As federal and state laws governing privacy and information security have become more abundant and complex, security practices in colleges and universities must adapt accordingly. With the increased security specifications mandated by law, implementers must aim to balance the need for security with the need for open, collaborative networking. Information security has been in the limelight as numerous incidents of security breaches in higher education emphasize the potentially unforeseen liabilities that can arise. On February 14th, 2008, “malicious computer hackers gained access to a Web server at Harvard University’s Graduate School of Arts and Sciences [..], snagging data about the site’s administrators.” (Young) “Now the university is reporting that the intruders may have done far worse, and accessed records of 10,000 people. Some of those records included Social Security numbers.” (Fischman) In response, Harvard issued new identification cards using contactless smartcard technology, intended to strengthen security by encrypting data used for authentication and removing the student ID number that had previously been printed on the card. (Phillip) Additionally, students were urged to monitor their financial transactions and credit ratings. A more prominent issue, also with serious security implications, arose in 2002 when “Yale University discovered that a member of Princeton University’s admissions staff used the birth dates and Social Security numbers of Princeton applicants who had also applied to Yale to gain access to a Yale web site set up for prospective students” (Cassat). This incident prompted Yale to file a complaint with the FBI and also prompted Princeton to launch an independent investigation.

The aforementioned examples show that unexpected risk often accompanies information technology assets. With the increasing digitization of records and applications, the significance of information technology assets continues to grow. Student records and transcripts, faculty syllabi, and research and proprietary records housed in networked databases on university servers must be kept secure to protect the privacy, confidentiality and integrity mandated by law. However, higher education system engineers have designed the information technology infrastructure in a way that embraces and supports interconnectivity and digital communication. “Unlike private corporate networks, which, by their nature, are designed to be “walled gardens” of information, campus networks – due to the need to facilitate collaboration and provide access to information – generally are designed to be more open, and therefore more vulnerable to misuse.” (Cassat) The implied risk here is twofold: information technology is at risk of unauthorized access, and individuals with access could use the institutional infrastructure to launch an attack on another entity. The challenge posed to information technology administrators in higher education is how to effectively protect their systems while at the same time supporting the mission of the organization. A balance must be achieved between these opposing goals. The increasing number of laws governing privacy and information security further complicates the issue. The following section provides a brief overview of laws currently governing privacy and information security in higher education, followed by implications for host and network security.