White Paper
IT Security in Higher Education
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Introduction: The Growing Need for Improved IT Security on Campuses
IT security is a hot topic these days, especially at colleges and universities. An April 2008 Symantec Global Internet report noted that the education sector experienced more IT security breaches than any other industry.[1] What’s more, the number of higher education breaches and institutions affected continues to rise, as schools are under greater pressure to collect more and more student data. Between 2006 and 2008, the number of incidents reported by schools grew by 101 percent, and during that same period, the number of institutions affected rose by 173 percent.[2] As recently as February 2009, the University of Florida reported an exposure of 97,200 student records, all of which contained names and Social Security Numbers.
Statistics like these in the education sector – as well as the increasing number of breaches in other industries – have garnered a great deal of publicity and have generated cause for alarm. There has been tremendous growth in the field of IT security training, as organizations of all sizes struggle to find professionals to help them address the challenge. There are myriad books on IT security on the market, and the list grows monthly; many colleges, universities, and technical schools now offer a degree or certification in IT security.
A December 2008 Gartner Group Survey found that “the role of the chief information security officer (CISO) is no longer rare, but many institutions have yet to formalize the role and the title. Policies and support for educating the community are also still evolving. Work still needs to be done, if security is to be viewed not as an IT problem, but as an institutional problem that needs addressing.”[3]
The Gartner survey’s key findings include the following:
• “The need for a security officer is now recognized and supported by more than 60 percent of institutions.
• “The risk of losing important data is still a more important business driver for security compared to financial risks.
• “Calculating the cost of security breaches and attacks is rare. More than 75 percent of institutions have not even calculated the cost of mobile PC thefts, which should be less difficult to calculate.”[4]
Campus Technology
The technology environment in higher education is complicated by many factors. First, there are often ambiguous campus perimeters. Many schools have a transient student population, and, even when this is not the case, computer equipment is often moved during the school year between campus and home. This situation is further complicated by the fact that a distributed computing environment is common at large schools, making it hard for a central IT group to keep track of what’s out there. Furthermore, many schools offer distance learning options, meaning that some student computers may never actually be on campus.
Second, there is a tremendous amount of sensitive electronic data on most campuses. Determining the location of that data, who controls it, and how best to protect it is a daunting task, even at a small school. At large universities, there may be a central IT group – or even a central IT security group – but the daily management of many systems and/or handling of data is usually the responsibility of the individual colleges or departments.
[1] Security Threat Report, Symantec Global Internet, April 2008.
[2] Educational Security Incidents (ESI) Year in Review – 2008, Released February 2009.
[3] Gartner 2008 Higher Education Security Survey: Governance, Policy and Cost. Michael Zastrocky, Jan-Martin Lowendahl, and Marti Harris. 22 December 2008.
[4] Ibid.
Third is the issue of shadow systems. The university’s core systems, containing Enterprise Resource Planning (ERP) data, credit card (CC) information, medical records, or other important student data, may be well protected; but there are frequently local copies of sensitive data that are not under that same protective umbrella. Even small schools have multiple departments, and some of these – Housing or Campus Dining, for example – need systems containing important student information in order to function. When these various shadow systems are connected to the Internet, or where the shadow systems are accessible from across the campus networks, the problem is compounded. This proliferation of systems in a highly distributed information environment makes it very difficult for colleges and universities to keep track of everyone who has copies of sensitive data such as students’ Social Security Numbers.
Academic freedom is a fourth concern. Open networks – indeed, the Internet itself – have their roots in academe. Networks have long been viewed as teaching tools, and imposing any restrictions on them has long been regarded as unacceptable. IT security measures that would exist as a matter of course in a business environment have, until recently, been frowned upon in academic settings in the name of academic freedom.
Finally, there is always the issue of funding. Because of financial constraints – now more than ever – schools are often forced to depend on a limited staff of professional IT support personnel. In fact, some campus IT departments are staffed primarily by computer science majors or other students with an interest in technology.
Government Compliance Issues
Unfortunately, this challenging campus IT environment exists at the same time when increasingly stringent government regulations continue to raise the bar for data protection and to impose harsh penalties for those who fail to protect sensitive data. At colleges and universities, IT managers must comply with many such regulations.
• Banking. Universities and colleges lend and collect large amounts of money, as they grant loans and disburse funds. This means that they fall under the Gramm-Leach-Bliley Act (GLBA) and must protect the privacy of their student customers.
• Health care. Almost all institutions of higher education with students living on campus have a health center and therefore must protect patient data under the Health Insurance Portability and Accountability Act (HIPAA).
• Retail sales. Parents and students use credit cards to pay for everything from books to tuition, meaning that colleges and universities – like all other retailers – must comply with the Payment Card Industry (PCI) Data Security Standard (DSS).
• Student grades. The Family Educational Rights and Privacy Act (FERPA) controls who can access student grades. If grades are being distributed or stored electronically, they must be secured.
In addition to these federal requirements, colleges and universities in most states must comply with state privacy laws such as California SB 1386, a piece of landmark legislation that became operative in July of 2003. Laws like this require that any agency, person, or business that owns or licenses computerized “personal information” must disclose any breach of security to those whose unencrypted data is believed to have been disclosed.
In his article, “Back to School: Compliance in Higher Education,” Ken Bocek notes, “While most institutions are compliant with GLB, PCI, HIPAA, FERPA, and other regulations, the number of institutions involved in data breaches does not seem to be on the decline. It’s this point that makes higher education a lesson for all organizations.”[5]
