More than 180,000 students and alumni at Western Illinois University were at risk of identity theft when their personal information-Social Security numbers, credit card accounts, and other sensitive data-was revealed after hackers tapped into the institution's student information system (SIS) in 2006. Earlier this year, personal information from 46,000 students, faculty, and staff at the University of California at San Francisco was revealed during a possible security breach. And as recently as June 2007, 5,735 current and former faculty members at the University of Virginia had their Social Security numbers, names, and birth dates exposed through a series of system breaches at the university that were discovered dating as far back as 2005.
In 2006 alone, 83 security breaches were reported at 65 colleges and universities worldwide, compromising 2,683,059 records, according to a report titled "Educational Security Incidents Year in Review: 2006," prepared by industry observer Adam Dodge. Interestingly, only 33 of the 83 incidents involved purposeful penetration of an institution's SIS by computer hackers. The majority of data losses occurred through theft, unauthorized disclosure, loss, and impersonation.
For example, personal information regarding political science students at the University of Minnesota was revealed when a laptop containing the unencrypted data was stolen from a professor's car. One hundred Westminster College (Utah) students and alumni had their personal information made available on a public webpage through an innocent error. And 49 Texas A&M students had their personal data compromised when a class roster containing personal identifying information was temporarily lost.
In the first half of 2007, 73 incidents occurred, according to "Educational Security Incidents"-only 10 fewer than occurred in all of 2006. "The breaches are absolutely increasing in frequency," says Rob Guido, director, fusion middleware at Oracle, and nearly 50 percent of all breaches are happening in higher ed, he says. Colleges and universities are likely targets because there is "an abundance of personal information," it is of high quality, and it exists in an open, decentralized environment, he says. Additionally, universities have less money to put towards securing the data, making them more vulnerable to attack.
While preventing hackers from accessing sensitive computer data has been the focus at many institutions of higher education, attention appears to be shifting to reducing the risk of security breaches made via human error.
The EDUCAUSE Center for Applied Research (ECAR) conducted an Information Technology (IT) Security Study in 2006 and found that 69.1 percent of educational institutions had a security awareness program in place for staff, up from 42.2 percent in 2003. Additionally, 68.8 percent of institutions had a security awareness program in place for faculty, up from 38.2 percent in 2003.
What is surprising, however, given these jumps, is that only 20.4 percent reported mandatory security training for staff and 14.5 percent required it for faculty. Yet most colleges and universities have some form of training-mandatory or not-to teach faculty, staff, and students how to use and safeguard the information residing in the SIS.
Although each educational institution is different, there are generally three types of security training in place, says Rodney Petersen, government relations officer and security task force coordinator at EDUCAUSE, the nonprofit organization dedicated to promoting the use of information technology in higher ed:
1. General user awareness programs designed to promote internet safety and security, which includes information on how to protect personally identifiable information and prevent identity theft. The focus is on the user's role in protecting a computer system and personal information.
2. General employee training regarding safe computing and employee responsibility that touches on skills such as effective password development and protection.
3. Specialized training in how to use a specific campus system, such as SIS or contracts and grants.
Which department provides the security training, and how long and how often it runs, vary widely, however.
Awareness of security issues is at the heart of security training at Coppin State University in Baltimore, which is part of the University of Maryland system, indicates Prasad Doddanna, director, office of information systems.
All new employees at Coppin State attend a training session hosted by the human resources department regarding their employment, but in the past year, 15-30 minutes have been set aside specifically to address security risks and how to mitigate them, says Doddanna. In that brief time, Coppin State employees learn about how to access and store information on the SIS and how and where to save information securely.
Using Oracle's PeopleSoft Enterprise Planning System, Doddanna reports that Coppin State hasn't had a breach yet. But the university is well aware of the threats and takes a proactive approach to educating system users about security and other issues. For example, "anytime we have a new functionality [added to the system], we send an e-mail blast with videos," says Doddanna, to encourage everyone on campus to check out the video to learn more. "We prefer to send video training to enable our staff to do it at their own pace, versus on a particular date for 30 minutes," explains Doddanna. In fact, the university uses "a lot" of self-paced training for that reason-convenience-in the hopes that more people will watch and learn.
Texas State University San Marcos hasn't perceived its homegrown VMS-based SIS as a likely hacker target, because "it's so obscure," says Don Volz, special assistant to the vice president for information technology. However, as the university implements a new system, it will overhaul its security training procedures, too. Texas State University San Marcos is in the early stages of acquiring a new system and will add a security training component to teach system users how to protect the confidential student information that has been entrusted to them and that they are required by law to keep confidential.
The federal Family Educational Rights and Privacy Act (FERPA) legislates what type of student information disclosure is allowed, explains Volz, and obligates institutions of higher education to safeguard student information. "You can't expose a student's record without that student's prior consent," says Volz, with the only exception being a student directory, which the university reserves the right to publish.
Texas State University San Marcos keeps standard information in its student directory, such as name, address, and telephone number, as well as major and minor (and for athletes, height and weight). However, years ago, student Social Security numbers were also routinely published, he says. "Rules change over time to address the threats that are out there," he explains. More recently, the university decided it would no longer publish e-mail addresses.
That doesn't necessarily mean that all students are included in the institution's directory, however, since FERPA provides students the option to prohibit release of any personal information. Most SISs have an attribute, or field, within the system to identify students who have declared their privacy rights, says Volz. Spotting that attribute can be tricky, however, and system users need to be trained to look for that identifier to prevent unauthorized release of information.
