Establishing information technology best practices within a university setting has been, and continues to be, no easy task. Unlike accounting practices, which evolved over centuries, IT erupted over the course of a few decades.
In the late 1980s and early 1990s, as departmental networks came online and desktop computers became commonplace for faculty and staff, the risk was very low. Those new devices represented opportunity to empower decision-makers, hasten research and streamline office processes; cyber risks weren’t in the picture. Distributed computing required talented people to make it all work, but unlike accountancy, IT did not require passing a certification exam or the application of standards shared by colleagues worldwide.
Those of us who were building computers back in the 1990s arrived at our best practices relatively independently of one another. Guided by a few principles — the principle of least privilege, the removal of unnecessary services and software, and providing a simple interface for our users — we began to churn out computer labs for students, desktops and notebooks for faculty and staff, and servers to run it all.
What Have We Learned in 25 Years of IT?
It wasn’t until the late 1990s and early 2000s that standards began to be catalogued and shared, thanks to ITIL, ISACA, SANS and others. IT auditors updated their protocols by looking at more than just electronic accounting ledgers and enterprise systems. Attention began to turn to desktop computers, local servers and applications. By the time universities began to implement IT security, privacy and acceptable-use policies, the professionalization of the IT field in higher education had begun.
So, collectively, what have the past 25 years taught us? What are our best IT security practices? First, we’ll look at what we’ve learned at the institutional level. Second, we’ll examine the departmental, or college, level. Finally, we’ll take a look at where to turn for answers.
At an institutional level, we’ve learned that the risk involved with storing and processing personally identifiable information, patient records and financial information cannot be ignored. We have demonstrated that understanding by creating official policies that address security, privacy, acceptable use and data handling, to name a few. Certainly, the past two decades have taught us to protect our borders. Buy as much bandwidth as you can afford — just be sure to buy the fastest security appliances too.
Understand the importance of establishing formal security and privacy responsibilities, whether it’s by creating a CISO position or by assigning that role to a high-level IT person. Raise awareness among faculty, students and staff, as they play a significant role in protecting a university’s digital assets. Address emergency management at campus and institutional levels. All of that, and more, are the best practices we now expect from institutions of higher learning.
Not surprisingly, the lessons of the past 25 years have taken some time to grab the attention of deans and department chairs, whose business is not IT; however, news headlines are changing that. Departmental IT professionals can find it difficult to implement best practices in an environment where such measures are often viewed negatively as bureaucratic or out of touch with the demands of teaching, research and the pressure of tenure and promotion. The departmental IT leader must work closely with the dean or department chair to establish policy, procedures and enforcement measures. Lacking local political cover, IT leadership hopefully has institutional backing to implement best practices.
From my experience, departmental IT professionals know the following best practices. Yet, because of local political resistance, they still struggle to implement them:
- Limit the use of administrative privilege
- Manage, inventory and secure mobile devices (tablets, phones and notebooks)
- Manage the procurement of all computing devices
- Store institutional data only on approved systems
And because of budgetary concerns and staffing levels, departmental IT professionals struggle with:
- Regular review of server logs
- Training of IT staff (for both security and job skills)
- Business continuity and disaster recovery planning and testing
Interpreting institutional policy can be problematic at a departmental level. Having a formal, enterprisewide IT security office or program can be helpful in establishing and communicating best practices for all to follow.
Valuable Online Resources for Further Reading
For institutions just getting started, there are several places to turn for help.
A good place to start is the Information Security Guide, curated by the EDUCAUSE/Internet2 Higher Education Information Security Council. It is thorough and well worth the read, online at spaces.internet2.edu/display/2014infosecurityguide.
For sample policies from dozens of universities, EDUCAUSE maintains a large library, available at educause.edu/library/security-policies.
The EDUCAUSE site is a great resource for members and nonmembers. Information is grouped by focus area, with “Policy and Security” at educause.edu/focus-areas-and-initiatives/policy-and-security.
SANS publishes a popular list of 20 critical security controls, online at sans.org/critical-security-controls.
For those who want to join a trusted community of IT security professionals, the Research Education Networking Information Sharing and Analysis Center (REN-ISAC; ren-isac.net) is a great resource for actionable, timely information and threat intelligence.
We are all too familiar today with the risk of connecting a computer or server to our campus network. Executive administrators are too. With the proper institutional willpower, we can move forward with the industry’s best practices, and that will help the entire profession.