[5] “Back to School: Compliance in Higher Education,” SC Magazine. Ken Bocek. September 19, 2007.
Addressing IT Security on Campus
Thanks to their growing awareness of the importance of IT security, schools are addressing the issue in a variety of ways. The most obvious solution – creation of a full-time central IT security group on campus – has been put in place at many schools, especially large universities. Even smaller schools have recognized the need for someone whose full-time job is IT security, and higher education employment websites frequently advertise IT security positions at community colleges and comprehensive universities. Education professionals view the recognition that security is not something a network engineer can do as a side job as a positive trend, as they accept the challenge of safeguarding sensitive data, complying with government regulations, and generally protecting the systems and information within the campus computing environment.
A central IT security group is typically managed by an IT security officer, a high-level position with broad authority and recognition throughout the school. Because of budget pressures, many schools’ IT groups have not grown larger in the past few years, but schools have reprioritized resources to address their security concerns. For example, a school may designate what was formerly a network engineering position as a full-time security position, and retrain that individual accordingly.
There has also been a trend toward greater cooperation among departments regarding security. Various campus offices – Human Resources, Controller, Registrar, Financial Aid – frequently collaborate to develop innovative ways to share resources and protect their user communities.
Another important trend has been increased educational opportunities for the extended university community – students, faculty, and administration – about the importance of IT security. Blogs, YouTube, and the ubiquitous laptop and cell phone are all effective means of communication, along with campus newsletters, email, and face-to-face discussions. By communicating through these various media, campus IT security professionals have helped their communities to understand that IT security is a shared responsibility and that every campus computer user faces risks if there is a security lapse.
Many campuses have adopted the practice of conducting departmental or area IT security reviews to help their constituents recognize their vulnerabilities; identify potential problems with hardware, applications, and/or databases; and offer alternatives. Some schools have even developed and distributed an IT disaster recovery plan. It has also become common for schools to conduct compliance-related reviews to teach people how to handle FERPA, PCI, HIPAA, and/or GLB data, and to underscore the benefit of adopting industry practices such as ISO 27001, COBIT, and NIST. Furthermore, every college or university today acknowledges the need to maintain a reliable Web presence, and most of their websites now include at least one page dedicated to IT security.
The bottom line is that IT security operations and practices have become increasingly formalized, and schools have a far greater awareness of compliance requirements. Colleges now understand that PCI applies everywhere.
IT Security Resources in Higher Education
As IT security has gained exposure on college and university campuses, a growing number of resources have become available to address the issue. The Virginia Alliance for Secure Computing and Networking (VA SCAN) was established to strengthen IT security programs throughout the Commonwealth of Virginia. As their website points out, “This Alliance brings together Virginia higher education security practitioners who developed and maintain security programs widely emulated by other institutions, and researchers responsible for creating cybersecurity instruction and research programs nationally recognized for excellence.”[6]
[6] Website – Virginia Alliance for Secure Computing and Networking (VA SCAN), www.vascan.org
The University of Wisconsin’s flagship campus in Madison now routinely conducts risk assessment of its IT systems with all departmental CIOs in the University system. In Texas, the state legislature has enacted new laws that impact all public universities and their approach to IT security.
Perhaps the best known American higher education technology resource is EDUCAUSE, which was founded in the late 1990s “to advance higher education by promoting the intelligent use of information technology.”[7] Open to all public and private colleges and universities, EDUCAUSE fosters information sharing by providing schools with opportunities to participate in policy-sharing forums or to post presentations and other materials that they have developed. EDUCAUSE also sponsors an annual security event for those in security officer or security analyst roles so they can come together and focus on communication, collaboration, and information sharing.
The Role of Rapid7 Nexpose
Rapid7 Nexpose is a vulnerability assessment product that has become a boon to IT security professionals at nearly 100 institutions of higher learning, including Carnegie Mellon University, Florida State University, George Washington University, Norwich University, University of Mary Washington, Virginia Tech University and Weill Medical College. In fact, one IT security officer has described Rapid7 Nexpose as a “force multiplier” that saves valuable time and resources.
Nexpose provides broad platform coverage from one integrated product that assesses the security risk for a wide array of systems, software and devices in your IT environment, including:
• Network and Operating System Vulnerability Assessment – The first step in securing your IT environment is to ensure that all systems and network devices have been properly audited and exposures eliminated. Rapid7 Nexpose enables organizations to audit their networks, track discovered vulnerabilities through resolution, and ensure policy compliance.
• Web Application Vulnerability Assessment – Because they exist as a conduit between external users and a company’s internal databases, Web applications can be one of the biggest security risks. Rapid7 Nexpose scans the Web application server and all Web applications for serious threats to your environment, such as SQL injection and cross-site scripting.
• Database Vulnerability Assessment – Rapid7 Nexpose provides comprehensive database scanning for Oracle, Microsoft SQL Server, Sybase, PostgreSQL, MySQL, IBM DB2 and IBM DB/400 to identify vulnerabilities that affect databases such as default accounts; default permissions on database objects like tables, views, and stored procedures; buffer overflows; and denial of service.
• Compliance Scanning – The growing number of government and industry-specific regulations designed to protect corporate information require organizations to put policies in place to regularly audit the environment and produce reports that validate compliance. Rapid7 Nexpose generates SOX, HIPAA, PCI, FISMA and GLBA reports that document and demonstrate compliance to auditors.
[7] Website – EDUCAUSE, www.educause.edu
About Rapid7
Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the Company’s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.
More Related Content

