Research Bulletin, June 14, 2013
CDS Spotlight: Information Security
Gregory W. Hedrick, Director, Security Services, Purdue University
Joanna Grama, Portfolio Manager, EDUCAUSE
Overview
This special ECAR research bulletin series highlights findings from the EDUCAUSE Core Data Service, focusing on a small but meaningful slice of data collected in the CDS. These selected highlights are intended to provide context and meaning for CDS benchmarks that might be of especially broad interest or particularly timely or that could help draw connections between research from ECAR and CDS. The series is featured along with other CDS publications on the CDS website (http://www.educause.edu/coredata) and is available to eligible ECAR subscribers as part of their subscription.
This spotlight focuses on data from the 2012 Core Data Service to better understand how higher education institutions approach information security activities. Information provided for this spotlight was derived from Module 7 of CDS, which asked several questions regarding IT security. Responses from 636 institutions were analyzed. Only U.S. institutions with a designated Carnegie class (AA, BA, MA, DR) were analyzed for this bulletin.
The Role of Information Security in the IT Organization
A unique discipline that blends technology, smart business processes, legal and regulatory requirements, and plain old common sense, information security doesn’t just impact an IT organization—it impacts an entire higher education institution. Information security can be thought of both as an IT domain area in its own right and as a strategy that must be reflected in an institution’s governance and policies.
At some point, most higher education IT organizations grapple with where to place information security activities organizationally and how best to approach those activities. Most institutions (89%) report that their central IT organization is primarily responsible for campus information security activities. Far fewer institutions (7%) report that information security responsibility is shared between central IT and other administrative or academic units (see Figure 1).
Figure 1. General Responsibility for Information Security
Why Is It Important?
Regardless of organizational area, information security remains a constant concern for higher education IT organizations. Higher education institutions use and store large volumes of data, including personal information of employees and students, sensitive institutional business data, and faculty research data. Practices designed to institute strong and effective controls to safeguard data are often at odds with higher education’s values of collaboration and openness. Because of the different types of data that a higher education institution must protect, effective use of security technologies and coordination between IT organizations and administrative and academic units are key.
What Do the Data Show?
Institutions approach information security in a number of different ways. 2012 CDS data showed that institutions vary in how information security practices are apportioned by area of organizational responsibility, the types of security technologies deployed, institutional use of risk assessments, and how institutions approach security certifications for IT personnel.
IT Security Practices by Area of Responsibility
Higher education institutions implement a number of IT security practices, and most often central IT organizations are responsible for implementing technical security safeguards (see Figure 2). Technical (or “logical”) safeguards are those activities implemented in the hardware and software of information systems. At over 85% of institutions, central IT organizations are responsible for these eight IT security practices: network segmentation (96%), firewall operation and management (91%), network access control (91%), intrusion detection system operation (90%), netflow data collection and analysis (88%), answering and processing abuse e-mail (86%), scanning the network for vulnerabilities (85%), and the selection of security software (85%).
Figure 2. Responsibility for Technical Practices
Shared responsibility between central IT organizations and other administrative or academic units tends to occur for IT security practices that are administrative in nature. Administrative safeguards are those controls influenced by laws and regulations and that set forth the institution’s rules and policies. Most of these security practices impact institutional business organizations and functions, making shared responsibility a natural fit. In particular, information
Figure 3. Responsibility for Administrative Practices
At some institutions, IT security practices are outsourced. While very few IT security services are outsourced overall, the practices that are outsourced tend to be those that validate internal security practices. For instance, penetration testing (12%), scanning of web applications for vulnerabilities (6%), and scanning the network for vulnerabilities (5%) are the most commonly outsourced IT security practices. Likely due to technical skill requirements and alignment with law enforcement procedures, forensic analysis activities are also outsourced at a higher rate (8%). No significant differences by Carnegie class or control were found among different types of institutions.
Security Technologies
Higher education IT organizations continue to deploy a number of security technologies to protect institutional infrastructure and data. Firewalls continue to be the most widely used security technology across campus. In particular, firewalls are used in force at most institutions to protect external Internet connections (89%) and high-security servers and networks (87%) (see Figure 4).
Figure 4. Prevalence of Various Security Technologies
In 2012, CDS asked about intrusion protection systems (IPS), access control lists (ACL), network access control (NAC) and data loss prevention (DLP) implementations for the first time. These different technologies are used alone and in concert to secure an institution’s IT infrastructure and institutional data. Institutions use IPS implementations to monitor network traffic for malicious activity and actively prevent attempted intrusions. Because their main function is to block malicious intrusion, IPS solutions are more likely to be implemented on external Internet connections (52%) and in high-security areas (40%).
Institutions use ACLs to manage user and process access permissions on systems or resources. ACLs ensure that only approved users can access certain systems and networks, and this regulated access provides a basic level of system security. ACLs are more likely to be used in areas where access permissions must be strictly monitored and enforced, such as high-security servers (60%).
Institutions can use NAC to verify whether equipment connecting to the network is running antivirus software. NAC can then prevent access to the network until antivirus software is installed and identified vulnerabilities on the equipment are resolved. NAC is a newer security technology and more difficult to implement than other technologies like firewalls and ACLs. At the institutions using NAC, it is predominantly used to segregate residence hall networks from main campus networks (21%). This is because higher education IT organizations typically have less control over student-owned machines but still need to allow those machines access to the campus network. The use of NAC helps prevent possible compromise of critical campus infrastructure.
