News Feature

Once More unto the Breach

4/13/2007


John DiMaria of BSI said, "The problem is [symptomatic] of most organizations that have major breaches. It is not unique to colleges or universities. Breaches stem from poor or no risk analysis/management and no consistency of process. Most organizations think that technology is the answer to mitigating risk while they ignore the “Egg Shell” security problem (hard-core technology on the outside; firewalls, penetration testing, passwords, segmentation, etc., but no controls governing the information within the organization’s walls, lack of training and awareness, no classification of information, no formal controls, absence of or poor access and incident management, and so on). [It's] basically an “ad hoc” approach to security and risk management."

DiMaria also points to the adoption of security standards in higher education, such as ISO/IEC 27001. Georgia State University currently uses this system and, according to DiMaria, will become the only certified university in the United States.

"International Standards such as ISO 27001 exist and are used around the world and are certifiable. ISO 27001 promotes the adoption of a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security management system (ISMS)," said DiMaria.

He broke the process down into four steps: Plan, Do, Check, Act. He explained:

Plan (establish the ISMS). Establish ISMS policy, objectives, processes and procedures relevant to managing risk (identifying the vulnerabilities and threats that exist and establishing controls as outlined in the standard) and improving information security to deliver results in accordance with an organization’s overall policies and objectives.

Do (implement and operate the ISMS). Implement and operate the ISMS policy, controls, processes and procedures.

Check (monitor and review the ISMS). Assess and, where applicable, measure process performance against ISMS policy, objectives, and practical experience, and report the results to management for review.

Act (maintain and improve the ISMS). Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

Nobody's perfect

Of course, no system or combination of systems, policies, encryption, and people will ever be able to provide 100 percent protection of data, networked or otherwise. But by following best practices, risks can be minimized.

Said Symantec's Hart, "The solution requires more than technology. This is really an issue that requires the combination of people, process, and technology. It includes assessment, prioritization and plans for prevention and protection. Institutions must strike a balance between keeping data both secure and available. Employees must receive training so that policies and accountability can be enforced. Upper management support is essential."
