
Legalities Governing Information Security in Higher Education: Implications for Host and Network Security

Implications for Host and Network Security

Higher education institutions face unique information security challenges
because their mission is centered on the exchange of information, ideas and
research. It is paramount for colleges and universities to evaluate which laws
apply to their institution. For some laws, such as FERPA, this is
straightforward; for others, such as HIPAA, only some departments of a
university may be covered. System engineers and administrators need to work
with university lawyers to determine which parts of the organization require
which kind of security controls and archival or data backup systems. For
example, USF migrated the email system used by most departments and colleges to
Google mail, which does not comply with HIPAA regulations; USF's Health
department and the College of Public Health did not migrate their email
accounts to Google mail, in order to remain in compliance with HIPAA.
Furthermore, threat assessments are difficult to perform because the number of
potential scenarios compromising security in higher education is practically
limitless. The laws on information privacy and security have a broad reach,
affecting university registrars, financial aid departments, student health
departments, learning management systems, research databases and general
administrative functions; this creates a need for a centralized approach to
information security. All personally identifiable and financial information
needs to be housed in a protected, centralized database environment. Access
needs to be restricted and information controls tightened, while keeping the
mission of the organization in mind. Proactive security practices should be
established that alert system administrators to potentially harmful
communications. It is important to avoid the roadblocks that over-protecting
information assets can create. However, implementing security strategies is
almost always accompanied by end-user inconvenience. For example, most end
users feel inconvenienced by policies that require them to change their
passwords periodically. To strike a balance between security and
accessibility, Yale University has implemented a three-level data
classification scheme and promotes periodic scanning of computers for
personally identifiable information. Yale University also provides guidelines
for handling personally identifiable information.
Shaul outlines several basic steps that can be taken to reduce risk and ensure
a more effective and proactive information security strategy:
1. Establishing a baseline.
2. Understanding vulnerabilities and exploitation tactics.
3. Prioritizing vulnerability remediation.
4. Continuous monitoring and periodic system maintenance.
5. Automating security processes.
6. Promptly implementing patches and system updates.
7. Auditing systems periodically.
8. Employing real-time intrusion detection systems.
9. Extending protection to the database application layer.
10. Verifying that user behavior falls within authorized activity.
11. Developing a disaster recovery plan and being ready to execute it.
Additionally, it is important to assess where personally identifiable
information has been stored in the past. Posing the following questions may
help prevent the loss or theft of personally identifiable information. How is
personally identifiable information distributed across the organization? Have
university departments created databases housing personally identifiable
information? What enrollment procedures require the student's social security
number? How are enrollment documents stored? What responsibilities and
contractual obligations do our third-party vendors have? What information
practices are used by our partners and third-party vendors, and do they comply
with applicable laws? How are reports from databases detailing student or staff
information stored? What data protection is in place in the event of a stolen
laptop? What are the password requirements, and are they effective?
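Both the periodic scan for stored personally identifiable information that Yale promotes and the "where has PII been stored" assessment above depend on a discovery sweep. The following is an added example written for this page; it is not Yale's or USF's tooling and is not from the original article. It walks a directory of plain-text files and reports lines holding SSN-shaped or payment-card-shaped values, discarding structurally impossible SSNs (unassigned area, group and serial ranges published by the SSA) and digit runs that fail the Luhn check. The sample files, the `demo` function, and every name and value in it are constructed for illustration; the scanner assumes UTF-8 text and skips anything it cannot decode.

```python
"""PII discovery sweep for a directory of text files (added example).

Reports SSN- and card-number-shaped values per file and line, masked so the
report itself does not become another copy of the data it is hunting.
Assumption: files are UTF-8 text; binary or undecodable files are skipped.
"""
import re
import tempfile
from pathlib import Path

# 3-2-4 digits; the two separators must match (both "-", both " " or both absent)
# and the run must not sit inside a longer digit or dashed sequence.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([ -]?)(\d{2})\2(\d{4})(?![\d-])")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Published example SSNs that were never issued but circulate widely.
KNOWN_BOGUS_SSNS = {"078051120", "219099999"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999, group 00 and
    serial 0000 are never assigned."""
    if area in ("000", "666") or area >= "900":
        return False
    if group == "00" or serial == "0000":
        return False
    return area + group + serial not in KNOWN_BOGUS_SSNS


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in the report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str):
    """Return (kind, line_no, masked_value) for each plausible hit in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            area, _, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                hits.append(("ssn", line_no, mask(area + group + serial)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append(("card", line_no, mask(digits)))
    return hits


def scan_tree(root: Path):
    """Walk root and return {relative_posix_path: hits} for files with hits."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable: outside a plain-text sweep
        hits = scan_text(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo():
    """Constructed sample tree (hypothetical files and values): a registrar
    export with one valid-looking SSN and one with an unassigned area, an
    invoice with a Luhn-valid test card number, and a file whose phone and
    order numbers must not be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "registrar").mkdir()
        (root / "registrar" / "export.csv").write_text(
            "name,ssn\nJane Doe,123-45-6789\nJohn Roe,000-12-3456\n",
            encoding="utf-8")
        (root / "bursar_invoice.txt").write_text(
            "Paid with card 4111 1111 1111 1111 on 2019-03-01\n",
            encoding="utf-8")
        (root / "phones.txt").write_text(
            "Helpdesk 800-555-0199\nOrder 1234567890123\n", encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        for kind, line_no, value in hits:
            print(f"{rel_path}:{line_no}: {kind} {value}")
```

The report masks all but the last four digits, because the scan output is itself a sensitive inventory and should be stored and shared under the same rules as the data it locates. Expect false positives from Luhn-valid identifiers that are not card numbers (some invoice and tracking numbers) and misses for PII inside PDFs, spreadsheets and database exports, which need text extraction before a sweep like this sees them; treat the output as a starting point for the assessment questions above rather than as a complete inventory.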
In conclusion, the increased security obligations mandated by law require
implementers to balance the need for security against open, collaborative
networking. Effective security can be achieved by continuously evaluating and
improving the security of information processes and procedures, while
enforcing compliance with applicable laws.