
Legalities Governing Information Security in Higher Education

Higher education institutions face unique information security challenges because their mission is centered on the exchange of information, ideas and research. It is paramount for colleges and universities to evaluate which laws apply to their institution. For some laws, such as FERPA, this is straightforward; for others it is not, because not all departments of a university may fall under HIPAA. System engineers and administrators need to work with university counsel to determine which parts of the organization require what kind of security controls and which archival or data backup systems. For example, USF migrated the email system used by most departments and colleges to Google mail, which does not comply with HIPAA regulations; USF's Health department and the College of Public Health did not migrate their email accounts to Google mail, in order to remain in compliance with HIPAA. Furthermore, threat assessments are difficult to perform because the number of potential scenarios compromising security in higher education is practically limitless. The laws on information privacy and security have a broad reach, affecting university registrars, financial aid departments, student health departments, learning management systems, research databases and general administrative functions; this creates a need for a centralized approach to information security. All personally identifiable and financial information needs to be housed in a protected, centralized database environment. Access needs to be restricted and information controls tightened, while keeping the mission of the organization in mind. Proactive security practices should be established that alert system administrators to potentially harmful communications. It is important to avoid the roadblocks that over-protecting information assets can create; however, implementing security strategies almost always brings some end-user inconvenience.

For example, most end users feel inconvenienced by policies that require them to change their passwords periodically. To strike a balance between security and accessibility, Yale University has implemented a three-level system for classifying data by security requirements and promotes periodic scanning of computers for personally identifiable information. Yale also provides guidelines for handling personally identifiable information. Shaul outlines several basic steps that can be taken to reduce risk and ensure a more effective and proactive information security strategy:


1. Establishing a baseline
2. Understanding vulnerabilities and exploitation tactics
3. Prioritizing vulnerability remediation
4. Continuous monitoring and periodic system maintenance
5. Automating security processes
6. Promptly implementing patches and system updates
7. Auditing systems periodically
8. Employing real-time intrusion detection systems
9. Extending protection to the database application layer
10. Verifying that user behavior falls within authorized activity
11. Developing a disaster recovery plan and being ready to execute it

 
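The periodic scanning of computers for personally identifiable information that Yale's guidelines recommend above, and the question of where Social Security numbers and payment data have ended up in departmental exports, can be approached with a small content scanner. The following Python script is an added example written for this page; it is not Yale's tool, USF's, or any product the page names. It looks for SSN-shaped and payment-card-shaped strings, then validates their structure (the SSA's area/group/serial rules, the Luhn checksum) to cut false positives, and reports only redacted values with line numbers so the scan does not itself create a new copy of the data. The sample text is constructed for the example; its numbers are placeholders and documentation test values, not real records.

```python
"""Minimal PII scanner: flags SSN- and payment-card-shaped values in text.

Added example for this page, not code from any university or vendor.
"""
import re
from dataclasses import dataclass
from typing import List

# Formatted SSN: AAA-GG-SSSS. Unformatted nine-digit runs are deliberately
# not matched because they produce far too many false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


@dataclass(frozen=True)
class Finding:
    kind: str       # "ssn" or "card"
    line: int       # 1-based line number in the scanned text
    redacted: str   # value with all but the last four digits masked


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules published by the SSA: area is never 000, 666
    or 900-999; group is never 00; serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str, keep: int = 4) -> str:
    """Keep only the last `keep` digits so reports never contain the full value."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_text(text: str) -> List[Finding]:
    """Return redacted findings for every structurally valid SSN or card number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_valid_ssn(*m.groups()):
                findings.append(Finding("ssn", lineno, "***-**-" + m.group(3)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("card", lineno, mask(digits)))
    return findings


# Constructed sample resembling an exported enrollment/payment report.
# The SSNs are made-up placeholders and 4111... is a documentation test
# card number; none of these are real records.
SAMPLE = """\
student_id,name,ssn,notes
1001,A. Student,123-45-6789,enrolled
1002,B. Student,000-12-3456,placeholder value, not a real SSN
1003,C. Student,234-56-7890,legacy import
payment ref 4111 1111 1111 1111 approved
payment ref 4111 1111 1111 1112 declined, bad checksum
call 555-123-4567 for questions
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} {f.redacted}")
```

On a real system you would walk the file system and feed each text-like file to scan_text, storing only the redacted findings. Pattern matching of this kind misses unformatted nine-digit numbers and can still flag test data or placeholders, so findings are leads for follow-up with the owning department, not proof that a file holds regulated data.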

Additionally, it is important to assess where personally identifiable information has been stored in the past. Posing the following questions may help prevent the loss or theft of personally identifiable information:

1. How is personally identifiable information distributed across the organization?
2. Have university departments created their own databases housing personally identifiable information?
3. Which enrollment procedures require the student's Social Security number?
4. How are enrollment documents stored?
5. What responsibilities and contractual obligations do our third-party vendors have?
6. What information practices do our partners and third-party vendors use, and do they comply with applicable laws?
7. How are reports generated from databases detailing student or staff information stored?
8. What data protection is in place in the event of a stolen laptop?
9. What are the password requirements, and are they effective?

In conclusion, the increased security obligations mandated by law require implementers to balance the need for security against open, collaborative networking. Effective security practices can be achieved by continuously evaluating and improving the security of information processes and procedures, while enforcing compliance with applicable laws.