By Monique Lucey
It’s hard to believe there was a time in higher education IT when you would try for a secure network but it was okay for users to trump those attempts in favor of being unencumbered. Now, as the list of compliance mandates coming at you from all angles grows and higher education security is considered critical from both a business and an academic standpoint, the pressure is suddenly on to deploy unparalleled network security.
Most importantly, you are on the hook to provide proof in audits that you’ve taken significant measures to protect the privacy of sensitive student, employee and even research subject information.
Here’s just a sampling of the regulations to which most colleges and universities have to adhere:
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996
- The Payment Card Industry’s Data Security Standard (PCI DSS)
- The Family Educational Rights and Privacy Act (FERPA)
- Multiple rulings under the U.S. Food and Drug Administration (FDA)
Each of these, in addition to the dozens of individual state privacy laws, dictates how institutions must safeguard data in motion and at rest through a solid security infrastructure, access control and enforceable policies. And in most cases, adherence to their guidelines must be provable in periodic, and sometimes random, audits.
The problem that most higher education institutions face in meeting these demands is that information needed to create reports and comply with audit demands lies in systems sprinkled around the enterprise. There is often no unified strategy for addressing what, in many cases, are common requirements, such as encryption for data at rest, the use of firewalls, and user authentication.
Instead, the financial aid and admissions offices are left to tackle PCI DSS and FERPA because they deal with electronic payments and student records. The on-campus clinic has a small group looking at HIPAA compliance for student medical data. And then the labs, which interact with the FDA regarding research, try to ensure their own proper handling of electronic records.
You’ll find it much easier and more efficient to gather a cross-functional team of administrators, researchers, clinicians and others who are close to these mandates and map out where their requirements overlap. From there you can develop campus-wide policies that satisfy the requirements. And finally, with this comprehensive, collaborative view, you can deploy technology across the entire network to automate the monitoring, auditing and reporting necessary to manage and enforce these policies and stay in compliance.
Suddenly, what once seemed like an impossible task – securing the network – is achievable, and you can once again turn your talents to giving your users the freedom and flexibility to thrive.
How does your institution address compliance: in a one-off fashion, where each group tackles what it perceives as its own mandates, or as a unified whole? If each group is doing compliance separately, what do you think of that approach? Has it been successful? Let us know.