The new reality of risk: even two years later, the post-9/11 world is spinning new challenges for IHEs.It's no secret that since the terrorist attacks of 2001, schools have had to rethink their security and risk issues. Universities must be ever more wary of who their students and faculty are, what they are doing, and how their actions can impact the institution in ways they never considered before. Jean Demchak, managing director and global leader for Higher Education higher education Study beyond the level of secondary education. Institutions of higher education include not only colleges and universities but also professional schools in such fields as law, theology, medicine, business, music, and art. Practice at Marsh, Inc. (www.marsh.com) risk management specialists, spoke to University Business about the new reality of risk. UB: What changes have resulted from such measures as the USA PATRIOT Act USA PATRIOT Act [Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorists], 2001, U.S. ? Demchak: Many of the changes mandated by the USA PATRIOT Act are unfunded, which has caused some problems for schools at a time of budget cuts. One of the tools they've had to implement is the SEVIS SEVIS Student and Exchange Visitor Information System (US Immigration and Naturalization Service) tracking system for foreign students. That has meant reallocating some of their human resources The fancy word for "people." The human resources department within an organization, years ago known as the "personnel department," manages the administrative aspects of the employees. staffing, and even bringing in some students who pass security checks, to help input data for foreign students entering campus this fall. The deadline (originally January of this year) has been extended a couple of times, and now is enforceable for just the new foreign students who have come in this past year. Returning students are part of the second phase. Another onerous issue raised by this anti-terrorism bill is electronic surveillance, which forces universities--and allows the FBI--to monitor any kind of communication service provider they're using, whether it's telephones, computers, or Internet access See how to access the Internet. . But the nature of the higher education industry is all about information sharing See data conferencing. and open-door policies Noun 1. open-door policy - the policy of granting equal trade opportunities to all countries open door national trading policy, trade policy - a government's policy controlling foreign trade , and this monitoring has created an unsettling un·set·tle v. un·set·tled, un·set·tling, un·set·tles v.tr. 1. To displace from a settled condition; disrupt. 2. To make uneasy; disturb. v.intr. internal situation for many administrators, because now they have to do something they don't feel comfortable doing. How are research institutes that work with biological agents affected by the legislation? The Public Health Security and Bioterrorism bi·o·ter·ror·ism n. The use of biological agents, such as pathogenic organisms or agricultural pests, for terrorist purposes. Bioterrorism Preparedness and Response Act, a subset of the USA PATRIOT Act, regulates the possession, use, and transfer of biological materials, including those at research institutes. Universities are required to inventory all those special agents, but that creates additional issues. The government is looking for Looking for In the context of general equities, this describing a buy interest in which a dealer is asked to offer stock, often involving a capital commitment. Antithesis of in touch with. duty of care here. They're looking for the university to take a proactive stance, and universities are usually very willing. But the administration often has little to do with the research, except to secure funding. And for professors, the regulations are almost like invading sacred territory; they fly in the face of Verb 1. fly in the face of - go against; "This action flies in the face of the agreement" fly in the teeth of go against, violate, break - fail to agree with; be in violation of; as of rules or patterns; "This sentence violates the rules of syntax" academic freedoms and the sharing of information with researchers around the world. Still, there's a new responsibility for institutions to maintain an awareness of where the data is going and who is receiving it. These days, the government is suspicious of who gets the data and what allegiances they may have. Universities are at the heart of all this. Is compliance a problem? Well, the question is: How do you secure cooperation from the professor or principle investigator leading a research project, to also protect the institution's reputation? And how do you ensure they've inventoried all the old research data, to prevent the government from coming in and slapping their hands or closing down the laboratory? Some schools are lackadaisical lack·a·dai·si·cal adj. Lacking spirit, liveliness, or interest; languid: "There'll be no time to correct lackadaisical driving techniques after trouble develops" William J. Hampton. about keeping old records, and sometimes this information deals with 10- or 20-year-old research that--white a principle investigator knew about it at one time--may not be brought to a relevant state. That's a real challenge for research institutes. The other part of the picture is the handling of biological agents and toxins. This is forcing campus security programs to look differently at how they treat crisis management plans and how they embrace laboratories. They now have to perform background checks not only on students, but also on faculty that teach there. There's an increased administrative burden, too, because now they're accountable for stronger physical security and maintaining stricter inventory of biological agents. They must be able to show whether they have any of these agents, where they are contained, how they are protected, and who has access. The open nature of the university extends to its computer network. What are the risks there? Universities set the standard for high-speed broad bandwidth and it has been a tremendous tool for sharing information and performing research for whatever studies a school is embracing. But it has also created a wonderful platform for hackers to go in and commandeer com·man·deer tr.v. com·man·deered, com·man·deer·ing, com·man·deers 1. To force into military service. 2. To seize for military use; confiscate. 3. To take arbitrarily or by force. other systems. They don't necessarily want to get at the information the university is housing, but they use the networks as a staging platform to go to a third party. Right after 9/11, for example, there were reports that a student in a German university had been using that university's network to send encrypted en·crypt tr.v. en·crypt·ed, en·crypt·ing, en·crypts 1. To put into code or cipher. 