Mar 17 2016

How to Adopt the Right IT Security Posture in Higher Ed


Your institution fights new and emerging threats each day. Maintain a complete and total security posture through new security tools and strategies.

Information security issues top the list of technology concerns for colleges and universities. In the wake of high-profile security incidents at Penn State University, Rutgers University and other institutions across the nation, higher education administrators and governing boards are carefully examining their exposure to confidentiality, integrity and availability risks.

Each year, EDUCAUSE, the higher education information technology association, surveys IT professionals throughout higher education about the top issues they face. Information security skyrocketed on the list in 2016, rising from 10th place in 2015 to the very top of the list this year. That ranking reflects the significant investments institutions are making in protecting information and dealing with emerging information security priorities.

Assessing Your Current Security Posture

Institutions should begin their information security journey with an honest assessment of their current security posture. That may include both qualitative program assessments and automated tools designed to assess the configurations of security controls.

Many different security frameworks exist that allow an institution to verify that it is covering all of the common elements of an information security program. These include the ISO 27001 standard for Information Security Management and the Control Objectives for Information Technology (COBIT) framework. Either of these frameworks offers an excellent starting point and may be used as a guide for institutions performing their own control assessments.

Frameworks tell only part of the story, however. They’re useful for determining whether the institution has the right types of controls in place, but they don’t assess whether those controls are properly implemented.

That’s where automated vulnerability assessment tools come into play. These tools scan an organization’s technology infrastructure, searching for the presence of known vulnerabilities. They then provide administrators with a prioritized remediation plan that walks technical staff through correcting any identified risks. Mike Chapple, senior director for IT Service Delivery at the University of Notre Dame, feels that vulnerability assessments are an essential tool for security teams.

“Vulnerability assessments provide organizations with important insights into their security posture, including a detailed examination of active infections and weaknesses that might allow an attacker to gain a foothold on the network,” Chapple says.

The stakes are high. Higher education is an information-driven field and protecting that information is critical to continued success.

Colleges and universities serve as stewards of sensitive personal information belonging to students, faculty, staff and alumni, but that personal information represents only the tip of the information iceberg. Institutional research, financial investments, admissions priorities and other proprietary records are attractive targets for theft.

Prioritizing Your IT Security Needs

While many security measures come without a price tag, for instance crafting an incident response plan and purging old records, building a secure IT infrastructure requires investments of both financial and human resources.

Colleges and universities often face a nearly insurmountable list of potential security initiatives and must decide which initiatives will deliver the most security benefit in a cost-effective manner.

EDUCAUSE’s 2016 Top Ten IT Issues list made it clear that institutions are prioritizing security investments. Susan Grajek, EDUCAUSE’s vice president for data research and analytics, led the most recent study and summarized the findings by saying that institutions “need to double down with information security, in part because there’s just so much more data that we need to manage but also because the threats keep increasing.”

Security leaders may find that the media attention focused on security issues makes the timing ripe for a new budget request designed to bolster an institution’s information security program. Other institutions may find themselves under financial pressures that require the reallocation of resources from other technology initiatives.

In either case, institutional leadership will call on IT professionals to help prioritize security initiatives to allow the wise investment of school funds.
