Creating An Information Security Strategy For Higher Education
Generally, information security (sometimes shortened to InfoSec) has been defined as the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It refers to protecting these elements and related processes in terms of confidentiality, integrity and availability (CIA) of information while maintaining a focus on efficient policy implementation without hampering organization productivity.
Others view it as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. According to Pipkin, it is the process of protecting the intellectual property of an organisation. And McDermott and Geer regard it as a risk management discipline, whose job is to manage the cost of information risk to the business.
Information security is regarded as a multidisciplinary area of study and professional activity which is concerned with the development and implementation of security mechanisms of all available types (technical, organizational, human-oriented and legal) in order to keep information in all its locations (within and outside the organization’s perimeter) and, consequently, information systems, where information is created, processed, stored, transmitted and destroyed, free from threats.
The source of the information may take any form, electronic or physical. It may take the form of application security (dealing with software vulnerabilities in web and mobile applications and application programming interfaces); cloud security (building and hosting secure applications in cloud environments); encrypting data (such as the use of digital signatures in cryptography to validate the authenticity of data); infrastructure security (the protection of internal and extranet networks); and incident response to monitor for and investigate potentially malicious behavior.
Institutions of higher learning have become an essential part of the fabric of our civilization. Society requires them since they play a crucial role in our search for new knowledge and our civic life. They are becoming amazingly complex organizations and their scope for compliance regulations is wider and more complex than in other industries.
Today’s universities offer services ranging from student registration, online billing, academic transcript services, accommodation, food services and others to their students and other stakeholders, and manage significant data processing operations. Research documents that today’s universities have become a complicated maze of physical campuses, online learning, students, faculty, alumni, and research partners from both the public and private sectors. They store huge volumes of data about students, parents, alumni, faculty, and staff. When students graduate, most institutional policies require that data is kept for a considerable period of time. These processes and interactions create a large and evolving threat surface that makes institutions a target for cyber attack.
In addition to storing large volumes of data, in today’s academic environment, students are increasingly learning in digital formats. At the same time, most institutions have deployed learning management systems to facilitate online teaching and learning. This increasing dependency on online platforms has made institutions of higher education (IHEs) around the world targets of cyber attacks.
In spite of the increasing threats, cybersecurity leaders in higher education spend only a small percentage of their time developing strategy, but this activity is likely to have the largest impact on their institutions. Having a strategy that evolves to adapt to a changing environment can make a good security team into a great one.
It has been documented that the education sector has the highest rate of ransomware of all industries. Data by EDUCAUSE shows that between 2005 and 2014, 562 data breaches were reported at 324 IHEs, with doctoral institutions accounting for the majority (63 percent) of those reported. According to the US Department of Homeland Security, hacking/malware and unintended disclosures were the most commonly reported breach types within institutions of higher learning.
Institutions of higher learning are beginning to recognise the threats their institutions are facing in a technological world and are beginning to build platforms which will enable them to seize these opportunities and embrace the future. Safeguarding information and information systems is essential to preserving the ability of these institutions to perform their mission and meet their responsibilities to students, faculty, staff, and the citizens whom they serve.
Attacks of this nature create operational, reputational, and/or financial issues that go beyond the loss of data for the said institution. These attacks require academic institutions to be sensitive to cyber security threats and to the need to consider cybersecurity planning as part of the overall planning strategy of the institution. This perspective will enable academic institutions to put in place structures and policies to address issues around cyber security and breach of information.
How do we protect data? The fact is, there is no easy solution to this, given the large and diverse campus population of users who need to be educated on potential dangers, but who don’t always realize the issues or take them seriously.
Most institutions of higher learning have implemented information security policies to help safeguard their information resources from accidental or intentional damage and data from alteration or theft. The purpose of most of these policies is to ensure the protection of information resources from accidental or intentional access or damage while also preserving and nurturing the open, information-sharing requirements of academic culture.
Most academic institutions have adopted the use of cloud computing services to enable them to create a virtual repository of data to facilitate information storing and dissemination. According to EDUCAUSE, the Higher Education Information Security Council (HEISC) has developed a Higher Education Cloud Vendor Assessment Tool that IHEs can use to assess the quality of cloud computing services provided by third-party vendors.
The need to work with departments and faculties across the entire university spectrum is crucial to ensure proportionate and robust IT solutions are in place supporting the overall university information security strategy.
Information security is a global challenge. Thus, international collaboration is needed to deal with the problem. While these suggestions will not guarantee the security of IT systems, they will go a long way to reduce the impact of cyber theft.
Nana Prof. Osei Darkwa, President
African Virtual Campus