How are remote campuses protected in your recovery plan?
Derwostyp: Normally what is done, is teams are sent to disconnect and pull out core equipment and bring it to Hattiesburg. But because of the evacuation orders, we didn't have a chance to do that; we didn't want to put our guys in harms' way, or get them stuck in the traffic jams. Leading up, we concentrated on Hattiesburg where our core operations are and were planning to shut down all our equipment. We do that building-to-building by shutting down all our switches and routers and doing the same to our datacenter during major storms. That usually takes six to 12 hours with the number of locations we have on campus. Staff on the gulf is tasked with bringing any equipment into the center of buildings, cover it in plastic and power everything down.
Could you rate the effectiveness of your DR plan?
Derwostyp: The plan was developed in 1999 [editor's note: Derwostyp has been at USM for 14 months], and a project plan was submitted in August to redevelop the DR and continuity plans, but they weren't acted on. The plan is very rudimentary; there was nothing in there, for example, to replace communications in an emergency, nor were there plans for our own emergency response team. This is an opportunity to refine policy and procedures.
What security issues have you run into since Katrina?
Derwostyp: Looting on campus -- that and getting physical access to buildings. We've also had to relax some of our remote access security so people who have laptops could get into our systems and do some work, or at least communicate to others that they're OK.
What is your next step as an information security manager?
Derwostyp: Once things settle down and we lock everything back down to the way we had it, we'll have to verify who has machines with them versus machines that may have been looted, and verify who is accessing our systems. We know 17 offices were broken into.
How can you turn the disaster into a positive from a security point of view?
Derwostyp: We're working on new policies to tighten down our procedures on a university-wide basis, putting all five state colleges under the same umbrella and in compliance with regulations like HIPAA, SOX, GLB and the Mississippi Pub Records Act.
I come from a corporate background. The academia mindset is they can do anything they want, whenever they want. I want to stop them from doing that, do what they need to in a secure process and not open the university to liability.
What recovery and continuity improvements would you like to see?
Derwostyp: I would like to see a team formed that can respond to incidents and has the power and authority to do what needs to be done like spend money, bring in equipment and be a best practices model for the university.
It's extremely hard in this environment because we're at the mercy of what the state gives us. In most environments, IT is thought of as a cost center, but is asked to do the most. This may significantly help it.
I'd also like to see a separate security policy and compliance team that would report directly to the president of the university that would have full authority to manage security on all systems as it relates to federal and state regulations.
What difficulties would have been averted with a more refined policy in place?
Derwostyp: If there had been more policies and procedures, it would have made recovery easier and it would have been more of a structured process. That said, this was so catastrophic, I don't know many DR plans that would have been fully functional.
About the author
Michael S. Mimoso is Senior Editor of Information Security magazine.