Current Issues
Effective Direction of Information Security and Privacy
Security and privacy are not IT issues—they demand a comprehensive, strategic, team approach to find effective solutions
In May 2005, hackers broke into Stanford University's Career Development Center, gaining access to Social Security numbers, résumés, financial data, credit card information, and government information for 10,000 students and recruiters. In the same month, 380,000 students, alumni, faculty, employees, and applicants of San Diego State University were affected when hackers broke into four of the university's business and financial services department servers, gaining access to Social Security and driver's license numbers. In January 2005, hackers broke into George Mason University's campus identity card server and gained access to the names, photos, Social Security numbers, and campus ID numbers of 59,000 current, former, and prospective students, as well as current and former faculty and staff.
The list goes on, and no university seems immune to these attacks. For many universities, such events have served as wake-up calls to develop a comprehensive information security and privacy strategy. This is no simple task, however. It involves balancing a culture of openness with a need for security and privacy.
Recognition of the diverse stakeholders—parents, students, applicants, alumni, staff, faculty, third parties—and their sometimes competing interests is both vital and difficult. Regulations, community expectations, ease of access to records, and increased cyber-threats demand an aggressive strategy while imposing sometimes heavy financial costs and cultural trade-offs. Effective privacy management and information security requires understanding both technical and human dimensions as well as acknowledging the need to address not simply what is required (by law) but also what is expected (from the community).
Privacy and Security: Related, but Not Identical
Security consists of two main components: physical and electronic. The campus police have clear responsibility for physical security. Information security refers mainly to protection of electronic information and networks, although information exists in both physical and electronic forms. Information security, from an operational, day-to-day standpoint, involves protecting network users from such cyber-attacks as phishing, spam, hacking, hidden code that turns PCs into zombies,1 and identity theft. It includes educating the user community in addition to providing technical tools. The central IT department usually handles this part of information security for systems under its control, but it does not control all information systems on campus.
Information security gaps exist within most universities for several reasons:
- No organized way exists to ensure appropriate security for systems outside central IT's control. In fact, departments have used security as justification for building and maintaining their own systems and networks, further promoting disparities in the level of importance given to security in the design of new systems.
- No organized way exists to provide security for information in non-electronic form, such as paper documents. Sensitive data is gathered on paper forms by various departments, with protection and security of this data left up to the policies of each department.
Although universities have taken the lead in research and training, a gap divides the state of academic security research and security operations in the university setting. Additionally, the academic culture often puts a lower priority on information security in relation to openness. Ced Bennett, emeritus director of Information Services at Stanford University, stated,
At a corporation where, for the most part, they want to keep information inside the corporation, they put up large fences. Universities, because they tend to be relatively open and invite inspection, tend not to put up fences. So it makes it even harder to manage the data which by law needs to be protected.2
To address information security at the enterprise level, some organizations have hired a chief information security officer (CISO), a relatively new position in most organizations. The CISO is responsible for providing tactical information security advice and examining the ramifications of new technologies. In most corporations the CISO reports to the chief information officer (CIO) or chief technology officer (CTO). The CISO role does not usually include responsibility for physical security, risk management, and business continuity, which are more often the province of the chief security officer (CSO), who has a broader focus and reports to the head of operations or directly to the CEO. A CSO typically has responsibility for global and enterprise-wide security, including physical security, protection services, privacy of the corporation and its employees, and information security. In other words, the CSO is responsible for coordinating all corporate activities with security implications.3
Privacy is even more complex than security, involving protection of sensitive information in both electronic and physical forms. Federal law recognizes no difference in the levels of protection expected for physical and electronic information. Privacy also involves protecting that which is personal, including an individual's body, belongings, and private life. Theft and stalking are clearly the responsibility of the campus police, but matters such as who should have access to the list of visitors to a dorm do not fall under their auspices. Other privacy matters that don't involve the campus police include access to e-mail and voicemail. Privacy is addressed by both policy and law.
There's an "expectation of privacy" at most universities. Gaps exist in definitions of what should be considered sensitive or personal. How to apply these principles in practical, operational terms challenges most universities.
