Information Security In Higher Education: Baby Steps presented at SOURCE Boston 2009

by Adam Dodge and Kees Leune

Tags: Security Others Access Business

Summary: Higher education is an interesting field for information security professionals. Many of the rules we learn in infosec school do not apply as well as they do in commercial environments. In this presentation, we discuss a number of the exceptions that make higher education such an interesting field, and present the lessons learned one year after starting a new security program. Colleges are special places of learning, exploration and the open exchange of information. Through intellectual discussion and organized discourse, students and faculty convene to transfer knowledge and insight on esteemed topics. As idealistic as this sounds, it is truly the case.
Students and faculty are special types of users not found anywhere else. Students often have an idealistic sense of ethics that is not always compatible with the rest of the organization. Some students learn best through experiment, and every now and then experiments go horribly wrong. Residence halls usually have high-bandwidth connections with few restrictions. Faculty are self-governing employees who are guaranteed the freedom of academic pursuit. That privilege grants a faculty member the right to work on whatever topic he or she desires, without interference or censorship from the university. In other words, the administration cannot dictate how research and teaching are conducted, and that extends to the use of information resources.
The free flow of information is sacrosanct on college and university campuses. Most information security handbooks emphasize that information assets are owned by the organization. Not so in higher education: scholarly works are typically owned by the faculty member who authors them, and each individual faculty member is in full control of who has access to which resources, under which conditions, and in which way. As information security professionals, this makes our life a little harder than it would be in a comparable commercial organization. Given the above, starting a new information security program at an institution of higher education is a daunting task. The number of stakeholders is enormous, and just about any technical control that is proposed will be subject to one very relevant question: "How will it affect the freedom of academic pursuit?"
Ignoring this question is a guaranteed road to failure. Information security managers learn that security controls must be aligned with business goals, and the business goal of a university is to provide education and to perform research. Both of these goals require that the rights of faculty and students be protected from censorship or interference. This lesson, as well as several others that we have learned the hard way, will be the topic of our talk. We will illustrate how different, yet how similar, information security work in higher education is compared to commercial environments. The most important lesson is: take baby steps. The academic institution has been around for almost two millennia, and it takes its time when faced with change. This applies to information security as well.