant advances in recognizing the need for somebody to be responsible for IT security within IT organizations.

The vast majority of institutions that claim to have a CISO probably have the equivalent of an IT security officer, meaning that they are primarily focused on information that is contained on systems and computers, and that traverses networks… in other words, the IT part of security. I would say that very few institutions have embraced the information security officer role that really tries to look at not only information that is on computer networks, but also information that might reside in file cabinets or paper forms. And in that case it wouldn’t necessarily make sense for a true CISO to report to the CIO; in fact, they would probably want to report outside of the IT organization, possibly to the chief operating officer, senior vice president, CFO, or some other part of the university. So there have clearly been some changes, trends, and movements, mostly in a positive direction…

CT: I’m wondering if you might comment a bit more on security in distributed versus central environments. That seems to be a real issue—Casey Green for the first time has a separate question in the 2006 Campus Computing Survey regarding institutions reporting breaches on decentralized or departmental servers. What do you see as trends there?

Petersen: What’s interesting about the UCLA breach is that this involved a central information system, whereas previously the vast majority of data breaches at colleges and universities have involved departmental systems, such as alumni records, patrons of the performing arts center, athletic ticket offices, or other such systems that are maintained by departments and not necessarily managed or run by the central IT organization. So, a couple of comments getting to the core of your question and concern: that does not mean that all data and all information systems must be centralized, but if an institution wants to keep the information decentralized and continues to operate in a distributed form, it does need some overall institutional compliance – which is why our blueprint, where it talks about clarifying roles and responsibilities and holding people accountable, [says] that applies whether it’s a departmental system maintained by a local IT person or a central system.

And if the local department cannot maintain the level of standards or security that is necessary, then perhaps they should be asked whether or not they want to have that information stored and protected centrally. And ultimately it’s a policy decision that presidents and executive leaders might have to make about whether or not this information is so sensitive, so critical, and the risks are so high that they need to exercise stricter controls than they have previously. So I do think we are going to see a lot of testing and questioning about the nature of distributed technology, at least with respect to systems that contain this kind of highly sensitive and personally identifiable information.

CT: Are institutions learning how to do better departmental audits? Is there some good news there?

Petersen: I would say the audit practice has improved significantly, based on internal auditors as well as external auditors becoming more IT savvy and increasingly including IT security as part of their audit reviews. However, I do continue to hear reports that the audits are mostly done of the central information systems, and have not trickled down to cover these very decentralized systems that are of concern… So while improvement has been made on the quality of audits, the pervasiveness of the audits across the various types of information systems that might be in a single university seems to have a long way to go.

CT: Is there any other observation you have, reflecting back on the UCLA breach?

Petersen: I think it’s unfortunate for any institution – whether it be UCLA or another – that I know for a fact has been working very hard over the past several years to increase its campus’s IT security, to suddenly be dragged across the front page of every major newspaper and every radio and TV show because of a security breach. But the reality is, if an institution does suffer an incident of this kind, it has to go forward, learn the lessons, and just continue to intensify and accelerate the campus IT security efforts that in most cases are already underway.

Rodney J. Petersen is a government relations officer with EDUCAUSE and the coordinator of the EDUCAUSE / Internet2 Computer and Network Security Task Force.