Back in January, I wrote a fairly comprehensive piece for BTL ("What makes schools vulnerable") discussing a number of things that academic institutions can do to help secure their data, much of which is highly decentralized. Well, after reading "OU leaves server in hackers' hands for a year", I thought it was time to bring this topic back to the forefront.
As the CIO of Ohio University points out:
Then there's the free-flow of information. "If you're a corporation, you can just lock everything down," CIO Bill Sams said. "We don't have that luxury. The academic side is trying to find a line between maximum flexibility and data security…We need someone somewhere to come up with a set of best practices for schools."
It is all too easy to let the long-held, and highly-valued, principle of Academic Freedom cloud the issue. All too often, the assumption is that security means that information can no longer be freely shared. Never mind that this needn't be the case.
Further, there is a certain amount of distrust between the academic units of an institution and the university's administration. Rarely overt, it grows out of a lack of understanding of each other's roles in the operation of the institution -- and neither side will acknowledge the gulf.
Unlike the corporate world, academia has no 'profit centers' -- each and every unit of the institution lives within a confined budget which is largely beyond its control. Budgets are jealously guarded and departmental funding is a political hot potato. The result is decentralization to the extreme.
In many instances, even IT is highly decentralized. From a budgetary standpoint, this often keeps the institution from embarking on large projects because such projects require centralized funding and centralized control. The entire institution gets held back because individual departments are unwilling to give up control of their piece of funding in order to pay for services which could benefit the institution as a whole.
The lesson to be learned from OU is that when it comes to security, a centrally controlled and monitored IT infrastructure is essential. Included in the list of essential features of such an infrastructure are:
- Firewalls around your campus border and around each of your campus machine rooms.
- User authentication required to access your network.
- MAC Registration of all workstations connected to your network.
- Authentication required for use of campus mail-relays.
- Locating all institutional data behind a machine room firewall.
- Comprehensive virus protection for all network-connected workstations.
- Requiring timely security updates for all network-connected workstations.
- Performing routine security scans on all network-connected workstations.
- Comprehensive SPAM filtering for e-mail.
- Enforceable policies regarding 'user rights and responsibilities'.
Not all institutions are in a position to institute all of these features today, but with each of these features (and others which have undoubtedly slipped my mind) comes a higher level of internal security. The sooner your institution (be it a high school, a school district, or a university) becomes aware of how vulnerable your data might be, the sooner you can take steps to mitigate that risk.