2. Computer Science messages to some of Osama bin Laden's cells in the U.S., through another university. Credit card fraud Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. and identity theft is also a huge concern for colleges and universities. Social security numbers and medical records have been huge issues, especially for institutions that are linked to hospitals. Can that information be used against the institution? Yes, in fact, there was one recent incident in which a hacker A person who writes programs in assembly language or in system-level languages, such as C. The term often refers to any programmer, but its true meaning is someone with a strong technical background who is "hacking away" at the bits and bytes. threatened to use the information if the university didn't respond to his demands. What has happened, given such incidents, is that schools are starting to move away from social security numbers as identifiers for students, toward a randomly generated four- or five-digit code that has nothing to do with anything else. So, shouldn't colleges and universities make these changes proactively? Yes, they should be moving away from using social security numbers as any kind of identifier. But not all institutions are doing this, it's the ones that have been impacted that are initiating change. Medical records also need to be protected. The HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, (Health Insurance Portability and Accountability) law that now limits access to medical information impacts all schools, whether they nave nave (nāv), in general, all that part of a church that extends from the atrium to the altar and is intended exclusively for the laity. In a strictly architectural sense, however, the term indicates only the central aisle, excluding side aisles. just a smart student health clinic or a full-fledged teaching hospital. That information still needs to be protected. What can be done to protect this information? In the past, institutions relied on their Web masters or IT managers as the go-to resource. Those people are very good at what they do, but they can't always get their hands around all the ways that hackers are coming into their university sites. Now we're seeing more institutions conducting external security audits of their systems. Just like the 24/7 security services Security services are state institutions for the provision of intelligence, primarily of a strategic nature, but also including protective security intelligence. Examples include the Security Service (MI5) and the Secret Intelligence Service (MI6) in the United Kingdom, and the that we have to protect our homes, this kind of surveillance is now available for universities. These services perform "ethical hacking" so they can see how easy it is to get inside the systems, and identify those areas of the system that need to be protected differently. They can immediately determine where the attacks are coming from and can shut them down. What about the threat that comes from within the university--where students use the network to trade copyrighted materials or software? That's certainly an issue for universities, but I think they're still at a loss as to how to protect themselves from that. When you have a student population that has grown up with the Internet and is very comfortable with trading music, they feel they have the right to do what they want even if they use the institution's network. Some institutions are taking a hard line and putting their file-sharing policies in writing to protect themselves. Whether it is executable and whether they can control every single act is a different subject, but at least they are stating that it is their intent that students do not share these files or this software. Institutions deal in intellectual property, and copyright information is a new issue for them, especially when they consider research data. Who owns the data and who owns the material? That's a somewhat different area but it does migrate into the area of Internet security ''This article or section is being rewritten at Internet security is the process of protecting data and privacy of devices connected to internet from information robbery, hacking, malware infection and unwanted software. . What are the risks that are faced by schools offering study-abroad programs? Now schools with study-abroad programs have to think differently about crisis management plans for them. How do you move students to a safe haven 1. Designated area(s) to which noncombatants of the United States Government's responsibility and commercial vehicles and materiel may be evacuated during a domestic or other valid emergency. 2. ? More importantly, how do you define "safe haven"? I worked with a university that had students in Spain on 9/11. Their news came only from BBC BBC in full British Broadcasting Corp. Publicly financed broadcasting system in Britain. A private company at its founding in 1922, it was replaced by a public corporation under royal charter in 1927. and Sky News, and the only information they were getting had to do with the celebrations on the West Bank. These students thought that all of America was under attack, and they couldn't call home because communication was down, and servers were down. They didn't know what to do, where to go, or whether they, too, were targets because they were American. Those questions were never considered by the institution because this had never happened. It's all different now. Even students who were in France this year during the recent war with Iraq felt at risk because of the anti-American sentiment. One institution we dealt with wondered: At what point do we consider France a hostile bureaucracy? Do we need to move our students out? Do we leave them in France or do we relocate them, perhaps to England? Are they safer in England or not? Then there is also a "failure to educate" issue here. If students were promised a certain curriculum in a particular country and they were suddenly not able to continue that education in the same manner, there is certainly the potential for a lawsuit. Universities now have to be very careful about the materials they create for their study-abroad programs. We encourage them to add more qualifiers. If there is an exception to the rule, it needs to be in the program orientation materials for parents and students to see. They need to be careful in what they promise. |
|
||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion