Learning the Lessons and Moving Ahead
Security expert Rodney Petersen is focused on higher education’s
struggle with security breaches.
Educause's Petersen: "Every institution
needs to have a strategy for how it is
going to protect sensitive information."
Despite intensive security measures, institutions
are still suffering breaches—sometimes quite
painful and costly ones. After a major breach
was reported at UCLA this past November, we
spoke with Educause security expert Rodney Petersen, to get his
perspective and advice for higher ed leadership.
Petersen is a government relations officer
with Educause and the coordinator of the
Educause and Internet2 Computer and Network Security Task Force.
The recent security breach at UCLA was among the largest
higher ed has seen. How does it compare to others?
On the one hand, I’m amazed by the interest that this particular breach has generated;
still, there are a couple of things that are unique to this incident.
First is the magnitude of the number of records exposed; 800,000
is by far the largest incident involving a college or university that I’m
aware of. And second, the fact that the data was contained in a
central information system is fairly unique. The majority of other
instances have involved distributed servers or databases maintained
by departments or other organizations at the university.
Reports indicated that the perpetrators were at work for a very
long time before the breach became public information in
November. Does that mean that officials waited on notifications?
It is my understanding that this breach only came to the
attention of UCLA officials in November; they had been conducting
their forensic investigation, and soon after reaching a conclusion
of the risk of exposure, they decided to go public and notify
the affected individuals. Any institution that becomes aware of an
incident or potential exposure walks a fine line between doing some preliminary investigation—typically
involving law enforcement—and wanting
to notify the affected individuals at the
earliest possible point. But, there is a
time frame within which investigators
need to collect their information and,
quite frankly, it may help them to catch
the perpetrator if they don’t make all of
the facts known too early.
Contrast this with the follow-up
investigation of recent security breaches
in the US Department of Veterans Affairs: A series of congressional
hearings disclosed that fairly
junior individuals knew about the
security breach and exposure, yet it
took a number of days to reach the level
of attention of senior leadership.
I don’t think that’s been the case [at
UCLA]. I think everybody acts on these
things promptly, and they move as
quickly as they can, at least to understand
the severity of the situation and
decide which steps to take next.
Do you think that higher ed is putting
steps in place not just to react to
large security breaches, but actually
to prevent them?
The Educause Center for Applied Research recently conducted a security
survey that was a follow-up to a survey
done in 2003, and the respondents
indicated that they feel more secure
today than they did then. Not surprising:
We are in a much better position today
than we were a couple years ago, ranging
from more security staff in place and
more investment of resources, to getting
a better handle on some of the technical
vulnerabilities and problems caused by
viruses, worms, et cetera, that were
really plaguing institutions two years ago.
But tremendous challenges lie ahead,
including the fact that attacks are getting
increasingly more sophisticated and
more severe, and have moved from just
being attempts to gain access to systems,
to now directly targeting data or
personal information.
Given those challenges ahead, what
would you like to see leadership in
higher ed do, or do more of?
We rolled
out a one-day seminar this year, entitled
“A Blueprint for Handling Sensitive
Data: Security, Privacy, and Other
Considerations.” The first one, coincidentally,
was held at UCLA in late January.
Whether schools use our proposed blueprint,
or modify it to address their own
institutional needs, we do believe that
every institution needs to have a strategy
for how it is going to protect sensitive
information. And the seminar and strategy
are not just targeted toward the
CISOs or campus IT staff; in fact, the
strategy requires interdisciplinary participation
of campus executives, risk managers,
legal counsel, auditors, IT directors,
data stewards, and others.
Do you try to outline specific steps
institutions might take?
We do have
seven summary steps that institutions
should follow [see “Seven Steps to
Protecting Your Institution”]. This
is a high-level blueprint and strategy.
But at the seminar, the blueprint will
introduce both strategies and a number
of practical steps that institutions could
implement to effectuate a more comprehensive
approach.
