Training your staff to protect SIS data: no matter how robust your firewall, trained faculty and staff are your first line of defense against system breaches.

More than 180,000 students and alumni at Western Illinois University
In 2006 alone, 83 security breaches were reported at 65 colleges and universities worldwide, compromising 2,683,059 records, according to a report titled "Educational Security Incidents Year in Review: 2006," prepared by industry observer Adam Dodge. Interestingly, only 33 of the 83 incidents involved purposeful penetration of an institution's SIS by computer hackers. The majority of data losses occurred through theft, unauthorized disclosure, loss, and impersonation. For example, personal information regarding political science students at the University of Minnesota was revealed when a laptop containing the unencrypted data was stolen from a professor's car. One hundred Westminster College
In the first half of 2007, 73 incidents occurred, according to "Educational Security Incidents"--only 10 fewer than occurred in all of 2006. "The breaches are absolutely increasing in frequency," says Rob Guido, director, fusion middleware at Oracle, and nearly 50 percent of all breaches are happening in higher ed, he says. Colleges and universities are likely targets because there is "an abundance of personal information," it is of high quality, and it exists in an open, decentralized environment, he says. Additionally, universities have less money to put toward securing the data, making them more vulnerable to attack.

While preventing hackers from accessing sensitive computer data has been the focus at many institutions of higher education, attention appears to be shifting to reducing the risk of security breaches made via human error. The EDUCAUSE Center for Applied Research (ECAR) conducted an Information Technology (IT) Security Study in 2006 and found that 69.1 percent of educational institutions had a security awareness program in place for staff, up from 42.2 percent in 2003.
Additionally, 68.8 percent of institutions had a security awareness program in place for faculty, up from 38.2 percent in 2003. What is surprising, however, given these jumps, is that only 20.4 percent reported mandatory security training for staff and 14.5 percent required it for faculty. Yet most colleges and universities have some form of training--mandatory or not--to teach faculty, staff, and students how to use and safeguard the information residing in the SIS.

Common Approaches

Although each educational institution is different, there are generally three types of security training in place, says Rodney Petersen, government relations officer and security task force coordinator at EDUCAUSE, the nonprofit organization dedicated to promoting the use of information technology in higher ed:

1. General user awareness programs designed to promote internet safety and security, which include information on how to protect personally identifiable information and prevent identity theft. The focus is on the user's role in protecting a computer system and personal information.
2. General employee training regarding safe computing and employee responsibility that touches on skills such as effective password development and protection.
3. Specialized training in how to use a specific campus system, such as SIS or contracts and grants.

Which department provides the security training, and its length and frequency, all vary widely, however.
Increase Awareness of Threats

Awareness of security issues is at the heart of security training at Coppin State University in Baltimore, which is part of the University of Maryland
All new employees at Coppin State attend a training session hosted by the human resources department regarding their employment, but in the past year, 15-30 minutes have been set aside specifically to address security risks and how to mitigate them, says Doddanna. In that brief time, Coppin State employees learn how to access and store information on the SIS and how and where to save information securely. The university runs Oracle's PeopleSoft Enterprise Planning System, and Doddanna reports that Coppin State hasn't had a breach yet. But the university is well aware of the threats and takes a proactive approach to educating system users about security and other issues. For example, "anytime we have a new functionality [added to the system], we send an e-mail blast with videos," says Doddanna, to encourage everyone on campus to check out the video to learn more. "We prefer to send video training to enable our staff to do it at their own pace, versus on a particular date for 30 minutes," explains Doddanna. In fact, the university uses "a lot" of self-paced training for that reason--convenience--in the hopes that more people will watch and learn.

Add New Training

Texas State University San Marcos hasn't perceived its homegrown VMS-based SIS as a likely hacker target, because "it's so obscure," says Don Volz, special assistant to the vice president for information technology. Obscurity of the platform is not a control in itself, since the student data it holds is no less attractive to an attacker. And as the university implements a new system, it will overhaul its security training procedures, too.
Texas State University San Marcos is in the early stages of acquiring a new system and will add a security training component to teach system users how to protect the confidential student information that has been entrusted to them and that they are required by law to keep confidential. The federal Family Educational Rights and Privacy Act (FERPA) legislates what type of student information disclosure is allowed, explains Volz, and obligates institutions of higher education to safeguard student information. "You can't expose a student's record without that student's prior consent," says Volz, with the only exception being a student directory, which the university reserves the right to publish. Texas State University San Marcos keeps standard information in its student directory, such as name, address, and telephone number, as well as major and minor (and for athletes, height and weight). However, years ago, student Social Security numbers were also routinely published, he says. "Rules change over time to address the threats that are out there," he explains. More recently, the university decided it would no longer publish e-mail addresses.

That doesn't necessarily mean that all students are included in the institution's directory, however, since FERPA gives students the option to prohibit release of any personal information. Most SISs have an attribute, or field, within the system to identify students who have declared their privacy rights, says Volz.
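As an added illustration of how a directory export can honor that attribute (this is example code written for this page, not code from the article, from Texas State, or from any SIS vendor): the Python below assumes a record layout in which the privacy election is a boolean column named ferpa_suppress, withholds any record whose flag is missing or not an explicit False, and projects only the directory fields the article lists, so Social Security numbers and e-mail addresses never reach the output. The sample records, the field names and the flag name are constructed assumptions.

```python
"""Added example: releasing directory information only for students who have
not invoked their FERPA privacy option.  Illustrative code, not from the
article or any SIS vendor; the record layout, field names and the flag name
("ferpa_suppress") are assumptions."""
from typing import Dict, List, Optional, Tuple

# Directory fields modelled on those the article says Texas State publishes.
# SSN and e-mail are deliberately absent: field-level minimization is the point.
DIRECTORY_FIELDS: Tuple[str, ...] = ("name", "address", "telephone", "major", "minor")

# Constructed sample export from a hypothetical SIS (not real student data).
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"student_id": "1001", "name": "A. Student", "address": "1 Main St",
     "telephone": "555-0100", "major": "History", "minor": None,
     "ssn": "000-00-0001", "email": "a@example.edu", "ferpa_suppress": False},
    {"student_id": "1002", "name": "B. Student", "address": "2 Main St",
     "telephone": "555-0102", "major": "Physics", "minor": "Math",
     "ssn": "000-00-0002", "email": "b@example.edu", "ferpa_suppress": True},
    # Flag column lost in the export: the case a user is least likely to notice.
    {"student_id": "1003", "name": "C. Student", "address": "3 Main St",
     "telephone": "555-0103", "major": "Art", "minor": None,
     "ssn": "000-00-0003", "email": "c@example.edu"},
]


def directory_view(record: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return the directory-safe projection of one record, or None if the
    record must be withheld.

    Fails closed: only an explicit boolean False releases the record.  A
    missing flag, a None, a string such as "N" or an integer 0 all count as
    suppressed, because the harm is an unauthorized release, not a missing
    directory listing.
    """
    if record.get("ferpa_suppress") is not False:
        return None
    return {field: record[field]
            for field in DIRECTORY_FIELDS
            if record.get(field) is not None}


def build_directory(records: List[Dict[str, object]]):
    """Split records into (released directory entries, withheld student IDs)."""
    released: List[Dict[str, object]] = []
    withheld: List[str] = []
    for record in records:
        view = directory_view(record)
        if view is None:
            withheld.append(str(record.get("student_id")))
        else:
            released.append(view)
    return released, withheld


if __name__ == "__main__":
    entries, held = build_directory(SAMPLE_RECORDS)
    for entry in entries:
        print(entry)
    print("withheld:", held)
```

The same shape applies to any report or spreadsheet pulled from the SIS: the decision to release is made per record against the flag, the released columns are an allow-list rather than "everything minus the sensitive ones," and an export that has silently lost the flag column releases nothing rather than everything.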
Spotting that attribute can be tricky, however, and system users need to be trained to look for that identifier to prevent unauthorized release of information.

Make Training an Ongoing Effort

At Ursinus College in Collegeville, Pa., Chief Information Officer John King reports that the institution's approach to security and confidentiality has been revamped in the last three to four years. "We've had some turnover, but no incidents, and we wanted to make sure everyone understood their role in securing data and the importance of confidentiality," King explains. Today, security training is done on an ongoing basis at Ursinus, following a process the college has developed to ensure that everyone is aware of the college's policies and their own responsibility. When new employees are hired they are required to complete and sign a form indicating their understanding of the college's data security policies and procedures. Learning the importance of information security is now part of the college's orientation procedure, which also applies to student workers. Their supervisor sits down with them to review the policies and procedures and they, too, sign the confidentiality form indicating their understanding and compliance. The college is in the process of implementing a new SIS--the Blackbaud Education Edge--and as part of that, says King, they will incorporate a new module into the security training regarding safeguarding data on laptops. "We'll remind [employees] that 'you're exposing the college and yourself to security and confidentiality issues' by transferring data to a laptop," he says.
They will also be informed that information should not be taken off campus and that such data should only be accessed remotely through a VPN line-encrypted server.

Fill the Security Gaps

Most security training is designed to guard SISs from the outsider, when teaching system users how to use technology to safeguard personal information is equally--and perhaps more--important. "A lot of the security training that needs to be provided is awareness-type training," says Volz. EDUCAUSE's Petersen advises that it is increasingly important to emphasize the following as part of any security training session:

* Roles and responsibilities. Make it clear what information each SIS user is authorized to access and who is a "data steward"--someone authorized to share confidential data with others. For example, in student records, the data steward is frequently the registrar.
* Security practices. Train users in such tactics as password protection, operating system updates, antivirus protection, and spyware protection, to fortify the system's defenses.
* Privacy protections for personally identifiable information (PII).
This includes: limiting the type of information that is accessed or displayed to that which is essential for the function to be performed; limiting downloads of SIS data into spreadsheets or other formats onto workstations, laptops, or storage devices unless the data is encrypted or under strict controls; and effective methods of disposing of devices or data.

Identify Weaknesses

Cindy Bixler, CIO of Embry-Riddle Aeronautical University, which has campuses in Prescott, Ariz., and Daytona Beach, Fla., and at more than 130 centers in the United States through its Worldwide Campus, says that about two years ago the university instituted an integrated student services training program for staff to increase awareness of the need for data security. While that training has been successful, there is currently no ongoing training to remind longtime employees of their responsibilities and to correct risky behavior, such as downloading information from the university's core SIS onto a laptop or USB drive.
The university is conducting an information systems audit of its Oracle Portal with the help of Ernst & Young, whose auditors are looking over the system to identify weaknesses that need to be addressed. Bixler says that lack of ongoing security training will be one of them. "You get security training as a new employee [at Embry-Riddle] but someone who's been here for a few years doesn't ever get retrained," she says. "And that's a huge weakness." Bixler hopes to implement a new online training process as part of a new employee training program she is designing that will provide a means of tracking which faculty and staff members have completed the training and which haven't. The university currently has no way to verify that someone has actually gone through the training, she explains. While the system audit will certainly pinpoint processes, policies, and procedures that need improvement, Bixler is also working toward a change in the university's culture and attitude toward data security. "Identity theft is a foreign concept to [most faculty and staff]. They don't think it could happen to them," she says, and so they underestimate the importance of the security training Bixler wants to introduce. The good news is that the cost to implement a new security training program is minimal, says Bixler. "The real cost is maintaining the content and keeping it current," she says, since they already have the tools available to deploy it.

Possible Patches

Conducting an audit is certainly one way to systematically identify where the security weaknesses are and what kind of training can be done to address them.
But some universities seem fairly clear about their own weaknesses and are looking for solutions, or patches, to correct them. One major security gap that many universities mention is the unauthorized download of sensitive data to laptops or its transfer over unsecured data lines, potentially exposing that data to misuse by outsiders. That threat was identified at Coppin State as a key issue, so six months ago the university proceeded to buy and install Pointsec for PC, which provides full-disk data encryption. The university's policy now requires that anyone using a campus-provided desktop or laptop must use Pointsec for protection. Pointsec encrypts and decrypts all laptop data and files, and also information on removable media, such as USB devices. But just as important, the software requires a login ID and password before the laptop will boot--Pointsec loads first, as a pre-boot authentication step. Without those credentials the machine will not boot into the operating system, and a hard drive removed and attached to another computer yields only ciphertext. Encryption of this kind protects data at rest on a lost or stolen machine; it does nothing for data copied off a running, unlocked laptop, which is why the download policies described above still matter. Coppin State is still in the process of rolling out Pointsec campuswide, starting with its high-value users, including the IT staff. Installation and training required to implement Pointsec involves one hour to load the software and a half-day investment on the part of an IT staff member, followed by 30 minutes of one-on-one training of system users.
"We have been pretty successful so far," says Doddanna.

Training Buzzwords
When describing the security training their institution currently provides, or is in the process of implementing, many campus IT leaders use the words "awareness" and "reminder." Recognizing that one-time campuswide training sessions are not enough to secure sensitive personally identifiable information, most colleges and universities are scheduling follow-up training for employees who may need a refresher regarding their role and responsibilities as they relate to SIS data. "The biggest risk at many organizations is not the core system, it's the employees," says Bixler. "Security is everyone's job."

A seven-step plan for protecting confidential data

To aid higher ed institutions in implementing policies, processes, and technology to safeguard confidential data, EDUCAUSE/Internet2 Security Task Force working groups developed the following roadmap:

1. Create a culture that is aware of security risks and threats.
2. Define institutional data types.
3. Clarify roles and responsibilities for safeguarding confidential data.
4. Reduce access to confidential data.
5. Establish and implement stricter controls for safeguarding such data.
6. Provide awareness and training.
7. Verify compliance routinely with established policies and procedures.

For resources and guidelines for each of these steps, visit https://wiki.internet2.edu/confluence/display/secguide/confidential+data+handling+blueprint and download instructions and case studies.

Resources

Blackbaud, www.blackbaud.com/products/industry/highered.aspx
Campus Management, www.campusmanagement.com
Datatel, www.datatel.com/results/enrollment/
EDUCAUSE, www.educause.edu
Oracle, www.oracle.com/industries/education/highered.html

Marcia Layton Turner is a freelance writer and the author of 14 business and consumer books. She lives in Rochester, N.Y.