I don’t really need to belabor the point that securing educational institutions is both incredibly challenging and crucially important; it’s a bit like describing the importance of water to a fish. Schools and universities are here for the primary purpose of education, but they often have groups devoted to healthcare, finance, retail, and research, among the other usual administrative departments like human resources and accounting.
And with that breadth of service comes an alphabet soup of security compliance regulations that you need to be aware of; like HIPAA, CIPA, COPPA, FERPA and PPRA. And within higher education, there is also the expectation of an openness of information within and throughout the organization. How on earth can colleges and universities be expected both to fiercely guard and freely share information?
Information and Assets in Context
If we think of security and privacy in the context of our daily lives, there are things each of us consider private (including both property and information) and would take steps to make sure they’re shared with a limited number of people, such as close family members.
And then there are other things that we would give away freely to anyone who asked. Most of us don’t have to give this process a lot of thought, and the categorization happens automatically because our personal context is relatively stable.
When you have the interests of more than just a small group of people to consider, you will be bringing a myriad of different contexts into the equation. But there is a significant advantage in having a wealth of different people contributing their privacy contexts and their visibility into your environment, as it can help you root out the most persnickety corner cases.
3 Campus Security Musts for Summer Kick Off
1. Know what you have
As the recent WannaCryptor ransomware outbreak illustrated, the security chain is only as strong as its weakest link. It’s important to identify all of your assets, in terms of both data and physical machines.
It’s important to be thorough; attackers will not necessarily enter networks through obvious places, and it is equally important to include that one machine moldering in a back room that is running prehistoric versions of software, and that is nonetheless connected to the internet. Because school networks have such an itinerant population, this must be an ongoing task rather than a yearly chore.
Once you have established regular reporting of your assets, you can start identifying the risks associated with those assets. Performing ongoing risk assessment gives you a number of other benefits. Having a constantly evolving record of your assets improves reporting and tracking of security incidents and it can help you recognize suspicious actions more quickly.
In an industry where budget cuts can seem to be as certain as death and taxes, good records can also help justify the necessity of budget items, and help assure more appropriate levels of coverage with whatever money is allotted.