Steve Williams, leader of Higher Education practice in IT consultancy, Waterstons Ltd
Universities are open. They exist to create and disseminate knowledge. At their best, staff, students and partners outside the university collaborate on research, teaching and embracing their communities. This is fundamentally different from other types of organisation. In a business, health trust or government department, information is closed unless there is a good reason to grant access to it. In universities, it is open unless there is a reason to secure it.
This makes information security difficult to handle. The security professional must devise and monitor policies which are workable but which support openness and sharing. Any hint of bureaucracy – even if it is a justifiable measure that strengthens the university – will be actively worked around.
On the other hand, universities handle a great deal of the most sensitive data, from medical details of their students to research data from many domains. Handling information sensitively, while facilitating the smooth operation of the university, is a huge prize. A reputation for prudent effectiveness benefits the university, while the damage a data breach can cause to a university’s reputation can last many years.
So, how can this best be managed? Clear accountabilities help, and universities will greatly benefit from not only identifying the types of data they hold but also assigning clear ownership. However, this is not a trivial task. Technical IT security usually resides in IT operations. In some universities, the policy side – data protection, freedom of information and IT security policy – is also in IT, while in others it belongs to the governance function. Either can work. Most important is for people to work effectively together. A disjointed approach – perhaps where policy is not tested against the realities of university life – is a recipe for increased risk. Clear accountabilities are essential. Who is ultimately accountable for risk (the ‘Senior Information Risk Officer’ or SIRO)? In most organisations, this is the Chief Operating Officer or Registrar.
It may be helpful to set out some concrete steps that directors and those tasked with information security can take.
1. Be proportionate
Handling data about medical testing, genetics, or crimes requires a different standard of security from other data. Researchers, for example, usually understand this – indeed, it is increasingly becoming a condition of grants that data is handled with proportionate security. The same principles apply to administrative data such as personnel records or student enrolment applications. By assigning clear ownership of critical data assets and specifying pragmatic rules to store and transport this data, the right balance of security and agility can be achieved.
2. Consult widely and keep policies simple
Security is most effective when those who handle the data and those who understand information security actively consult each other. Involve technical staff in data-sensitive projects; consult widely on security measures. Keep policies as simple as they can be. Far better a simple policy that covers 95% and is used than a comprehensive approach that is ignored. The key to changing culture is communicating “why” and dispelling the myth that security is all about saying “No” – this is often your most effective weapon.
3. Corral your allies
There will always be many people, in IT and around the university, who really ‘get’ this. So have them work together, and spread the message. A consensus of academic and professional opinion is the ideal.
4. Develop and agree a Code of Connection
This is rather a technical point but is important. The largest technical risk to university data is from servers which are not kept up to date and are connected to the university’s network. This presents vulnerabilities which hackers will exploit and, once they are in, it is much easier for data to be lost and for viruses and other malware to be spread around. The most frequent situation is a web server owned by an academic unit which “was used for a research project some years ago and has not been kept patched since that research associate left … whenever it was… what was her name?….”
The way to handle this is to agree a code of connection. At its simplest, this is like an MOT test for connecting to the network. IT security staff should agree a set of standards with those who own data and servers, and should ensure that any server connected to the network and thence to the internet meets those standards.
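As an added illustration of the “MOT test” idea (this is not the author’s tooling and not any university’s actual standard), the Python below checks constructed server inventory records against an assumed Code of Connection: a named owner, a supported operating system, a patch date within a fixed window and, for internet-facing hosts, only permitted ports exposed. The thresholds, the inventory fields, the hostnames and the orphaned research web server are all assumptions made up for the example.

```python
"""Minimal Code of Connection check over constructed inventory records.

Added example, not from the original article. The rule set below is an
assumption; a real Code of Connection would be agreed between IT security
staff and the owners of data and servers.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed standard (illustrative values, not a recommendation)
MAX_PATCH_AGE_DAYS = 30
SUPPORTED_OS = {"ubuntu-22.04", "ubuntu-24.04", "rhel-9", "windows-server-2022"}
PERMITTED_INTERNET_PORTS = {22, 443}


@dataclass
class Server:
    """One inventory record; field names are assumptions for this example."""
    hostname: str
    owner: Optional[str]            # named person or unit accountable for the host
    os: str
    last_patched: Optional[date]    # None means no patch record exists at all
    internet_facing: bool
    open_ports: Set[int] = field(default_factory=set)


def check_server(server: Server, today: date) -> List[str]:
    """Return the list of Code of Connection failures for one host.

    An empty list means the host passes. Each failure is a short reason the
    owner (if there is one) can act on.
    """
    failures: List[str] = []
    if not server.owner:
        failures.append("no named owner")
    if server.os not in SUPPORTED_OS:
        failures.append(f"unsupported OS {server.os}")
    if server.last_patched is None:
        failures.append("no patch record")
    else:
        age = (today - server.last_patched).days
        if age > MAX_PATCH_AGE_DAYS:
            failures.append(f"last patched {age} days ago")
    if server.internet_facing:
        # Anything beyond the agreed set of internet-exposed services fails.
        extra = server.open_ports - PERMITTED_INTERNET_PORTS
        if extra:
            failures.append(f"internet-exposed ports not permitted: {sorted(extra)}")
    return failures


def audit(servers: List[Server], today: date) -> Dict[str, List[str]]:
    """Run the check over an inventory and map hostname -> failures."""
    return {s.hostname: check_server(s, today) for s in servers}


# Constructed sample inventory (hostnames and dates are made up).
AUDIT_DATE = date(2024, 6, 10)
SAMPLE_INVENTORY = [
    # The forgotten research web server from the article's scenario:
    Server("research-web-2016.eng.example.ac.uk", None, "ubuntu-16.04",
           date(2017, 3, 2), True, {22, 80, 443, 8080}),
    # An internal student-records application, patched three weeks ago:
    Server("sis-app-01.example.ac.uk", "Student Records", "rhel-9",
           date(2024, 5, 20), False, {22, 8443}),
    # A maintained public web server exposing only the permitted ports:
    Server("www-03.example.ac.uk", "Web Team", "ubuntu-22.04",
           date(2024, 6, 1), True, {22, 443}),
]


if __name__ == "__main__":
    for host, failures in audit(SAMPLE_INVENTORY, AUDIT_DATE).items():
        status = "PASS" if not failures else "FAIL: " + "; ".join(failures)
        print(f"{host}: {status}")
```

The orphaned research server fails on every rule at once, which is the point of the check: an unowned, unpatched, over-exposed host is exactly what the inventory should surface before an attacker does. Internal hosts are held to the owner, OS and patching rules but not to the internet port rule, reflecting the proportionality argued for above.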
5. Train people on good practice
Security staff should train anyone who works with systems around the university on the basics of good security practice, including the Code of Connection. Their door should always be open to work with colleagues – an ‘ivory tower’ approach will fail.
A Code of Connection and the right sort of training and support simply make it easy for people to do the right things.
6. Work with your Audit Committee, not against them
Audit Committees have an important remit in the governance and risk management of universities. Their members are frequently experienced professionals such as senior lawyers and accountants. Information risks are among their headline areas. Sometimes IT Directors, or members of their teams, are reluctant to open up to Audit Committees. This is a mistake – it comes across as defensive and may prevent proper scrutiny. Open dialogue is not always comfortable, but it ensures that the risks are understood and can therefore be managed.
7. Review your information security maturity
An independent look at the rigour and practicality of your policies, and at how secure your operations are in reality, may minimise risks and improve the levels of assurance in your university. There are several security standards which can be used to benchmark a university, including ISO 27001:2013 and Cyber Essentials. Once you know “where you are”, you can identify “where you want to be” and initiate a journey to implement just enough security.
One effective structure
At my former university, the information governance arrangements worked well. The Registrar was SIRO. There were two information security officers in the IT Service, one for policy and one for technical matters. Three things made this successful: the SIRO and the IT security officer (policy) worked well together and had frequent contact; the IT security officer (technical) trained over six hundred people around the university and agreed an effective Code of Connection; and the two IT security officers were very capable and provided cover for each other. As IT Director, I took a strong interest in security and reported frequently and openly to the Audit Committee.