11 questions to ask your campus CIO about information security
Picture this scenario: An employee leaves for a family vacation and plans to do some work while out of the office, so they take their company laptop on the trip. At airport security, the employee accidentally leaves it in the plastic bin before heading to the gate. Maybe they were distracted; perhaps they were running late. Whatever the reason, the employee does not realize what has happened until mid-flight. In 2008, a lost laptop might have been a problem; in 2018, it can be a crisis.
This type of event may trigger panic in many higher education leaders. After all, a lost employee laptop can mean the potential breach of tens of thousands of student records. Knowing the right questions to ask your CIO, IT teams and vendor partners can help quell those feelings of dismay and helplessness.
Data security has always been a priority for colleges and universities. Today it is more important than ever. Shifts inside and outside of higher education are creating new security challenges: devices that arrive on campus in greater numbers and greater variety, larger volumes of data, increased use of business intelligence and analytics, and increased attacker activity. In the first half of last year alone, the number of lost, stolen or compromised records grew 164 percent, according to a report from Gemalto. Once again this year, information security is the No. 1 issue in EDUCAUSE’s Top 10 IT Issues report.
I saw the growing concern over security in higher education when I led the Office of Analytics at the University of Maryland University College, and I continue to watch the effects on the institutions we work with today. What’s clear is that too often, non-IT leaders are in the dark about all the potential security risks they face.
Let’s return to the lost laptop. The crux of data security is to create multiple layers of defense. Ensuring your CIO has the right answers to the following questions can establish a strong foundation.
What are our policies for encrypting laptops?
These days, a login password is standard on every laptop, but on its own it does not protect the data on the disk: the drive can be removed, or the machine booted from other media, and the files read directly. Bolster that baseline by requiring full-disk encryption on all employee laptops, and by requiring that laptops be locked or shut down when not in use, since the decryption key sits in memory for as long as the machine is unlocked. Encryption provides a formidable first level of defense.
Do we require multi-factor authentication to log into our network?
This security measure is now common at financial institutions, email providers and even social media channels. Multi-factor authentication adds an additional layer of security: a second factor, typically a code from or a prompt on the user’s mobile phone or a hardware token, is required to authenticate the user on the network. Even if the employee’s laptop is stolen, and even if the thief learns the employee’s password, the attacker would still need the employee’s phone to reach your network. Note what multi-factor authentication does not do: it protects accounts and network access, not the data already stored on the lost laptop. That is what encryption is for.
How can we remotely access laptops?
Remote access is an IT team’s fail-safe when it comes to security. If that same employee’s laptop cannot be recovered, your IT team should be able to send a remote wipe command that clears the computer of all personally identifiable information (PII) and other sensitive data. A wipe only takes effect once the device comes online, which is why the encryption from the first question matters: it covers the case where the laptop never reconnects.
While laptop security might seem straightforward, network and enterprise system security are a bit more complex. Now that you know your laptops are secure, you need to ensure your network is also protected. To be sure of this, go through these additional questions with your CIO.
Is the most restrictive access in place?
Sensitive data should not be reachable from the public internet and should be accessible only to the people and systems your IT team has explicitly authorized. The ideal configuration is to place firewalls in front of the systems that hold important records and to allow inbound access only from in-network and whitelisted IP ranges, with every other source denied by default.
How do we share data with third parties not on our network?
Today, working with external partners often means sharing files that may contain sensitive data that needs to be protected at every stage. A best practice is to use a secure and auditable application to share files between parties, rather than email attachments or ad hoc uploads, so that every transfer is encrypted and there is a record of who sent and who retrieved each file.
How is data encrypted?
Data should be encrypted while it’s “at rest,” meaning sitting in a database or on disk, and “in transit,” meaning moving from one department’s system to another or back and forth between an institution and a third party.
How are events and changes logged and monitored?
In data security, you want to catch human error quickly. For example, someone could accidentally open up a firewall port to a broad range of IP addresses. Change logging and alerting are standard today, but be sure they are actually in place: every configuration change should be logged, and a change that widens access should notify the appropriate staff so it can be reversed before it is exploited.
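As an added example covering both the “most restrictive access” question and this one (not code from the original article or from HelioCampus), the script below audits a set of inbound firewall rules against an allowlist and reports which findings are new after a change, which is the content an alert should carry. The rule format, the trusted networks (10.0.0.0/8 for the campus and 192.0.2.0/24 for a partner), the single public port and the “before” and “after” rule sets are all constructed for the example.

```python
import ipaddress
from typing import List

# Constructed for this example: in-network and partner ranges allowed to reach internal
# services, and the only port meant to be reachable from anywhere on this host group.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
PUBLIC_PORTS = {443}
BROAD_SOURCE = 2 ** 16  # an untrusted source covering a /16 or more is rated HIGH


def is_trusted_source(cidr: str) -> bool:
    """True when the whole source range sits inside an in-network or whitelisted prefix."""
    src = ipaddress.ip_network(cidr, strict=False)
    return any(src.version == net.version and src.subnet_of(net) for net in TRUSTED_NETWORKS)


def audit_rule(rule: dict) -> List[str]:
    """Findings for one inbound rule {id, from_port, to_port, source}; empty when acceptable."""
    src = ipaddress.ip_network(rule["source"], strict=False)
    if is_trusted_source(str(src)):
        return []
    exposed = [p for p in range(rule["from_port"], rule["to_port"] + 1) if p not in PUBLIC_PORTS]
    if not exposed:
        return []  # e.g. HTTPS open to the internet on a web tier: intended exposure
    severity = "HIGH" if src.num_addresses >= BROAD_SOURCE else "MEDIUM"
    return [f"{severity} {rule['id']}: {len(exposed)} non-public port(s) "
            f"({exposed[0]}-{exposed[-1]}) reachable from untrusted source {src}"]


def new_findings(before: List[dict], after: List[dict]) -> List[str]:
    """Findings introduced by a change: the ones that should notify someone."""
    old = {f for r in before for f in audit_rule(r)}
    return [f for r in after for f in audit_rule(r) if f not in old]


# Constructed rule sets. BEFORE is clean; AFTER contains the accidental change the article
# describes (the database rule's source widened to the whole internet) plus an all-ports
# rule for a vendor range that is not on the allowlist.
BEFORE = [
    {"id": "web-https", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"id": "db-postgres", "from_port": 5432, "to_port": 5432, "source": "10.0.0.0/8"},
    {"id": "partner-sftp", "from_port": 22, "to_port": 22, "source": "192.0.2.0/24"},
]
AFTER = [
    BEFORE[0],
    {"id": "db-postgres", "from_port": 5432, "to_port": 5432, "source": "0.0.0.0/0"},
    BEFORE[2],
    {"id": "vendor-all", "from_port": 0, "to_port": 65535, "source": "203.0.113.0/24"},
]

if __name__ == "__main__":
    for finding in new_findings(BEFORE, AFTER):
        print(finding)
```

Running the audit on every rule change (for example from a change-management hook or a nightly export of the firewall configuration) turns the “someone opened a port to the internet” mistake into a notification within minutes rather than a discovery during an incident.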
What are the business continuity plan and disaster recovery strategies?
Make sure there is a plan to rebuild systems in a different, pre-determined geographic region in the event of a disaster in the primary region, that regular snapshots of system data are taken, and that restoring from those snapshots is tested rather than assumed to work.
How do we look for system vulnerabilities?
At all institutions, IT teams should run proactive vulnerability assessments with third-party tools on a weekly basis, and patch operating systems and applications on a regular schedule so that data defenses keep up with new attacks.
How do we prevent intrusion?
Just as the lost laptop needed its own layers of defense, networks also need an additional layer of security. Be sure that intrusion detection is in place at both the host level and the network level, looking for suspicious behavior such as repeated failed logins or unusual connections, and that there is a centralized console to monitor the resulting alerts.
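As an added example of host-level detection logic (not code from the original article or from HelioCampus), the detector below reads sshd-style authentication log lines and raises an alert when one source address fails to log in repeatedly within a short window, and a second, more serious alert when that same source then succeeds. The log lines, host name, addresses and user names are constructed for the example, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

FAIL_THRESHOLD = 5              # this many failures from one source ...
WINDOW = timedelta(minutes=2)   # ... within this span raise an alert
ASSUMED_YEAR = 2018             # assumption: syslog lines carry no year

# Matches the standard OpenSSH password success/failure messages.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

Alert = Tuple[str, str, str]  # (kind, source address, detail)


def detect_auth_events(lines: List[str]) -> List[Alert]:
    """Single pass over time-ordered log lines keeping a sliding window of failures per source."""
    alerts: List[Alert] = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures inside WINDOW
    users_tried = defaultdict(set)         # src -> user names seen in failures
    flagged = set()                        # sources already reported as brute-forcing
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # other sshd messages (disconnects, key exchange) are not auth results
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        src, user = m["src"], m["user"]
        window = recent_failures[src]
        while window and ts - window[0] > WINDOW:
            window.popleft()               # expire failures older than the window
        if m["result"] == "Failed":
            window.append(ts)
            users_tried[src].add(user)
            if len(window) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src,
                               f"{len(window)} failures in {WINDOW.seconds}s, users: "
                               + ", ".join(sorted(users_tried[src]))))
        elif src in flagged:
            # A success from a source that was guessing is the case that matters most:
            # the account is probably compromised, not merely under attack.
            alerts.append(("success_after_failures", src, f"user {user}"))
    return alerts


# Constructed sample: a fast guessing burst that ends in a successful login, a benign typo
# by a user on the campus network, an unrelated sshd message, and a slow attacker whose
# attempts are spaced wider than the window.
SAMPLE_LOG = [
    "Jan 14 10:22:01 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Jan 14 10:22:05 bastion sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "Jan 14 10:22:09 bastion sshd[2235]: Failed password for invalid user oracle from 203.0.113.7 port 51247 ssh2",
    "Jan 14 10:22:14 bastion sshd[2237]: Failed password for jdoe from 203.0.113.7 port 51251 ssh2",
    "Jan 14 10:22:20 bastion sshd[2239]: Failed password for jdoe from 203.0.113.7 port 51258 ssh2",
    "Jan 14 10:22:31 bastion sshd[2241]: Accepted password for jdoe from 203.0.113.7 port 51263 ssh2",
    "Jan 14 10:23:02 bastion sshd[2299]: Failed password for mlee from 10.0.0.5 port 40112 ssh2",
    "Jan 14 10:23:10 bastion sshd[2299]: Accepted password for mlee from 10.0.0.5 port 40112 ssh2",
    "Jan 14 10:25:00 bastion sshd[2301]: Connection closed by 10.0.0.5 port 40112 [preauth]",
    "Jan 14 10:30:00 bastion sshd[2350]: Failed password for root from 198.51.100.9 port 33001 ssh2",
    "Jan 14 10:36:00 bastion sshd[2352]: Failed password for root from 198.51.100.9 port 33002 ssh2",
    "Jan 14 10:42:00 bastion sshd[2354]: Failed password for root from 198.51.100.9 port 33003 ssh2",
    "Jan 14 10:48:00 bastion sshd[2356]: Failed password for root from 198.51.100.9 port 33004 ssh2",
    "Jan 14 10:54:00 bastion sshd[2358]: Failed password for root from 198.51.100.9 port 33005 ssh2",
]

if __name__ == "__main__":
    for kind, src, detail in detect_auth_events(SAMPLE_LOG):
        print(kind, src, detail)
```

The slow attacker in the sample never trips the threshold, which is the known blind spot of a per-window count: a production rule set also counts failures per target account across all sources (password spraying) and feeds both into the central console the question asks about.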
How can we create a culture of data security on campus?
Regular education for data and security professionals via professional development, online groups, etc. is key to staying up-to-date with the changing landscape of security. The other side of the culture coin is regular compliance assessments of campus devices. Remember to check that your partners follow similar policies.
As new technology and methods for sharing information are developed, protecting data will continue to be a priority for higher education. Asking the right questions now could help set you up to respond nimbly to new threats in the future.
Darren Catalano is the CEO of HelioCampus, a higher education analytics platform. Prior to joining HelioCampus, Darren was the vice president of analytics at the University of Maryland University College (UMUC), where he helped develop a culture of data-driven decision making.