PDF
Rapid7 Report: Data Breaches in the Government Sector
PDF
Protecting Patient Health Information in the HITECH Era
PDF
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
PDF
Data Breaches
PDF
Privacy trends 2011
PDF
Research on Legal Protection of Data Rights of E Commerce Platform Operators
PPTX
Legal issues in technology
PPTX
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Rapid7 Report: Data Breaches in the Government Sector
Protecting Patient Health Information in the HITECH Era
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Data Breaches
Privacy trends 2011
Research on Legal Protection of Data Rights of E Commerce Platform Operators
Legal issues in technology
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final

What's hot (19)

PPTX
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
PDF
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
PDF
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
PPT
Gebm os presentation final
PPT
Online security – an assessment of the new
PDF
Data Security and Privacy Under The Compliance Spotlight April 2014
PPTX
LAK16 privacy and analytics (2016)
PDF
iStart feature: Protect and serve how safe is your personal data?
DOCX
Maintain data privacy during software development
PDF
Data Breach Response Checklist
PDF
Information governance a_necessity_in_to
PPT
Consumer Privacy
DOCX
Privacy Breaches In Canada It.Can May 1 2009
PDF
Open Government Data & Privacy Protection
PDF
India Legal 17 June 2019
PDF
wp-analyzing-breaches-by-industry
PDF
E Commerce Platform Data Ownership and Legal Protection
PDF
Major Essay_ US-China Relations_FINAL
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
Gebm os presentation final
Online security – an assessment of the new
Data Security and Privacy Under The Compliance Spotlight April 2014
LAK16 privacy and analytics (2016)
iStart feature: Protect and serve how safe is your personal data?
Maintain data privacy during software development
Data Breach Response Checklist
Information governance a_necessity_in_to
Consumer Privacy
Privacy Breaches In Canada It.Can May 1 2009
Open Government Data & Privacy Protection
India Legal 17 June 2019
wp-analyzing-breaches-by-industry
E Commerce Platform Data Ownership and Legal Protection
Major Essay_ US-China Relations_FINAL
Ad