Protecting the Sensitive
A privacy policy dictates who should know what. Policies and procedures supported by system enhancements can largely address protection of sensitive information, often identified or implied by federal laws or community expectations. Privacy is more important now because of linkages and access to data that weren't available before. Examples of potentially sensitive information include the following:
- Social Security numbers
- Grades
- Financial aid
- Research
- Donor information
- Health records
- Physical activity (such as garage or shuttle use)
- Student information
- Employee data
- Applicant information
- Credit card information
- Names
- Addresses
- Communications (who sends to whom)
- Electronic mail content
- Network logins
Protecting the Personal
Protecting personal information has little to do with system automation, being primarily a matter of policies and procedures that govern human interaction. Privacy violations are not broadcast or publicly disclosed but instead are reported to ombudsmen at many universities. Privacy concerns range from petty matters to potential criminal violations. Examples include:
- Access to e-mail and voicemail
- Access to data on borrowed or loaned computers
- Access to an individual's desk
- Hacking
- Use of Social Security numbers on forms
- Salary questions
- Nosy supervisors
- Discomfort with undressing in certain areas due to physical abnormalities
- Inquiries about personal health
- Inquiries about reasons for time off
- Disability needs
- Stalking
Parents, students, university staff, and faculty report these concerns. Often, a conversation initiated by the ombudsperson with the relevant party resolves these matters simply.
Privacy and Security Intersect
Several areas of concern are common to both privacy and security: policy establishment, communication, training and enforcement, procedures, detection/discovery of intrusions, notification of victims, and response to intrusions. Theoretically, security should protect privacy. However, they don't match perfectly—they overlap (see Figure 1). Security involves protection of the physical and virtual realms. Sensitive information in a form that could be accessed by others (such as paper or electronic documentation) might be protected by security. Security measures typically do not protect those things that are personal and not documented, however. These matters should be protected by privacy policies.
The generally accepted role of information security is to support information privacy, but in some situations, one might be compromised for the sake of the other. For example, threatening e-mails might be accessed (a violation of privacy) to protect the security of potential victims. This interrelationship implies that one needs to be considered "superior" to the other, or at a minimum a plan established to decide which is more important.
Why Universities Are So Susceptible to Attack
Colleges have become a target of cyber-intrusion for several reasons. According to an article in U.S. News & World Report,4
- Half of universities use Social Security numbers as student IDs.
- Students download music and video.
- University databases house lots of personal information and have lax computer and network security.
- Around-the-clock access to administrative services and to digital library resources contributes to potential malfeasance.
- The use of radio frequency identifiers (RFIDs) and ID cards also makes universities an attractive target.
The relatively new use of RFIDs and electronic ID cards exposes increasingly larger amounts of information to potential abuse, either by hackers or by authorized viewers. For instance, information gathered about an RFID or ID card could be used to track an individual's habits, through stalking (a jealous colleague or friend tracking the person's location) or observation of a student's class attendance or eating habits (a parent tracking ID card use). Supervisors might monitor an employee's arrivals and departures by tracking the employee's ID card access to a parking garage. Some applications might seem reasonable, but who has the authority to decide access to the data and how it is used?
Besides technological vulnerability, universities suffer from human susceptibility. Privacy and security failures can result from errors, inadequate training, or malfeasance, made possible by poor controls on access. Frequently changing laws and inadequate processes to ensure compliance render universities ill-prepared to protect information security and privacy.
Make Information Security and Privacy a Priority
Several reasons argue in favor of universities focusing on privacy and security. First, the university and its constituents need a single source of accountability, responsibility, and ownership. Without this single contact, members of the university community don't know the person or department to contact with issues. As a result, issues either go unreported or are reported to several different parties who don't necessarily share information. Because no single person or group is aware of all the issues reported, the university risks not recognizing the magnitude of threats or responding appropriately. Each event is handled in isolation and treated as an anomaly.
Universities must determine who within their community has the leadership role in developing and implementing policies necessary to minimize unauthorized access to sensitive data. A single contact with the responsibility for assuming leadership in the event of an information leakage needs to be identified. This individual or body also needs to be responsible for electronic security. Someone needs to provide consistent information privacy and security leadership if many departments have their own policies and systems outside of a central IT organization.
Second, legal compliance calls for a focus on privacy and security. Several regulations require institutions to protect privacy. The Family Educational Rights and Privacy Act (FERPA) of 1974, for example, mandates electronic and physical protection of student information. Additionally, a privacy officer is required under FERPA. The Gramm-Leach-Bliley Act requires protection of financial data. Universities must comply with the Safeguards Rule, which includes creation of a "comprehensive information security program." Health records are protected under the federal Health Insurance Portability and Accountability Act (HIPAA). There are yet other legal obligations, including compliance with the European Union Data Protection Directive and other international laws; California and other state laws enacted to institute notice obligations in case of a security breach; and Federal Trade Commission regulations regarding electronic records.