Where does the CSO or CISO fit in
an institution’s organizational and
reporting structure?
There’s been a
clear movement toward a) hiring and
designating more CISO-like people to
be responsible for this kind of task and
duty, and b) seeing to it that those individuals
are increasingly reporting to
CIOs or VP-level executives. Previously,
the CISO was farther down the IT
chain, often reporting to a network
director or other position. So the good
news is there have been significant
advances in recognizing the need for
somebody to be responsible for IT
security within IT organizations.
The vast majority of institutions that
claim to have a CISO probably have
the equivalent of an IT security officer,
meaning that he or she is primarily
focused on information that is contained
on systems and computers, and
that traverses networks—in other
words, the information technology part
of security. Very few institutions have
embraced the information security officer
role that really tries to look not only
at information that is on computer networks,
but also at information that
might reside in physical file cabinets.
And in that case, it wouldn’t necessarily
make sense that a true CISO would
report to the CIO; in fact, he or she
should probably report outside of the IT
organization, possibly to a COO, senior
VP, CFO, or to some other part of the
university. So there clearly have been
some changes, trends, and movements,
mostly in a positive direction.
I’m wondering if you might comment
a bit more on security in distributed
versus central environments.
What’s
interesting about the UCLA breach is that it involved a central information
system; previously, the vast majority of
data breaches at colleges and universities
have involved departmental systems
such as alumni records, patrons
of the performing arts center, athletic
ticket offices, or other such systems
that are maintained by departments
and not necessarily managed or run by
the central IT organization. That does
not mean that all data and all information
systems must be centralized, but if
an institution wants to keep information
decentralized and continues to operate
in a distributed form, it does need some
overall institutional compliance. That’s
why our blueprint says that the need to
clarify roles and responsibilities—and
to hold people accountable—applies
whether it’s a departmental system
maintained by a local IT person, or a
central system.
And if the local department cannot
maintain the level of standards or security
that is necessary, then those administrators
should be asked whether they
want to have that information stored
and protected centrally. Ultimately, it’s a
policy decision that presidents and
executive leaders might have to make
about whether this information is so
sensitive, so critical, and the risks so
high, that they need to exercise stricter
controls than they have previously. We
are going to see a lot of testing and
questioning about the nature of distributed
technology, at least with respect
to systems that contain highly sensitive
and personally identifiable information.
Seven Steps to Protecting Your Institution
- Create a security-risk-aware culture
that includes an information security
risk management program.
- Safeguard institutional data, and
classify the data according to its
importance, locating it and protecting
it against unauthorized access
and use.
- Clarify roles and responsibilities
and hold individuals accountable
for safeguarding data.
- Reduce access to sensitive data
that is not essential to university
processes.
- Implement stricter controls: policies,
processes, and technologies
that will safeguard data.
- Raise awareness and provide
training to the community.
- Routinely verify compliance with
all policies and procedures.
Based on the Educause seminars, "A Blueprint for Handling
Sensitive Data: Security, Privacy, and Other Considerations"
(Educause, 2007).
Are institutions learning how to perform
better departmental audits?
The
audit practice has improved significantly,
based on internal as well as external
auditors becoming more IT-savvy, and
increasingly including IT security as part
of audit reviews. However, I continue to
hear reports that the audits are performed
largely on central information systems,
and have not trickled down to
cover these very decentralized systems
that are of concern. So while the quality
of audits has improved, the pervasiveness
of audits across the various types
of information systems that might be in a
single university has a long way to go.
Is there any other observation you
would like to make, regarding the
UCLA breach?
Whether it be UCLA—
which I know has been working very
hard over the past several years to
increase IT security—or any other institution,
it’s unfortunate to suddenly be
dragged across the front page of every
major newspaper and be featured on
every radio and TV news program
because of a security breach. But the
reality is, if an institution does suffer an
incident of this kind, it has to go forward,
learn the lessons, and continue to
intensify and accelerate campus IT
security efforts that, in most cases, are
already underway.