February 16, 2018 | Institutional data analytics

11 Questions to Ask Your Campus CIO About Information Security

Picture this scenario: An employee leaves for a family vacation and plans to do some work while out of the office. So, they take their company laptop on the trip. But the employee accidentally leaves it in the plastic bin at airport security before heading to the gate. Maybe they were distracted; perhaps they were running late. No matter the reason, the employee does not realize what has happened until mid-flight. In 2008, a lost laptop might have been a problem, but in 2018, it can be a crisis.

 

This type of event may trigger panic in many higher education leaders. After all, a lost employee laptop means the potential breach of tens of thousands of student records. Knowing the right questions to ask your CIO, IT teams and vendor partners can help quell those feelings of dismay and helplessness.

 

Data security has always been a priority for colleges and universities. Today it is more important than ever. Shifts inside and outside of higher education are creating new security challenges: devices that arrive on campus in greater numbers and greater variety, larger volumes of data, increased use of business intelligence and analytics, and increased “hacker” activity. In the first half of last year alone, the number of lost, stolen or compromised records grew 164 percent, according to a report from Gemalto. Once again this year, information security is the No. 1 issue in EDUCAUSE’s Top 10 IT Issues report.

 

I saw the growing concern over security in higher education when I led the Office of Analytics at the University of Maryland University College, and I continue to watch the effects on the institutions we work with today. What’s clear is that too often, non-IT leaders are in the dark about all the potential security risks they face.

 

Let’s return to the lost laptop. The crux of data security is to create multiple layers of defense. Ensuring your CIO has the right answers to the following questions can establish a strong foundation.

 

What are our policies for encrypting laptops?

These days, login credentials are fairly standard. You can bolster that best practice by requiring all employee laptops to be encrypted and locked when not in use. Encryption provides a formidable first level of defense.

 

Do we require multi-factor authentication to log into our network?

This security measure is often used by financial institutions, email providers and even social media channels. Multi-factor authentication adds a layer of security in which a secondary device is required to authenticate the user on the network. Even if the employee’s laptop is stolen, whoever has it would also need the employee’s mobile phone to breach your network.

 

How can we remotely access laptops?

Remote access is an IT team’s fail-safe when it comes to security. If that same employee’s laptop cannot be recovered, your IT team should be able to send a remote wipe command to clear the computer of all personally identifiable information (PII) and other sensitive data.

 

While laptop security might seem straightforward, network and enterprise system security are a bit more complex.

Now that you know your laptops are secure, you need to ensure your network is also protected. To be sure of this, go through these additional questions with your CIO.

 

Is the most restrictive access in place?

Data should not live on the public internet and should only be accessible by people your IT team has deemed secure in order to ensure the highest protection against inbound access. The ideal configuration is to have firewalls in place and only allow in-network and whitelisted IPs to access important records.

 

How do we share data with third parties not on our network?

Today, working with external partners often means sharing files that may contain sensitive data that needs to be protected at every stage. A best practice is to use a secure and auditable application to share files between parties.

 

How is data encrypted?

Data should be encrypted while it’s “at rest,” meaning sitting in a database, and “in transit,” meaning moving from one department’s system to another or back and forth between an institution and a third party.

How are events and changes logged and monitored?

In data security, you want to prevent human error. For example, someone could accidentally open up a firewall port to a broad range of IP addresses. Notification systems are standard today, but be sure they are in place so the appropriate staff are notified of the violation.
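The check described here, together with the allowlist rule from "Is the most restrictive access in place?", can be automated over a firewall change log. The following is an added example, not part of the original article; the approved networks, the "broad range" threshold, the event fields and the sample events are all constructed assumptions.

```python
import ipaddress

# Assumed policy (hypothetical values, not from the article):
# sources must sit inside an approved network; anything else is a violation.
APPROVED = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "198.51.100.0/28")]
BROAD_THRESHOLD = 256  # more addresses than a /24 counts as a "broad range"

# Constructed firewall change-log events (sample data, not real logs).
SAMPLE_EVENTS = [
    {"rule": "fw-101", "source": "10.20.4.0/24", "port": 5432, "action": "allow", "by": "dba1"},
    {"rule": "fw-102", "source": "0.0.0.0/0", "port": 5432, "action": "allow", "by": "jdoe"},
    {"rule": "fw-103", "source": "203.0.113.0/24", "port": 443, "action": "allow", "by": "jdoe"},
    {"rule": "fw-104", "source": "0.0.0.0/0", "port": 22, "action": "deny", "by": "netops"},
    {"rule": "fw-105", "source": "not-a-cidr", "port": 3389, "action": "allow", "by": "temp1"},
]

def is_approved(net):
    """True when the source range is fully contained in an approved network."""
    return any(net.version == ok.version and net.subnet_of(ok) for ok in APPROVED)

def audit_changes(events):
    """Return (rule, severity, reason) for every allow rule that breaks policy."""
    findings = []
    for ev in events:
        if ev["action"] != "allow":
            continue  # deny rules cannot widen inbound access
        try:
            net = ipaddress.ip_network(ev["source"], strict=False)
        except ValueError:
            findings.append((ev["rule"], "high", "unparseable source, review manually"))
            continue
        if is_approved(net):
            continue
        if net.num_addresses > BROAD_THRESHOLD:
            findings.append((ev["rule"], "high", f"broad range {net} on port {ev['port']}"))
        else:
            findings.append((ev["rule"], "medium", f"{net} is outside approved networks"))
    return findings

def notify(findings, events):
    """Build the alert lines the on-call staff would receive."""
    who = {ev["rule"]: ev["by"] for ev in events}
    return [f"[{sev.upper()}] {rule} changed by {who[rule]}: {why}" for rule, sev, why in findings]

if __name__ == "__main__":
    for line in notify(audit_changes(SAMPLE_EVENTS), SAMPLE_EVENTS):
        print(line)
```

In practice the events would come from the firewall's or cloud provider's change log, and the alert lines would be routed to whatever paging or ticketing channel the IT team already monitors.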

 

What are the business continuity plan and disaster recovery strategies?

Make sure there is a plan to rebuild systems in a different, pre-determined geographic region in the event of a disaster in the primary region, and that regular snapshots of system data are taken.

 

How do we look for system vulnerabilities?

At all institutions, IT teams should use third-party tools for proactive assessments, run evaluations on a weekly basis, and regularly schedule operating system patches to keep data defenses strong against new attacks.

 

How do we prevent intrusion?

Similar to anti-malware in the lost laptop, networks also need an additional layer of security. Be sure there are algorithms in place that look for suspicious behavior at host level and network level, and that there is a centralized console to monitor activity.

 

How can we create a culture of data security on campus?

Regular education for data and security professionals via professional development, online groups, etc. is key to staying up-to-date with the changing landscape of security. The other side of the culture coin is regular compliance assessments of campus devices. Remember to check that your partners follow similar policies.

 

As new technology and methods for sharing information are developed, protecting data will continue to be a priority for higher education. Asking the right questions now could help set you up to respond nimbly to new threats in the future.

 

Darren Catalano is the CEO of HelioCampus, a higher education analytics platform. Prior to joining HelioCampus, Darren was the vice president of analytics at the University of Maryland University College (UMUC), where he helped develop a culture of data-driven decision making.

 

To view the original article, please refer to the following link: https://edscoop.com/11-questions-to-ask-your-campus-cio-about-information-security/ 
