Educause Security Discussion mailing list archives
Re: IT Security in Higher Ed.
From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Thu, 22 Oct 2009 14:04:47 -0600
Lee Anne,

To echo Randy's statement and provide another thought or two... (or a dozen!)

HE markets, pays bills, is mindful of taxes, has inventory problems, must manage personnel, has a variety of constituents, must deliver a product or become irrelevant, is subject to competition (albeit entry is a tad bit restricted in many cases), regulation, and so on. HE IS BUSINESS and as such has a lot of similar problems to solve, objectives to reach etc. Just like any business, cash procedures, credit procedures, billing and receivables are important. Customer relations have to be maintained, and on, and on...

It is however a different business. It can be broad-based for research universities, or very vertical for specialty schools. It has a higher effectiveness need than efficiency need - by that I mean the product is more resistant to failure, as failure in and of itself is an expectation for both the demand and the learning process. (That is failure inspires research, pursuit of knowledge, and failure provides data through which the product of "education" is recognized.) It is less subject to timeline/delivery pressures than say manufacturing, or market conditions say as in merchandising. HE will say it isn't about profit, but if you follow the $ to research and intellectual property rights you'll see through that smokescreen really fast (particularly in heavy research institutions.)

Risks still exist, threats to objectives still exist, and some good portion of the work and control structure of any "business" is still expected. (e.g. PCI DSS, FISMA, HIPAA, and IRS Reporting requirements still play!) HE tends to push decision making way down the hierarchy, thus distribution of authority makes for some challenges in resolving concerns. HE tends to optimize at the unit, again a less efficient outcome, but perhaps more important for "effectiveness" or "quality of education" goals.

Basically, no two businesses are completely alike, so there is no perfect answer to your question. Things that particularly amaze me as being quite different, at least in my "public" university:

- That typical HR management is done by the academic unit, not HR, for faculty. Complicates that space.
- The tendency to shun direction, edict, and embrace collaboration and consensus. Authority is of the masses not those endowed with responsibility. Makes for some interesting dynamics.
- Autonomy amongst the units is incredible. The ability of the smallest function to dictate its own existence is massive, and that creates all sorts of conflict.
- There is little REAL social pressure yet for something "DIFFERENT" than the traditional romantic model of education, so the barriers to competition are pretty high. State education being subsidized creates real barriers on an economic basis, and where competition exists, it seems to play to limited audiences. Information ubiquity is however having some impact here I think, the academy is being forced to adjust and adopt.
- The reward cycles and motivations of participants are quite unique, particularly amongst faculty. It always seems that if there isn't some unique honorable title to go along with the role, we'll find a way to create one (adjunct assistant tenured fellow of distinction in "name your topic" etc.).
- Great social protections seem to create an environment of almost limitless entitlement. For whatever you take of that it does impact your ability to govern, manage change, etc. Both state/federal expectations and a commonly unionized environment play heavily into this.
- Protection of information in an environment that is designed to disseminate information. Wow does that create interesting conflicts.

So none of this opinion above is research worthy, but maybe it will help you in your consideration of what areas to research.

Despite the uniqueness, the basic security principles discussed in something like GAISP or in common security definitions like CIA (confidentiality, integrity, availability) still apply. It is simply the unique criticality and priority based on the unique business outcome that is different, thus the weights and focus of your security efforts are likely to be a bit different than your typical corporate board-managed culture. That's as true for HE as it is for Defense Electronics, Semiconductor Manufacture, or Technology Merchandising, all of which have unique demands and qualities. Essential security doctrine still applies and works in all 3 of these at least by my personal experience. Secrecy, Timeliness, Proprietary Value are all still attributes that matter.

Does this help? I'm afraid it's a "both" answer, but there isn't a good way to simplify that.

Best regards,

Jim

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu
303-735-5682
-------------------Boulder------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hart, Lee Anne
Sent: Thursday, October 22, 2009 7:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IT Security in Higher Ed.

Hello,

I'd like to do a little research on how or if IT Security in Higher Education is different from other organizations such as the government and corporate America.

- Are the threats/risks different?
- Is the purpose or goal different?
- Are there organizational differences?
- Unique challenges to working in higher ed?
- Why do you work in higher ed?
- Unique benefits to higher ed?
- Have you worked for the government or a "for profit" company? If so, what differences do you see?
- Should it be different? Why/why not?
- Do you know of similar articles or threads on this topic?
- Other?

Thanks in advance for your help. Feel free to respond offline. I'll review the responses and use the information in a blog entry I'll share with the list.

Thanks,

Lee Anne

-------------------------------
Lee Anne Hart, CISSP
IT Security Analyst
Montgomery College
15400 Calhoun Drive, Suite 310
Rockville, MD 20855
240-567-3142 (O)
240-731-2332 (C)