DLP is also a newer technology used to protect sensitive institutional data or intellectual property. This technology is designed to detect a potential data breach through monitoring data during storage and transmission. While DLP is still an emerging technology in higher education, its use may grow in the future because some regulatory programs, such as the Payment Card Industry (PCI) standards, require that DLP be implemented as part of an institution’s security
where the technology can detect data leaving an institution, such as external Internet connections (5%), high-security servers (4%) or individual workstations (4%).
Mobile device management (MDM) for personally owned devices was another new question asked by CDS in 2012. MDM is used to secure and monitor the use of mobile devices deployed across an institution. MDM use may increase in the future due to the bring-your-own-device (BYOD) explosion at higher education institutions. Only 10% of institutions have implemented an MDM policy for personally owned devices such as laptops, smartphones, tablets, or portable storage devices (see Figure 5). Private bachelor’s institutions are most likely to have implemented such a policy (15%), followed by associate’s institutions (13%). It may be that the size, governance models, and culture of these institutions allow IT organizations to more easily implement policies requiring the use of MDM on personally owned devices.
Figure 5. MDM Policies
Risk Assessment
Responsibility for information risk management activities tends to be split nearly evenly between being primarily with central IT organizations (48%) and being shared between central IT and other administrative or academic units (46%). The use of risk assessments to help identify vulnerabilities in and threats to critical subsets of institutional IT resources continues to rise across all institutional areas, highlighting its growing importance in determining IT security deficiencies and priorities. Overall, institutions report the greatest use of risk assessments in reviewing central IT systems and infrastructure. However, from 2011 to 2012, the largest increase was in the use of risk assessments to review central administrative systems and data, from 53% to 59% (see Figure 6). Central administrative systems and data include student administration systems (admissions, financial aid, registration, etc.), financial information systems, procurement systems, human resource systems, payroll, and similar enterprise-wide systems.[1]
Figure 6. Change in Risk Assessments
IT Security Personnel
Most higher education institutions (89%) do not require IT security personnel to obtain security certifications. Doctoral institutions are the notable exception, where nearly 26% of public institutions and 14% of private institutions require security certifications (see Figure 7). Few institutions (10%) appear to be planning to require security certifications for IT security personnel. Private master’s institutions are the most likely to be planning to require security certifications in the future (17%).
Even though most institutions do not require security certifications, many institutions do provide financial support when security personnel do obtain those certifications. Once again, doctoral institutions (both public and private) are more likely to provide either full or partial financial support to those employees who obtain certification.
Figure 7. Security Certifications
What Could This Mean for You and Your Institution?
This spotlight points out that responsibility for IT security practices in higher education IT organizations may depend on the underlying nature of the practice. IT security practices that have a technology and institution-wide focus, such as network administration or network access control, tend to be located within an institution’s central IT organization. This makes sense because the implementation of these very technical practices is more likely to be successful when they are centrally organized and administered on behalf of the institution. Conversely, this spotlight points out that responsibility for administrative IT security practices—those practices that are influenced by laws and regulations and impact business processes—tends to be shared between the central IT organization and another administrative or academic unit. In these situations, the central IT organization must work with the other unit to understand underlying business process and administrative requirements. Then the units must work together to design security solutions that meet administrative requirements without impeding business processes.
For outsourced IT security practices, this spotlight found that IT security practices more likely to be outsourced are those that tend to validate institutional IT security practices or that require special levels of training, skill, and impartiality (e.g., forensics). Because most higher education institutions do not require that their IT security personnel obtain security certifications, it is likely that IT security practices requiring sophisticated levels of knowledge, training, and skill will continue to be outsourced at higher rates.
In 2012, CDS asked about innovative security technologies such as NAC, DLP, and MDM for the first time. As higher education IT organizations look for technological solutions to protect critical systems and data, it is likely that these types of technologies will be implemented at greater rates in the future. NAC and DLP in particular can be implemented by a central IT organization to protect the institution and its data as a whole.
Finally, this spotlight found that the use of risk assessments to help identify vulnerabilities in and threats to critical subsets of institutional IT resources continues to rise across all institutional areas. Institutions need to continue using risk assessments to help identify existing vulnerabilities in critical systems and to validate the IT security practices used to protect those systems. Risk assessments can also be useful in prioritizing risk response and determining where to apply institutional resources.
Where to Learn More
Lang, Leah, and Pam Arroway. 2012 CDS Executive Summary Report. Louisville, CO: EDUCAUSE, January 2013, available from http://www.educause.edu/coredata.
Higher Education Information Security Guide, available from http://www.educause.edu/security/guide.
About the Authors
Gregory W. Hedrick ([email protected]) is the Director of Security Services at Purdue University. Joanna Grama ([email protected]) is the Portfolio Manager for the EDUCAUSE Center for Analysis and Research (ECAR).
Citation for This Work
Hedrick, Gregory W., and Joanna Grama, “CDS Spotlight: Information Security,” Louisville, CO: EDUCAUSE Center for Analysis and Research, June 14, 2013, available from http://www.educause.edu/ecar.
Note
1. See the Core Data Service Survey Glossary, http://www.educause.edu/research-and-publications/research/core-data-service/about-core-data-service/survey-glossary.