IT Auditing in a Higher Education Environment: What Are the Challenges?
Higher education institutions face unique threats in their data security. Hackers specifically target universities for sensitive information, such as proprietary research data stored in their systems. A cyber-attack poses a significant threat to a university’s reputation and the safety of its students and staff.
Many universities offer degree programs in information technology, some with a concentration in cybersecurity education, yet many do not prioritize information security practices within their own environment.
This standard of practice leaves the organization vulnerable, and makes the job of an IT Auditor difficult. Universities must identify, and prioritize, risk identification and management, particularly focused on cybersecurity. Learn more about information security for universities below.
How is a University Environment Different?
Academia has a unique culture, due to a less traditional method of operation. Universities typically encourage an openness on the campus environment, focusing efforts on allowing faculty, students, the general public and alumni access to online resources. As a result, many university networks are not designed for maximum protection of information.
Many institutions of higher learning rely on legacy systems that are particularly vulnerable to attacks. Universities were one of the first areas with Internet connectivity, inviting curious students and others to find weaknesses in restricted areas.
The university’s network is the primary access point for resources. Weak passwords, and users having access to multiple areas poses a severe security threat.
Physical and Logical Access
Physical security and surveillance responsibilities are usually managed by Campus Security. These departments often have limited resources, presenting opportunities for inappropriate access. Computing equipment distributed throughout campus buildings oftentimes are placed in less secure locations and lack appropriate physical safeguards. The desire for the free flow of information flies in contrast with stronger least privilege security models for logical access.
Universities employ a significant number of part-time staff, with expected turnover. Students work in various departments such as the Bursar’s Office and Financial Aid, oftentimes with access to some level of sensitive data. Security measures are often insufficient.
Because institutions deal with regulations governing the various forms of data they handle, ensuring compliance with all rules should be a priority in setting up system security. Medical service data for students and staff must conform to HIPAA policies, while other types of information must adhere to regulations from FERPA, PCI and Sarbanes-Oxley (SOX). Creating secure systems that satisfy these various requirements requires both planning and balance to optimize security without sacrificing usability.
IT Staff Participation
Research information is often managed by individual departments, without knowledge or involvement of the IT staff. Although research departments want this information confidential, essential members of IT need to understand where this information resides in order to properly secure its contents. Communication between researchers and IT security should be a part of the planning process for any highly sensitive research at the institution.
Third-Party vendors are often used for functions such as maintenance and security responsibilities, website creation, teaching resources, research, student grade information, and payroll. A university is vulnerable in the event the third-party experiences a breach.
Universities are particularly susceptible to phishing scams. Attackers capitalize on the fact that students and staff are following current events, and are likely to accept an email that seems legitimate. The social aspect of university life plays into this as well as students look to amass wide reaching networks of peers, potential employers, other researchers and administrators.
University IT systems are often characterized by a decentralized construction that attackers can easily exploit. Many universities have individual technology domains, networks, systems, applications and structures under the control of specific colleges or departments. Without a centralized process, it is likely that vulnerabilities such as unpatched OS, inadequate email filtering, insufficient antivirus, or weakened firewalls are being used. As a result, effective security and network defense is nearly impossible.
IT Staffing Practices
Many universities lack a formal Information Security department, or individuals with these focused responsibilities. The IT staff’s ideas are often not solicited and their opinions regarding security concerns are not considered. Although the IT department is charged with protecting the institution’s data, the responsibility surrounding Information Security is often not a priority, until a security breach occurs.
What Do Universities Need To Focus On?
Establish a Formal Information Security Department
The mission of information security is to protect the university’s systems, services and data against unauthorized use, disclosure, modification, damage and loss, while maintaining the ability to function on a day-to-day basis. The university needs to hire individuals who are skilled in information security, and support continued education and certifications.
A Chief Information Security Officer or CISO needs to be appointed. This senior position needs to be part of the executive team, considering the tremendous responsibility entrusted to the IT department. Security issues in higher education need to be addressed with senior board members, in order to promote the understanding that cybersecurity risk is a primary initiative needed to operate the university.
Research Third Parties
All third-party vendors should be thoroughly researched, to reduce the chances of security breaches. Least privilege security surrounding these should be implemented and all known ingress/egress points, especially those in the hands of a third-party should be eliminated unless a bona fide reason exists. And then, that connectivity should still be viewed from a least privilege security mindframe.
Strengthen the Network
Since access is permitted through multiple areas, it is likely that an attacker could gain access to an area of the network, and move laterally to discover assets and related vulnerabilities, leading to a potential foothold in a different area.
Consistent with a least privilege security model, the network should be segmented, to include a true isolation of different areas. All traffic should enter the network through a central area, protected by a firewall that restricts activity to other areas of the network. Universities must take proactive steps to prevent attacks through threat detection software and other system upgrades.
Budget for Security Initiatives
Increase security spending to include added IT Security Services. As a general rule, an organization should spend between 7% and 10% of its IT budget on cybersecurity measures.
Disaster Recovery Planning
Often, the majority of disaster recovery procedures are created and tested within the IT department. Disaster recovery procedures need to include all departments, with involvement/approval of executive personnel. Although plans and procedures are documented, disaster recovery training may not be performed consistently. Lessons learned must be documented, so that the disaster recovery plan is a continually evolving document.
Storage of backup media – to include a separate location of data – may be insufficient to ensure recovery if necessary.
Staff Training on Security
Continuous training in cybersecurity protocol needs to be established. Phishing software should be incorporated, and regular phishing expeditions scheduled. Attackers often hack into other systems through phishing emails or spam. Best practices such as user/password protection, appropriate onboarding/termination protocol, and training in cybersecurity risks should be incorporated. All sensitive data must be encrypted.
Universities face some unique challenges as it relates to cybersecurity – much of which centers around the institution’s culture and general raison d’etre. In order to protect the wealth of information contained within their systems, universities must develop and practice an overall data security initiative. Adopting a standard cybersecurity framework, such as NIST cybersecurity framework, ISO 27001, etc., can help the institution assess and quantify its overall cybersecurity maturity.
Contact Vestige for a consultation on IT Auditing including proactive cybersecurity services, as well as incident response, at your higher education institution. We also offer a variety of services for IT Professionals.
Look for Vestige who is guest speaking at the ACUA AuditCon being held in San Antonio, TX, Sept. 13-17, 2020.
By Mary Brewer, MBA, BS, AAS