At Ursinus College in Collegeville, Pa., Chief Information Officer John King reports that the institution's approach to security and confidentiality has been revamped in the last three to four years. "We've had some turnover, but no incidents, and we wanted to make sure everyone understood their role in securing data and the importance of confidentiality," King explains.
Today, security training is done on an ongoing basis at Ursinus, following a process the college has developed to ensure that everyone is aware of the college's policies and their own responsibility.
When new employees are hired they are required to complete and sign a form indicating their understanding of the college's data security policies and procedures. Learning the importance of information security is now part of the college's orientation procedure, which also applies to student workers. Their supervisor sits down with them to review the policies and procedures and they, too, sign the confidentiality form indicating their understanding and compliance.
The college is in the process of implementing a new SIS-the Blackbaud Education Edge-and as part of that, says King, they will incorporate a new module into the security training regarding safeguarding data on laptops. "We'll remind [employees] that 'you're exposing the college and yourself to security and confidentiality issues' by transferring data to a laptop," he says. They will also be informed that information should not be taken off campus and that such data should only be accessed remotely through a VTN line-encrypted server.
Most security training is designed to guard SISs from the outsider, when teaching system users how to use technology to safeguard personal information is equally-and perhaps more-important. "A lot of the security training that needs to be provided is awareness-type training," says Volz.
EDUCAUSE's Petersen advises that it is increasingly important to emphasize the following as part of any security training session:
- Roles and responsibilities. Make it clear what information each SIS user is authorized to access and who is a "data steward"-someone authorized to share confidential data with others. For example, in student records, the data steward is frequently the registrar.
- Security practices. Training users in such tactics as password protection, operating system updates, antivirus protection, and spyware protection, to fortify the system's defenses.
- Privacy protections for personally identifiable information (PII). This includes: limiting the type of information that is accessed or displayed to that which is essential for the function to be performed; limiting downloads of SIS data into spreadsheets or other formats to workstations, laptops, or storage devices unless the data is encrypted or under strict controls; and effective methods of disposing of devices or data.
Cindy Bixler, CIO of Embry-Riddle Aeronautical University, which has campuses in Prescott, Ariz., Daytona Beach, Fla., and at more than 130 centers in the United States through its Worldwide Campus, says that about two years ago the university instituted an integrated student services training program for staff to increase awareness of the need for data security. While that training has been successful, there is currently no ongoing training to remind longtime employees of their responsibilities and to correct risky behavior, such as downloading information from the university's core SIS onto a laptop or USB drive.
The university is conducting an information systems audit of its Oracle Portal with the help of Ernst & Young, whose auditors are looking over the system to identify weaknesses that need to be addressed. Bixler says that lack of ongoing security training will be one of them. "You get security training as a new employee [at Embry-Riddle] but someone who's been here for a few years doesn't ever get retrained," she says. "And that's a huge weakness."
Bixler hopes to implement a new online training process as part of a new employee training program she is designing that will provide a means of tracking which faculty and staff members have completed the training and which haven't. The university currently has no way to verify that someone has actually gone through the training, she explains.
While the system audit will certainly pinpoint processes, policies, and procedures that need improvement, Bixler is also working toward a change in the university's culture and attitude toward data security. "Identity theft is a foreign concept to [most faculty and staff]. They don't think it could happen to them," she says, and so they underestimate the importance of the security training Bixler wants to introduce.
The good news is that the cost to implement a new security training program is minimal, says Bixler. "The real cost is maintaining the content and keeping it current," she says, since they already have the tools available to deploy it.
Conducting an audit is certainly one way to systematically identify where the security weaknesses are and what kind of training can be done to address them. But some universities seem fairly clear about their own weaknesses and are looking for solutions, or patches, to correct them.
One major security gap that many universities mention is the unauthorized download of sensitive data to laptops or through unsecured data lines, potentially exposing that data to misuse by outsiders. That threat was identified at Coppin State as a key issue, so six months ago the university proceeded to buy and install Pointsec for PC, which provides data encryption.
The university's policy now requires that anyone using a campus-provided desktop or laptop must use Pointsec for protection. Pointsec not only encrypts and decrypts all laptop data and files, but also information on removable media, such as USB devices. But just as important, the software requires a login ID and password to boot the laptop-Pointsec is loaded first. Without it, the laptop cannot be turned on, nor can the hard drive be removed and used-they are useless.
Coppin State is still in the process of rolling out Pointsec campuswide, starting with its high value users, including the IT staff. Installation and training required to implement Pointsec involves one hour to load the software and a half-day investment on the part of an IT staff member, followed by 30 minutes of one-on-one training of system users. "We have been pretty successful so far," says Doddanna.
When describing the security training their institution currently provides, or is in the process of implementing, many campus IT leaders use the words "awareness" and "reminder." Recognizing that one-time campuswide training sessions are not enough to secure sensitive personally identifiable information, most colleges and universities are scheduling follow-up training for employees who may need a refresher regarding their role and responsibilities as it relates to SIS data.
"The biggest risk at many organizations is not the core system, it's the employees," says Bixler. "Security is everyone's job."
Marcia Layton Turner is a freelance writer and the author of 14 business and consumer books. She lives in Rochester, N.Y.