Educause Security Discussion mailing list archives

Re: IT Security in Higher Ed.


From: Anand S Malwade <Anand.Malwade () SHU EDU>
Date: Thu, 22 Oct 2009 16:16:13 -0400

I would say that the risk appetite for HE is much different than corporate, say banking/finance. From my experience,
security within HE relies more on detective and reactive controls than on preventive controls, due to the concept of
academic freedom.

Also, there is a lack of senior management commitment and support due to the low reporting structure and chain-of-command
issues. Governance and staffing are significantly different as well.

Anand

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Dillon
Sent: Thursday, October 22, 2009 4:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IT Security in Higher Ed.

Lee Anne,

To echo Randy's statement and provide another thought or two...  (or a
dozen!)

HE markets, pays bills, is mindful of taxes, has inventory problems,
must manage personnel, has a variety of constituents, must deliver a
product or become irrelevant, is subject to competition (albeit entry is
a tad bit restricted in many cases), regulation, and so on.  HE IS
BUSINESS and as such has a lot of similar problems to solve, objectives
to reach etc.  Just like any business, cash procedures, credit
procedures, billing and receivables are important.  Customer relations
have to be maintained, and on, and on...

It is however a different business.  It can be broad-based for research
universities, or very vertical for specialty schools.  It has a higher
effectiveness need than efficiency need - by that I mean the product is
more resistant to failure, as failure in and of itself is an expectation
for both the demand and the learning process.  (That is, failure inspires
research, pursuit of knowledge, and failure provides data through which
the product of "education" is recognized.)  It is less subject to
timeline/delivery pressures than say manufacturing, or market conditions
say as in merchandising. HE will say it isn't about profit, but if you
follow the $ to research and intellectual property rights you'll see
through that smokescreen really fast (particularly in heavy research
institutions.)

Risks still exist, threats to objectives still exist, and some good
portion of the work and control structure of any "business" is still
expected.  (e.g. PCI DSS, FISMA, HIPAA, and IRS Reporting requirements
still play!)

HE tends to push decision making way down the hierarchy, thus
distribution of authority makes for some challenges in resolving
concerns.  HE tends to optimize at the unit, again a less efficient
outcome, but perhaps more important for "effectiveness" or "quality of
education" goals.

Basically, no two businesses are completely alike, so there is no perfect
answer to your question. Things that particularly amaze me as being
quite different, at least in my "public" university:

- That typical HR management is done by the academic unit, not HR, for
faculty.  Complicates that space.
- The tendency to shun direction, edict, and embrace collaboration and
consensus.  Authority is of the masses not those endowed with
responsibility.  Makes for some interesting dynamics.
- Autonomy amongst the units is incredible.  The ability of the smallest
function to dictate its own existence is massive, and that creates all
sorts of conflict.
- There is little REAL social pressure yet for something "DIFFERENT"
than the traditional romantic model of education, so the barriers to
competition are pretty high.  State education being subsidized creates
real barriers on an economic basis, and where competition exists, it
seems to play to limited audiences.  Information ubiquity is however
having some impact here I think, the academy is being forced to adjust
and adopt.
- The reward cycles and motivations of participants are quite unique,
particularly amongst faculty.  It always seems that if there isn't some
unique honorable title to go along with the role, we'll find a way to
create one (adjunct assistant tenured fellow of distinction in "name
your topic" etc.).
- Great social protections seem to create an environment of almost
limitless entitlement.  For whatever you take of that, it does impact
your ability to govern, manage change, etc.  Both state/federal
expectations and a commonly unionized environment play heavily into
this.
- Protection of information in an environment that is designed to
disseminate information.  Wow does that create interesting conflicts.

So none of this opinion above is research worthy, but maybe it will help
you in your consideration of what areas to research.

Despite the uniqueness, the basic security principles discussed in
something like GAISP or in common security definitions like CIA
(confidentiality, integrity, availability) still apply.  It is simply
the unique criticality and priority based on the unique business outcome
that is different, thus the weights and focus of your security efforts
are likely to be a bit different than your typical corporate
board-managed culture.  That's as true for HE as it is for Defense
Electronics, Semiconductor Manufacture, or Technology Merchandising, all
of which have unique demands and qualities.  Essential security doctrine
still applies and works in all 3 of these at least by my personal
experience.  Secrecy, Timeliness, Proprietary Value are all still
attributes that matter.

Does this help?  I'm afraid it's a "both" answer, but there isn't a good
way to simplify that.

Best regards,

Jim

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu        303-735-5682
-------------------Boulder------------------------


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hart, Lee Anne
Sent: Thursday, October 22, 2009 7:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IT Security in Higher Ed.

Hello,

I'd like to do a little research on how or if IT Security in Higher
Education is different from other organizations such as the government
and corporate America.

- Are the threats/risks different?
- Is the purpose or goal different?
- Are there organizational differences?
- Unique challenges to working in higher ed?
- Why do you work in higher ed?
- Unique benefits to higher ed?
- Have you worked for the government or a "for profit" company? If so,
what differences do you see?
- Should it be different? Why/why not?
- Do you know of similar articles or threads on this topic?
- Other?

Thanks in advance for your help. Feel free to respond offline. I'll
review the responses and use the information in a blog entry I'll share
with the list.

Thanks,
Lee Anne

-------------------------------
Lee Anne Hart, CISSP
IT Security Analyst
Montgomery College
15400 Calhoun Drive, Suite 310
Rockville, MD 20855
240-567-3142 (O)
240-731-2332 (C)
