SOUTHFIELD – According to a recent study by EDUCAUSE, IT security was listed among the top three concerns of higher education institutions. Last years electrical blackout in the upper Midwest, lack of confidence in data backup, the enactment of Gramm-Leach-Bliley, and the proliferation of new viruses have left many colleges and universities ill-prepared and concerned. What should you be doing to protect your institution?
Disaster Recovery
Higher education institutions typically have an overall disaster recovery or business continuity plan in place, Often times, however, this plan doesnt cover IT systems or is ineffective in meeting the recovery requirements. For example, many institutions have a Buy & Build strategy which, in a best case scenario, takes a minimum of five days to recover, hardly the 24- hour period thats needed. As colleges and universities become increasingly reliant on IT systems for day-to-day business, its imperative that an effective Plan is in place to restore the systems.
Consider developing a comprehensive Disaster Recovery Plan that addresses the specific needs of your institution. This Plan should include items such as:
A network diagram; Business processes that are dependent on the student/financial management system as well as those dependent on local area network services; Obtaining a replacement server(s) with a compatible tape drive; Instructions for restoring from backup;
Offsite network and tape backup storage; Temporary workstations, temporary cabling and hubs, and remote communications needs; A Plan testing schedule; A Plan review schedule; and
An employee responsibility list.
The Disaster Recovery Plan should be tested and reviewed annually, or as any major changes occur (a new student system, a network equipment upgrade, personnel change, etc.) Also consider creating hot site agreements with alternate facilities, as well as equipment replacement agreements with vendors. A hot site would provide a place for IT operations to restore services quickly and continue to operate, should a disaster occur that would prevent the use of existing facilities.
Data Backup
While organizations typically back up data on a regular basis, they dont always archive or store the tapes properly. For example, some organizations will perform incremental backups nightly and a full backup weekly, but will overwrite the tapes the next week. If something occurs during the overwrite backup, the institution may lose critical data such as student information, as there wouldnt be another backup. In addition, while many organizations may keep monthly backups, they tend to keep them in the same room as the server and not in a fireproof safe. If a fire in the data center were to occur, all student data could be lost, as the backups were located in the same room.
A secure and up-to-date backup will help prevent unrecoverable damage. Analyze data to determine which data should be backed up, the frequency of the backup, and the retention needs. Then develop a backup procedure based on the needs, and implement it. Its important to document this in a backup policy. Higher education institutions should also test tapes periodically to ensure they can be used for a recovery. Store tapes at an off-site location thats at least five miles away and ensure the appropriate security and environmental controls are in place.
Gramm-Leach Bliley Act (GLBA)
Many IT departments are not fully aware of the details of The Gramm-Leach Bliley Act (GLBA). The Act, which initially applied to financial institutions, requires safeguarding of student financial information (such as credit information, income, etc.) and includes a number of steps to achieve the appropriate level of safeguarding. These steps include: (1) a formal documented risk assessment, (2) an information security program, (3) a technology security assessment, (4) a vendor relationship assessment, and (5) annual GLBA audits and updates. Colleges and universities should perform a gap analysis to ensure that theyve completed these steps and address any outstanding issues. The Federal Trade Commission (FTC) could impose serious financial penalties to noncompliant institutions.
Viruses/Spam
Through the use of three tools, organizations can minimize the likelihood that viruses can invade their networks. If you arent already, consider using:
Antivirus programs that automatically update themselves and push updates out to client workstations and servers; Spam blocking software and services; and Pop-up blocking software.
Given the constant proliferation of new viruses, these safeguards are critical.
Recognize These Threats as Genuine
Its important to recognize these issues as serious IT threats and address them appropriately. Many can be easily remedied, but if left unaddressed, there can be serious consequences. We realize that colleges and universities often face a lack of staff and/or resources. However, many tools are available to help with items such as security log monitoring and penetration testing, cutting down on the time it takes employees to secure the network. An investment of time in creating items such as a physical security plan and security policies and procedures can also make a world of difference in your institutions security.
In Conclusion
Through appropriate reviews, risks can be identified and recommendations can be made. Colleges and universities can then take measures to mitigate these risks and keep their networks and student data safe. To assist our higher education clients, Plante & Moran offers a number of security services including:
IT Risk Assessments; IT General Control Reviews; Network Penetration Reviews (External & Internal); Disaster Recovery/Business Continuity Planning; and Application Security Reviews.
For more information on the above services, please contact Raj Patel ([email protected]) at 248.223.3428 or Amy Sasina ([email protected]) at 248.223.3681.
For the latest Security news, click on the Security Section at Mitechnews.Com