Failure to ensure information security and privacy may result in financial and legal consequences to the university and individual representatives. Potential consequences include lawsuits from students, monetary damages for violations of FERPA, loss of federal funding, and criminal and civil penalties.
Third is recognition of the community's expectation of privacy. University staff, students, and faculty have implicit assumptions about privacy that should be honored and, in some cases, formalized as policy. The university needs community-wide, articulated privacy standards.
Fourth, collaboration between business and technology is essential to provide an environment supportive of privacy and security. Business and technical leaders within the university should make decisions jointly, not in isolation. This is important because failure to collaborate results in inadequate systems and processes, and making changes is costly. Business leaders can use technology as a safeguard to help enforce policies. As new technologies and methodologies that protect privacy and ensure information security are discovered and proven by university research, the administration should lead the way in embracing and implementing them.
Fifth, a proactive (rather than reactive) approach toward ensuring appropriate privacy and security is urgently needed. Reacting to crises is not only ineffective and potentially negligent but also costly and hard to recover from. The consequences associated with waiting to make changes only after an incident include loss of the community's trust, public embarrassment, loss of intellectual property, and identity theft. Universities need to establish systems, tools, and procedures to find leakages proactively instead of responding to reports from the community. Establish policies and procedures to prevent violations of privacy expectations and regulations.
Sixth, systems should be designed to support privacy and security needs rather than redesigning older systems, which is difficult and expensive. One challenge is to achieve consistency across all departments, especially for systems outside of the central IT system.
Seventh, focusing on privacy and security can protect against internal and external intrusion and abuse. Policies and system checks can prevent abuse by authorized users of data, while detection and prevention systems guard against unauthorized users.
Eighth, aligning security and privacy systems and policies with the best practices of other universities can put an institution at the forefront of the issue. Many universities are making significant policy and organizational changes to address information privacy and security, opening a great opportunity for leadership in this area.
Universities Act
Support for information security and privacy has come in the form of new positions and committees as well as policy changes. Universities are becoming more focused on best practices as their standard, as opposed to limiting their policies to those that ensure legal compliance alone. Investment in external consultants to assess vulnerabilities and make security and privacy recommendations is common.
Other changes include a growing number of policy offices and awareness programs, including steady growth in the creation of IT security officer positions in higher education since 1994. A common practice has been the realigning of the security functions and chain of command, with more enterprise-level than departmental officers. Per an October 2003 EDUCAUSE study,5 22.4 percent of universities have a chief IT security officer or equivalent, with 95 percent of those reporting to a senior executive administrator in IT and 50 percent to the CIO.
At the request of President Emeritus Charles Vest of the Massachusetts Institute of Technology, I conducted a study of 14 universities to determine how they approach the issues of security and privacy. The universities were chosen as representative of the larger population. They included large and small, public and private institutions. The participating universities took a variety of approaches to security and privacy needs on campus, from establishing privacy officers to committees to policies.
Privacy Officers
Privacy officers appointed for regulatory compliance are typically dispersed throughout the university. The privacy officers at five universities included in my study provide an interesting contrast in the approach to security and privacy on campus, with differing titles, levels of authority, assigned responsibilities, and key actions taken to date. In addition to the five described here, privacy officer positions on the other campuses included chief privacy officer, privacy compliance officer, FERPA compliance officer, and chief privacy/security officer for HIPAA.
Chief Privacy Officer. The chief privacy officer at one university reports to the vice president of audit and compliance. The part-time (three days a week) position has existed for three years and is supported by committees and working groups.
The key goals of the chief privacy officer include identifying university functions, routines, and business practices involved with privacy requirements and risks or remediation; developing a strong network within the campus community; identifying and accessing technology and resources available to help in performing the assigned mission; and establishing an effective communication, training, and monitoring program. The privacy officer must also prioritize issues and determine the university components appropriate for privacy compliance, training, or remediation initiatives.