Viewers also liked (8)

PDF
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
PDF
The Dynamic Nature of Virtualization Security
PDF
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
PDF
Combating Phishing Attacks
PDF
Rapid7 FISMA Compliance Guide
PDF
What is Penetration Testing?
PDF
Rapid7 CAG Compliance Guide
PPTX
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
The Dynamic Nature of Virtualization Security
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Combating Phishing Attacks
Rapid7 FISMA Compliance Guide
What is Penetration Testing?
Rapid7 CAG Compliance Guide
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
Ad

Similar to IT Security in Higher Education (20)

PDF
Cybersecurity in Educational Institutions: Management Strategies (www.kiu.ac.ug)
PPT
The Impact Of Breaches On Higher Ed Tlc 27 Sep09
PPT
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
PDF
Why Education Sector Needs To Prioritize Cybersecurity? 7 Helpful Importance ...
PDF
Key findings from information security survey at higher education institution...
PDF
Keep Student information protected while improving services
PPT
Cybersecurity education for the next generation
PDF
cyber security certifications in Malaysia..pdf
DOCX
Journal of Information Technology Education Volume 11, 2012 .docx
PPTX
Importance of cyber security in education sector
PDF
Information Security Management in University Campus Using Cognitive Security
PDF
An analysis framework of portable and measurable higher education for future ...
PDF
A6704d01
PPTX
Don't Get Stung - Student Data Security
PDF
Enhanced Cryptographic Solution for Security Issues Faced by Saudi Arabian un...
PDF
CIO Magazine Article - October 2014
PPT
Start With A Great Information Security Plan!
PDF
Information Assurance And Security Ethics In Complex Systems Interdisciplinar...
PPT
The IT Security Jungle of Higher Education
PPTX
Cybersecurity and Academic Research
Cybersecurity in Educational Institutions: Management Strategies (www.kiu.ac.ug)
The Impact Of Breaches On Higher Ed Tlc 27 Sep09
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
Why Education Sector Needs To Prioritize Cybersecurity? 7 Helpful Importance ...
Key findings from information security survey at higher education institution...
Keep Student information protected while improving services
Cybersecurity education for the next generation
cyber security certifications in Malaysia..pdf
Journal of Information Technology Education Volume 11, 2012 .docx
Importance of cyber security in education sector
Information Security Management in University Campus Using Cognitive Security
An analysis framework of portable and measurable higher education for future ...
A6704d01
Don't Get Stung - Student Data Security
Enhanced Cryptographic Solution for Security Issues Faced by Saudi Arabian un...
CIO Magazine Article - October 2014
Start With A Great Information Security Plan!
Information Assurance And Security Ethics In Complex Systems Interdisciplinar...
The IT Security Jungle of Higher Education
Cybersecurity and Academic Research

More from Rapid7 (8)

PDF
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
PPTX
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
PPTX
How to Manage Your Security Control's Effectiveness
PPTX
Penetration Testing Techniques - DREAD Methodology
PDF
Life's a Breach: Yahoo Gets Burned by SQL Injection
PDF
Rapid7 NERC-CIP Compliance Guide
PDF
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
PDF
How to Sell Security to Your CIO
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
How to Manage Your Security Control's Effectiveness
Penetration Testing Techniques - DREAD Methodology
Life's a Breach: Yahoo Gets Burned by SQL Injection
Rapid7 NERC-CIP Compliance Guide
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
How to Sell Security to Your CIO

