Secure Data Relies on People, Not Just Technology

Because universities are decentralized, data is located everywhere. Personal information stored on central administration servers is replicated in individual school and department servers and personal computers, allowing administrators in each area to run their day-to-day operations, says Kent Wada, director of IT policy at the University of California, Los Angeles (UCLA).

“Many people need to work with this data every day, so security becomes the responsibility of a lot of people, not just IT staff,” Wada says.

Colleges and universities, along with corporations, financial institutions and government agencies, are favorite targets of data thieves and hackers who want to commit identity theft or compromise data, such as student grades or university research.

Because of a rash of high-profile data security breaches, Congress is considering legislation to establish national guidelines on storing and protecting consumer information. Legislation may require data handlers to issue notifications every time unauthorized people access sensitive information. Some states already require such notifications.

Security technologies such as firewalls, intrusion-detection tools, and antivirus and antispyware software go a long way toward keeping data safe. But for the technology to be effective, institutions must develop good security policies and procedures, and then train everyone on campus to follow them, says Charles Morrow-Jones, director of cybersecurity for The Ohio State University in Columbus.

“Information security is a three-legged stool: policy, technology and security awareness,” Morrow-Jones explains. “None is effective without the others. Technology with no policy doesn't tell you how to act. People need to know that policies are in place and their ramifications. And all that is incomplete without user education – making people aware of the policies with which they must comply.”

Creating Policies

The most basic policy is an acceptable-use policy, a set of rules users on campus must abide by. At Ohio State, users can't use network resources in excess. Intellectual property theft – from downloading music illegally to plagiarizing information from the Internet – is prohibited. To connect to the campus network, users must have the latest antivirus and antispyware definitions and operating system updates.

“If you don't have an acceptable-use policy in place, there are no grounds to enforce anything,” Morrow-Jones points out.

Besides an acceptable-use policy, University of California, Davis (UC Davis) has developed 14 security standards with which each campus department must comply. The standards include a mix of network and physical security measures. For example, all users are required to go through an authentication process, by providing user names and passwords, before they can access campus network services, says Robert Ono, UC Davis' information technology security coordinator.

All critical and sensitive data must be backed up in separate storage devices and placed in secure locations. If computers are left unattended for more than 20 minutes, they lock themselves and require users to log in again, Ono says.

In addition, every campus department must evaluate all its computing systems and applications that house personal information, such as student health records and driver's license numbers. If the information is not required, the department must remove it. If the data cannot be removed, the department must secure the information with measures such as removing several digits from Social Security numbers or encrypting the data.

In recent years, UCLA has gone through a similar exercise, which caused every campus unit, including administrators in student affairs and the finance office, to inspect its data and delete unnecessary records. UCLA also reviewed the individuals who have access to sensitive data and the way they handle that information – particularly when that data resides in devices that are easily lost or stolen, such as notebook computers, personal digital assistants and memory drives.

“Sticking huge amounts of data on notebook PCs, CDs – and now, even cell phones – is extremely convenient, but it represents a big security risk,” Wada says.

The ongoing effort has tightened up security on campus. UCLA no longer puts Social Security numbers on pay stubs, for example. “We are in a much better place than we were before,” he says.

UC Davis' security team focuses on quality assurance to measure its security performance. The campus requires each department to self-evaluate its security measures. Then a university audit team performs security reviews to make sure each department is meeting requirements.

Choosing Technologies

Besides firewalls, antivirus software and antispyware software applications, universities should install intrusion-detection tools to thwart hacking and other malicious activities, along with tools to scan the network for vulnerabilities.

To further boost security, colleges can create “network honeypots,” which are servers on the network that offer no productive service, but provide attractive bait for attackers, UC Davis' Ono says. System administrators can detect remote users trying to connect to the honeypots, and the IT staff can block those IP addresses from entering the campus network again.

Many universities are also exploring encryption technology to protect personal data on servers and other electronic media. Commercial applications allow users to encrypt data while saving and storing it and to decrypt the information when they need to access it.

To educate students, faculty and staff, colleges offer security Web sites with the latest news, alerts and advisories. Ono offers Brown Bag lectures, featuring campus security officials and experts from tech vendors, throughout the year. He also sends periodic e-mail alerts to everyone on campus about new security risks.

To succeed in making campus data secure, IT security officers need to work closely and consult with everyone on campus, from the faculty senate to the student affairs office to human resources, says Tom Siu, chief information security officer for Case Western Reserve University in Cleveland. “You have to build a liaison with all the constituencies, so they adopt security practices as a part of their day-to-day data management routine,” he says.