Universities have a poor reputation when it comes to IT security. Crackers, for example, have notoriously probed school networks for vulnerable entry points in order to commandeer systems for use in distributed denial-of-service attacks.
Further muddying the security waters at higher-learning institutions is the not-for-profit nature of the beast. IT security does not demonstrate a tangible return-on-investment and is usually not high on the list of priorities for spare funds that could otherwise be funneled into a classroom.
Needless to say, university chief security officers have their hands full.
But in many ways they're not unlike corporate CSOs.
There are still internal political hurdles to clear in order to procure resources. College CSOs also have to instill a culture of security without getting in the way of faculty research or student learning.
Krizi Trivisani, the director of system security for George Washington University, is a presence on the Washington, D.C., campus. The 32-year-old admits she is more strategist than technician, and since she took over at GWU in May 2000, her mission has been to evangelize as much as it has been to lock down the school's network from invaders.
"If you have a CSO standing in on day-to-day incidents, you cannot plan your program and implement it," said Trivisani, who reports to the chief technical officer and is two rungs below the chief information officer on the organizational ladder. "You need a staff large enough to handle different aspects of the job. I've seen cases where you have a CSO doing everything and not getting anything done because they spend their day putting out fires."
The most important weapon in Trivisani's holster is a solid security policy and best practices. Her implementation follows the National Institute of Standards and Technology (NIST) framework and has been applauded campus-wide. The implementation was recently recognized by the Technology Manager's Forum with an award for best practices implementation and enforcement in information security.
Trivisani also holds quarterly security forums with faculty members and administration, giving them an opportunity for information-sharing, networking and education. Each forum focuses on a specific tenet of information security, and the forums often include hacking demonstrations and guest speakers.
"I see my office as a partnering organization. We have legal folks on campus, a university police force and student judicial services," Trivisani said. "You've got to have them all involved."
Trivisani said her position on the organizational ladder is advantageous. Reporting to the university's CTO gets her office fully involved in new technology being developed or considered for widespread use. The relationship simplifies her strategizing, she said. But there are hurdles.
"Security often doesn't fly. It's like insurance; if you haven't been in an accident, you can say 'why do I need insurance?' -- until it happens," Trivisani said. "You have to balance academic freedom, security and confidentiality. This is not a corporation where profits can be put into security. Every dollar I use is a dollar that does not go into a classroom.
"We are not here to punish. We're here to protect and partner. This is different than a corporation, where they can mandate security. We cannot stifle the learning environment."
Trivisani often puts on hacking demonstrations to show superiors who are skeptical of security the impact of ignoring it. During one session, her engineers hacked into a university system in 27 seconds, potentially compromising research that took years to compile.
"I have to educate. The more we educate, the more they buy into security," Trivisani said.
Central to her approach has been policy implementation and enforcement using the NIST framework.
The framework separates an organization's security into levels. These include security management and culture; computer security plans; awareness, training and education; budget and resources; incident response and more. Each level includes policy, procedure, implementation, testing and integration checkpoints.
"We took the NIST levels and set implementation goals," Trivisani said. "What is great about the framework is that you get great flexibility to determine what your organization's risk levels are. You can adjust your spending and priorities accordingly.
"The framework is a good template to let new CSOs start thinking about the areas they need to cover."