Recently uploaded (20)

PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
PDF
Mushroom cultivation and it's methods.pdf
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
A comparative analysis of optical character recognition models for extracting...
PDF
Approach and Philosophy of On baking technology
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PDF
NewMind AI Weekly Chronicles - August'25-Week II
PPTX
1. Introduction to Computer Programming.pptx
PDF
1 - Historical Antecedents, Social Consideration.pdf
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
Hindi spoken digit analysis for native and non-native speakers
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
PPTX
A Presentation on Artificial Intelligence
PPTX
Tartificialntelligence_presentation.pptx
PDF
Hybrid model detection and classification of lung cancer
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
Mushroom cultivation and it's methods.pdf
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
A comparative analysis of optical character recognition models for extracting...
Approach and Philosophy of On baking technology
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
gpt5_lecture_notes_comprehensive_20250812015547.pdf
NewMind AI Weekly Chronicles - August'25-Week II
1. Introduction to Computer Programming.pptx
1 - Historical Antecedents, Social Consideration.pdf
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
Programs and apps: productivity, graphics, security and other tools
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Hindi spoken digit analysis for native and non-native speakers
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SOPHOS-XG Firewall Administrator PPT.pptx
A Presentation on Artificial Intelligence
Tartificialntelligence_presentation.pptx
Hybrid model detection and classification of lung cancer

IT Security in Higher Education

  • 1. White Paper IT Security in Higher Education
  • 2. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com 3BIntroduction: The Growing Need for Improved IT Security on Campuses IT security is a hot topic these days, especially at colleges and universities. An April 2008 Symantec Global Internet report noted that the education sector experienced more IT security breaches than any other industry.F 1 F What’s more, the number of higher education breaches and institutions affected continues to rise, as schools are under greater pressure to collect more and more student data. Between 2006 and 2008, the number of incidents reported by schools grew by 101 percent, and during that same period, the number of institutions affected rose by 173 percent.F 2 F As recently as February 2009, the University of Florida reported an exposure of 97,200 student records, all of which contained names and Social Security Numbers. Statistics like these in the education sector – as well as the increasing number of breaches in other industries – have garnered a great deal of publicity and have generated cause for alarm. There has been tremendous growth in the field of IT security training, as organizations of all sizes struggle to find professionals to help them address the challenge. There are a myriad books on IT security on the market, and the list grows monthly; and many colleges, universities, and technical schools now offer a degree or certification in IT security. A December 2008 Gartner Group Survey found that “the role of the chief information security officer (CISO) is no longer rare, but many institutions have yet to formalize the role and the title. Policies and support for educating the community are also still evolving. 
Work still needs to be done, if security is to be viewed not as an IT problem, but as an institutional problem that needs addressing.”F 3 F The Gartner survey’s key findings include the following: • “The need for a security officer is now recognized and supported by more than 60 percent of institutions. • “The risk of losing important data is still a more important business driver for security compared to financial risks. “Calculating the cost of security breaches and attacks is rare. More than 75 percent of institutions have not even calculated the cost of mobile PC thefts, which should be less difficult to calculate”F 4 4BCampus Technology The technology environment in higher education is complicated by many factors. First, there are often ambiguous campus perimeters. Many schools have a transient student population, and, even when this is not the case, computer equipment is often moved during the school year between campus and home. This situation is further complicated by the fact that a distributed computing environment is common at large schools, making it hard for a central IT group to keep track of what’s out there. Furthermore, many schools offer distance learning options, meaning that some student computers may never actually be on campus. Second, there is a tremendous amount of sensitive electronic data on most campuses. Determining the location of that data, who controls it, and how best to protect it is a daunting task, even at a small school. At large universities, there may be a central IT group – or even a central IT security group – but the daily management of many systems and/or handling of data is usually the responsibility of the individual colleges or departments. 1 Security Threat Report, Symantec Global Internet, April 2008. 2 Educational Security Incidents (ESI) Year in Review – 2008, Released February 2009. 3 Gartner 2008 Higher Education Security Survey: Governance, Policy and Cost. 
Michael Zastrocky, Jan-Martin Lowendahl, and Marti Harris. 22 December 2008. 4 Ibid.
  • 3. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Third is the issue of shadow systems. The university’s core systems, containing Enterprise Resource Planning (ERP), CC information, medical records, or other important student data, may be well protected; but there are frequently local copies of sensitive data that are not under that same protective umbrella. Even small schools have multiple departments, and some of these – Housing or Campus Dining, for example – need systems containing important student information in order to function. When these various shadow systems are connected to the Internet, or where the shadow systems are accessible from across the campus networks, the problem is compounded. This proliferation of systems in a highly distributed information environment makes it very difficult for colleges and universities to keep track of everyone who has copies of sensitive data such as students’ Social Security Numbers. Academic freedom is a fourth concern. Open networks – indeed, the Internet itself – have their roots in academe. Networks have long been viewed as teaching tools, and the notion of imposing any restrictions on them has been forbidden. IT security measures that would exist as a matter of course in a business environment have, until recently, been frowned upon in academic settings in the name of academic freedom. Finally, there is always the issue of funding. Because of financial constraints – now more than ever – schools are often forced to depend on a limited staff of professional IT support personnel. In fact, some campus IT departments are staffed primarily by computer science majors or other students with an interest in technology. 
Government Compliance Issues

Unfortunately, this challenging campus IT environment exists at a time when increasingly stringent government regulations continue to raise the bar for data protection and to impose harsh penalties on those who fail to protect sensitive data. At colleges and universities, IT managers must comply with many such regulations.

• Banking. Universities and colleges lend and collect large amounts of money, as they grant loans and disburse funds. This means that they fall under the Gramm-Leach-Bliley Act (GLBA) and must protect the privacy of their student customers.
• Health care. Almost all institutions of higher education with students living on campus have a health center and therefore must protect patient data under the Health Insurance Portability and Accountability Act (HIPAA).
• Retail sales. Parents and students use credit cards to pay for everything from books to tuition, meaning that colleges and universities – like all other retailers – must comply with the Payment Card Industry (PCI) Data Security Standard (DSS).
• Student grades. The Family Educational Rights and Privacy Act (FERPA) controls who can access student grades. If grades are being distributed or stored electronically, they must be secured.

In addition to these federal requirements, colleges and universities in most states must comply with state privacy laws such as California SB 1386, a piece of landmark legislation that became operative in July of 2003. Laws like this require that any agency, person, or business that owns or licenses computerized “personal information” must disclose any breach of security to those whose unencrypted data is believed to have been disclosed.

In his article, “Back to School: Compliance in Higher Education,” Ken Bocek notes, “While most institutions are compliant with GLB, PCI, HIPAA, FERPA, and other regulations, the number of institutions involved in data breaches does not seem to be on the decline. It’s this point that makes higher education a lesson for all organizations.”[5]

5 “Back to School: Compliance in Higher Education,” SC Magazine, Ken Bocek, September 19, 2007.
Addressing IT Security on Campus

Thanks to their growing awareness of the importance of IT security, schools are addressing the issue in a variety of ways. The most obvious solution – creation of a full-time central IT security group on campus – has been put in place at many schools, especially large universities. Even smaller schools have recognized the need for someone whose full-time job is IT security, and higher education employment Websites frequently advertise IT security positions at community colleges and comprehensive universities. The recognition that security is not something a network engineer can do as a side job is viewed by education professionals as a positive trend as they accept the challenge of safeguarding sensitive data, complying with government regulations, and generally protecting the systems and information within the campus computing environment.

A central IT security group is typically managed by an IT security officer, a high-level position with broad authority and recognition throughout the school. Because of budget pressures, many schools’ IT groups have not grown larger in the past few years, but schools have reprioritized resources to address their security concerns. For example, a school may designate what was formerly a network engineering position as a full-time security position, and retrain that individual accordingly.

There has also been a trend toward greater cooperation among departments regarding security. Various campus offices – Human Resources, Controller, Registrar, Financial Aid – frequently collaborate to develop innovative ways to share resources and protect their user communities.