The chief privacy officer has acted to raise awareness on campus through a Web site, a student records brochure, dissemination of a bulletin from the provost's office, publication of guidelines for distributing and destroying information, presentations for students and staff, confidentiality statements, production of a brochure about ID theft, and training. The position manages information sharing with external entities and coordinates implementation of privacy policies or programs as mandated by federal law.
Associate Vice President for Institutional Compliance and Legal Affairs. This position reports to the president and is supported by a Social Security number committee. The key responsibilities are to respond to privacy issues and problems. This associate vice president provides leadership for the Social Security number remediation project on campus.
University Privacy Officer. This part-time position reports to the chief financial officer and is supported by a staff of one (full-time equivalent). The privacy officer implements policies and procedures to comply with federal regulations and governs the handling of individually identifiable health information.
Associate Vice President for Security and Privacy. This associate vice president reports to the CIO. The full-time position has existed for six months and is supported by a team of 14 people, with one person devoted to policy.
The position is responsible for ensuring the confidentiality, integrity, and availability of university information, data, communications, and services. The associate vice president and staff research, educate, assess, and consult in the areas of security risk, practice, policy, and technology. They maintain antivirus protection and offer site-licensed antivirus software to faculty, staff, and students. The associate vice president leads the university's identity management services and incident investigation and response.
The associate vice president played a major role in securing one university's wireless network (in the face of opposition) and installing firewall capabilities within academic schools. The provision of consulting services helped teach different groups how to secure their systems. Risk assessment provided security expertise to groups on campus to assess their infrastructure. Vulnerability scanning, patch management, centralized antivirus management, and training and education (largely reduction of illegal peer-to-peer activity) were all provided. Policies were created, and the associate vice president took a leadership position in compliance.
Director of Information Technology Policy and Services. This part-time position reports to the CIO and has existed for 10 years. Responsibilities include establishing policy and granting permission to access personal data. The director created an appropriate use policy for the campus.
Privacy Committees
Standing and ad hoc committees are prevalent within universities, but few were established for the sole purpose of addressing privacy issues. Of the 14 universities contacted for this study, only two had committees devoted exclusively to privacy. One university has two separate privacy committees, one for senior executives and the other for representatives from each of the stakeholder groups. The committees are chaired by a member of faculty, the administration (for example, the deputy provost), or the privacy officer. The primary objectives include raising awareness, making privacy a priority, protecting Social Security numbers, and establishing privacy policies.
Security Officers
The effort to provide information security was led by an administrator in all fourteen of the universities studied. The titles and responsibilities differed only slightly. All positions report to the senior IT executive with the exception of an information security officer who reports to internal audit. One-third of the universities studied separated the information privacy and security functions by appointing both a privacy officer and an information security officer. Half of the universities assign the responsibility for both information security and privacy to one individual within the IT department (typically the information security officer).
Security Committees
Half of the universities studied have committees devoted to information security. Some are as old as nine years and some as young as two. Although led primarily by the IT organization, they might be chaired by an IT representative, faculty member, or administrative executive. Principal goals include developing security policy, practices, and procedures; establishing a Web site policy; and determining guidelines or rules for directory and e-mail security. Additional committees address information security and privacy with a broader focus on IT in general.
Programs and Policies
Of the fourteen institutions surveyed, 30 percent had formal security awareness programs. They used presentations, brochures, posters, postcards, and videos to communicate with the campus community. Programs demonstrated an increased emphasis on security outreach, education, and evangelizing. For example, they offered network authentication procedures as part of registration, video presentations and posters about virus protection, and security awareness seminars with faculty and staff on securing and protecting PCs and data.
A growing number of universities now have a Social Security number policy (eliminating them as student identifiers), a Web site privacy policy, and an IT policy on security and privacy standards.
Recommendations for Action
A significant opportunity for improvement exists in the handling of information security and privacy within universities. Students, employees, parents, and alumni have expressed concerns with existing privacy and information security on campus. Security and privacy issues must be tracked and addressed at the policy level, and accountability for compliance must be clarified. Privacy and security policies should be created and widely communicated. Compliance with increasing regulatory demands related to security and privacy must be understood and kept current. Unless the handling of security and privacy improves, universities can expect increasing incidents of privacy violation, potentially generating adverse publicity, loss of funding, and lawsuits.
Security should be viewed as a means of implementing a privacy policy, but when these goals conflict, the university must have some way of establishing priority. Creation of a formal position or committee can help the community make the correct decisions regarding information privacy and security. The key areas an officer or committee will need to address are policy creation and enforcement, community education, and incident response handling.
