Security

Ensuring Security in Partnerships

Entering partnerships without addressing proper privacy and security controls is risky business.

Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She provides cybersecurity publication consulting services to organizations and was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST).

Colleges and universities rely increasingly on partnerships with other institutions and organizations to improve their administrative and academic services. The use of cloud services to provide IT infrastructure and application services is just one example.

Partnerships can be incredibly beneficial, allowing institutions to focus on what they do best while leaning on partners to provide auxiliary services that support their core mission.

The movement toward partnerships is being helped along by the increasingly vital role of technology. It is a major challenge to keep up with the rapid pace of technological change, and that is even more true in education. Learning management systems, online course modules and other innovations are being adopted quickly, in large part thanks to their availability through vendor partnerships.

Institutions also enter into partnerships among themselves. Two colleges may agree to offer classes to each other's students, for example. While their agreement may not necessarily focus on technology, it certainly is a core component, and student information, transcripts and other information associated with students will be shared.

No matter the nature of the partnership, universities must be diligent when considering inherent IT security and privacy risks. Recent changes in technology merit re-examination of security and privacy practices to ensure such concerns are properly addressed, today and in the near future. Colleges and universities should follow several security and privacy best practices when investigating, implementing and managing partnerships.

Security and Privacy Considerations

Any partnership should be based on an agreement, such as a contract, which defines all terms and conditions. Security and privacy considerations should be included, with privacy especially important if the partner will access or host personal information on an institution's behalf. Any cloud services agreement also should involve detailed security requirements so that it is clear which party (the cloud provider, the institution or a third party) is responsible for securing each part of a cloud solution.

Involve the Appropriate People in Decision-Making

Every university should have a chief security officer and a chief privacy officer, who may or may not be the same person. If the CPO is not an attorney, then other legal counsel should be included in privacy decision-making, such as during the creation of institutional privacy policies and when formalizing privacy agreements with partners. It's critical to involve staff or faculty who are driving adoption of technologies, to ensure that their use cases are fully understood and subsequently accounted for within related policies and agreements. Qualified practitioners identified by the CSO and CPO should handle day-to-day security and privacy considerations, such as maintaining security controls, safeguarding use of personal information and monitoring partners for compliance with other institutional policies.

Consider Data Loss Prevention (DLP) Technology

DLP is specifically designed to monitor network and computer activity to identify inadvertent or intentional attempts to migrate sensitive information to unauthorized locations, such as forwarding a spreadsheet with confidential student records to an external email address. Although DLP may be costly to implement and to maintain, and requires frequent monitoring and tuning to optimize performance, it can save an institution from significant expense and embarrassment by preventing major data breaches. If an institution and its partners cannot afford to implement DLP, determine what compensating controls can take its place (such as enhanced training and email encryption); however, there is no replacement for effective DLP when it comes to preventing a data breach.

Be Aware of Uses of Datamining

Datamining is used increasingly to analyze large data sets, which may include demographic information or other personal information held by colleges and universities. Unfortunately, datamining can be misused — intentionally or not — to compromise privacy. A partner that is not authorized to look up individual student records could make general queries against the student database and receive anonymous results. If the partner knows an institution has only one student enrolled from a particular country, a query for all students from that country allows the partner to effectively infer information about that student based on the query results. While this is an old problem with databases, it is being seen again more frequently thanks to the prevalence of datamining technology. Known techniques — such as refusing to provide results when the number of results is too small — should be implemented to ensure database queries do not return results that could negatively impact any student's privacy.

Distinguishing Privacy from Security

Privacy is a complex concept. In terms of IT, privacy can be defined as an individual's right to the confidentiality of their personal information, and protection from unauthorized access and use of that information. Colleges and universities are entrusted with a wide variety of personal information related to students, faculty and staff, and are expected to protect their right to privacy. That requires management, operational and technical security controls that ensure confidentiality, including privacy policies, access-control lists and data encryption.

Privacy grows more complex when partnerships are involved, mostly due to the many differences in privacy laws among states, countries or other jurisdictions. The fundamental security controls used to ensure privacy basically are the same everywhere, but the legal responsibilities associated with hosting personal information vary. Legal counsel should be involved in the planning and execution of agreements to ensure privacy considerations are fully understood by all.

BrianAJackson/thinkstock