Another important trend has been increased educational opportunities for the extended university community – students, faculty, and administration – about the importance of IT security. Blogs, YouTube, and the ubiquitous laptop and cell phone are all effective means of communication, along with campus newsletters, email, and face-to-face discussions. By communicating through these various media, campus IT security professionals have helped their communities to understand that IT security is a shared responsibility and that every campus computer user faces risks if there is a security lapse.

Many campuses have adopted the practice of conducting departmental or area IT security reviews to help their constituents recognize their vulnerabilities; identify potential problems with hardware, applications, and/or databases; and offer alternatives. Some schools have even developed and distributed an IT disaster recovery plan. It has also become common for schools to conduct compliance-related reviews to teach people how to handle FERPA, PCI, HIPAA, and/or GLB data, and to underscore the benefit of adopting industry practices such as ISO 27001, CoBIT, and NIST.

Furthermore, every college or university today acknowledges the need to maintain a reliable Web presence, and most of their websites now include at least one page dedicated to IT security. The bottom line is that IT security operations and practices have become increasingly formalized, and schools have a far greater awareness of compliance requirements. Colleges now understand that PCI applies everywhere.

IT Security Resources in Higher Education

As IT security has gained exposure on college and university campuses, a growing number of resources have become available to address the issue. The Virginia Alliance for Secure Computing and Networking (VA SCAN) was established to strengthen IT security programs throughout the Commonwealth of Virginia. As their Website points out, “This Alliance brings together Virginia higher education security practitioners who developed and maintain security programs widely emulated by other institutions, and researchers responsible for creating cybersecurity instruction and research programs nationally recognized for excellence.”[6]

6 Website – Virginia Alliance for Secure Computing and Networking (VA SCAN), www.vascan.org
The University of Wisconsin’s flagship campus in Madison now routinely conducts risk assessment of its IT systems with all departmental CIOs in the University system. In Texas, the state legislature has enacted new laws that impact all public universities and their approach to IT security. Perhaps the best known American higher education technology resource is EDUCAUSE, which was founded in the late 1990s “to advance higher education by promoting the intelligent use of information technology.”[7] Open to all public and private colleges and universities, EDUCAUSE fosters information sharing by providing schools with opportunities to participate in policy-sharing forums or to post presentations and other materials that they have developed. EDUCAUSE also sponsors an annual security event for those in security officer or security analyst roles so they can come together and focus on communication, collaboration, and information sharing.

The Role of Rapid7 Nexpose

Rapid7 Nexpose is a vulnerability assessment product that has become a boon to IT security professionals at nearly 100 institutions of higher learning, including Carnegie Mellon University, Florida State University, George Washington University, Norwich University, University of Mary Washington, Virginia Tech University and Weill Medical College. In fact, one IT security officer has described Rapid7 Nexpose as a “force multiplier” that saves valuable time and resources.

Nexpose provides broad platform coverage from one integrated product that assesses the security risk for a wide array of systems, software and devices in your IT environment, including:

• Network and Operating System Vulnerability Assessment – The first step in securing your IT environment is to ensure that all systems and network devices have been properly audited and exposures eliminated. Rapid7 Nexpose enables organizations to audit their networks, track discovered vulnerabilities through resolution, and ensure policy compliance.
• Web Application Vulnerability Assessment – Because they exist as a conduit between external users and a company’s internal databases, Web applications can be one of the biggest security risks. Rapid7 Nexpose scans the Web application server and all Web applications for serious threats to your environment, such as SQL injection and cross-site scripting.
• Database Vulnerability Assessment – Rapid7 Nexpose provides comprehensive database scanning for Oracle, Microsoft SQL Server, Sybase, PostgreSQL, MySQL, IBM DB2 and IBM DB/400 to identify vulnerabilities that affect databases, such as default accounts; default permissions on database objects like tables, views, and stored procedures; buffer overflows; and denial of service.
• Compliance Scanning – The growing number of government and industry-specific regulations designed to protect corporate information requires organizations to put policies in place to regularly audit the environment and produce reports that validate compliance. Rapid7 Nexpose generates SOX, HIPAA, PCI, FISMA and GLBA reports that document and demonstrate compliance to auditors.

7 Website – EDUCAUSE, www.educause.edu
About Rapid7

Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the Company’s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.