In piecing together a multilevel security strategy, most IT managers start by assessing the risks and selecting technologies that can help them get the job done.
E-mail and web content filtering applications help guard students, faculty and staff from phishing and other web-based attacks. And technologies such as desktop virtualization can secure IT resources at colleges and universities by keeping them safe within the confines of a hardened data center.
But a truly effective strategy requires more than just a solid mix of traditional client-based antivirus and personal firewalls and layers of network management tools. A campus IT and security team needs to think holistically about information assurance.
When it comes to security, everything matters. Multilevel security is a juggling act: assessing the risks, selecting the right technology and applying it in layers, and making sure your staff (and especially your users) recognize that they're also on the front lines of keeping data and systems safe.
Everyone at your institution has to be aware of the inherent risks associated with browsing the web, exchanging data and accessing the enterprise network.
The IT department can be invaluable in driving awareness. It is the department's responsibility to keep the community up to date on the latest phishing scams and viruses, yet still make students, faculty and staff feel that the network is safe and that they can get classwork and projects done.
“User education is critical because most students have no idea how their online actions affect the institution and their own future,” says Scott Crawford, managing research director at consultancy Enterprise Management Associates.
Some of the colleges we profile in the feature story “A Good Offense” understand exactly where Crawford is coming from with this advice.
John Dolinar, manager of safe and secure computing at Cuyahoga Community College in Ohio, says security education is part of the web- and video-based training now available to students at his institution.
And at Connecticut's Quinnipiac University, Information Security Officer Brian Kelly has set up a help desk in the library to teach students basic skills such as resetting passwords.
Whatever approach your organization takes, a user training session should be part of student orientation and reinforced on a regular basis. Remember that all the security tools in the world won't help if your students, faculty and staff don't understand the risks facing them.
So how does IT manage this delicate juggling act? One option is to leverage the availability of 24x7 networks and upgraded security tools. For example, Quinnipiac's Kelly says that because student notebooks tend to be always on and connected to the network, it is easier for the IT staff to keep the systems' antivirus and other critical security software up to date.
The percentage of unwanted e-mail in circulation during 2010 that contained links to spam sites or malicious websites
SOURCE: “2010 Threat Report,” Websense, January 2011
While users need to be aware of potential threats and know that their systems run security software, IT is most effective when the staff works quietly behind the scenes and students, faculty and staff can work on their computers with few if any changes to their routines.
A primary goal for any multilevel security program is to keep the network as open as possible, especially for students. Today's students grew up with technology and expect broadband networks to be available and safe, the way they were at home for many of them.
It's a challenge, but by deploying a multilevel security strategy that balances the need for security with open access to the campus network, your institution can stay competitive in the race to attract high-caliber faculty and students.