Every year at the EDUCAUSE Conference the Top 10 IT Issues for the upcoming year are announced. Leading up to each conference a panel of experts ranging from IT leaders, CIO’s and faculty members present a list of the top IT trends. which are then voted on by EDUCAUSE members. The top initiatives are the most important topics and trends and will be a focus for the upcoming year. This year was no different. Two topics that have been at the forefront over the last few years have been Information Security Strategy and Privacy. I thought it would be interesting to do some research on two of these topics.
Information Security Strategy is defined by EDUCAUSE as developing a risk-based security strategy that effectively detects, responds to, and prevents security threats and challenges.
First, you need to understand the cybersecurity risk related to your critical business operations. For example, where are those threats gaining access? The most common is an employee clicking on a malicious link. Social engineering and phishing attacks are another popular way people are gaining access to your critical information. In this case, hackers send an email asking for non-public information with the hopes someone will offer up any information such as their login or password. What it boils down to is educating faculty, students, and staff. A good beginning is to add cyber attacks to their business plan and properly define the risks. Check out our post on trending cybersecurity attack types to learn more.
Next, to effectively create a successful security strategy, buy-in from faculty, staff, and students is a must. Most organizations are reactive when it comes to security and properly safeguarding your data. But having a proactive strategy instills confidence and trust, and these practices show that you value and respect the privacy needs of your campus. Security Magazine had a great article discussing the 5 components needed to develop a proactive security strategy. They recommend using these 5 components as a starting point to develop a successful strategy.
Those components are:
- Get visibility of all your assets
- Leverage modern and intelligent technology
- Connect your security solutions
- Adopt comprehensive and consistent training methods
- Implement response procedures to mitigate risk
Privacy is defined by EDUCAUSE as safeguarding institutional constituents privacy rights and maintaining accountability for protecting all types of restricted data.
It’s no secret that colleges must collect a range of sensitive data, including social security numbers and bank account information. This information, along with other highly personal data of young adults with little credit or tax history, makes schools a desirable target for identity thieves.
Do you know the difference between Restricted Data vs Confidential Data?
STOP - Restricted Data (Highest Level of Access)
- Social Security Numbers
- Drivers License/state ID numbers
- account numbers
- Credit card numbers
- Medical Insurance
PROCEED WITH CAUTION - Confidential Data (Protect from Unauthorized Access)
- Home Address / Phone number
- Student records / Grades / evaluations / letters of recommendation.
GO - Non-Confidential Information (Non-Sensitive Information)
- Campus email address
- Department address
Privacy on college campuses is covered under the Family Educational Rights and Privacy Act (FERPA), and the Health Insurance Portability and Accountability Act (HIPPA), but it is also a very ethical concept. It provides the overall framework of how to showcase your standards and highlight your campus ethics, trust, and vision.
In closing, maintaining security and data privacy is one of the biggest challenges in IT today. With all of the information schools have at their fingertips, I bet in a year from now when I sit down and write my first blog of 2020 Security and Privacy will be back on the EDUCAUSE Top initiatives once more. Stay tuned!