Higher education is an interesting place to be if you are an information security professional. We work on campuses that are essentially small cities. Our organizations often provide our own utilities, fire departments, police, power and deal with transient populations that often make up a significant percentage of the local area’s total when school is in session. Campuses often have a variety of independent IT organizations, and those organizations are asked to act as an ISP, providing networking to a populace that may require most normal security tools to get out of the way. We also have a population that, in some cases, designed the basic technologies we’re using.
The security risks we face aren’t unique, but they are quite varied. Many security professionals from the business world that I talk with cringe when I describe a typical higher education environment! Thus, when I was asked to write about security in my area of expertise, I pondered common topics like phishing, reputation services, and what bring your own device (BYOD) means in an open environment. What I realized was that all of it came down to the way we look at risk as an organization. If we don’t get that right, our technologies and policies won’t matter much.
Director of information security
University of Notre Dame
Leads Notre Dame’s SSN Remediation program, which is designed to reduce the risk of inadvertent disclosure of Social Security numbers. The three-pronged strategy includes technical remediation, business process reviews and the creation of a long-term governance structure for the management of highly sensitive information.
Managed Notre Dame’s Information Security Program, a four-year effort involving 24 projects to create a long-term security infrastructure for the university. Key projects included creation of Notre Dame’s Security Operations Center.
Cut vulnerability scanning costs by 50 percent in support of the university’s fiscal responsibility goals.
Every organization realizes at some point that it needs to assess the risks it faces. Some organizations choose a standardized model for security risk assessment, others use a model devised in-house or hire expensive consultants. The worst case is one that takes the unfortunate option of denial. What the organization chooses to do about risk is critical. Addressing risk can only be successful if management is willing to look at risks head-on, and take ownership of the security risk assessment process of handling them.
At Notre Dame, we do something that is relatively unique in my higher education experience. The executive vice president created—and personally chairs—a group known as the Institutional Risk and Compliance Committee. This group is composed of senior members of management, including functional roles like finance, IT and research, and covers each of the major business areas of the university. It is a diverse group with a big impact.
What makes the group different from many management teams is how it looks at risks, and how it reacts to risks. This diverse group has created a simple process of yearly assessments conducted by each major business area in the university. Risks must affect the university as a whole, and they’re categorized on a simple high, medium and low scale for probability and impact, and colored red, yellow or green. Each one is then rated on its current status: un-handled and needs a plan; in progress with a plan; or handled as well as it can be handled. Again, each risk is red, yellow or green based on its status—a separate rating from its probability and impact. A quick glance at a chart tells the group what needs attention or a status check. Red risks with a red status rating get attention quickly!
You will notice that the last rating for status isn’t “closed”—major risks to the organization are rarely something you can call done. Instead, you may complete your plan for handling the risks, but you continuously monitor them.
The broad view approach—the understanding that risks have a lifecycle—and the way members of the team work together are what sets this group apart. You see, over the life of the group, the members have become comfortable challenging each other and at asking questions that help their peers take a different look at what they’re presenting. When the group gets together, sessions are lively. The sessions result in useful feedback and a lot of improvement in the risks that are identified, plans to address those risks, and the entire group’s understanding of what the university faces.
The fact that executive-level support is needed to handle risks for an organization is nothing new, and every risk assessment manual mentions it. What then can you take away from this?
Two things: First, there is hope. If your organization isn’t addressing risk in a realistic way, put your leadership in touch with an organization that is. Have them talk about methods, costs and benefits. Second, look at how you treat the security risk assessment process. Is it something you share with your peers? Are they comfortable with being upfront about it? And, most importantly, do they think about risk over time, or simply as a set of controls? Answer these questions and you just might realize it’s time to change how your organization handles the next big security risk.
Information Security's 2012 Security 7 winners: