The Human Side of IT Security

Securing the network, protecting sensitive information and providing an environment that facilitates learning are day-to-day tasks for all higher education information technology shops.

But what about the human side of IT security? It's no secret that in the fast-paced world of IT security, user education, victim advocacy and actions to reduce the negative social impacts of living in an always- connected world can fall by the wayside. The University of Maryland's Office of Information Technology (OIT) has approached this challenge by forming a unit populated with staff appropriately equipped and trained to address the social concerns. We call it Project NEThics.

While the university maintains a staff of IT security professionals responsible for incident response, monitoring intrusion prevention system logs and controlling access, Project NEThics takes on the challenges of IT security from the social angle. Internet abuse has real consequences, often affecting people negatively. Whether a student is the victim of harassment via the Internet or cyberstalking, Project NEThics endeavors to achieve a safe and positive outcome to the situation.

Project NEThics was created in 1996 to address the social consequences of the increased use of the Internet and related technologies on campus. The term NEThics was created to characterize the proper use, or ethics, involved with using new technologies. Along with developing and enforcing policy, Project NEThics became the public face of IT security and the most effective way to handle user complaints and issues regarding unacceptable use of campus technology resources.

NEThics Issues

The issues addressed by Project NEThics include:

Criminal Activity: We all know that the Internet can be used to break the law. As a function of IT security, our Project NEThics office has built relationships with the campus police and public safety departments to efficiently report crimes and deliver evidence, if possible. For instance, we turn over messages that threaten bodily harm, hint at hate crimes or are used to intimidate.

DMCA Complaints and Intellectual Property: One of the biggest issues for universities across the country is how to handle Digital Millennium Copyright Act takedown notices and any other correspondence with copyright holders regarding the violation of intellectual property rights, usually referred to as illegal downloading. Project NEThics takes a proactive approach in handling these requests from copyright holders, working with notice recipients in a non-threatening way to explain the ramifications of the complaint and to lead to compliance.

We stand ready to alert students, faculty and staff to any DMCA complaints that have been filed against them and to work with them to explain what the takedown notice actually means. If dealing with repeat offenders, we suspend their network access until we can meet with them. While we reserve the right to refer students who refuse to comply with our acceptable use policy to the Office of Rights and Responsibilities, we prefer to act proactively through social measures to prevent restricted actions. Along with a grass-roots effort by student government legislators who were concerned about the increasingly hostile legal climate around illegal file sharing, Project NEThics staff took the lead in securing and promoting a legal music service for students.

Hacking or Unauthorized Access: Having personal information compromised can be a scary scenario. Aside from trying to identify the perpetrators behind the attack, Project NEThics strives to make students aware of how they can recover from such an attack and take steps to protect themselves from future attacks.

Take a Proactive Approach

These issues permeate higher education in America. So how do you build a program to address these social issues related to IT security management?

First, you prioritize your risks. Determine what you think are the greatest weaknesses in the management of your IT infrastructure. If these issues have social implications, then it may be necessary to take a more active approach in mitigating these risks. Before formally implementing Project NEThics, we identified a need for staff to address the issues described above.

You also must understand your own policies and procedures. Is there an acceptable use policy in place at your institution? This type of policy sets the bar for what is considered to be acceptable use and what is not. The basis of everything that we do regarding proper use of information technology resources is based on this document, so it is critical to the vitality and authority of the program that this document exists.

Before you can begin responding to and resolving issues that are being reported, it is important to have clearly assigned responsibilities and defined processes for responding to certain issues your program will be handling. Develop a program charter and support documentation. Only after you have defined and refined a standard process can your office best respond to variations of similar issues that will likely come through your door. Acting “on the fly” is not the best way to respond to these issues.

Finally, it is crucial to build intracampus relationships. A program of this scope can be successful only if campus stakeholders across the spectrum stand behind it. This means building relationships and leveraging the capabilities of police, public safety, general counsel, campus residents and other groups. With the potential for cyberstalking, account sabotage and sexual harassment occurring over the Internet, the IT aspect of the situation must be addressed in conjunction with other agencies.

Victims advocate offices, health or counseling centers, or ombudsmen for faculty/staff/student issues may all be important points of contact. With case coordination between offices, a victim of cybercrime can be carefully shepherded through the investigative process as well as a healing process with the most effective attention the university has to offer. By obtaining buy-in from these important stakeholders, you can assure that your program has the support that it needs to be effective at its mission.

The concept of IT security gets increasingly complex every day, and it requires a proactive and creative approach in order to comprehensively manage the challenges that accompany it. By building a program to supplement the capabilities of classic approaches to IT security through education, advocacy and counseling, your program will have evolved in readiness to gracefully address all that comes its way.