Implementing the following recommendations would equip universities to handle information security and privacy appropriately.
1. Conduct Research
Many universities have assembled a task force to assess risks and areas for improvement. Potential areas for investigation include usage of Social Security numbers, community expectations for privacy, a resource audit (to determine whether the university has the organization and human resources to adequately address privacy), and development of metrics to measure the effectiveness of information security and privacy programs.
2. Appoint a Privacy Officer
Create a privacy officer position to serve as a full-time resource exclusively dedicated to privacy. This person can address the diverse privacy issues that either are neglected or only partially addressed by different departments having no common policies or comprehensive reporting and tracking of issues. To ensure the goals of legal compliance and electronic security, this officer must build a strong alliance between the legal department and central IT. Individuals responsible for compliance with specific regulations (such as HIPAA or FERPA) should report to this person, who will provide general oversight of all privacy-related matters at the university. The privacy officer should be supported by designated compliance representatives as well as a privacy advisory board. This position should report to the president as a sign of the importance given to privacy and to ensure impartiality. A conflict of interest could result if the privacy officer reported to the IT or legal departments.
3. Establish a Privacy Advisory Board
Just as security experts exist, so do privacy experts. A group of experts and high-ranking representatives of the administration, academic departments, and the student body should be appointed to a privacy advisory board chaired by the privacy officer. The board should meet once a month, at a minimum, to proactively manage privacy at the university, including providing education and awareness programs to the community, reviewing regulations, establishing policies, and creating task forces to manage specific initiatives.
4. Establish an Insider Network of Privacy Advocates
Security is effectively addressed by IT systems and physical security teams. Privacy, however, requires many more manual adjustments in processes that must be performed by people. For maximum acceptance of privacy policies, tap into graduate students, faculty, and administrators with a passion for and expertise in this subject. These individuals could be used as researchers, privacy board members, or privacy advocates. Universities with successful privacy programs rely heavily on a network of liaisons within each department who have a personal interest in privacy.
5. Launch Information Security and Privacy Campaigns
Create a culture where the community has the knowledge (what to do), skill (how to do it), and attitude (desire to do it) that support information security and privacy objectives. Security and privacy awareness must be part of an intentional, systematic, organizational change effort that adjusts attitudes and reshapes values and norms. These campaigns should be separate and led by the information security officer and privacy officer, with annual events to continually promote awareness and education.
Conclusion
Security and privacy are not the same, and the traditional functions of IT, human resources, and campus security do not adequately address the privacy problems arising on today's college campuses. Security receives organizational attention and funding, while privacy is largely neglected or assumed to be handled by existing security mechanisms. Institutions of higher education are naturally vulnerable to both security leaks and privacy violations because of their culture of openness.
Technology has enabled sophisticated capabilities for sharing information, but with attendant complexity and difficulty in protecting that information. Additionally, manual processes and practices persist, potentially leading to the compromise of sensitive data. Universities need new approaches to both privacy and security issues to successfully protect the personal information of their communities.
Acknowledgments
Special thanks to the fourteen universities that participated in the study and to the following individuals at MIT, who contributed significantly: Jerry Grochow, Tim McGovern, Laura Avakian, Hal Abelson, Simson Garfinkel, Joseph Ferreira Jr., Jeff Meldman, Mary Rowe, and Jamie Lewis Keith.
Endnotes
1. A computer implanted with a daemon that puts it under the control of a malicious hacker without the knowledge of the computer owner is called a zombie.
2. T. Schevitz, "Colleges Leaking Confidential Data; Students Compromised by Internet Intrusions," San Francisco Chronicle, Monday, April 5, 2004.
3. From the CSO magazine glossary, <http://www.csoonline.com/glossary/term.cfm?ID=970> (accessed December 5, 2005).
4. J. R. Marbaiz, "Lessons in Privacy," U.S. News & World Report, September 6, 2004.
5. R. B. Kvavik and J. Voloudakis et al., Information Technology Security: Governance, Strategy, and Practice in Higher Education (Boulder, Colo.: EDUCAUSE Center for Analysis and Research, Research Study, Volume 5, 2003), <http://www.educause.edu/LibraryDetailPage/666?ID=ERS0305>.
Source: https://er.educause.edu/articles/2006/2/effective-management-of-information-security-and-privacy