IT Policies Must be Prioritized in Higher Education as Data Breaches Skyrocket

January 2, 2020
[First] [Last]

Information security tops the Educause 2018 Top 10 IT Issues as institutions look for better ways to keep up with modern security threats and challenges. This is the third year in a row that security has been at the top of the list. Awareness of the problem is there, but another uptick in data breaches shows schools are still struggling to find a solution.

The right technology is a critical component of an effective security strategy, but humans continue to be the weakest link in the security chain. That’s why ransomware, which relies on phishing emails to trick humans into download malware and open malicious links, has become such a problem.

Higher education institutions need to tighten up their IT policies and procedures if they expect to slow the pace of data breaches. In many cases, IT policies are outdated if they exist at all. Having the right IT policies will reduce the risk of a breach and make it easier for security tools to do what they’re supposed to do.

There are basic IT policies that every organization should have:

  • Acceptable Use. How should devices, applications and other technology be used, accessed and secured? How is access to and sharing of sensitive data controlled? What are the rules for modifying technology?
  • Security Awareness. Users should be educated about the consequences of a data breach in terms of cost, disruption and reputation. This policy should be accompanied by required training and ongoing sharing of security information.
  • Information Security. This policy explains the roles and responsibilities of security personnel and the purpose of security technology.
  • Business Continuity. This includes disaster recovery. In case of downtime caused by a data breach, weather or other event, how will data and applications be recovered to minimize disruption? What tasks are involved, and who is responsible for those tasks? These procedures must be tested regularly.
  • Change Management. All changes to IT systems and software must be properly managed, approved and tracked with a clear understanding of the impact of changes.
  • Incident Response. What qualifies as a security incident? How are incidents detected, contained, remediated and investigated? What actions will be taken to prevent a similar incident from occurring?
  • Remote Access. Approved procedures for connecting to the institution’s network, and penalties for violating this policy, must be defined. This applies to staff, students, parents, alumni, vendors and anyone else who accesses the network.
  • Bring Your Own Device. If your institution permits the use of personal devices, as most schools do, you must have a policy that defines approved operating systems, applications, security mechanisms, how to handle data, and how to report a lost or compromised device.
  • Data Backup, Retention and Destruction. Backups are critical to business continuity, but holding onto data beyond its useful life can increase risk. This policy explains how to back up data, how long to retain it, and how to securely dispose of data and IT assets.

To implement a policy, you first must define the problem or issue that requires a policy solution, and appoint a person or group to manage policy development. Determine what the policy development process looks like. This includes research, consultation with all stakeholders, the writing of the policy in consultation with legal and compliance departments, review of the policy, and adoption. Once the policy has been adopted, training and education are typically required. The policy should be reviewed annually or as technology and regulations change.

Despite increased efforts to improve IT security in higher education, the situation is getting worse. Schools need to start integrating that data from disparate sources, and developing IT policies that account for both security tools and the human element.